Cyber criminals are selling hundreds of thousands of stolen certificates with the help of a cracked version Acunetixpowerful scanner for commercial web applications, new research finds. The compromised software is being resold as a cloud-based attack tool by at least two different services, one of which KrebsOnSecurity has been traced to a Turkey-based information technology company.
Araneida Scanner.
Cyber threat analysts at Shut up Pusha said they recently received reports from a partner organization that identified a malicious scanning attempt on their website using an Internet address previously associated with the operation of FIN7, a notorious hacking group based in Russia.
But upon closer inspection they found the address had an HTML header of “Araneida Customer Panel,” and found that they could search through that text string to find dozens of unique addresses hosting the same service.
It soon became clear that Araneida was being resold as a cloud-based service using a cracked version of Acunetix, allowing paying customers to perform invasive investigations on potentially targeted websites, scrape user data, and detect exploits.
Silent Push has also learned that Araneida bundles its service with a strong proxy offering, so that customer scans appear to come from randomly selected Internet addresses from a large pool of referral traffic.
Makers of Acunetix, a Texas-based application security vendor Invicti Securityconfirmed Silent Push’s findings, saying that someone figured out how to hack a free trial version of the software to work without a valid license key.
“We have been playing cat and mouse with these boys for a while,” he said Matt Sciberraschief information security officer at Invicti.
Silent Push said that Araneida is advertised by an anonymous user on many cyber crime forums. The service’s Telegram channel boasts nearly 500 subscribers and explains how the tool is being used for malicious purposes.
In a “Fun Facts” column posted to the station in late September, Araneida said their service was used to take down more than 30,000 websites in just six months, and that one customer used it to buy a Porsche with credit card data (“dumps”) they were selling.
Araneida Scanner’s Telegram channel boasts of how customers are using the cyber crime service.
“They are always bragging to their community about the crimes that are being committed, how they make money for criminals,” he said. Zach Edwardssenior threat researcher at Silent Push. “They also sell bulk data and dumps that appear to have been obtained through this tool or because of vulnerabilities found with the tool.”
Silent Push also found a cracked version of Acunetix powering at least 20 times the same cloud-based vulnerability assessment service that caters to Mandarin speakers, but they couldn’t find any sales threads related to them on the dark web.
Rumors of a cracked version of Acunetix being used by attackers appeared in June 2023 on Twitter/X, when researchers first linked the scanning activity observed with Araneida.
According to the August 2023 report (PDF) from US Department of Health and Human Services (HHS), Acunetix (possibly a cracked version) is among several tools used by APT 41, a powerful hacking group sponsored by the Chinese government.
TURKISH CONNECTION
Silent Push notes that the website where Araneida is sold – araneida[.]co – was first found online in February 2023. But a review of this Araneida alias in cybercrime forums shows that they have been active in the hacking scene since at least 2018.
A search on the Intel 471 threat intelligence site shows a user named Araneida has promoted the scanner to two cybercrime sites since 2022, including It has been violated again It is nulled. In 2022, Araneida told other Breached members that they could be reached on Discord under the username “Ornie#9811.”
According to Intel 471, this same Discord account was advertised in 2019 by someone on a cybercrime forum. It is cracked who uses monikers”ORN” and “or0.” The user “ori0n” mentioned in several posts can be reached on Telegram under the username “@sirorny.”
Orn advertising Araneida Scanner on Feb. 2023 on the Cracked forum. Photo: Ke-la.com.
The Sirorny Telegram ID was also mentioned as a contact point for a current user on the cybercrime forum Nulled who sells website development services, and refers to araneida.[.]co as one of their projects. That user, “Exorn,” has posts from August 2018.
In early 2020, Exorn developed a website called “orndorks[.]com,” which they described as a web-based automated vulnerability scanning service. A DNS lookup performed on this domain in DomainTools shows that its email records point to the address [email protected].
Constella Intelligence, a company that tracks information exposed in data breaches, discovers that this email address was used to register an account on Grounds for violations in July 2024 under the alias “Ornie.” Constella also receives the same email registered to the website netguard[.]codes in 2021 using the password “punish2003” [full disclosure: Constella is currently an advertiser on KrebsOnSecurity].
A search of ceza2003’s password on Constella turns up about a dozen email addresses he used in the disclosed data breach, most of which have some variation of the name “altugsara,” including [email protected]. Constella also discovered that [email protected] was used to create an account in a cyber crime community RaidForums under username “or0,” at an internet address in Istanbul.
According to DomainTools, [email protected] was used in 2020 to register the domain name. altugsara[.]com. The Archive.org history of that site shows that in 2021 it featured the website of a child who was 18 years old at the time. Altuğ Şara from Ankara, Turkey.
Archive.org’s memory of what altugsara dot com looked like in 2021.
LinkedIn you get this same altugsara[.]com domain listed in the “contact information” section of the profile Altug Sara from Ankara, who says he has worked for the past two years as a senior software developer for a Turkish firm called Bilitro Yazilim.
Neither Altug Sara nor Bilitro Yazilim responded to requests for comment.
Invicti’s website says it has offices in Ankara, but the company’s chief executive said none of the employees knew either name.
“We have a small team in Ankara, but as far as I know there is no contact with anyone unless they are also in Ankara,” the CEO of Invicti. Neil Roseman he told KrebsOnSecurity.
Silent Push researchers say that despite Araneida using a seemingly endless supply of proxies to hide the real location of its users, it is a “noisy” scanner that will issue multiple requests to different API locations, and make requests randomly. URLs are associated with different content management systems.
In addition, a cracked version of Acunetix that is resold by hackers requests legacy Acunetix SSL certificates from active control panels, which Silent Push says provides a strong pivot to access some of this infrastructure, especially for Chinese threat actors.
Further reading: Silent Push’s research on the Araneida Scanner.
Source link