CVE scanning tool
- CloudSEK’s Threat Intelligence team discovered a post, on a cybercrime forum, advertising a scanning tool for the path traversal and file disclosure vulnerability, CVE-2021-41773, in Apache HTTP Server.
- Apache HTTP Server is an open-source server for UNIX and Windows operating systems.
- The scanning tool assists threat actors in identifying vulnerable Apache servers.
- Apache has released an advisory regarding the vulnerability, along with a patch in version 2.4.50.
- Threat actors can exploit this vulnerability to poison server logs in order to carry out remote code execution and/or exfiltrate sensitive data.
Image caption: A threat actor’s post describing the scanning tool for CVE-2021-41773 on a cybercrime forum
Analysis and Attribution
- A threat actor posted an advertisement on a cybercrime forum, offering a scanning tool that speeds up the process of finding Apache servers vulnerable to CVE-2021-41773.
- Apache HTTP Server is one of the most widely used web server software packages in the world. The vulnerability, tracked as CVE-2021-41773, is a path traversal and file disclosure vulnerability in Apache HTTP Server that is being exploited in the wild as a zero-day.
- The scanning tool shared by the threat actor is written in Python. The package's script depends on a separate file that specifies the domain to be scanned, and it reports to the user whether the server is vulnerable or not.
- Analysis of the script shared by the threat actor shows that its main function is to automate the process of finding Apache servers vulnerable to CVE-2021-41773.
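Scanning activity of this kind leaves traces in the target's Apache access log. The following is an added example, not code from the post or from the actor's tool: a small Python detector that runs over constructed sample log lines and flags requests whose path contains a parent-directory segment only after percent-decoding, which is the normalization flaw that CVE-2021-41773 exploitation relies on. The log format (Apache combined) and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (Apache combined format); not from the original post.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2021:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Oct/2021:10:15:09 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1800 "-" "python-requests/2.26"
203.0.113.9 - - [06/Oct/2021:10:15:11 +0000] "GET /icons/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 403 199 "-" "python-requests/2.26"
203.0.113.4 - - [06/Oct/2021:10:16:00 +0000] "GET /docs/a..b/readme.txt HTTP/1.1" 200 512 "-" "curl/7.79"
"""

# Matches the client IP, request line and status code of a combined/common log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def fully_decode(s, max_rounds=3):
    """Percent-decode repeatedly until stable, so doubly-encoded dots are caught as well."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify_request(target):
    """Return 'encoded', 'plain' or None: does the path hold a '..' segment, and was it
    only visible after decoding (the evasion that the vulnerable normalization misses)?"""
    path = target.split('?', 1)[0]
    raw_has_dotdot = '..' in path.split('/')
    decoded_has_dotdot = '..' in fully_decode(path).split('/')
    if decoded_has_dotdot and not raw_has_dotdot:
        return 'encoded'   # hidden traversal: the pattern behind CVE-2021-41773
    if raw_has_dotdot:
        return 'plain'     # literal traversal; a healthy server rejects it, but it is still probing
    return None

def scan_log(text):
    """Yield (ip, target, kind, status) for every suspicious request in the log text.
    A 200 on an 'encoded' hit means the server actually served the file."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_request(m['target'])
        if kind:
            findings.append((m['ip'], m['target'], kind, m['status']))
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

A hit with status 200 is the one to escalate: it indicates the server answered the traversal request rather than rejecting it.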
The Threat Actor
- The actor, who joined the forum in Dec 2019, has a medium reputation.
- Most of their activities are related to sharing/selling access to online shops.
- Their previous posts and activities indicate that the actor is a coder whose preferred programming language is Python.
- The actor is popular on the forum and has a high number of posts, and responses to other posts.
- The information shared by the actor seems reasonably logical and consistent.
- Most of the actor’s past activities have involved access, and those offerings have usually been legitimate.
- The reliability of the actor can be rated Usually reliable (B).
- The credibility of the advertisement can be rated Possibly true (3).
- This gives an overall source credibility rating of B3.
Impact & Mitigation
- Attackers could use path traversal to map URLs to files outside the expected document root and access sensitive files, passwords, etc.
- This flaw could leak the source of interpreted files such as CGI scripts.
- This vulnerability could lead to remote code execution (RCE) by poisoning server logs.
- RCE can lead to devastating attacks including, but not limited to, ransomware campaigns.
- Immediately update Apache HTTP Server to the patched version 2.4.50.
- Advisory issued by Apache for the vulnerabilities in Apache HTTP Server version 2.4
- Link to CloudSEK’s Vulnerability Intelligence Report on Apache CVE-2021-41773