Threat actors are reportedly selling a cracked version of Acunetix, a powerful commercial web application vulnerability scanner, for malicious purposes.
The cracked software, known as the “Araneida Scanner,” is being marketed as a cloud-based attack tool on various cybercrime forums and through a Telegram channel with nearly 500 subscribers.
Cybercriminals are using this unauthorized version of Acunetix to conduct offensive reconnaissance on potential target websites, scrape user data, and identify vulnerabilities for exploitation.
Silent Push’s investigation was triggered when one of their partners reported an aggressive scanning attempt against their website. Further analysis revealed that the scanning originated from an address associated with the “Araneida Customer Panel”.
The researchers discovered dozens of unique addresses hosting the same service, indicating a widespread operation.
Araneida’s operators claim their service has been used to compromise over 30,000 websites in just six months. They brazenly boast about their criminal activities, including instances where customers have used stolen payment card data to purchase luxury items.
Matt Sciberras, Chief Information Security Officer at Invicti Security (the maker of Acunetix), confirmed to Silent Push that threat actors had managed to crack the free trial version of the software, enabling it to run without a valid license key. Invicti has been actively working to counter these unauthorized uses of their product.
The implications of this cracked tool extend beyond individual cybercriminal activities. According to a report from the U.S. Department of Health and Human Services, a similar cracked version of Acunetix is reportedly being used by APT 41, a notorious Chinese state-sponsored hacking group.
Silent Push researchers have also uncovered at least 20 instances of a similar cloud-based vulnerability testing service catering to Mandarin-speaking users, suggesting a broader, potentially state-backed operation.
Although its operators route traffic through proxy servers to mask their activities, the Araneida scanner leaves distinct digital footprints: it generates a high volume of requests to various API endpoints and queries random URLs associated with different content management systems.
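One way a defender could surface that footprint in ordinary web server access logs, as an added example that is not from the Silent Push report or this article; the log lines, the CMS path list and the thresholds are constructed assumptions to be tuned for your own platforms:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Combined Log Format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Dec/2024:10:00:01 +0000] "GET /administrator/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Dec/2024:10:00:02 +0000] "GET /api/v1/users HTTP/1.1" 401 97
203.0.113.7 - - [10/Dec/2024:10:00:02 +0000] "GET /user/login HTTP/1.1" 404 153
203.0.113.7 - - [10/Dec/2024:10:00:03 +0000] "GET /typo3/ HTTP/1.1" 404 153
198.51.100.4 - - [10/Dec/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 4821
198.51.100.4 - - [10/Dec/2024:10:00:09 +0000] "GET /about.html HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Admin/login/API path prefixes typical of several CMSes. Assumed list for
# illustration only; tune it to the platforms you actually run.
CMS_PROBES = ("/wp-", "/administrator", "/user/login", "/typo3", "/api/")

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "path": path, "status": int(status)}

def find_scanner_sources(log_text, window_s=60, min_reqs=5, min_ratio=0.6):
    """Flag IPs that send >= min_reqs requests inside window_s seconds where
    at least min_ratio of them hit CMS/API probe paths (a scanner burst)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        start = 0  # sliding window over timestamps; scanners burst, humans do not
        for end in range(len(recs)):
            while (recs[end]["time"] - recs[start]["time"]).total_seconds() > window_s:
                start += 1
            window = recs[start:end + 1]
            probes = sum(r["path"].startswith(CMS_PROBES) for r in window)
            if len(window) >= min_reqs and probes / len(window) >= min_ratio:
                flagged[ip] = {"requests": len(window), "cms_probes": probes}
                break
    return flagged
```

Calling `find_scanner_sources(SAMPLE_LOG)` flags the probing source and leaves the ordinary visitor alone; feeding it a real log and blocking or alerting on the flagged addresses is the intended use.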
As the cybersecurity community grapples with this new threat, organizations are advised to remain vigilant and implement robust security measures to protect against potential attacks leveraging this cracked tool.