Deserialization Attacks Surge Motivated by Illegal Crypto-mining


Imperva’s research group is constantly monitoring new web application vulnerabilities. In doing so, we’ve noticed at least four major insecure deserialization vulnerabilities that were published in the past year. Our analysis shows that, in the past three months, the number of deserialization attacks has grown by 300 percent on average, turning them into a serious security risk to web applications. To make things worse, many of these attacks are now launched with the intent of installing crypto-mining malware on vulnerable web servers, which gridlocks their CPU usage. In this blog post we will explain what insecure deserialization vulnerabilities are, show the growing trend of attacks exploiting these vulnerabilities and explain what attackers do to exploit them (including real-life attack examples). ## What Is Serialization? The process of serialization converts a “live” object (structure and/or state), like a Java object, into a format that can be sent over the network, or stored in memory or on disk. Deserialization converts the format back into a “live” object. The purpose of serialization is to preserve an object, meaning that the object will exist outside the lifetime of the local machine on which it is created. For example, when withdrawing money from an ATM, the information of the account holder and the required operation is stored in a local object. Before this object is sent to the main server, it is serialized in order to perform and approve the needed operations. The server then deserializes the object to complete the operation. ## Types of Serialization There are many types of [serialization](<https://en.wikipedia.org/wiki/Serialization#Serialization_formats>) available, depending on the object which is being serialized and on the purpose. Almost all modern programming languages support serialization. In Java for example an object is converted into a compact representation using byte stream, and the byte stream can then be reverted back into a copy of that object. Other types of serialization include converting an object into a hierarchical format like JSON or XML. The advantage of this serialization is that the serialized objects can be read as plain text, instead of a byte stream. ## Deserialization Vulnerabilities from the Past Three Months In the [OWASP top 10 security risks of 2017](<https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf>) insecure deserialization came in at [eighth place](<https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization>) and rightfully so as we argued in our [previous blog](<https://www.imperva.com/blog/2017/12/the-state-of-web-application-vulnerabilities-in-2017/>) about the state of web application vulnerabilities in 2017. In 2017, major new vulnerabilities related to insecure serialization, mostly in Java, were published (see Figure 1). **Name** | **Release Date (Day/Month/Year)** | **Vulnerability details** ---|---|--- CVE-2017-12149 | 01/08/2017 | Vulnerability in the JBoss Application Server allows execution of arbitrary code via crafted serialized data because the HTTP Invoker does not restrict classes for which it performs deserialization CVE-2017-10271 | 21/06/2017 | Vulnerability in the Oracle WebLogic Server allows execution of arbitrary code due to insufficient sanitizing of user supplied inputs in the wls-wsat component CVE-2017-9805 | 21/06/2017 | The REST Plugin in Apache Struts uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads. CVE-2017-7504 | 05/04/2017 | The HTTPServerILServlet.java in JMS allows remote attackers to execute arbitrary code via crafted serialized data because it does not restrict the classes for which it performs deserialization _Figure 1: CVEs related to insecure deserialization_ In order to understand the magnitude of these vulnerabilities, we analyzed attacks from the past three months (October to December of 2017) that try to exploit insecure deserialization. A key observation is the _steep_ increase of deserialization attacks in the past few months, as can be seen in the Figure 2. _Figure 2: Insecure deserialization attacks over the course of three months_ Most of the attackers used no attack vectors other than insecure deserialization. We noticed that each attacker was trying to exploit different vulnerabilities, with the above-mentioned CVEs being the most prevalent. For a full list of CVEs related to insecure deserialization from the past few years see Figure 3. **Name** | **Relevant System** | **Public Exploit** | **Name** | **Relevant System** | **Public Exploit** ---|---|---|---|---|--- CVE-2017-9844 | SAP NetWeaver | Yes | CVE-2016-2170 | Apache OFBiz | No CVE-2017-9830 | Code42 CrashPlan | No | CVE-2016-2003 | HP P9000, XP7 Command View Advanced Edition (CVAE) Suite | No CVE-2017-9805 | Apache Struts | Yes | CVE-2016-2000 | HP Asset Manager | No CVE-2017-7504 | Red Hat JBoss | Yes | CVE-2016-1999 | HP Release Control | No CVE-2017-5878 | Apache OpenMeetings | Yes | CVE-2016-1998 | HP Service Manager | No CVE-2017-5645 | Apache Log4j | No | CVE-2016-1997 | HP Operations Orchestration | No CVE-2017-5641 | Apache BlazeDS | Yes | CVE-2016-1986 | HP Continuous Delivery Automation | No CVE-2017-5586 | OpenText Documentum D2 | Yes | CVE-2016-1985 | HP Operations Manager | No CVE-2017-3159 | Apache Camel | Yes | CVE-2016-1487 | Lexmark Markvision Enterprise | No CVE-2017-3066 | Adobe ColdFusion | Yes | CVE-2016-1291 | Cisco Prime Infrastructure | Yes CVE-2017-2608 | Jenkins | Yes | CVE-2016-0958 | Adobe Experience Manager | No CVE-2017-12149 | Red Hat JBoss | Yes | CVE-2016-0788 | Jenkins | Yes CVE-2017-11284 | Adobe ColdFusion | No | CVE-2016-0779 | Apache TomEE | No CVE-2017-11283 | Adobe ColdFusion | No | CVE-2016-0714 | Apache Tomcat | No CVE-2017-1000353 | CloudBees Jenkins | Yes | CVE-2015-8765 | McAfee ePolicy Orchestrator | No CVE-2016-9606 | Resteasy | Yes | CVE-2015-8581 | Apache TomEE | No CVE-2016-9299 | Jenkins | Yes | CVE-2015-8545 | NetApp | No CVE-2016-8749 | Jackson (JSON) | Yes | CVE-2015-8360 | Atlassian Bamboo | No CVE-2016-8744 | Apache Brooklyn | Yes | CVE-2015-8238 | Unify OpenScape | No CVE-2016-8735 | Apache Tomcat JMX | Yes | CVE-2015-8237 | Unify OpenScape | No CVE-2016-7462 | VMWare vRealize Operations | No | CVE-2015-8103 | Jenkins | Yes CVE-2016-6809 | Apache Tika | No | CVE-2015-7501 | Red Hat JBoss | Yes CVE-2016-5229 | Atlassian Bamboo | Yes | CVE-2015-7501 | Oracle Application Testing Suite | No CVE-2016-5004 | Apache Archiva | Yes | CVE-2015-7450 | IBM Websphere | Yes CVE-2016-4385 | HP Network Automation | No | CVE-2015-7253 | Commvault Edge Server | Yes CVE-2016-4372 | HP iMC | No | CVE-2015-6934 | VMWare vCenter/vRealize | No CVE-2016-3642 | Solarwinds Virtualization Manager | Yes | CVE-2015-6576 | Atlassian Bamboo | No CVE-2016-3461 | Oracle MySQL Enterprise Monitor | Yes | CVE-2015-6555 | Symantec Endpoint Protection Manager | Yes CVE-2016-3427 | JMX | Yes | CVE-2015-6420 | Cisco (various frameworks) | No CVE-2016-3415 | Zimbra Collaboration | No | CVE-2015-5348 | Apache Camel | No CVE-2016-2510 | Red Hat JBoss BPM Suite | No | CVE-2015-5254 | Apache ActiveMQ | No CVE-2016-2173 | Spring AMPQ | No | CVE-2015-4852 | Oracle WebLogic | Yes CVE-2016-2170 | Apache OFBiz | No | CVE-2015-3253 | Jenkins | Yes CVE-2016-2003 | HP P9000, XP7 Command View Advanced Edition (CVAE) Suite | No | CVE-2012-4858 | IBM Congnos BI | No _Figure 3: CVEs related to insecure deserialization_ ## Deserialization Attacks in the Wild Most of the attacks that we saw are related to byte-stream serialization of Java objects. Also, we saw some attacks related to serialization to XML and other formats, see Figure 4. _Figure 4: Distribution of vulnerabilities over different serialization formats_ In the following attack (see Figure 5) the attacker is trying to exploit CVE-2017-10271. The payload is sent in the HTTP request’s body using a serialized Java object through XML representation. [![Attack vector containing serialized java array into XML fig 5](https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-serialized-java-array-into-XML-fig-5.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-serialized-java-array-into-XML-fig-5.png>) _Figure 5: Attack vector containing a serialized java array into an XML_ The fact that this is a Java array can be seen by the hierarchical structure of the parameters, with the suffix of **“java/void/array/void/string”**. The attacker is trying to run a bash script on the attacked server. This bash script tries to send an HTTP request using “wget” OS command, download a shell script disguised as a picture file (note the jpg file extension) and run it. Few interesting notes can be made examining this command: * The existence of shell and “wget” commands indicate that this payload is targeting Linux systems * Using a picture file extension is usually done to evade security controls * The **“-q”** parameter to “wget” stands for “quiet”, this means that “wget” will have no output to the console, hence it will be harder to note that such a request was even made. Once the downloaded script runs the server is infected with a crypto mining malware trying to mine Monero digital coins (a crypto currency similar to Bitcoin). The next script (see Figure 6) tries to exploit the same vulnerability, but this time the payload is targeting Windows servers using cmd.exe and Powershell commands to download the malware and run it. [![Attack vector infect Windows server with crypto mining malware fig 6](https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-infect-Windows-server-with-crypto-mining-malware-fig-6.png)](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-infect-Windows-server-with-crypto-mining-malware-fig-6.png>) _Figure 6: Attack vector trying to infect Windows server with crypto mining malware_ This indicates that there are two different infection methods for Windows and Linux server, each system with its designated script. Another example is the following payload (Figure 7) that we pulled from an attack trying to exploit a [deserialization vulnerability](<http://seclists.org/oss-sec/2016/q1/461>) with a Java serialized object. [![Attack vector containing java serialized object](https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-java-serialized-object.jpg)](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-java-serialized-object.jpg>) _Figure 7: Attack vector containing a Java serialized object trying to download a crypto miner_ The “bad” encoding is an artifact of Java serialization, where the object is represented in the byte stream. Still, we can see a script in plain text marked in yellow. Shown as an image below is a variable that defines an internal field separator, where in this case it is just a variable for space. The variable is probably used instead of a space to try to make the payload harder to detect. [![](https://www.imperva.com/blog/wp-content/uploads/2018/01/insert-into-paragraph.jpg)](<https://www.imperva.com/blog/wp-content/uploads/2018/01/insert-into-paragraph.jpg>) Just as in the previous examples, this Bash script targets Linux servers that send an HTTP request using “wget” to download a crypto miner. ## Beyond Insecure Deserialization The common denominator of the attacks above is that attackers are trying to infect the server with a crypto mining malware by using an insecure deserialization vulnerability. However insecure deserialization is not the only method to achieve this goal. Below (Figure 8) we see an example of another attack payload, this time at the “Content-Type” header. [![Attack vector using RCE vulnerability of Apache Struts fig 8](https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-using-RCE-vulnerability-of-Apache-Struts-fig-8.jpg)](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-using-RCE-vulnerability-of-Apache-Struts-fig-8.jpg>) _Figure 8: Attack vector using an RCE vulnerability of Apache Struts_ This attack tries to exploit **CVE-2017-5638**, a well-known RCE vulnerability related to Apache Struts which was published in March 2017 and was covered in a [previous blog post](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>). When it was originally published we saw no indications of crypto miners in the attacks’ payloads related to this CVE, and most of the payloads were reconnaissance attacks. However, in this attack the payload (marked in yellow above) is very similar to the payload from the previous example. Using the same remote server and the exact same script, it infected the server with crypto mining malware. This old attack method with a new payload suggests a new trend in the cyber arena – attackers try to exploit RCE vulnerabilities, new and old, to turn vulnerable servers into crypto miners and get a faster ROI for their “effort”. ## Recommendations Given the many new vulnerabilities related to insecure deserialization that were discovered this year, and its appearance in the OWASP top 10 security risks, we expect to see newer related vulnerabilities released in 2018. In the meantime, organizations using affected servers are advised to use the latest patch to mitigate these vulnerabilities. An alternative to manual patching is virtual patching. Virtual patching actively protects web applications from attacks, reducing the window of exposure and decreasing the cost of emergency patches and fix cycles. A WAF that provides virtual patching doesn’t interfere with the normal application workflow, and keeps the site protected while allowing the site owners to control the patching process timeline. Learn more about how to protect your web applications from vulnerabilities with [Imperva WAF solutions](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>).