Cyber Attackers Leverage Apache HTTP Server Vulnerability to Install Linuxsys Cryptocurrency Miner

July 17, 2025
Cryptocurrency / Security Threats

Recent findings by cybersecurity experts reveal a new campaign that targets a known vulnerability in the Apache HTTP Server to deploy a cryptocurrency miner named Linuxsys. This vulnerability, identified as CVE-2021-41773, carries a high severity rating (CVSS score: 7.5) and involves a path traversal issue in Apache HTTP Server version 2.4.49, which allows for remote code execution. According to Jacob Baines from VulnCheck, “Attackers exploit compromised legitimate websites to disseminate malware, facilitating hidden delivery and evasion of detection.” The infection process, traced back to an Indonesian IP address (103.193.177[.]152), aims to transfer a subsequent payload from “repositorylinux[.]org” using tools like curl or wget. This payload, a shell script, is tasked with downloading the Linuxsys cryptocurrency miner from five separate legitimate sites, indicating that the threat actors…

Hackers Target Apache HTTP Server Vulnerability to Deploy Linuxsys Cryptocurrency Miner

On July 17, 2025, cybersecurity experts reported a dangerous campaign exploiting a vulnerability in the Apache HTTP Server, enabling attackers to deploy a cryptocurrency miner known as Linuxsys. This specific flaw, identified as CVE-2021-41773, carries a high severity rating (CVSS score: 7.5) and affects Apache HTTP Server version 2.4.49. The path traversal vulnerability can lead to remote code execution, allowing malicious actors to execute commands on compromised systems.

The attack leverages compromised legitimate websites for malware distribution, a technique that enhances the stealthiness of the delivery method and aids in evading detection. Jacob Baines from VulnCheck highlighted this strategy in a recent report shared with The Hacker News. The observed infection sequence, traced back to an Indonesian IP address, specifically 103.193.177[.]152, indicates a coordinated effort to distribute the malicious payload.

Upon successful exploitation, the attackers use tools like curl or wget to fetch a next-stage payload from “repositorylinux[.]org.” This payload is essentially a shell script, which is programmed to download the Linuxsys cryptocurrency miner from several legitimate websites. This multifaceted approach suggests a mature level of organization and strategic planning behind the campaign.

Business owners must be acutely aware of the risks associated with such vulnerabilities. Compromised systems can not only lead to financial loss but can also erode consumer trust and damage brand credibility. The tactics employed in this attack align with several categories outlined in the MITRE ATT&CK framework. The methods used likely include initial access and execution, where attackers gain entry through exploiting the vulnerability and subsequently execute payloads to establish persistence within the affected environment.

In addition, tactics such as privilege escalation may have been utilized to gain enhanced access within the compromised machines, facilitating the deployment of the Linuxsys miner. The reliance on trusted web resources for malware delivery underscores the importance of comprehensive web security protocols for organizations.

As the cybersecurity landscape continues to evolve, it is essential for business owners to stay informed about emerging threats and vulnerabilities. Proactive measures, including regular software updates and vulnerability assessments, can be critical in safeguarding systems against such malicious campaigns. Awareness of potential tactics, as laid out in frameworks like MITRE ATT&CK, will enable organizations to bolster their defenses and mitigate risks effectively.

Source link

Related Posts

Severe Flaw in NVIDIA Container Toolkit Enables Privilege Escalation in AI Cloud Services

On July 18, 2025, cybersecurity experts revealed a critical vulnerability in the NVIDIA Container Toolkit that threatens AI cloud services. Identified as CVE-2025-23266, this flaw has a CVSS score of 9.0 out of 10.0 and has been dubbed “NVIDIAScape” by Wiz, a cloud security firm owned by Google. According to NVIDIA’s advisory, the vulnerability arises from issues in the initialization hooks of the container, allowing attackers to execute arbitrary code with elevated permissions. Successful exploitation could lead to privilege escalation, data tampering, information leakage, and denial-of-service attacks. This vulnerability affects all versions of the NVIDIA Container Toolkit up to 1.17.7 and the NVIDIA GPU Operator up to 25.3.0, with patches included in versions 1.17.8 and 25.3.1.

Exploitation of Ivanti Vulnerabilities Leads to MDifyLoader Deployment and In-Memory Cobalt Strike Attacks

Cybersecurity researchers have revealed new insights into MDifyLoader, a malware recently linked to cyber attacks exploiting security weaknesses in Ivanti Connect Secure (ICS) appliances. A report from JPCERT/CC highlights that threat actors have exploited vulnerabilities CVE-2025-0282 and CVE-2025-22457 between December 2024 and July 2025 to deploy MDifyLoader, which is then utilized to initiate in-memory Cobalt Strike operations. CVE-2025-0282 is a critical vulnerability allowing unauthenticated remote code execution, addressed by Ivanti in January 2025. Meanwhile, CVE-2025-22457, patched in February 2025, involves a stack-based buffer overflow potentially enabling arbitrary code execution. Previous findings indicate that CVE-2025-0282 was actively weaponized in the wild as a zero-day beginning in mid-December 2024, facilitating the delivery of various malware families.

Hackers Target Critical CrushFTP Vulnerability to Gain Administrative Access on Unpatched Servers

July 20, 2025
Vulnerability / Threat Intelligence

A recently identified critical vulnerability in CrushFTP is now being actively exploited. Designated CVE-2025-54309, this flaw has a CVSS score of 9.0. According to the NIST National Vulnerability Database, “CrushFTP versions 10 prior to 10.8.5 and 11 prior to 11.3.4_23, when the DMZ proxy feature is not in use, improperly handles AS2 validation, enabling remote attackers to gain admin access via HTTPS.” CrushFTP reported detecting the first zero-day exploitation of this vulnerability on July 18, 2025, at 9 a.m. CST, although they noted that it might have been weaponized earlier. The company explained, “The attack vector utilized HTTP(S) to exploit the server. While we had addressed a separate AS2-related issue in HTTP(S), we did not realize that a previous bug could be exploited in this manner. It seems hackers observed our code changes and took advantage of them.”

Severe Unpatched SharePoint Zero-Day Under Active Exploitation, Compromises Over 75 Company Servers

July 20, 2025
Zero-Day / Vulnerability

A serious security flaw in Microsoft SharePoint Server has been weaponized in an ongoing, large-scale exploitation campaign. The zero-day vulnerability, identified as CVE-2025-53770 (CVSS score: 9.8), is a variant of CVE-2025-49704 (CVSS score: 8.8), which was addressed by Microsoft in their July 2025 Patch Tuesday updates. Microsoft explained that “deserialization of untrusted data in on-premises Microsoft SharePoint Server enables unauthorized attackers to execute code over a network,” as detailed in an advisory released on July 19, 2025. The company is actively preparing a comprehensive update to mitigate this issue. Viettel Cyber Security is credited with discovering and reporting the flaw through Trend Micro’s Zero Day Initiative (ZDI). Additionally, Microsoft has acknowledged awareness of ongoing attacks related to this vulnerability.