Researchers are warning users of certain WSO2 products to apply patches for a vulnerability that has been exploited in the wild since April. Over the last few weeks, attackers have been exploiting the flaw to install Linux-compatible Cobalt Strike beacons and other malware on targeted systems.
WSO2, an open-source technology provider that specializes in application program interface (API) management software for a number of industries including the healthcare, banking, energy, education and government sectors, issued a patch for the vulnerability (CVE-2022-29464) in April.
The critical flaw, an unrestricted file upload vulnerability with a 9.8 CVSS score, is serious because it can be exploited remotely and requires neither user interaction nor administrative privileges.
“Looking at the vulnerability’s vector analysis, exploiting this gap is easy as the servers using the affected products can be found with a Google or a Shodan search,” said Hitomi Kimura, Abraham Camba and Ryan Soliven, researchers with Trend Micro, in a Tuesday analysis. “Moreover, the threat actors appear to be persistent in implementing the existing PoC, and the availability of the Metasploit module is one milestone in the increased exploit of vulnerabilities for cybercriminals.”
In the days after the flaw was disclosed, a proof-of-concept (PoC) exploit was released and attacks were then observed by researchers with Rapid7’s Managed Detection and Response team, which said attackers stayed close to the original PoC exploit and dropped web shells and cryptocurrency miners on targets.
Over the next few weeks, attackers have continued to target impacted products and have been “notably aggressive in installing web shells,” according to researchers with Trend Micro, who observed the installation of Windows- and Linux-compatible Cobalt Strike beacons, scan tools like fscan for Windows, cryptocurrency miners and other malware. While there have been previous reports of a Linux-compatible Cobalt Strike beacon in September 2021, researchers said this recent beacon had a different structure.
“We also observed the installation of other samples of the beacon from the same family in other environments affected by the vulnerability,” said Trend Micro researchers. “Considering this, we expect to see samples of this family in vulnerable Linux environments more actively in the future as the installation of backdoor beacons indicate the potential for more malicious and damaging activities than the installation of coinminers.”
Researchers recommend that impacted users remediate the flaw immediately with instructions that can be found in WSO2’s advisory. Specifically impacted are WSO2 API Manager 2.2.0 and above, Identity Server 5.2.0 and above, Identity Server Analytics 5.4.0 to 5.6.0, Identity Server as Key Manager 5.3.0 and above, Open Banking AM 1.4.0 and above, and Enterprise Integrator 6.2.0 and above.
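The affected-version list above is the one piece of actionable data a defender can act on directly. The following is an added example, not code from WSO2, Trend Micro or Rapid7, that turns those ranges into an inventory triage check: it parses product/version pairs, compares them against the ranges exactly as the article states them, and flags hosts that need attention. The "and above" ranges are left open-ended because the article gives no upper bound, so a hit means "confirm the patch level against WSO2's advisory", not a confirmed exposure; the inventory lines are constructed sample input.

```python
"""Triage a WSO2 deployment inventory against the affected version ranges
that the article lists for CVE-2022-29464.

Added example (not WSO2's, Trend Micro's or Rapid7's code). The ranges below
are taken only from the article text; 'and above' ranges carry no upper bound
because the article states none, so a hit means "check the patch level in
WSO2's advisory", not a confirmed exposure.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (minimum inclusive, maximum inclusive or None for "and above") -- as stated in the article.
AFFECTED_RANGES = {
    "API Manager": ("2.2.0", None),
    "Identity Server": ("5.2.0", None),
    "Identity Server Analytics": ("5.4.0", "5.6.0"),
    "Identity Server as Key Manager": ("5.3.0", None),
    "Open Banking AM": ("1.4.0", None),
    "Enterprise Integrator": ("6.2.0", None),
}


def parse_version(text: str) -> Version:
    """Turn '5.2' or '5.2.0' into a 3-tuple so that tuple comparison orders versions correctly."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 3:
        raise ValueError(f"unexpected version format: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_in_affected_range(product: str, version: str) -> Optional[bool]:
    """True if the version lies in the article's listed range for that product,
    False if it lies outside it, None if the article does not list the product."""
    rng = AFFECTED_RANGES.get(product)
    if rng is None:
        return None
    low, high = rng
    v = parse_version(version)
    if v < parse_version(low):
        return False
    if high is not None and v > parse_version(high):
        return False
    return True


def triage_inventory(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Read 'host,product,version' lines and return (host, product, version, verdict)
    for every entry, where verdict is 'check-advisory', 'outside-listed-range' or 'not-listed'."""
    results = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        host, product, version = (field.strip() for field in raw.split(",", 2))
        hit = is_in_affected_range(product, version)
        verdict = {True: "check-advisory", False: "outside-listed-range", None: "not-listed"}[hit]
        results.append((host, product, version, verdict))
    return results


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    "# host,product,version",
    "api-gw-01.example.internal,API Manager,4.0.0",
    "idp-01.example.internal,Identity Server,5.1.0",
    "idp-analytics.example.internal,Identity Server Analytics,5.7.0",
    "ob-am.example.internal,Open Banking AM,2.0.0",
    "esb-01.example.internal,Enterprise Integrator,6.1.1",
    "legacy.example.internal,Some Other Product,1.0",
]

if __name__ == "__main__":
    for host, product, version, verdict in triage_inventory(SAMPLE_INVENTORY):
        print(f"{verdict:22} {host:32} {product} {version}")
```

Run it against a real export of your WSO2 hosts (one `host,product,version` line each); every `check-advisory` row is a host whose version falls in a range the article names and whose patch status should be confirmed against WSO2's advisory before being closed out.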
“Compared to other servers, WSO2 Identity Server can be considered one of the most valuable assets for infiltration for threat actors as it is an open source Identity Access Management (IAM) product,” said Trend Micro researchers. “Threat actors getting access to the IAM servers could gain access to all services and user data that have access management under the WSO2 products server at will.”