FBI issues flash alert on Apache Struts vulnerability

A FBI flash alert obtained by CyberScoop shows the FBI is pushing the private sector to close the vulnerability linked to the massive data breach at Equifax
(Getty Images)

Law enforcement is just beginning to understand the damage caused by a single, highly publicized software vulnerability that was labeled as a key reason credit reporting agency Equifax suffered a disastrous data breach earlier this year.

The FBI is asking for help from the private sector to identify and track a group that recently was found to target older versions of the open source web application framework Apache Struts.

The vulnerability, which was originally disclosed in March, remains present inside hundreds of corporate networks. Apache Struts is especially popular within the U.S.’s three big credit reporting agencies. More than 145 million people were affected by the Equifax breach.

This call for information comes in the form of an FBI Flash alert sent Sept. 29 and obtained by CyberScoop. The flash alert, labeled “TLP:AMBER,” provides technical indicators related to a recent, unnamed corporate breach involving a hacker exploiting a remote code execution vulnerability in Apache Struts to deploy simple backdoor implants known as web shells, which allowed for wide access within a compromised network.


The Apache Struts flaw referred to in the alert is known as CVE-2017-5638. It allows for an attacker to remotely run code on a web server, access files and bypass security controls by sending unauthenticated web requests to an unpatched machine.

Although left nameless in the FBI document, the company in question may be the recently breached Equifax due to an apparent overlap in the techniques and tools reportedly used by the attacker and those subsequently mentioned in the alert.

The cryptographic signatures for the web shells found are included in the report so that defenders can check their own networks for possible intrusions and other evidence. A cursory search for these SHA256 hash values on the malware signature database VirusTotal provides few additional clues, as many of the hashes do not appear to have been uploaded.

“During an incident involving one of the previously reported Apache Struts vulnerabilities, cyber actors deployed multiple Web shells,” the flash alert obtained by CyberScoop reads. “These vulnerabilities affect numerous industries, including financial firms and third-party vendors on which financial firms rely. Vulnerabilities associated with Apache Struts can exist on Web applications hosted on traditional servers as well as be embedded in hardware devices such as multifunction printers which support a Web interface for configuration and management.”


Bloomberg previously reported, citing an internal security assessment, that the hackers responsible for the Equifax breach had exploited an outdated version of Apache Struts to install upwards of 30 web shells during their operation into the credit monitoring giant. The web shells reportedly helped them steal login credentials, personal records and other information.

Some of the hackers behind this incident may be state-sponsored, according to Bloomberg, due to the reported discovery of indicators previously linked to Chinese intelligence.

The FBI alert encourages companies to take proactive steps to decrease the potential for these types of attacks, specifically by “patching and updating systems running Apache Struts” and conducting “regular system and application vulnerability scans to establish areas of risk,” among other recommendations.


More broadly, the FBI flash alert serves to highlight the complex, multidimensional and interconnected nature of large scale cybercrime cases — which are often dependent on gathering evidence from private, commercial databases that are beyond the immediate reach of law enforcement.

Latest Podcasts