
Threat Hunting Case Study: FileFix
FileFix bypasses Mark of the Web (MotW) protections by hijacking the Windows File Explorer address bar. Here is how to hunt for it.

Late last year, a remote code execution (RCE) vulnerability in Apache Struts, CVE-2020-17530, was disclosed. In Apache Struts versions 2.0.0 through 2.5.25, a forced double evaluation of Object-Graph Navigation Language (OGNL) expressions in a tag's dynamic attributes can lead to RCE. Apache Struts is one of the most widely deployed web frameworks on the internet, and its public-facing nature makes it a frequent target for threat actors. Whether a given deployment is exploitable depends on how the specific Struts application is written and configured, which makes detection, defense, and risk analysis more complex than a simple version check.
The vulnerability is exploited by sending a specially crafted HTTP request carrying an OGNL payload to a vulnerable application. When raw user input is placed into certain tag attributes (such as "id") using forced OGNL evaluation, the framework evaluates the attribute value once when it is assigned and again when the tag is rendered, so an attacker-supplied expression is executed during that second evaluation. The issue is fixed in Apache Struts 2.5.26; if you run Struts in your environment, we strongly recommend updating as soon as possible. Exploitation has been observed in the wild, and the vulnerability is currently being used in active, malicious campaigns.
If you would like to learn more about this vulnerability, a proof-of-concept exploit for CVE-2020-17530 written in Python is available on the Cyborg Security GitHub account:
https://github.com/CyborgSecurity/CVE-2020-17530
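The hunt that follows from the mechanism above is to look for OGNL expressions arriving in request parameters. The Python below is an added example written for this page, not code from Cyborg Security or the Apache Struts project. It parses combined-format web server access log lines (the four lines embedded in it are constructed for the example, and the OGNL fragments on the second and third lines only illustrate the shapes seen in public probes; they are not a working exploit), URL-decodes each request target repeatedly so double-encoded payloads surface, and flags any target containing an OGNL expression marker (`%{` or `${`). A bare marker is reported as a probe; a marker combined with idioms typical of OGNL RCE chains (context references such as `#application` or `#request`, `java.lang.Runtime`, reflective instantiation) is reported as likely exploitation. The indicator names and severity labels are this example's own choices.

```python
import re
import urllib.parse
from typing import Dict, List

# Constructed combined-format access-log lines for this example; not real traffic.
# Lines 2 and 3 carry illustrative OGNL fragments, not a working exploit.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Dec/2020:10:01:12 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Dec/2020:10:02:44 +0000] "GET /struts2-showcase/index.action?id=%25%7B1%2B1%7D HTTP/1.1" 200 5120 "-" "curl/7.68.0"
10.0.0.9 - - [15/Dec/2020:10:03:01 +0000] "GET /struts2-showcase/index.action?id=%25%7B%28%23instancemanager%3D%23application%5B%22org.apache.tomcat.InstanceManager%22%5D%29.%28%23stack%3D%23request%5B%22struts.valueStack%22%5D%29%7D HTTP/1.1" 200 5120 "-" "python-requests/2.25.0"
10.0.0.7 - - [15/Dec/2020:10:04:30 +0000] "GET /search.action?q=price%7Bbelow%7D HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Struts only evaluates a value as OGNL when it is wrapped as %{...} or ${...}.
OGNL_MARKER = re.compile(r'[%$]\{')

# Idioms that recur in OGNL RCE chains; names are this example's own labels.
OGNL_IDIOMS = {
    "ognl-context-ref": re.compile(
        r'#(application|request|context|_memberAccess|instancemanager)\b', re.I),
    "java-runtime-ref": re.compile(
        r'@java\.lang\.Runtime@|getRuntime\s*\(|ProcessBuilder', re.I),
    "reflection-instantiation": re.compile(r'\.newInstance\s*\(', re.I),
}


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2525%257B) still surface."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_target(target: str) -> Dict[str, object]:
    """Classify one request target; returns {} when nothing OGNL-like is present."""
    decoded = fully_decode(target)
    if not OGNL_MARKER.search(decoded):
        return {}
    hits = [name for name, rx in OGNL_IDIOMS.items() if rx.search(decoded)]
    severity = "likely-exploitation" if hits else "suspicious-probe"
    return {"decoded": decoded, "indicators": hits, "severity": severity}


def hunt(log_text: str) -> List[Dict[str, object]]:
    """Run the check over access-log text and return one finding per flagged request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        verdict = inspect_target(m.group("target"))
        if verdict:
            verdict.update(ip=m.group("ip"), ts=m.group("ts"), status=m.group("status"))
            findings.append(verdict)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['severity']:<20} {f['indicators']} {f['decoded'][:80]}")
```

Two caveats when running this against production data: standard access logs record only the request line, so OGNL delivered in a POST body or header is invisible to it and needs reverse-proxy, WAF or packet-capture data instead; and a hit shows that someone sent an OGNL expression, not that the application was vulnerable, so pair the hunt with an inventory of Struts versions below 2.5.26 and with the response status and size of the flagged requests.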