Hackers Exploit Apache HTTP Server Vulnerability to Deploy Linuxsys Cryptocurrency Miner

New Cyberattack Campaign Targets Apache HTTP Server to Distribute Cryptocurrency Miner

Cybersecurity experts have recently identified a worrisome campaign leveraging a known vulnerability in the Apache HTTP Server to deliver a cryptocurrency miner named Linuxsys. The attack exploits CVE-2021-41773 (high severity, CVSS score 7.5), a path traversal vulnerability in Apache HTTP Server version 2.4.49. Left unpatched, this flaw can lead to remote code execution, allowing attackers to run harmful commands on affected systems.
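As an added defender-side illustration (not code from the article or from VulnCheck), the script below scans Apache access-log lines for requests whose percent-decoded path climbs above the document root, which is the request shape behind the traversal flaw described above. The log lines are constructed samples; the `cgi` flag reflects the documented condition under which this Apache issue escalates from file disclosure to code execution (CGI enabled), and the log format is assumed to be the default combined/common layout.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access-log lines (not taken from the article):
# one normal request, two encoded traversal attempts, one harmless "..".
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jul/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1234
10.0.0.9 - - [17/Jul/2025:10:01:05 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 987
10.0.0.9 - - [17/Jul/2025:10:01:07 +0000] "POST /cgi-bin/%252e%252e/%252e%252e/bin/sh HTTP/1.1" 200 0
10.0.0.7 - - [17/Jul/2025:10:01:09 +0000] "GET /docs/../images/logo.png HTTP/1.1" 200 4321
"""

# Client, timestamp, request line and status from a common/combined log entry.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def decode_path(raw):
    """Percent-decode until stable (bounded) so double-encoded '..' becomes visible."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_docroot(path):
    """True if '..' segments climb above the document root at any point."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def detect_traversal(log_text):
    """Return one finding per request whose decoded path escapes the docroot."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_path(m["path"])
        if not escapes_docroot(decoded):
            continue
        findings.append({
            "client": m["client"], "method": m["method"], "status": int(m["status"]),
            "raw_path": m["path"], "decoded_path": decoded,
            # Traversal through a CGI path is the case where this flaw becomes code execution.
            "cgi": decoded.startswith("/cgi-bin/"),
        })
    return findings
```

A 200 status on a flagged request is the signal worth escalating, since it indicates the server actually served the traversed path.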

The Attack Mechanics

The attackers use compromised legitimate websites to distribute their malware, a convenient way to avoid detection. According to a report from VulnCheck, this approach not only makes the attack stealthier but also lets the malware arrive from seemingly trustworthy sources. The tactic is particularly effective because the compromised sites present valid SSL certificates, so traditional security controls have a harder time flagging the traffic as malicious.

The infection chain was first observed earlier this month, originating from an Indonesian IP address (103.193.177[.]152). The attackers drop a secondary payload onto the victim’s system from "repositorylinux[.]org," using curl or wget to fetch it. This next-stage payload runs a shell script that downloads the Linuxsys cryptocurrency miner from various legitimate sites, which indicates that the threat actors have compromised multiple trusted infrastructures to support their operation.

Clever Evasion Tactics

One notable aspect of this attack is the delivery method. The shell script not only downloads the Linuxsys miner but also places another script named "cron.sh" on the infected system. This secondary script ensures that the miner launches automatically every time the system reboots, giving it persistence that is easy to overlook among normal system operations.

Interestingly, VulnCheck has also identified Windows executables hosted on the hacked sites, suggesting that attackers may be extending their campaign to target Windows users as well. This expansion indicates a broader strategy and diversification in the attack tactics employed by the perpetrators.

A Series of Vulnerabilities

This is not the first time the Linuxsys miner has exploited security weaknesses. Previous attacks have taken advantage of other critical vulnerabilities in recent years, including:

  • CVE-2023-22527: A template injection vulnerability in Atlassian Confluence
  • CVE-2023-34960: A command injection vulnerability in Chamilo Learning Management Systems (LMS)
  • CVE-2023-38646: A command injection vulnerability in Metabase
  • CVE-2024-0012 and CVE-2024-9474: Authentication bypass and privilege escalation vulnerabilities in Palo Alto Networks firewalls

This pattern of exploiting a range of weaknesses suggests that the attackers are running a well-coordinated, long-term campaign. Their methodology consists of using n-day vulnerabilities (previously disclosed flaws that remain unpatched on many systems), staging content on compromised hosts, and running coin-mining software on infected machines.

Conclusion

The success of these cybercriminals hinges not just on their tactics but also on their targeting. They appear to avoid low-interaction honeypots, opting instead for high-interaction scenarios where they can monitor and leverage their attacks effectively. The use of compromised hosts for malware distribution has significantly reduced the chance that their infrastructure is scrutinized, making their operations even more challenging to detect.

GhostContainer Backdoor Targets Exchange Servers

In a related development, Kaspersky has revealed a new campaign targeting government entities in Asia using a custom backdoor known as GhostContainer. This sophisticated malware exploits a now-patched vulnerability (CVE-2020-0688) in Microsoft Exchange Server. Kaspersky’s report highlights that this backdoor grants attackers full control over compromised servers, allowing them to execute various malicious activities.

GhostContainer’s capabilities include executing shellcode, downloading and managing files, and even manipulating .NET code. The malware operates discreetly, with its commands concealed inside normal Exchange web requests, which indicates a high level of skill and understanding of Exchange’s architecture on the part of the attackers.

Taken together, these disclosures show threat actors adopting multi-faceted approaches, which makes it all the more urgent for organizations to patch vulnerabilities proactively and strengthen their defenses against such intricate attacks.
