Vulnerability Class: CVE scanning tool
- CloudSEK’s Threat Intelligence team discovered a post on a cybercrime forum advertising a scanning tool for CVE-2021-41773, a path traversal and file disclosure vulnerability in Apache HTTP Server.
- Apache HTTP Server is an open-source server for UNIX and Windows operating systems.
- The scanning tool assists threat actors in identifying vulnerable Apache servers.
- Apache has released an advisory for this vulnerability, along with a patch in version 2.4.50.
- Threat actors can exploit this vulnerability to poison server logs in order to carry out remote code execution and/or exfiltrate sensitive data.
Analysis and Attribution
- A threat actor posted an advertisement on a cybercrime forum, offering a scanning tool that speeds up the process of finding Apache servers vulnerable to CVE-2021-41773.
- Apache HTTP Server is one of the most widely used web server software packages worldwide. The vulnerability, tracked as CVE-2021-41773, is a path traversal and file disclosure vulnerability in Apache HTTP Server that has been exploited in the wild as a zero-day.
- The scanning tool shared by the threat actor is written in Python. The package's script depends on a separate file that specifies the domain to be scanned, and it reports whether the server is vulnerable or not.
- By analyzing the script file shared by the threat actor, it is evident that its main function is to automate the process of finding vulnerable Apache servers for the vulnerability CVE-2021-41773.
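The actor's tool works from the attacker's side; the complementary view for a defender is to look for exploitation attempts in the web server's own access logs. The script below is an added example (not the actor's tool and not CloudSEK's code): it parses Apache access-log lines in Common Log Format, percent-decodes the request path repeatedly so that double-encoded traversal is caught, and flags any request whose decoded path contains a `..` segment, noting separately whether that path climbs above the document root and whether the server answered 200. The log lines, client addresses and timestamps are constructed for the example.

```python
"""Flag likely path-traversal attempts in Apache access logs (added example)."""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2021:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [06/Oct/2021:10:15:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1423
203.0.113.9 - - [06/Oct/2021:10:15:03 +0000] "GET /icons/..%252f..%252fetc/hosts HTTP/1.1" 404 196
203.0.113.11 - - [06/Oct/2021:10:15:04 +0000] "GET /docs/../index.html HTTP/1.1" 200 1043
203.0.113.13 - - [06/Oct/2021:10:15:05 +0000] "GET /static/app.js?v=..%2f HTTP/1.1" 200 5120
"""

# Common Log Format: client ident user [timestamp] "request line" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so '%252e' -> '%2e' -> '.'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze_target(target: str) -> dict:
    """Inspect the path part of a request target (query string is ignored).

    Returns the decoded path, whether it contains any '..' segment, and whether
    walking its segments ever goes above the document root.
    """
    path = target.split("?", 1)[0]
    decoded = fully_decode(path)
    depth = 0
    has_dotdot = False
    escapes_root = False
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            has_dotdot = True
            depth -= 1
            if depth < 0:
                escapes_root = True
        else:
            depth += 1
    return {"decoded": decoded, "dotdot": has_dotdot, "escapes_root": escapes_root}


def scan_log(text: str) -> list:
    """Return one finding per log line whose decoded path contains a '..' segment."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool would count these
        info = analyze_target(m.group("target"))
        if not info["dotdot"]:
            continue
        findings.append({
            "client": m.group("client"),
            "method": m.group("method"),
            "raw_target": m.group("target"),
            "decoded": info["decoded"],
            "escapes_root": info["escapes_root"],
            # A 200 on a root-escaping request suggests the server actually served the file.
            "served": m.group("status") == "200",
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        severity = "HIGH" if f["escapes_root"] else "LOW"
        print(f"[{severity}] {f['client']} {f['method']} {f['raw_target']} -> "
              f"{posixpath.normpath(f['decoded'])} served={f['served']}")
```

Browsers and well-behaved clients normalise `..` before sending a request, so a decoded `..` segment in the raw request line is itself a strong signal; the `escapes_root` flag separates a request that merely moves within the tree from one that reaches outside it, and `served` tells an incident responder whether an unpatched server actually returned content.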
The Threat Actor
- The actor, who joined the forum in Dec 2019, has a medium reputation.
- Most of their activities are related to sharing/selling access to online shops.
- Their previous posts and activities indicate that the actor is a coder whose preferred programming language is Python.
- The actor is popular on the forum, with a high number of posts and replies to other posts.
- The information shared by the actor seems reasonably logical and consistent.
- Most of the actor’s past activities have been related to access and are usually legitimate.
- The reliability of the actor can be rated Usually reliable (B).
- The credibility of the advertisement can be rated Possibly true (3).
- This gives an overall source credibility rating of B3.
Impact & Mitigation