How to detect Apache HTTP Server Exploitation

Trend Micro -

In the two requests and responses above, the attacker fingerprints vulnerable servers by running the ‘echo’ command. We observed successful exploitation attempts that led to cryptominers consuming compute on the vulnerable hosts.

CVE-2021-40438:
This CVE tracks a Server-Side Request Forgery (SSRF, CWE-918) vulnerability in the ‘mod_proxy’ module of Apache HTTP Server (versions before 2.4.49). A crafted request can make mod_proxy forward the request to an origin server of the attacker's choosing.

In this attempt, the attackers try to fetch Amazon Elastic Compute Cloud (EC2) instance metadata from the Instance Metadata Service (IMDS) at the link-local IPv4 address 169.254.169.254. Had the request succeeded (it fails when the instance requires IMDSv2, whose session-token handshake a plain forwarded GET cannot complete), the attackers could have read the instance's temporary credentials, enumerated the permissions attached to them, and gone on to exploit any security misconfigurations in the AWS account.
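The pattern described above, a request target that carries a second, absolute URL pointing at the link-local metadata address, is easy to hunt for in Apache access logs. The following is an added example, not code from the Trend Micro post: it parses constructed combined-format log lines, percent-decodes the request target, and flags any embedded URL whose host is the IMDS address or another link-local address. The log line layout, the sample requests, and the IPv6 metadata endpoint fd00:ec2::254 are assumptions for the example; the sample requests are generic SSRF shapes, not the specific CVE-2021-40438 trigger.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Apache "combined"/"common" access-log line (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# An absolute URL appearing *inside* the request target (path or query).
# A normal target is a single path; a scheme://host further in means the
# client is asking the server to reach somewhere else (the SSRF shape).
EMBEDDED_URL_RE = re.compile(
    r'(?i)(?:https?|ftp)://(?P<host>\[[^\]]+\]|[^/:?#\s|]+)'
)

# Where a cloud-hosted SSRF is usually pointed: the EC2 IMDS address (IPv4 from
# the post; the IPv6 endpoint is an assumption added here) and the rest of the
# link-local range.
IMDS_HOSTS = {"169.254.169.254", "fd00:ec2::254"}
LINK_LOCAL = ip_network("169.254.0.0/16")


def embedded_hosts(target):
    """Return the hosts of absolute URLs embedded in a request target.

    The target is percent-decoded twice so a double-encoded '://' is still seen.
    """
    decoded = unquote(unquote(target))
    return [m.group("host").strip("[]") for m in EMBEDDED_URL_RE.finditer(decoded)]


def is_metadata_host(host):
    """True if host is the IMDS address or any other link-local IPv4 address."""
    if host in IMDS_HOSTS:
        return True
    try:
        return ip_address(host) in LINK_LOCAL
    except ValueError:
        return False  # DNS names are not resolved or flagged here


def classify(target):
    """Verdict for one request target, or None if nothing is embedded."""
    hosts = embedded_hosts(target)
    if not hosts:
        return None
    if any(is_metadata_host(h) for h in hosts):
        return "ssrf-imds"      # aimed at instance metadata: highest priority
    return "ssrf-probe"         # aimed elsewhere: still worth a look


def scan_access_log(lines):
    """Parse access-log lines and return findings for SSRF-shaped requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        verdict = classify(m.group("target"))
        if verdict:
            findings.append({
                "client": m.group("client"),
                "status": int(m.group("status")),   # 200 means the proxying worked
                "target": m.group("target"),
                "verdict": verdict,
            })
    return findings


# Constructed sample lines; IP addresses are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:08:14:57 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '203.0.113.5 - - [10/Dec/2021:08:15:02 +0000] '
    '"GET /?u=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Dec/2021:08:15:09 +0000] '
    '"GET /?target=http://169.254.169.254:80/latest/meta-data/iam/security-credentials/ HTTP/1.1" 403 199',
    '203.0.113.5 - - [10/Dec/2021:08:15:15 +0000] "GET /?u=http://callback.example/x HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['verdict']:<10} {f['client']:<14} {f['status']} {f['target']}")
```

A hit with a 2xx status on the IMDS path is the case the post describes: the proxying worked and the metadata response went back to the attacker, so the instance's IAM credentials should be treated as exposed. A 4xx on the same path is still an attempt worth correlating with the client address across the rest of the log.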

This vulnerability in Apache HTTP Server has also recently been highlighted by the German cybersecurity authority Bundesamt für Sicherheit in der Informationstechnik (BSI) as being actively exploited in the wild.

Detection of CVEs

To detect critical flaws before they are exploited, we use Trend Micro Cloud One™, a security services platform for cloud

Read More: https://www.trendmicro.com/en_us/devops/21/l/how-to-detect-apache-http-server-exploitation.html