Web servers are a prime target for threat actors due to their open and volatile nature. However, these servers must remain open to provide various web services to users.

Web services that are provided on Windows servers by the Web servers include the following elements:-

• Internet Information Services (IIS) web servers
• Apache Tomcat web servers
• JBoss
• Nginx

Cybersecurity researchers at AhnLab Security Emergency Response Center (ASEC) recently identified that threat actors are actively targeting the web servers and their services that are vulnerable, improperly managed, and not yet patched.

On most infected systems, researchers found an account named “tripod,” which is exploited by the threat actors and this characteristic enables experts in identifying the threat actors.

Cyber Criminals Attacking Web Services

Moreover, it’s been revealed that weak Apache Tomcat and JBoss PACS servers were also targeted for installing Metasploit Meterpreter by threat actors.

Windows servers in domestic companies often employ IIS web servers, frequently hit in attacks like Dalbit and Chinese hacking incidents.

Attacks focus on vulnerable systems, especially IIS or MS-SQL servers, where multiple attackers target the same system persistently. However, among various malicious codes and attack logs, identifying a specific attacker is challenging.

Typical IIS attacks reveal the following common tools that are often linked to Chinese-speaking hackers:-

• Web shell
• Potato
• Ladon

Some attackers mask code in VMP or create custom tools to evade file scans, leading to attack categorization, and besides this, in the following path the attackers primarily craft the malicious code:-

• %ALLUSERSPROFILE%\Microsoft\DeviceSync\
• %SystemRoot%\debug\WIA\

In these attacks, threat actors also employ a command-executing tool, Sy_Runas, that takes advantage of the web shell to gain the privileges of a specific user.

The attack tools are often open source, due to which they lack attacker info like PDB, and not only that, even Chinese ties were also found in tools and malware used by the attackers.

Malicious Codes Developed & Malware Used

Here below, we have mentioned all the malicious codes that the attackers develop:-

• Potato malware
• UserClone
• Mimikatz
• PrintSpoofer
• Vulnerable PoC malware

Threat actors use the RunasCs and Sy_Runas, with higher Sy_Runas use per logs, but, most of the systems also show the “.Net-based RunasCs” presence.

For remote control, threat actors used:-

• NetCat
• Ladon

Cybersecurity analysts affirmed that since 2019 APT attacks are constantly targeting local companies’ web servers. 

However, the motive behind these attacks is to inject malicious ads on the homepage of the companies, but now the current attack logs suggest ransomware deployment alongside.

Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.