Threat actors are now selling a cracked version of Acunetix, a renowned commercial web application vulnerability scanner, under the alias “Araneida Scanner.” This unauthorized version is marketed as a cloud-based attack tool across cybercrime forums and a Telegram channel with close to 500 subscribers. Acunetix, known for its ability to identify and help remediate vulnerabilities in web applications, is being repurposed by criminals to conduct reconnaissance on potential target websites. The attackers use this tool to scrape user data, scan for exploitable vulnerabilities, and potentially launch further attacks.
The cracked version bypasses Acunetix’s licensing mechanisms, allowing malicious actors to use the tool without a valid license key. Researchers from Silent Push discovered the tool after a partner organization reported an aggressive scanning attempt on their website. Their investigation traced the scanning activity to the “Araneida Customer Panel,” and further analysis revealed that the tool is being hosted on multiple addresses, indicating widespread use in cybercrime activities. The operators of Araneida claim to have compromised over 30,000 websites within six months, showcasing the tool’s destructive potential.
The cracked tool is not just used by individual cybercriminals but also by sophisticated, potentially state-backed actors. The U.S. Department of Health and Human Services has reported that a similar cracked version of Acunetix is being used by APT 41, a notorious Chinese state-sponsored hacking group. Silent Push also uncovered at least 20 other cloud-based vulnerability testing services targeting Mandarin-speaking users, further suggesting the existence of large-scale operations potentially tied to state-sponsored hacking groups.
Despite efforts by the attackers to conceal their activities by using proxy servers, the Araneida scanner leaves clear digital footprints. It generates a high volume of requests to various API endpoints and frequently queries random URLs associated with different content management systems. These distinctive patterns make it possible to trace the activities back to the malicious tool. The growing use of cracked security software by cybercriminals and state-sponsored actors underscores the importance of organizations staying vigilant, applying robust security measures, and monitoring for unusual scanning activities to defend against such threats.
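The traffic pattern described above can be turned into a simple access-log check. The following is an added example, not code from Silent Push or from the original article; the CMS path markers, API prefixes, thresholds and sample log lines are assumptions constructed for illustration, not Araneida indicators.

```python
import re
from collections import defaultdict

# Illustrative CMS path markers and API roots (assumptions, not Araneida indicators).
# Log lines are expected in Common/Combined Log Format.
CMS_MARKERS = {
    "wordpress": ("/wp-login.php", "/wp-admin", "/wp-content", "/xmlrpc.php"),
    "joomla": ("/administrator", "/components/com_"),
    "drupal": ("/user/login", "/sites/default", "/core/misc"),
}
API_PREFIXES = ("/api/", "/graphql", "/rest/")
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" (\d{3})')

def cms_family(path):
    """Return the CMS family whose marker prefixes the path, or None."""
    return next((f for f, m in CMS_MARKERS.items() if path.lower().startswith(m)), None)

def find_scanners(lines, min_cms=2, min_api=3, min_miss_ratio=0.7):
    """Flag clients probing several CMS families and many API paths, mostly hitting 403/404."""
    stats = defaultdict(lambda: {"cms": set(), "api": set(), "total": 0, "miss": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, path, status = m.group(1), m.group(2).split("?")[0], int(m.group(3))
        s = stats[client]
        s["total"] += 1
        s["miss"] += status in (403, 404)  # probes for absent paths mostly miss
        family = cms_family(path)
        if family:
            s["cms"].add(family)
        if path.lower().startswith(API_PREFIXES):
            s["api"].add(path)
    return {
        c: {"cms": sorted(s["cms"]), "api_paths": len(s["api"]), "requests": s["total"]}
        for c, s in stats.items()
        if len(s["cms"]) >= min_cms and len(s["api"]) >= min_api
        and s["miss"] / s["total"] >= min_miss_ratio
    }

def make_line(ip, path, status):
    return f'{ip} - - [01/Jan/2025:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512'

# Constructed sample: one scanner-like client and one ordinary WordPress visitor.
SAMPLE = [make_line("203.0.113.7", p, 404) for p in (
    "/wp-login.php", "/administrator/index.php", "/user/login",
    "/api/v1/users", "/api/v2/config", "/graphql", "/rest/V1/store")]
SAMPLE += [make_line("198.51.100.20", p, 200) for p in (
    "/wp-login.php", "/wp-admin/", "/api/v1/cart", "/index.html")]
print(find_scanners(SAMPLE))
```

Because the operators route traffic through proxy servers, grouping by client address alone can under-count; the same counters can be keyed on a short time window across all clients instead.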