Full Report
Cybercriminals are selling hundreds of thousands of credential sets stolen with the help of a cracked version of Acunetix, a powerful commercial web app vulnerability scanner, new research finds. The cracked software is being resold as a cloud-based attack tool by at least two different services, one of which KrebsOnSecurity traced to an information technology firm based in Turkey.
Analysis Summary
# Tool/Technique: Araneida Scanner (Powered by Cracked Acunetix)
## Overview
Araneida Scanner is a service being resold on cybercrime forums, often as a cloud-based platform, that utilizes a cracked version of the commercial web application vulnerability scanner, Acunetix. Its purpose is to allow paying customers to conduct offensive reconnaissance, scrape user data, and find web application vulnerabilities for subsequent exploitation.
## Technical Details
- Type: Tool (Resold service built on cracked commercial software)
- Platform: Web applications (scanning targets); Windows/Linux (implied, for the underlying scanner installation)
- Capabilities: Web application scanning, vulnerability discovery, user data scraping, robust proxy offering for anonymity.
- First Seen: Research identifying this specific reseller service surfaced around mid-2023; use of cracked Acunetix by the service has been rumored since June 2023.
## MITRE ATT&CK Mapping
The core functionality revolves around reconnaissance and initial access/discovery.
- **TA0043 - Reconnaissance**
  - T1595 - Active Scanning
    - T1595.002 - Internet Service Scanning
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application (implied use after scanning)
## Functionality
### Core Capabilities
- Utilizing cracked Acunetix to scan target websites for vulnerabilities.
- Providing vulnerability results to paying customers.
- Facilitating data scraping and bulk credential acquisition.
### Advanced Features
- **Proxy Offering:** Bundles the service with a robust proxy system, randomly selecting relays to mask the true origin of customer scans.
- **Cloud-Based Delivery:** Resold as a readily accessible, cloud-based service, lowering the barrier to entry for less sophisticated criminal users.
- **Service Aggressiveness:** Described as an "aggressive scanning effort," generating a high volume of requests to API endpoints and random CMS URLs.
## Indicators of Compromise
The article focuses on identifiers related to the *reseller service infrastructure* rather than standard malware IOCs, as it is a service wrapper.
- File Hashes: N/A (any would belong to the cracked scanner or service backend, which the report does not detail)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
  - Primary sales domain: `araneida[.]co`
  - Associated promotional/development domain: `orndorks[.]com`
  - Associated user domain: `altugsara[.]com`
- Behavioral Indicators:
  - HTML title containing: “Araneida Customer Panel”
  - Use of legacy Acunetix SSL certificates on active control panels.
  - High volume of requests to various API endpoints and random CMS URLs.
## Associated Threat Actors
- **FIN7:** Previously associated with scanning activity traced back to the Araneida service infrastructure.
- **APT41:** Reportedly uses Acunetix (presumably cracked versions) in its operations.
- Unattributed cybercriminals who subscribe to the Araneida service.
## Detection Methods
- Signature-based detection: Look for legacy Acunetix SSL certificates on exposed control-panel infrastructure.
- Behavioral detection: Monitoring for high-volume, aggressive scanning activity targeting common web APIs and CMS endpoints indicative of automated vulnerability discovery tools.
- YARA rules: N/A (Not disclosed)
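The behavioral detection above, worked as an added example that is not from the report or its sources: a small Python script that parses constructed access-log lines and flags any source whose requests inside a sliding window are numerous, spread over many distinct paths, and mostly aimed at CMS/API probe paths. The probe-path list, the thresholds and the sample log lines are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (combined log format): 203.0.113.7 bursts through probe paths, 198.51.100.4 browses normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Dec/2024:10:00:01 +0000] "GET /api/v1/users HTTP/1.1" 404 153
203.0.113.7 - - [10/Dec/2024:10:00:02 +0000] "GET /administrator/index.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Dec/2024:10:00:02 +0000] "GET /wp-content/plugins/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Dec/2024:10:00:03 +0000] "GET /api/v2/config HTTP/1.1" 404 153
203.0.113.7 - - [10/Dec/2024:10:00:03 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153
198.51.100.4 - - [10/Dec/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.4 - - [10/Dec/2024:10:00:09 +0000] "GET /about HTTP/1.1" 200 3310
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Paths typical of automated CMS/API discovery; an assumed, illustrative list, not from the report.
PROBE_RE = re.compile(r"^/(api/|wp-|xmlrpc\.php|administrator/|admin/)", re.I)

def parse(log_text):
    """Yield (ip, timestamp, path, status) for each parseable log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, _method, path, status = m.groups()
            yield ip, datetime.strptime(ts, TS_FMT), path, int(status)

def flag_scanners(log_text, window=timedelta(seconds=10), min_reqs=5,
                  min_distinct=4, probe_ratio=0.6):
    """Return {ip: stats} for sources whose burst in any window looks like automated vulnerability discovery."""
    per_ip = defaultdict(list)
    for ip, ts, path, status in parse(log_text):
        per_ip[ip].append((ts, path, status))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            distinct = {p for _, p, _ in burst}
            probes = sum(1 for _, p, _ in burst if PROBE_RE.match(p))
            if (len(burst) >= min_reqs and len(distinct) >= min_distinct
                    and probes / len(burst) >= probe_ratio):
                flagged[ip] = {"requests": len(burst), "distinct_paths": len(distinct),
                               "probe_ratio": round(probes / len(burst), 2),
                               "not_found": sum(1 for _, _, s in burst if s == 404)}
                break  # one hit per source is enough to raise an alert
    return flagged
```

Tune `window`, `min_reqs` and `PROBE_RE` to the site's real traffic; a high 404 count alongside a high probe ratio is the strongest signal, since legitimate clients rarely walk nonexistent CMS paths.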
## Mitigation Strategies
- **Vulnerability Management:** Prompt patching and configuration hardening of all public-facing web applications and content management systems.
- **Network Monitoring:** Implement strict rate-limiting and anomaly detection on web traffic, filtering out traffic exhibiting the high-volume, randomized scanning patterns described.
- **WAF/IPS:** Utilize Web Application Firewalls (WAFs) capable of identifying and blocking mass reconnaissance probing.
- **Acunetix Licensing Integrity:** (For Invicti/Acunetix customers) Ensure proper licensing controls to prevent unauthorized use of trial versions.
## Related Tools/Techniques
- **Acunetix:** The underlying commercial web application vulnerability scanner being cracked and resold.
- Other vulnerability scanners used by APTs (mentioned in HHS report contextually, but not detailed).
- Services/users historically linked to Araneida operators: ORN, ori0n, Ornie#9811, @sirorny, Exorn.