Monday, April 15, 2024

Cyber Criminals Attacking Web Services to Breach Organisations

Web servers are a prime target for threat actors due to their open and volatile nature. However, these servers must remain open to provide various web services to users.

Web services that are provided on Windows servers by the Web servers include the following elements:-

Cybersecurity researchers at AhnLab Security Emergency Response Center (ASEC) recently identified that threat actors are actively targeting the web servers and their services that are vulnerable, improperly managed, and not yet patched.

On most infected systems, researchers found an account named “tripod,” which is exploited by the threat actors and this characteristic enables experts in identifying the threat actors.

Tripod user account (Source – Asec)

Cyber Criminals Attacking Web Services

Moreover, it’s been revealed that weak Apache Tomcat and JBoss PACS servers were also targeted for installing Metasploit Meterpreter by threat actors.

Windows servers in domestic companies often employ IIS web servers, frequently hit in attacks like Dalbit and Chinese hacking incidents.

Attacks focus on vulnerable systems, especially IIS or MS-SQL servers, where multiple attackers target the same system persistently. However, among various malicious codes and attack logs, identifying a specific attacker is challenging.

Typical IIS attacks reveal the following common tools that are often linked to Chinese-speaking hackers:-

  • Web shell
  • Potato
  • Ladon

Some attackers mask code in VMP or create custom tools to evade file scans, leading to attack categorization, and besides this, in the following path the attackers primarily craft the malicious code:-

  • %ALLUSERSPROFILE%\Microsoft\DeviceSync\
  • %SystemRoot%\debug\WIA\

In these attacks, threat actors also employ a command-executing tool, Sy_Runas, that takes advantage of the web shell to gain the privileges of a specific user.

Sy_Runas (Source – Asec)

The attack tools are often open source, due to which they lack attacker info like PDB, and not only that, even Chinese ties were also found in tools and malware used by the attackers.

Malicious Codes Developed & Malware Used

Here below, we have mentioned all the malicious codes that the attackers develop:-

  • Potato malware
  • UserClone
  • Mimikatz
  • PrintSpoofer
  • Vulnerable PoC malware

Threat actors use the RunasCs and Sy_Runas, with higher Sy_Runas use per logs, but, most of the systems also show the “.Net-based RunasCs” presence.

RunasCs tool (Source – Asec)

For remote control, threat actors used:-

Cybersecurity analysts affirmed that since 2019 APT attacks are constantly targeting local companies’ web servers. 

However, the motive behind these attacks is to inject malicious ads on the homepage of the companies, but now the current attack logs suggest ransomware deployment alongside.

Keep informed about the latest Cyber Security News by following us on GoogleNewsLinkedinTwitter, and Facebook.


Latest articles

Hacker Customize LockBit 3.0 Ransomware to Attack Orgs Worldwide

Cybersecurity researchers at Kaspersky have uncovered evidence that cybercriminal groups are customizing the virulent...

Microsoft .NET, .NET Framework, & Visual Studio Vulnerable To RCE Attacks

A new remote code execution vulnerability has been identified to be affecting multiple Microsoft...

LightSpy Hackers Indian Apple Device Users to Steal Sensitive Data

The revival of the LightSpy malware campaign has been observed, focusing on Indian Apple...

LightSpy Malware Attacking Android and iOS Users

A new malware known as LightSpy has been targeting Android and iOS users.This sophisticated...

This Startup Aims To Simplify End-to-End Cybersecurity, So Anyone Can Do It

The Web3 movement is going from strength to strength with every day that passes....

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles