A recent investigation has found that stolen credentials are being sold by the hundreds of thousands with the help of a cracked copy of Acunetix, a widely used commercial web application vulnerability scanner. The cracked software has been repackaged as a cloud-based attack service offered by at least two separate operations, one of which has been traced to an IT firm in Turkey.
According to threat analysts at Silent Push, the trail began with reports of aggressive scanning of websites from an Internet address previously associated with FIN7, the notorious Russia-based hacking group. On closer inspection the address was serving a page whose HTML title read “Araneida Customer Panel,” and pivoting on that title turned up multiple other addresses hosting the same panel.
Araneida is sold as a cloud-based service built on a cracked version of Acunetix, letting paying customers run offensive reconnaissance against target websites, extract user data, and identify exploitable vulnerabilities. It also bundles a proxy service that hides the true origin of a customer's scans, so that the traffic appears to come from random Internet addresses.
Invicti Security, the Texas-based maker of Acunetix, confirmed the findings, acknowledging that people had cracked the scanner's free trial so that it runs without a valid license key. Matt Sciberras, Invicti's chief information security officer, expressed frustration at the ongoing cat-and-mouse game with the people behind these cracks.
Silent Push also found that Araneida is actively promoted on cybercrime forums by a user of the same name. The service's Telegram channel has nearly 500 subscribers and carries instructions on using the tool for malicious activity. In a “Fun Facts” list posted to the channel, Araneida claimed to have taken over more than 30,000 websites within six months, and that one customer had bought a Porsche with payment card data obtained through the service.
Further investigation found the same cracked Acunetix powering multiple instances of a similar cloud-based vulnerability testing service aimed at Mandarin speakers, although no related sales threads for that service were found on dark web forums.
Reports of a cracked Acunetix in attackers' hands first surfaced on Twitter in June 2023, when researchers began linking the scanning activity to Araneida. An August 2023 report from the U.S. Department of Health and Human Services also listed Acunetix among the tools used by APT41, a prolific Chinese state-sponsored hacking group.
Digging into Araneida's origins, Silent Push found that the website where the service is sold, araneida[.]co, first appeared online in February 2023, but that the Araneida moniker has been active in criminal hacking circles since at least 2018, judging by its presence on multiple cybercrime forums.
The investigation also traced a chain of online accounts linked to the Araneida identity, including Discord and Telegram accounts and website domains such as orndorks[.]com, to a Turkish individual named Altuğ Şara and a Turkish IT firm called Bilitro Yazilim. Both Altuğ Şara and Bilitro Yazilim declined to comment on any association with the Araneida scanner.
Even with the proxying that hides their true origin, Araneida's scans leave a recognizable footprint: Silent Push notes that they generate a large volume of requests to API endpoints and URLs characteristic of particular content management systems. In addition, the cracked Acunetix build used by these services relies on legacy SSL certificates, which gave researchers a pivot point for identifying related infrastructure, including infrastructure linked to Chinese threat actors.
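The traffic pattern above (many CMS-specific probe URLs in a short time) can be turned into a simple detector. What follows is an added example written for this page, not Silent Push's detection logic and not anything published by Invicti or Araneida: the list of probe paths, the five-minute window, the four-path threshold, and all log lines are constructed assumptions for illustration. It groups access-log entries by source IP, and separately by User-Agent, because the proxy service described earlier spreads a single scan across many source addresses, so a per-IP threshold alone can miss it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format (Apache/nginx default). Assumed field order; adjust for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths commonly requested when fingerprinting CMS installs.
# This is an illustrative list (assumption), not an indicator list from the article.
CMS_PROBES = (
    "/wp-login.php", "/xmlrpc.php", "/wp-json/wp/v2/users", "/wp-admin/",  # WordPress
    "/administrator/", "/api/index.php/v1/users",                          # Joomla
    "/user/login", "/jsonapi/user/user",                                   # Drupal
    "/typo3/", "/umbraco/", "/magento_version", "/.env",
)

def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def normalize_path(path):
    """Drop the query string and lower-case the path so variants collapse together."""
    return path.split("?", 1)[0].lower()

def is_cms_probe(path):
    """True if the request path starts with one of the CMS fingerprint paths."""
    p = normalize_path(path)
    return any(p.startswith(probe) for probe in CMS_PROBES)

def max_distinct_in_window(events, window):
    """events: list of (timestamp, path). Returns the largest number of distinct
    probe paths that fall inside any interval of length `window` (two-pointer sweep)."""
    events = sorted(events)
    counts = defaultdict(int)
    best, lo = 0, 0
    for ts, path in events:
        counts[path] += 1
        while ts - events[lo][0] > window:        # slide the left edge forward
            old = events[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best

def find_scanners(lines, group_by="ip", window=timedelta(minutes=5), min_distinct=4):
    """Return {key: distinct_probe_paths} for every key (source IP, or User-Agent when
    group_by="ua") that requested at least `min_distinct` different CMS probe paths
    within `window`. Thresholds are assumptions to tune against real traffic."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_cms_probe(rec["path"]):
            continue
        events[rec[group_by]].append((rec["ts"], normalize_path(rec["path"])))
    return {key: n for key, evs in events.items()
            if (n := max_distinct_in_window(evs, window)) >= min_distinct}

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    # One address probing six CMS paths in under two minutes
    '203.0.113.10 - - [10/Dec/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Dec/2024:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Dec/2024:10:00:04 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Dec/2024:10:00:09 +0000] "GET /administrator/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Dec/2024:10:01:30 +0000] "GET /user/login HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Dec/2024:10:01:45 +0000] "GET /.env HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    # The same kind of scan spread across five proxy addresses sharing one (hypothetical) User-Agent
    '198.51.100.1 - - [10/Dec/2024:11:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "scanner-demo/1.0"',
    '198.51.100.2 - - [10/Dec/2024:11:00:03 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "scanner-demo/1.0"',
    '198.51.100.3 - - [10/Dec/2024:11:00:05 +0000] "GET /typo3/ HTTP/1.1" 404 153 "-" "scanner-demo/1.0"',
    '198.51.100.4 - - [10/Dec/2024:11:00:08 +0000] "GET /umbraco/ HTTP/1.1" 404 153 "-" "scanner-demo/1.0"',
    '198.51.100.5 - - [10/Dec/2024:11:00:12 +0000] "GET /wp-admin/ HTTP/1.1" 404 153 "-" "scanner-demo/1.0"',
    # An ordinary visitor: normal content plus one login page hit
    '192.0.2.7 - - [10/Dec/2024:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.7 - - [10/Dec/2024:12:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("by source IP :", find_scanners(SAMPLE_LOG))
    print("by User-Agent:", find_scanners(SAMPLE_LOG, group_by="ua"))
```

Grouping by IP catches the single-source scan but not the proxied one, whose five addresses each touch only one probe path; grouping by User-Agent catches both. The User-Agent is a weak key (a generic string such as "Mozilla/5.0" will also sweep up ordinary visitors, as the sample shows), so in practice it is combined with other shared attributes of the scan, such as the order in which paths are requested or unusual request headers, and the thresholds are tuned against a baseline of normal traffic for the site.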
The repackaging of a cracked commercial scanner as a cloud-based attack service is a reminder that legitimate security tooling will be turned against the organizations it was built to protect, and that defenders should watch for scanner-like traffic patterns rather than rely solely on blocking known-bad source addresses, which the proxying described above is designed to defeat.

