How to detect Apache HTTP Server Exploitation


In the two requests and responses above, we see the attacker fingerprinting vulnerable servers by running the ‘echo’ command. We observed successful exploitation attempts that led to cryptominers consuming compute on the vulnerable hosts.

CVE-2021-40438:
This CVE tracks a vulnerability in the ‘mod_proxy’ module of Apache HTTP Server (versions before 2.4.49). In this CWE-918 Server-Side Request Forgery (SSRF) attack, a malicious actor can cause the server to forward the request to an origin server of their choice.

In this attempt, we observe attackers trying to fetch Amazon Elastic Compute Cloud (EC2) instance metadata from the instance metadata service (IMDS) on the link-local IPv4 address 169.254.169.254. Had this attempt succeeded in returning the various IMDS fields (possible where IMDS usage is not restricted to IMDSv2), attackers could have enumerated the permissions of the instance’s API keys and gone on to exploit any security misconfigurations in the AWS account.
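As an added example that is not part of the original post or of any Trend Micro product, the following Python scanner flags Apache access-log requests whose target, after undoing any percent-encoding, references the IMDS address named above. It assumes the Apache "combined" log format and uses constructed sample lines; the IPv6 IMDS endpoint and the /latest/meta-data/ path are well-known IMDS values that the post itself does not mention.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format (assumed), e.g.
# 203.0.113.5 - - [10/Oct/2021:13:55:36 +0000] "GET /path HTTP/1.1" 200 512 "-" "curl/7.68.0"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Markers that a request target is aimed at the EC2 instance metadata service.
# 169.254.169.254 is the link-local address from the write-up; the IPv6 endpoint and
# the /latest/meta-data/ path are well-known IMDS values not taken from the page.
IMDS_MARKERS = ("169.254.169.254", "fd00:ec2::254", "/latest/meta-data/")


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so 169%2E254 or 169%252E254 still match."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.lower()


def parse_line(line: str):
    """Split one access-log line into fields; None if it is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_imds_probe(target: str) -> bool:
    return any(marker in fully_decode(target) for marker in IMDS_MARKERS)


def scan_access_log(lines):
    """Return (client, status, decoded target) for every request referencing IMDS.
    A 2xx status means the server actually forwarded the request: triage it first."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_imds_probe(rec["target"]):
            hits.append((rec["client"], int(rec["status"]), fully_decode(rec["target"])))
    return hits


# Constructed sample lines (not real traffic): plain, double-encoded, and benign.
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Oct/2021:09:12:01 +0000] "GET /?target=http://169.254.169.254/latest/meta-data/iam/ HTTP/1.1" 200 321 "-" "python-requests/2.25"',
    '198.51.100.7 - - [07/Oct/2021:09:12:05 +0000] "GET /?target=http://169%252E254%252E169%252E254/ HTTP/1.1" 500 0 "-" "python-requests/2.25"',
    '203.0.113.9 - - [07/Oct/2021:09:13:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]
```

Running `scan_access_log` over a real log (or feeding the same markers into your SIEM) catches any SSRF attempt at IMDS, not only this CVE; pairing it with an IMDSv2-only setting on the instances removes most of the impact even when a request gets through.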

This vulnerability in Apache HTTP Server has also recently been highlighted by the German cybersecurity authority Bundesamt für Sicherheit in der Informationstechnik (BSI) as being actively exploited in the wild.

Detection of CVEs

To detect critical flaws before they’re exploited, we use Trend Micro Cloud One™, a security services platform for cloud builders. Composed of seven services, this platform enables developers to build quickly and securely, granting security teams peace of mind that security is baked in from build time to runtime. Trend Micro Cloud One is integrated with Trend Micro Vision One™, which leverages its industry-leading XDR capabilities to collect and correlate across multiple security layers.

Think of Trend Micro Cloud One as your security camera system, and Trend Micro Vision One is the security app on your phone. Although you have multiple cameras, the app consolidates all your notifications and streams into one feed, making it easier to see your total security picture. Similarly, Trend Micro Cloud One services scan files, images, containers, and even open source code in your cloud environment of choice, and Trend Micro Vision One ties everything together in one straightforward dashboard. You can even choose how your team
