T9-24-02-M-NE-CLH
Apache2 HTTP Path Traversal RCE + Cl0p Ransomware
This attack is a combination of T3-24–02–S–N–CL and T4-24-02-S-E-M, and two logs are collected: a pcap capture and an event log (xml).
1. The target runs a vulnerable Apache HTTP Server version with the mod_cgi or mod_cgid module enabled.
2. The attacker uses a relative path under /cgi-bin to reach a shell binary; to bypass the earlier patch, the "." in the traversal sequence is URL-encoded twice.
3. The Cl0p ransomware is downloaded and executed through the resulting remote command execution.
4. The Cl0p ransomware encrypts internal files on the victim.
CVE-2021-42013, caused by an incomplete patch for CVE-2021-41773, allows an attacker to send remote commands that download and execute the ransomware and encrypt internal files.
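The following is an added detection example, not part of the dataset or its run.py; it shows how a defender can recognise the double-encoded traversal described above in Apache access logs. It percent-decodes each request path twice and reports at which decoding round a ".." segment first appears, which distinguishes the CVE-2021-41773 single-encoding pattern from the CVE-2021-42013 double-encoding pattern, and flags hits under /cgi-bin/ because that is where a traversal turns into command execution when mod_cgi/mod_cgid is enabled. The log lines, timestamps and the combined-log regular expression are constructed for this example; only the IP addresses are taken from the page.

```python
import re
from urllib.parse import unquote

# Minimal parser for the Apache "combined" log format (constructed for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: one benign request, one single-encoded traversal
# (CVE-2021-41773 style) and one double-encoded traversal (CVE-2021-42013 style).
SAMPLE_LOG = [
    '192.168.56.1 - - [15/Feb/2024:10:00:01 +0900] "GET /index.html HTTP/1.1" 200 1234',
    '192.168.56.1 - - [15/Feb/2024:10:00:05 +0900] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199',
    '192.168.56.1 - - [15/Feb/2024:10:00:09 +0900] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 512',
]


def decode_rounds(path, rounds=2):
    """Percent-decode `path` repeatedly and return the result after each round.

    unquote() leaves malformed escapes such as '%%3' untouched, so '.%%32%65'
    becomes '.%2e' after one round and '..' after two, exactly the bypass that
    the second patch had to close.
    """
    results = []
    current = path
    for _ in range(rounds):
        current = unquote(current)
        results.append(current)
    return results


def has_traversal(path):
    """True if any '/'-separated segment of `path` is a literal '..'."""
    return any(segment == ".." for segment in path.split("/"))


def classify_request(path):
    """Return None for a benign path, otherwise a short reason string."""
    if has_traversal(path):
        return "literal dot-dot segment"
    once, twice = decode_rounds(path, rounds=2)
    if has_traversal(once):
        return "traversal after one percent-decode (CVE-2021-41773 style)"
    if has_traversal(twice):
        return "traversal after two percent-decodes (CVE-2021-42013 style)"
    return None


def scan_log(lines):
    """Parse each access-log line and collect requests that look like traversal."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not match the combined format
        reason = classify_request(match["path"])
        if reason is None:
            continue
        findings.append({
            "ip": match["ip"],
            "method": match["method"],
            "status": int(match["status"]),
            "path": match["path"],
            "reason": reason,
            # A traversal that starts under /cgi-bin/ can reach a shell binary
            # and become remote command execution when mod_cgi/mod_cgid is on.
            "cgi_bin": match["path"].lower().startswith("/cgi-bin/"),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        severity = "RCE-risk" if finding["cgi_bin"] else "traversal"
        print(f"[{severity}] {finding['ip']} {finding['method']} {finding['path']} "
              f"-> {finding['reason']} (status {finding['status']})")
```

The decoding-round check matters more than any fixed signature string: a request that only becomes a traversal after the second decode is exactly what the CVE-2021-41773 fix in 2.4.50 missed, and a 200 status on such a request under /cgi-bin/ is the strongest indicator in the log that the download-and-execute step succeeded. The upstream fix for CVE-2021-42013 is Apache HTTP Server 2.4.51.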
          OS            IP              Software
Attacker  Windows 11    192.168.56.1    -
Victim    Ubuntu 22.04  192.168.56.107  Apache 2.4.50

Log collection time: 25 sec
Program runtime: 100 sec
Installing
python3 -m pip install -r requirements.txt
Using
python3 run.py
MITRE ATT&CK Framework
Attack Tactic
Reconnaissance
Resource Development
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Logs
./log/2024_02_T9_{time}.pcap # YYmmdd_HHMMSS
./log/2024_02_T9_{time}.xml # YYmmdd_HHMMSS
References
[1] NIST - CVE-2021-42013
[2] Apache HTTP Server - CVE-2021-41773 / CVE-2021-42013 (Apache HTTP Server)
[3] GitHub - Walnut Security Services Pvt. Ltd - CVE-2021-42013
[4] CYBERONE - Apache HTTP Server Security Update Advisory
[5] WINS - [CVE-2021-42013] Apache Directory Traversal
[6] Kaspersky - What is cl0p ransomware?
[7] VirusTotal - 09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef
[8] CTX - 09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef
[9] MalwareBazaar - 09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef
[10] Cl0p - Cl0p Ransomware: Active Threat Plaguing Businesses Worldwide
Copyright (C) 2024, KAIST Cyber Security Research Center. All Rights Reserved.