APT & Targeted Attacks
Recent Cyberattacks Target Open-source Web Servers
As organizations reeled from the Log4Shell vulnerability (CVE-2021-44228), cyberattacks aiming at open-source web servers, like Apache HTTP Server, were rapidly rising. Malicious actors take advantage of people’s reliance on web servers to perform attacks like remote code execution (RCE), access control bypass, denial of service (DoS), or even cyberjacking the victim servers to mine cryptocurrencies.
To protect enterprises against malicious activities, we need more than just timely patches. Using software composition analysis (SCA) to discover issues in each layer of the software supply chain has become a must in 2022.
Vulnerabilities of Apache HTTP Server have increased since 2017
Open-source web servers, especially Apache HTTP Server, have been heavily exploited in the past five years. Compared to Nginx, another widely used open-source web server, Apache had the greatest increase in vulnerabilities over the past five years – particularly high-risk ones.
According to the Apache HTTP Server webpage, from 2012 to 2016 there were a total of 31 vulnerabilities found in the Apache HTTP Server. However, from 2017 to 2021 the total number of vulnerabilities surged to 57. 2021 alone accounted for 14 of those vulnerabilities, a 17-year record high.
Most importantly, two vulnerabilities found in the second half of 2021 (CVE-2021-42013, CVE-2021-41773) were rated “Critical” under Apache’s rating system. Before that, no vulnerability had been rated at this level. “Critical” vulnerabilities have the potential to be exploited by a remote attacker to get Apache to execute arbitrary code, and they could also be exploited automatically by worms.
Source: Apache HTTP Server Project
Weaponized vulnerabilities lead to great risk
Not only has the number of total Apache HTTP Server vulnerabilities gone up, but so has the number of weaponized vulnerabilities.
Trend Micro detected that at least 15 of the 57 vulnerabilities found in the past five years were weaponized and used in malicious activities. The most common types of attack include denial of service (DoS), path traversal, server-side request forgery (SSRF), and remote code execution (RCE). Multiple vulnerabilities found in 2021 have been confirmed as actively exploited.
Table 1: The 15 vulnerabilities weaponized since 2017

| CVE ID | CVSS v3 score | Description |
|---|---|---|
| CVE-2021-42013 | 9.8 | Path traversal and remote code execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) |
| CVE-2021-41773 | 7.5 | Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 |
| CVE-2021-40438 | 9.0 | mod_proxy SSRF |
| CVE-2020-11984 | 9.8 | mod_proxy_uwsgi buffer overflow |
| CVE-2019-10098 | 6.1 | mod_rewrite potential open redirect |
| CVE-2019-10097 | 7.2 | mod_remoteip stack buffer overflow and NULL pointer dereference |
| CVE-2019-0190 | 7.5 | mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1 |
| CVE-2018-8011 | 7.5 | mod_md DoS via core dumps on specially crafted requests |
| CVE-2018-1303 | 7.5 | Possible out-of-bounds read in mod_cache_socache |
| CVE-2018-11763 | 5.9 | DoS for HTTP/2 connections by continuous SETTINGS frames |
| CVE-2017-9798 | 7.5 | Use-after-free when using `<Limit>` with an unrecognized method in .htaccess (“OptionsBleed”) |
| CVE-2017-9788 | 9.1 | Uninitialized memory reflection in mod_auth_digest |
| CVE-2017-7668 | 9.8 | ap_find_token() buffer overread |
| CVE-2017-7659 | 7.5 | mod_http2 NULL pointer dereference |
| CVE-2017-15715 | 8.1 | `<FilesMatch>` bypass with a trailing newline in the file name |
Source: Apache HTTP Server Project, Trend Micro Inc., NVD
CVE-2021-41773 and CVE-2021-42013, the two critical vulnerabilities, are clear examples of how attackers exploit flaws in the Apache HTTP Server.
As Trend Micro reported, both are path traversal vulnerabilities that allow attackers to map URLs to files and directories outside of the web root. In configurations where Common Gateway Interface (CGI) scripts are enabled for these paths, attackers can achieve RCE on the vulnerable server.
Both discovered in early October 2021, CVE-2021-41773 and CVE-2021-42013 were detected with more than four million exploits by the end of 2021.
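The path traversal described above evaded Apache’s path normalization because the dot-dot segments arrived percent-encoded (and, for CVE-2021-42013, double-encoded). The following is an added example, not Trend Micro or Apache code, of how a log scanner or virtual patch can canonicalize request paths before deciding whether they climb above the document root; the access-log lines are constructed.

```python
"""Flag percent-encoded path-traversal attempts in Apache access logs.

Added example: repeatedly percent-decode each request path until it stops
changing, then resolve '.' and '..' segments and report any path that would
resolve above the document root. Sample log lines are constructed."""
import re
from urllib.parse import unquote

# Matches the request line inside a combined/common log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def canonicalize(path: str, max_rounds: int = 3) -> tuple[str, int]:
    """Decode until stable; returns (decoded_path, rounds_that_changed_it).
    A second round is what exposes double-encoded segments such as %%32%65."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def escapes_docroot(decoded_path: str) -> bool:
    """Walk the segments with a depth counter; True if '..' goes above '/'."""
    depth = 0
    for seg in decoded_path.split("?", 1)[0].split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_log(lines):
    """Return (raw_request_path, decoding_rounds) for every traversal hit."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            decoded, rounds = canonicalize(m.group("path"))
            if escapes_docroot(decoded):
                hits.append((m.group("path"), rounds))
    return hits


SAMPLE_LOG = [  # constructed entries; 203.0.113.0/24 is documentation space
    '203.0.113.5 - - [05/Oct/2021:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Oct/2021:10:01:02 +0000] "GET /assets/.%2e/.%2e/outside.txt HTTP/1.1" 200 88',
    '203.0.113.5 - - [05/Oct/2021:10:01:03 +0000] "GET /assets/.%%32%65/.%%32%65/outside.txt HTTP/1.1" 200 88',
    '203.0.113.5 - - [05/Oct/2021:10:01:05 +0000] "GET /docs/../index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for raw, rounds in scan_log(SAMPLE_LOG):
        print(f"traversal: {raw} (decoded in {rounds} round(s))")
```

The last sample line stays inside the document root after resolution and is not reported, which keeps ordinary relative navigation out of the alert stream.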
Another Apache HTTP Server vulnerability, CVE-2021-40438, shows how great the impact can be when the vulnerability gets exploited.
CVE-2021-40438 is an SSRF vulnerability in the mod_proxy module. It allows a remote, unauthenticated attacker to make the httpd server forward requests to an arbitrary server, so the attacker could read, modify, or delete resources on other services that sit behind a firewall and would otherwise be inaccessible. The impact of this flaw varies with the services and resources reachable from the httpd host’s network.
CVE-2021-40438 affects products from Cisco, IBM (QRadar SIEM), Debian Linux, F5OS, Red Hat and more. On December 1, 2021, CISA added CVE-2021-40438 to its list of known exploited vulnerabilities.
Schemes behind the attacks
Attacks that target open-source web servers can lead to enormous threats. Once a web server vulnerability is exploited, the victim server can be taken over and used for malicious activities.
The most common activities include using victim servers to send out spam mail or launching attacks against other servers at the cost of the victim server’s memory and bandwidth. Attackers can also install a phishing website on the victim server to gain access to any data that passes through it.
However, the most popular use of compromised servers in recent years is cryptojacking: hackers exploit the vulnerability and secretly use the victim server’s computing power to mine popular cryptocurrencies. Trend Micro revealed how cyber actors exploited such vulnerabilities and abused GitHub and Netlify repositories to mine Monero.
For cybercriminals, Apache HTTP Server is always a favorite target: it serves 24.63% of the million busiest websites according to Netcraft statistics. Major web service providers such as Slack, LinkedIn, The New York Times, GrubHub, and more rely on Apache HTTP Server. For IT professionals, it is challenging to patch such a vital service without harming user satisfaction.
Furthermore, the complexity of the software supply chain nowadays exacerbates the abuse of open-source software vulnerabilities. Cyber attackers could compromise software components of third-party suppliers by inserting malicious code inconspicuously. Compared to the traditional supply chain, the software supply chain requires more layers of verification to ensure its security.
Protect your web server against potential harm
To mitigate the risk of attacks through open-source software, software composition analysis (SCA) has become an effective approach. SCA identifies and lists all the components and versions present in the code. It also checks each specific service and looks for outdated or vulnerable libraries that may pose security risks to the application. These tools can also check for legal issues arising from the use of open-source software under different licensing terms and conditions. Trend Micro published a whitepaper on how to prevent supply chain attacks in the age of cloud computing in October 2020.
Developing a risk-based approach to patch management can help organizations identify and prioritize which vulnerabilities they need to deal with now. This approach consists of:
- Continuously conducting exposure assessments to determine what CVEs – past and present – are in your environment at all times.
- Assessing the criticality of the systems that contain those CVEs.
- Conducting a continuous but simple risk assessment: weigh the likelihood that the identified CVEs are or will be exploited in the wild against the impact of those CVEs being used in an attack.
  i. Is a PoC available?
  ii. Is it being exploited in the wild?
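The three steps above reduce to a scoring rule: impact (the CVSS score) weighted by exploit likelihood (the two yes/no questions) and by the criticality of the affected system. The following is an added example, not Trend Micro’s tooling, that applies that rule to entries from Table 1; the CVSS scores come from the table, while the PoC/in-the-wild flags and asset criticalities are constructed sample inputs that deliberately vary so the effect on the ranking is visible (the article itself reports all 15 as weaponized).

```python
"""Risk-based patch prioritisation over Apache httpd CVEs from Table 1.

Added example. CVSS values are from the table; exploit-evidence flags and
asset criticality are constructed inputs for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float          # impact: CVSS v3 base score from Table 1
    poc_public: bool     # step 3.i: is a PoC available?
    in_the_wild: bool    # step 3.ii: is it being exploited in the wild?
    criticality: int     # step 2: 1 = lab/dev ... 3 = internet-facing production


def likelihood(f: Finding) -> float:
    """Map the two yes/no questions onto a likelihood weight in 0.2..1.0."""
    if f.in_the_wild:
        return 1.0
    if f.poc_public:
        return 0.6
    return 0.2


def risk_score(f: Finding) -> float:
    """Impact x likelihood x asset criticality, rounded to one decimal."""
    return round(f.cvss * likelihood(f) * f.criticality, 1)


def prioritize(findings):
    """Most urgent first; ties are broken by raw CVSS."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)


# Constructed inventory: CVSS from Table 1, flags/criticality illustrative.
# CVE-2021-40438 is the entry the article notes CISA listed as exploited.
SAMPLE = [
    Finding("CVE-2021-42013", 9.8, True, True, 3),
    Finding("CVE-2021-40438", 9.0, True, True, 2),
    Finding("CVE-2020-11984", 9.8, False, False, 3),
    Finding("CVE-2019-10098", 6.1, True, False, 1),
    Finding("CVE-2018-11763", 5.9, False, False, 3),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.cve:<16} risk={risk_score(f):>5}  cvss={f.cvss}")
```

Note how a 9.0 with in-the-wild exploitation outranks a 9.8 with no exploit evidence; that reordering, rather than patching strictly by CVSS, is what the risk-based approach buys.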
If you struggle with patch management, consider virtual patching or intrusion prevention system (IPS) technology, which can be deployed to detect and block exploits of a vulnerability and buy you time to apply the vendor’s patch properly. Trend Micro’s Zero Day Initiative bug bounty program and our vulnerability research teams help us identify new vulnerabilities and develop virtual patches for our Cloud One, TippingPoint, Apex One, and Worry-Free Services customers. In some cases, we have virtual patches out months ahead of the vendor patch.
Malicious actors will continue to exploit vulnerable applications, operating systems, and devices in their efforts to attack organizations. Improving your understanding of key applications like Apache can help you better understand where you can minimize your risk of attack.