Executive Summary

• CloudSEK’s Threat Intelligence team discovered a post, on a cybercrime forum, advertising a scanning tool for the path traversal and file disclosure vulnerability, CVE-2021-41773, in Apache HTTP Server.
• Apache HTTP Server is an open-source server for UNIX and Windows operating systems. 
• The scanning tool assists threat actors in identifying vulnerable Apache servers.
• Apache has released an advisory [1] regarding the same, along with a patch in version 2.4.50.
• Threat actors can exploit this vulnerability to poison server logs to carry out remote code execution and/ or exfiltrate sensitive data.

Analysis and Attribution

• A threat actor posted an advertisement on a cybercrime forum, offering a scanning tool that helps speed up the process of finding Apache servers vulnerable to CVE-2021-42773.
• Apache HTTP Server is one of the most widely used server software around the world. The vulnerability, tracked as CVE-2021-41773, is a path traversal and file disclosure vulnerability in Apache HTTP Server which is being exploited in the wild, as a zero-day.[2]
• The scanning tool shared by the threat actor is coded in Python programming language. The package's scripting file is dependent on a separate file that specifies the domain to be scanned, and it eventually informs the user whether the server is vulnerable or not.
• By analyzing the script file shared by the threat actor, it is evident that its main function is to automate the process of finding vulnerable Apache servers for the vulnerability CVE-2021-41773.

The Threat Actor

• The actor, who joined the forum in Dec 2019, has a medium reputation.
• Most of their activities are related to sharing/ selling accesses to online shops.
• Their previous posts and activities indicate that the actor is a coder whose preferred programming language is Python.