Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
Also by Will Hayes
The news on the Apache Struts 2 vulnerability is a few weeks old now, and a patch has been released to fix this issue. However, we have seen other vulnerabilities linger long after solutions became available and the Struts vulnerability presents particular challenges that make it difficult to address quickly.
Apache Struts is a framework for developing web applications. Versions 2.3.5 through 2.3.31 and 2.5 through 2.5.10 have a bug that allows remote code execution on any server that is running a web application developed with these code versions. Specifically, the Jakarta multipart parser mishandles Content-Type headers, allowing an attacker to deploy OGNL to execute commands remotely, as detailed in this post from Qualys.
To alleviate the vulnerability, each of these web applications must be recompiled with a patched version of Struts. However, because these code versions have been around for several years, many of the apps developed with them may not be actively maintained and are unlikely to be updated anytime soon. Additionally, recompiling applications with patched code takes time and may break them. Finally, finding servers running these vulnerable applications is incredibly difficult, a challenge our Customer Success team was forced to tackle while assisting our customers worried about the Struts vulnerability.
The Struts 2 vulnerability took a lot of people and companies by storm just like most exposures do. At RiskIQ, we were contacted by one of our biggest clients and asked if we could assist in finding out if they were in jeopardy. Fortunately for them, we could. Most companies large or small don’t know all of their web-facing assets, but with RiskIQ, they have the ability not only to find out what belongs to them but also be able to monitor those assets once they’ve been discovered and inventoried.
Using RiskIQ’s Digital Footprint product to go into this customer’s inventory, we could find vulnerable assets immediately. When searching for assets possibly tied to the Struts2 framework, we first queried a different branch of inventory entitled the “Full Site Index.” In Full-Site, we searched for any URL that contained “.do,” ”.action,” or “.go,” common extensions used by the Struts framework. This list was then de-duplicated and manually reviewed for false positive use of the words “do,” “action,” and “go” in the URL. Once we extracted the three exports, we then compiled the lists and removed any duplicate hostnames. Then, we queried those hostnames in their Inventory and exported that list to come up assets that may associate with Struts 2.
Next, we dove back into their inventory and searched for web components that are likely to point to Struts 2. These web components are:
We then extracted any websites using these web components and added them to the master list. We supplied our client with the newly formed comprehensive list, and they were able to find assets they owned tied to Struts 2, drastically lessening any blow they could have absorbed if they had not contacted us.
Since the vulnerability was announced, we have helped six of the top 10 companies in their respective industries, finding nearly 5,000 assets that may be using Struts 2 and continuing to find more as more clients ask for help. With our extensive database, skilled analysts and engineers, and a forward-thinking mentality, RiskIQ once again showed why we continue to be a reliable partner in finding and mitigating external threats.
Sign up for RiskIQ Community today for free and try Digital Footprint for yourself.
It's near impossible to hide online. Even ‘stealth’ executives are at risk for serious security breaches https://t.co/MRKhZbAW7i
Nick Gicinto,Vice President, Executive Guardian @RiskIQ on stage #SINETCanada #cybersecurity @FSToronto, @SINETConnection
Automation: the key to fighting cybercriminals https://t.co/dkx9Y3NApF
Coming to CyberHub Summit? Find out how RiskIQ's internet-wide visibility and unmatched data are helping the c-suite cope with a rapidly changing cybersecurity landscape https://t.co/IMaU5tLJfc
Today! Visit us at booth #1486 at #GSX2019 to find out how RiskIQ #ExecutiveGuardian is giving today's top executives a continuous 360-degree view of their attack surface.