New cybersecurity reports paint an alarming picture. Cybercriminals are exploiting a previously patched CVE in the Apache HTTP Server to deliver a new cryptocurrency miner dubbed Linuxsys. The campaign uses CVE-2021-41773, a vulnerability rated high severity with a CVSS score of 7.5, which gives attackers the possibility of remote code execution. It affects users of Apache HTTP Server 2.4.49 and, to say the least, can dramatically undermine their infrastructure.
The activity originates from a known-malicious Indonesian IP address, 103.193.177.152. It employs a shell script that hunts down and kills security processes, databases, and user-facing applications, creating an opening for further exploitation. The scale of this campaign is comparable to the H2Miner cryptocurrency mining botnet. That botnet is perhaps best known for using Kinsing, a remote access trojan (RAT) that installs mining malware.
Exploitation of Vulnerabilities
CVE-2021-41773 is a path traversal vulnerability that lets an attacker escape the bounds of a directory and achieve remote code execution. Cybercriminals exploit this flaw to distribute Linuxsys, a cryptocurrency miner that silently hijacks victims’ computing resources for profit without their knowledge or consent.
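One defensive check that follows from the description above: scan Apache access logs for requests whose percent-encoded path, once decoded, climbs above the document root. This is an added example written for this article, not code from the researchers cited here; the log lines are constructed, and the bounded double-decoding only approximates the normalization bug Apache fixed, so treat hits as leads to investigate rather than confirmed exploitation.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines for demonstration (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [10/Oct/2021:12:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1024
203.0.113.12 - - [10/Oct/2021:12:00:03 +0000] "GET /icons/%2e%2e/%2e%2e/etc/hostname HTTP/1.1" 404 196
203.0.113.13 - - [10/Oct/2021:12:00:04 +0000] "GET /docs/..%252f..%252fetc/shadow HTTP/1.1" 403 199
203.0.113.14 - - [10/Oct/2021:12:00:05 +0000] "GET /files/report%202021.pdf HTTP/1.1" 200 8192
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def normalize_path(raw, rounds=2):
    """Percent-decode repeatedly (bounded) so encoded dots and slashes become literal."""
    path = raw.split("?", 1)[0]          # drop the query string
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_docroot(path):
    """True if resolving the '..' segments would climb above the document root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def find_traversal_attempts(log_text):
    """Return (ip, method, decoded_path, status) for every request that escapes the docroot."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in the expected format
        norm = normalize_path(m.group("path"))
        if escapes_docroot(norm):
            hits.append((m.group("ip"), m.group("method"), norm, int(m.group("status"))))
    return hits
```

A 200 status on a flagged request is the one to prioritize, since a 403 or 404 suggests the server rejected the traversal.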
“Both the H2Miner and Lcrypt0rx chains converge on the deployment of Monero miners, a hallmark of resource hijacking campaigns.” – Fortinet
The infection starts with a shell script pulled down from “repositorylinux.com,” which contains comments in Sundanese, an Indonesian language. This focused approach indicates that the attackers deliberately designed the attack to avoid detection. They also disable important security measures, giving them a foothold in the victim’s system that often allows further payloads to be deployed.
In addition to Linuxsys, the attack chain introduces Lcrypt0rx, a ransomware variant that poses a significant threat to victims. It modifies Windows Registry settings to prevent important tools from executing and demands a ransom of $1,000 in cryptocurrency, due within three days. Noncompliance raises the likelihood of files being leaked, putting even more pressure on victims to act urgently.
The Broader Impact
The impact of these attacks goes beyond the direct experience of users. In cloud environments, compromised systems that scale up incur larger compute costs and degraded performance. There is also operational risk: organizations whose infrastructure is weaponized by bad actors face an even greater chance of operational interruption.
“In cloud environments, this results in significant financial impact, as compromised systems incur elevated compute costs, degraded performance, and increased operational risk.” – Fortinet
The unfortunate convergence of the H2Miner botnet with Lcrypt0rx reveals a troubling trend in malware development. As these targeted efforts evolve, they become more nuanced and advanced, consistently using tactics such as staging content on compromised hosts and exploiting n-day vulnerabilities. The attackers’ strategic targeting and attack configuration let them evade security products while still using trusted sites to deliver malware.
“The attacker leverages compromised legitimate websites to distribute malware, enabling stealthy delivery and evasion of detection.” – Jacob Baines, VulnCheck
Long-Term Campaign and Detection Challenges
Signs point to this campaign being not just a flash in the pan but a long-term play by the attackers, backed by considerable effort and strategic planning. They avoid low-interaction honeypots, so accurately monitoring their actions requires high-interaction ones.
“All of this indicates that the attacker has been conducting a long-term campaign, employing consistent techniques such as n-day exploitation, staging content on compromised hosts, and coin mining on victim machines.” – VulnCheck
The use of legitimate hosts with valid SSL certificates makes detection even more difficult. This sneaky maneuver means victims connect to apparently safe websites; by the time they realize the threat, it is often too late.
“This approach is clever because victims connect to legitimate hosts with valid SSL certificates, making detection less likely.” – VulnCheck