Security Alert: Hackers Exploit Apache HTTP Server Vulnerability to Deploy Linuxsys Cryptocurrency Mining Program

Security Alert: Hackers Exploit Apache HTTP Server Vulnerability to Deploy Linuxsys Cryptocurrency Mining Program

Keywords

Vulnerability

1️⃣ Linuxsys Secret Mining Resurfaces, Exploiting Apache Vulnerability for Attacks

Recently, a report from “VulnCheck” revealed that attackers are exploiting a known path traversal vulnerability in Apache HTTP Server 2.4.49 (CVE‑2021‑41773, CVSS 7.5) to spread a cryptocurrency mining program named Linuxsys.

  • Infection Chain Revealed: Originating from an Indonesian IP <span>103.193.177.152</span>, attackers use cURL or wget to download shell scripts from <span>repositorylinux[.]org</span>, subsequently obtaining Linuxsys mining files from multiple compromised legitimate sites.

  • Covert Propagation Mechanism: Hides download sources through the trust chain of legitimate sites with HTTPS (valid SSL certificates), while cron scripts ensure the mining program restarts automatically.

  • Exploitation of Multiple Vulnerabilities: Attackers have also leveraged n-day vulnerabilities in products like GeoServer, Confluence, Metabase, and Palo Alto to spread Linuxsys, demonstrating a combat style based on long-term exploitation of known vulnerabilities and distributed propagation.

2️⃣ GhostContainer Exchange Backdoor Exposed: APT Breaches Email Core

At the same time, the Kaspersky GReAT team disclosed that the Exchange Server backdoor GhostContainer has been detected in several government and high-tech institutions in Asia, suspected of deploying using the patched vulnerability CVE‑2020‑0688 (CVE score 8.8).

  • Stealth Mode Operation: The backdoor injects itself into the Exchange Server as a DLL, masquerading as a normal component, executing shellcode, file operations, .NET module downloads, and network proxy and tunneling functions.

  • Extremely Covert Control Method: GhostContainer does not actively connect to C2 but listens for hidden data in Exchange Web requests, concealing its presence to avoid detection by standard IDS/network monitoring.

  • APT Background Revealed: This attack targets specific objectives in Asia, showcasing the attackers’ proficiency in using publicly available code to construct advanced persistent backdoors (APTs), with capabilities for long-term infiltration and lateral movement.

🔐 Defense Recommendations: Build a Deep Network Defense System

Defense Layer Recommended Measures
Vulnerability Patching Upgrade Apache to ≥2.4.51; immediately install the Exchange CVE‑2020‑0688 patch.
Access Isolation Enforce network segmentation to ensure servers are not directly exposed to the Internet; disable unnecessary modules (e.g., mod_cgi).
Log Monitoring Enable IDS/WAF mechanisms to monitor abnormal HTTP/HTTPS requests, shell scripts, and cron file increments.
Behavior Auditing Deploy EDR/UEBA to identify mining, lateral movement, command injection characteristics, and hidden DLL file activities.
Security Training Train employees to recognize phishing attacks, timely update system patches, and enhance security awareness and emergency response capabilities.

✅ Conclusion

Linuxsys and GhostContainer are two completely different but highly covert attack chains:

  • One exploits server-side vulnerabilities to implant ongoing mining risks;

  • The other lurks within the core of Exchange, achieving APT infiltration and continuous control.

This case once again reminds all organizations: Zero Trust + Patch Management + Behavior Monitoring is the core strategy to effectively defend against such advanced threats. If you need customized detection rules or drill services, feel free to contact support for communication.

END

Recommended Reading

【Security Circle】Manufacturing Security Alert: Why Default Passwords Must Be Completely Abolished?

【Security Circle】Serious Vulnerability Exposed in TeleMessage SGNL, a “Signal Alternative” Used by the US Government, Heap Memory Leak Already Exploited by Hackers

【Security Circle】2.3 Million Downloads at Risk: LaRecipe Vulnerability Could Allow Complete Server Takeover

【Security Circle】UK Co-op Supermarket Confirms 6.5 Million Member Data Breach, Four Hackers Arrested

Security Alert: Hackers Exploit Apache HTTP Server Vulnerability to Deploy Linuxsys Cryptocurrency Mining ProgramSecurity Alert: Hackers Exploit Apache HTTP Server Vulnerability to Deploy Linuxsys Cryptocurrency Mining Program

Security Circle

Security Alert: Hackers Exploit Apache HTTP Server Vulnerability to Deploy Linuxsys Cryptocurrency Mining Program

← Scan to Follow Us

Gathering Hot Topics in the Circle, Focusing on Cybersecurity

Real-time Information at Your Fingertips!

Security Alert: Hackers Exploit Apache HTTP Server Vulnerability to Deploy Linuxsys Cryptocurrency Mining Program

If You Find It Good, Share It; If Useful, Give It a Like

Support “Security Circle” by Clicking Three Times!

Security Alert: Hackers Exploit Apache HTTP Server Vulnerability to Deploy Linuxsys Cryptocurrency Mining Program

Leave a Comment