
An active cyberattack campaign is exploiting a vulnerability in the Apache HTTP Server to deploy a cryptocurrency mining malware known as “Linuxsys.” Leveraging CVE-2021-41773, a flaw that affects only Apache HTTP Server 2.4.49 and was fixed in 2021, attackers are compromising servers that were never updated and covertly mining cryptocurrency on them. That such an old bug still yields victims long after a fix was available highlights the risk of leaving open-source software unpatched.

Technical Details

The campaign centers on CVE-2021-41773, a path traversal vulnerability in Apache HTTP Server version 2.4.49 (and only that version). The bug lies in how httpd normalizes URL paths: a dot encoded as %2e next to a literal dot (the “.%2e/” token) is not collapsed the way a plain “../” is, so a crafted request can map to a file outside the document root. Exploitation requires that the target files are not protected by a “require all denied” directive; on servers where mod_cgi is also enabled, the same traversal can reach an interpreter such as /bin/sh, the request body is fed to it, and the result is full remote code execution. The fix that shipped in 2.4.50 was incomplete (CVE-2021-42013, a double-encoding bypass using %%32%65 in place of %2e), so the safe version is 2.4.51 or later.
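The following is an added example, not code from the original article or from any report on this campaign. It shows the normalization flaw from the defender's side: a small Python detector that parses Apache combined-format access-log lines and flags requests carrying the encoded-dot traversal token, distinguishing the single-encoded CVE-2021-41773 form from the double-encoded CVE-2021-42013 bypass, resolving the path the vulnerable server would have mapped the request to, and separating file-read attempts from the mod_cgi remote-code-execution variant. The log lines are constructed for the example (documentation IP ranges, made-up timestamps and user agents), and the layout of the findings dictionary is an assumption of this example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format. They are made up for
# this example; the addresses are documentation ranges, not real attackers.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jul/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Jul/2025:10:01:05 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1802 "-" "curl/7.68.0"
203.0.113.9 - - [18/Jul/2025:10:01:07 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 312 "-" "curl/7.68.0"
198.51.100.4 - - [18/Jul/2025:10:02:11 +0000] "GET /icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1802 "-" "python-requests/2.25.1"
198.51.100.7 - - [18/Jul/2025:10:03:00 +0000] "GET /docs/../index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format (assumed layout: no vhost prefix).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# An encoded dot next to another dot (".%2e", "%2e.", "%2e%2e") is the token the
# 2.4.49 normaliser failed to collapse. A literal "../" is handled correctly by
# httpd and is not, by itself, evidence of CVE-2021-41773.
ENCODED_DOTDOT = re.compile(r'\.%2e|%2e\.|%2e%2e', re.IGNORECASE)


def classify_path(raw_path):
    """Return (cve, resolved_target) for a traversal attempt, or None if benign."""
    path_only = raw_path.split('?', 1)[0]
    once = unquote(path_only)           # one decode, as a correct server performs
    if ENCODED_DOTDOT.search(path_only):
        cve = 'CVE-2021-41773'          # traversal visible in the raw request
    elif ENCODED_DOTDOT.search(once):
        cve = 'CVE-2021-42013'          # only appears after a second decode (%%32%65)
    else:
        return None
    # Decode fully and collapse the dots to see where the vulnerable server mapped it.
    resolved = posixpath.normpath(unquote(once))
    return cve, resolved


def scan_log(text):
    """Run the classifier over every log line and describe each traversal attempt."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_path(m['path'])
        if hit is None:
            continue
        cve, target = hit
        # A POST through /cgi-bin/ that lands on a system binary is the mod_cgi RCE
        # variant: the request body becomes the interpreter's stdin.
        rce = (m['method'] == 'POST'
               and m['path'].lower().startswith('/cgi-bin/')
               and target.startswith(('/bin/', '/usr/bin/')))
        findings.append({
            'ip': m['ip'],
            'cve': cve,
            'target': target,
            'kind': 'rce' if rce else 'file-read',
            'served': m['status'] == '200',   # 200 on a traversal means it likely worked
            'ua': m['ua'],
        })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['cve']}  {f['kind']:9} -> {f['target']}  served={f['served']}")
```

Run as-is it prints three findings: two file reads of /etc/passwd (one per CVE) and one POST to /bin/sh via /cgi-bin/, and it ignores both the ordinary request and the literal “../” line, which httpd normalizes correctly. A 200 status on any of these lines is the signal worth paging on; the same two regexes can be lifted into a WAF or SIEM rule.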

In these attacks, the threat actors first compromise legitimate websites and use them as distribution points for malicious shell scripts. After exploiting the Apache flaw, they fetch a script with a standard utility such as curl or wget and execute it; the script in turn installs the Linuxsys cryptocurrency miner. The miner binary itself is often hosted across several previously compromised, otherwise legitimate websites, which keeps the download traffic looking ordinary, lowers the chance that any single host is blocklisted, and complicates forensic investigation because the staging infrastructure belongs to uninvolved third parties.

A further layer of cover comes from the fact that these distribution sites present valid TLS certificates, as any legitimate site would. The script and miner downloads therefore travel over ordinary HTTPS to domains with good reputation, so certificate-validation checks and reputation-based filtering do not flag them, and network defenders cannot inspect the payload without TLS interception. A valid certificate only proves control of the domain; it says nothing about whether the content served is malicious.

Impact

Once deployed, the Linuxsys miner hijacks CPU resources on the compromised server to mine cryptocurrency, which can cause severe slowdowns, degraded performance of the hosted applications, and higher operational costs for the affected organization. Attackers also typically establish persistence mechanisms so that the miner survives reboots and simple process kills and the mining continues over time. Remediation therefore means more than deleting the miner binary: the server should be upgraded to Apache HTTP Server 2.4.51 or later (and mod_cgi disabled where it is not needed), any persistence mechanisms should be identified and removed, and a host that was exposed to the remote-code-execution variant should be treated as fully compromised and rebuilt.
