Cybercriminals are selling hundreds of thousands of credential sets stolen with the help of a cracked version of Acunetix<\/strong>, a powerful commercial web app vulnerability scanner, new research finds. The cracked software is being resold as a cloud-based attack tool by at least two different services, one of which KrebsOnSecurity traced to an information technology firm based in Turkey.<\/p>\n Araneida Scanner.<\/p>\n<\/div>\n Cyber threat analysts at Silent Push<\/strong> said they recently received reports from a partner organization that identified an aggressive scanning effort against their website using an Internet address previously associated with a campaign by FIN7<\/a>, a notorious Russia-based hacking group.<\/p>\n But on closer inspection they discovered the address contained an HTML title of \u201cAraneida Customer Panel<\/strong>,\u201d and found they could search on that text string to find dozens of unique addresses hosting the same service.<\/p>\n It soon became apparent that Araneida was being resold as a cloud-based service using a cracked version of Acunetix, allowing paying customers to conduct offensive reconnaissance on potential target websites, scrape user data, and find vulnerabilities for exploitation.<\/p>\n Silent Push also learned Araneida bundles its service with a robust proxy offering, so that customer scans appear to come from Internet addresses that are randomly selected from a large pool of available traffic relays.<\/p>\n The makers of Acunetix, Texas-based application security vendor Invicti Security<\/strong>, confirmed Silent Push\u2019s findings, saying someone had figured out how to crack the free trial version of the software so that it runs without a valid license key.<\/p>\n \u201cWe have been playing cat and mouse for a while with these guys,\u201d said Matt Sciberras<\/strong>, chief information security officer at Invicti.<\/p>\n Silent Push said Araneida is being advertised by an eponymous user on multiple cybercrime forums. The service\u2019s Telegram channel boasts nearly 500 subscribers and explains how to use the tool for malicious purposes.<\/p>\n In a \u201cFun Facts\u201d list posted to the channel in late September, Araneida said their service was used to take over more than 30,000 websites in just six months, and that one customer used it to buy a Porsche with the payment card data (\u201cdumps\u201d) they sold.<\/p>\n Araneida Scanner\u2019s Telegram channel bragging about how customers are using the service for cybercrime.<\/p>\n<\/div>\n \u201cThey are constantly bragging with their community about the crimes that are being committed, how it\u2019s making criminals money,\u201d said\u00a0Zach Edwards<\/strong>, a senior threat researcher at Silent Push. \u201cThey are also selling bulk data and dumps which appear to have been acquired with this tool or due to vulnerabilities found with the tool.\u201d<\/p>\n Silent Push also found a cracked version of Acunetix was powering at least 20 instances of a similar cloud-based vulnerability testing service catering to Mandarin speakers, but they were unable to find any apparently related sales threads about them on the dark web.<\/p>\n Rumors of a cracked version of Acunetix being used by attackers surfaced in June 2023 on Twitter\/X<\/a>, when researchers first posited a connection between observed scanning activity and Araneida<\/a>.<\/p>\n According to an August 2023 report<\/a> (PDF) from the U.S. Department of Health and Human Services<\/strong> (HHS), Acunetix (presumably a cracked version) is among several tools used by APT 41<\/a>, a prolific Chinese state-sponsored hacking group.<\/span><\/p>\n Silent Push notes that the website where Araneida is being sold \u2014 araneida[.]co<\/strong> \u2014 first came online in February 2023. But a review of this Araneida nickname on the cybercrime forums shows they have been active in the criminal hacking scene since at least 2018.<\/p>\n A search in the threat intelligence platform Intel 471<\/a> shows a user by the name Araneida promoted the scanner on two cybercrime forums since 2022, including Breached<\/strong> and Nulled<\/strong>. In 2022, Araneida told fellow Breached members they could be reached on Discord at the username \u201cOrnie#9811<\/strong>.\u201d<\/p>\n According to Intel 471, this same Discord account was advertised in 2019 by a person on the cybercrime forum Cracked<\/strong> who used the monikers \u201cORN<\/strong>\u201d and \u201cori0n<\/strong>.\u201d The user \u201cori0n\u201d mentioned in several posts that they could be reached on Telegram at the username \u201c@sirorny<\/strong>.\u201d<\/p>\n Orn advertising Araneida Scanner in Feb. 2023 on the forum Cracked. Image: Ke-la.com.<\/p>\n<\/div>\n The Sirorny Telegram identity also was referenced as a point of contact for a current user on the cybercrime forum Nulled who is selling website development services, and who references araneida[.]co as one of their projects. That user, \u201cExorn<\/strong>,\u201d has posts dating back to August 2018.<\/p>\n In early 2020, Exorn promoted a website called \u201corndorks[.]com<\/strong>,\u201d which they described as a service for automating the scanning for web-based vulnerabilities. A passive DNS lookup on this domain at DomainTools.com<\/a> shows that its email records pointed to the address ori0nbusiness@protonmail.com<\/strong>.<\/p>\n Constella Intelligence<\/a>, a company that tracks information exposed in data breaches, finds this email address was used to register an account at Breachforums<\/strong> in July 2024 under the nickname \u201cOrnie<\/strong>.\u201d Constella also finds the same email registered at the website netguard[.]codes in 2021 using the password \u201cceza2003<\/strong>\u201d [full disclosure: Constella is currently an advertiser on KrebsOnSecurity].<\/p>\n A search on the password ceza2003 in Constella finds roughly a dozen email addresses that used it in an exposed data breach, most of them featuring some variation on the name \u201caltugsara<\/strong>,\u201d including altugsara321@gmail.com<\/strong>. Constella further finds altugsara321@gmail.com was used to create an account at the cybercrime community RaidForums<\/strong> under the username \u201cori0n<\/strong>,\u201d from an Internet address in Istanbul.<\/p>\n According to DomainTools, altugsara321@gmail.com was used in 2020 to register the domain name altugsara[.]com<\/strong>. Archive.org\u2019s history for that domain<\/a> shows that in 2021 it featured a website for a then 18-year-old Altu\u011f \u015eara<\/strong> from Ankara, Turkey.<\/p>\n Archive.org\u2019s recollection of what altugsara dot com looked like in 2021.<\/p>\n<\/div>\n LinkedIn<\/strong> finds this same altugsara[.]com<\/strong> domain listed in the \u201ccontact info\u201d section of a profile<\/a> for an Altug Sara<\/strong> from Ankara, who says he has worked the past two years as a senior software developer for a Turkish IT firm called Bilitro Yazilim<\/strong>.<\/p>\n Neither Altug Sara nor Bilitro Yazilim responded to requests for comment.<\/p>\n Invicti\u2019s website states that it has offices in Ankara, but the company\u2019s CEO said none of their employees recognized either name.<\/p>\n \u201cWe do have a small team in Ankara, but as far as I know we have no connection to the individual other than the fact that they are also in Ankara,\u201d Invicti CEO Neil Roseman<\/strong> told KrebsOnSecurity.<\/p>\n Researchers at Silent Push say despite Araneida using a seemingly endless supply of proxies to mask the true location of its users, it is a fairly \u201cnoisy\u201d scanner that will kick off a large volume of requests to various API endpoints, and make requests to random URLs associated with different content management systems.<\/p>\n What\u2019s more, the cracked version of Acunetix being resold to cybercriminals invokes legacy Acunetix SSL certificates on active control panels, which Silent Push says provides a solid pivot for finding some of this infrastructure, particularly from the Chinese threat actors.<\/p>\n Further reading: Silent Push\u2019s research on Araneida Scanner<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2024\/12\/araneida-scanner.png?resize=749%2C562&ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2024\/12\/araneida-tg.png?resize=658%2C273&ssl=1\")
<\/p>\nTHE TURKISH CONNECTION<\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2024\/12\/orn-araneida.png?resize=749%2C411&ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2024\/12\/altugsaradotcom.png?resize=749%2C345&ssl=1\")
<\/p>\n