The following blog is a continuation of our previous Source Zero blog, which outlined the Optiv Global Threat Intelligence Center’s (gTIC) Prioritized Software and Services List. The List provides a high-level introduction on frequently exploited software, services, and protocols and associated MITRE¹ ATT&CK Tactic mappings. The intent of researching, identifying, and prioritizing potentially high-risk (based off attractiveness for, and frequency of, targeting by adversaries) products is to supplement and support enterprise risk management, incident response preparedness, intelligence collection, and threat research. These subsequent follow-up reports will go into more details regarding adversaries, vulnerabilities, techniques, and real-world incidents (where applicable) pertaining to many of the software and services outlined in the original report.

This Part Two edition will cover exploitation trends and vulnerabilities in popular Apache frameworks to support the gTIC’s inclusion of Apache products on our Prioritized Software and Services List.

Apache Frameworks and MITRE Technique Mapping

Optiv’s gTIC has identified and categorized Apache and its various frameworks and servers as Critical Enterprise Software. As described in our initial Prioritized Software and Services List blog, products and software that fall under the category of Critical Enterprise Software are considered essential to business processes and continuity. These products enable internal and external system communications; web and application servers; and file and data hosting, management, storage, and sharing. Adversaries target these types of software and products for various actions, including accessing and exfiltrating data, gaining initial entry with malware, scanning and exploiting insecure web-facing instances, installing backdoors and web shells for Persistence, enumerating user credentials and privileges, and mapping out other parts of the network.

The Apache Corporation has developed multiple products and frameworks for web applications and web servers. For this blog series, Optiv’s gTIC focused on a handful of Apache products that are consistently interrogated and exploited by adversaries. The elevated risk profile of organizations running these products are based off the ubiquity of the products, as well as the severity and notoriety of known vulnerabilities and real-world compromises. Optiv’s gTIC focuses its intelligence gathering and analysis on Apache products that include Tomcat, Struts, Solr, and HTTP Server. While all these products have a strong presence in corporate environments globally, some are more frequently reported on. Independent of report frequency, if your organization owns or uses any of these products, prioritize accordingly.

Reports and observations show that adversaries leverage Apache products and frameworks to navigate across nearly all Tactics mapped to the MITRE ATT&CK framework. Specific MITRE ATT&CK Techniques for each of the observed Tactics include the following:

TA0042 - Resource Development
T1584 - Compromise Infrastructure: Apache web servers can be infected with host cryptocurrency miners and botnet malware like XMRig, BuleHero, PerlBot, and Sysrv Botnet to expand and grow adversary cryptocurrency mining resources and botnet ‘zombie’ networks, which can later be used for other campaigns like distributed denial of service (DDoS) or mass brute-forcing attacks.

TA0001 - Initial Access
T1190 – Exploit Public-Facing Application: Vulnerable internet-facing instances of Apache products like Struts, Solr, and HTTP Server are exploited to allow threat actors to intrude and drop payloads or carry out other Techniques and procedures. Based on log activity data and a number of high-profile incidents, adversaries are known to target Apache vulnerabilities in Struts (CVE-2017-5638) and HTTP Server (CVE-2018-11776).

TA0003 – Persistence
T1053 – Scheduled Task/Job: Exploitation of webservers powered by Apache have resulted in adversaries running cron jobs, like the CroniX cryptocurrency miner operators, to periodically check connections and extract data on a scheduled basis.

T1505 – Server Software Component: Webshells and cryptocurrency mining software like Bulehero, CNRig, PerlBot, and Sysrv Botnet are known to be installed onto Struts and Solr instances.

TA0004 - Privilege Escalation
T1078 – Valid Accounts: Insecure user credentials stored on Apache systems can be leveraged to run scripts as authorized users or to access other web applications or sites with higher privileges.

T1068 – Exploitation for Privilege Escalation: CVE-2019-0211, a high severity vulnerability (CVSSv3 Score 7.8) in multiple versions of Apache HTTP Server, would allow an attacker with local access to modify old worker processes to change bucket index values to point to shared memory, which could result in root-level access to the server. This vulnerability existed in Apache HTTP Server for four (4) years before being discovered and reported.

TA0007 – Discovery
T1046 – Network Service Discovery: During an incident response engagement, Optiv consultants observed an adversary identifying and attempting to exploit virtualization software/environments after successfully gaining access via Apache Tomcat.

TA0009 – Collection
T1005 – Data from Local System: Germany’s Federal Office for Information Security (BSI) reported that exploitation of a server-side request forgery (SSRF) vulnerability in Apache HTTP allowed an attacker to obtain hash values of user credentials from the compromised system/server.

TA0010 - Exfiltration
T1041 – Exfiltration Over C2 Channel: Multiple webshells were installed on a webserver after exploitation of Apache Struts against Equifax in 2017, resulting in exfiltration and transfer of sensitive customer data.

TA0011 - Command and Control
T1071 – Application Layer Protocol: Botnet and cryptocurrency malware are installed onto Apache servers, which then communicate with the malware operators via HTTP for follow-up commands.

TA0040 - Impact
T1486 – Data Encrypted for Impact: Cerber Ransomware campaigns previously leveraged exploitation of Apache Struts for Initial Access to discover other systems and move laterally before executing the encrypting payload.

Vulnerabilities and Threats

Vulnerabilities in Apache products are known to be interrogated by adversaries to accomplish numerous objectives, including delivering various types of payloads and implants like cryptocurrency miners, webshells, and ransomware, as well as to establish a foothold for botnets. The most well-known example involving the compromise of an Apache product was the breach of Equifax in 2017, during which a vulnerability in Apache Struts was exploited for Initial Access and resulted in Exfiltration of sensitive customer data. Exploitation of older (2+ years) vulnerabilities, a key standing assessment of Optiv’s gTIC, is also evident with Apache systems and products. As recently as mid-2022, attempted exploitation of an older remote code execution (RCE) vulnerability in Apache Struts, CVE-2018-11776, was among the top vulnerabilities targeted according to an industry peer’s telemetry data. In addition to direct targeting of Apache products to compromise the confidentiality, integrity, and availability of data and assets, the secondary effects of successful exploitation of Apache products include the compromise of other vendor products and services.

Examples of secondary (supply-chain) effects of Apache vulnerabilities and compromises include an October 2021 alert from Atlassian, which reported that CVE-2021-42340, a denial of service (DoS) vulnerability in Apache Tomcat, posed a potential risk to multiple versions of its Jira product line. In April 2022, network-access storage (NAS) device maker, QNAP, which relies on Apache HTTP, reported its devices were impacted by two RCE vulnerabilities in Apache HTTP, CVE-2022-22721 and CVE-2022-23943. CVE-2021-40438, a server-side request forgery (SSRF) vulnerability in Apache HTTP, triggered a notification by Cisco that multiple network management and application products were impacted. Additionally, in early 2022, Optiv’s Enterprise Incident Management (EIM) team responded to a cybersecurity incident at a Financials company, during which attackers exploited an Apache Tomcat instance that allowed them to discover and attempt to compromise the victim's VMware Horizon webserver. This highlights the risk of successful compromised of Apache products to enable Lateral Movement and the Discovery of other vulnerable or critical assets within a targeted organization.

Aside from inherent vulnerabilities in Apache products, specific (mis)configurations, settings, or conditions are also required to render an Apache instance vulnerable to exploitation. For example, critical vulnerabilities in Apache HTTP Server, including CVE-2021-44790, CVE-2022-22721, and CVE-2021-41773 (which included RCE components), were the result of certain configurations or security settings that were disabled by default to allow for exploitation. Apache Tomcat's CVE-2020-1938 (aka: Ghostcat) was also the result of a default setting that was enabled and shipped out with several versions of Tomcat that allowed arbitrary file upload and RCE.

The following link chart shows the gTIC’s prioritized Apache frameworks and products mapped to various malware, adversaries, and popular vulnerabilities that are assessed to pose a high risk to organizations or that are known to be exploited by cyber adversaries over the last 24 months. The graphic also shows how some adversary and malware activity overlaps across multiple Apache products.

Image

Appendix

References

¹MITRE ATT&CK^® is a globally accessible knowledge base of adversary Tactics and Techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. More information about MITRE ATT&CK^® can be found at attack.mitre.org. All information about MITRE ATT&CK belongs to The MITRE Corporation subject to the following copyright: ^©2021 The MITRE Corporation. MITRE ATT&CK^® is licensed under the Terms of Use located at https://attack.mitre.org/resources/terms-of-use/".

Link charts and graphs in this report were created by Optiv gTIC leveraging the ThreatQuotient^® Investigations platform.

Cisco, ‘Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021’, 2021, https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ

Fidelis Cybersecurity, ‘Monthly TRT Report Threat Intelligence Summary’, 2022, https://fidelissecurity.com/wp-content/uploads/2022/08/Threat-Intelligence-Summary_F_July_2022.pdf

Fisher, Dennis, ‘Apache Patches Serious Privilege Escalation Flaw’, 2019, https://duo.com/decipher/apache-patches-serious-privilege-escalation-flaw

Jira, ‘Jira is affected by Tomcat CVE-2021-42340 - Denial of service via an OutOfMemoryError’, 2021, https://jira.atlassian.com/browse/JRASERVER-72914

National Vulnerability Database, ‘CVE-2021-42013 Detail’, 2021, https://nvd.nist.gov/vuln/detail/CVE-2021-42013

Paganini, Pierluigi, ‘Experts warn of attacks exploiting CVE-2021-40438 flaw in Apache HTTP Server’, 2021, https://securityaffairs.co/125107/hacking/cve-2021-40438-apache-http-server-attacks.html

QNAP, ‘Multiple Vulnerabilities in Apache HTTP Server’, 2022, https://www.qnap.com/en/security-advisory/QSA-22-11

Sophos, ‘Apache’s other product: Critical bugs in ‘httpd’ web server, patch now!’, 2021, https://nakedsecurity.sophos.com/2021/12/21/apaches-other-product-critical-bugs-in-httpd-web-server-patch-now/

Vaughan-Nicols, Steven, ‘There’s a Nasty Security Hole in the Apache Webserver’, 2022, https://thenewstack.io/theres-a-nasty-security-hole-in-the-apache-webserver/

Analytical Comments, Statements, and Best Practices

Most Likely Course of Action (MLCOA) – the expected and probable tactics, techniques, and actions carried out by a threat actor. COA statements are well established and accepted in estimative and predictive intelligence assessments.

Most Dangerous Course of Action (MDCOA) – tactics, techniques, or actions carried out or taken by an adversary that result in a worst-case scenario outcome or impact, regardless of probability. COA statements are well established and accepted in estimative and predictive intelligence assessments.

Words of Estimated Probability – Optiv EIM Intelligence employs the use of both probability statements for likelihood of events or actions and confidence levels for analytic assessments and judgements. Probability statements and confidence statements are inherently subjective; however, Optiv EIM Intelligence leverages professional experience and intelligence fundamentals to deliver reasonable and relevant statements and assessments. Probability statements and the degree of likelihood of an assessed event/incident are modeled after the Intelligence Community Directive (ICD) 203: Analytic Standards, published by the United States’ Office of the Director of National Intelligence (ODNI), and are as follows:

Confidence statements, as defined by Optiv EIM Intelligence, apply to reliability and relevance of information reported and are as follows:

Per ICD 203 standards, confidence-level statements are not combined with probability and degree of likelihood terms proposed in the above chart.