Web servers are a prime target for threat actors due to their open and volatile nature. However, these servers must remain open to provide various web services to users.
Web services that are provided on Windows servers by the Web servers include the following elements:-
Cybersecurity researchers at AhnLab Security Emergency Response Center (ASEC) recently identified that threat actors are actively targeting the web servers and their services that are vulnerable, improperly managed, and not yet patched.
On most infected systems, researchers found an account named “tripod,” which is exploited by the threat actors and this characteristic enables experts in identifying the threat actors.
Moreover, it’s been revealed that weak Apache Tomcat and JBoss PACS servers were also targeted for installing Metasploit Meterpreter by threat actors.
Windows servers in domestic companies often employ IIS web servers, frequently hit in attacks like Dalbit and Chinese hacking incidents.
Attacks focus on vulnerable systems, especially IIS or MS-SQL servers, where multiple attackers target the same system persistently. However, among various malicious codes and attack logs, identifying a specific attacker is challenging.
Typical IIS attacks reveal the following common tools that are often linked to Chinese-speaking hackers:-
Some attackers mask code in VMP or create custom tools to evade file scans, leading to attack categorization, and besides this, in the following path the attackers primarily craft the malicious code:-
In these attacks, threat actors also employ a command-executing tool, Sy_Runas, that takes advantage of the web shell to gain the privileges of a specific user.
The attack tools are often open source, due to which they lack attacker info like PDB, and not only that, even Chinese ties were also found in tools and malware used by the attackers.
Here below, we have mentioned all the malicious codes that the attackers develop:-
Threat actors use the RunasCs and Sy_Runas, with higher Sy_Runas use per logs, but, most of the systems also show the “.Net-based RunasCs” presence.
For remote control, threat actors used:-
Cybersecurity analysts affirmed that since 2019 APT attacks are constantly targeting local companies’ web servers.
However, the motive behind these attacks is to inject malicious ads on the homepage of the companies, but now the current attack logs suggest ransomware deployment alongside.
Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.
Multinational engineering and technology services firm Tata Technologies has reportedly fallen victim to a significant…
U.S. authorities announced the seizure of $31 million tied to the 2021 Uranium Finance decentralized…
Imagine a government that tracks your daily movements, monitors your communications, and catalogs your digital…
A recently disclosed vulnerability in Docusnap's Windows client software (CVE-2025-26849) enables attackers to decrypt sensitive…
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2018-8639, a decade-old Microsoft Windows privilege…
Google’s March 2025 Android Security Bulletin has unveiled two critical vulnerabilities—CVE-2024-43093 and CVE-2024-50302—currently under limited,…