Servers from China behind 282-fold increase in IIS attacks

IIS attacks showed a 782-fold increase, from 2,000 to 1.7 million, in the second quarter of this year compared to the quarter before.

Biotechnology, accounting, real estate, marketing and construction sectors were industries most seriously affected.

The most common execution tactic technique observed around endpoint solutions was the use of PowerShell (32%), followed by VBA scripting (21%). Of the PowerShell-based attacks observed, 83% used obfuscated command lines intended to hide their intentions.

The findings come courtesy of a new threat report from eSentire, Inc.

>See also: eSentire and Cyxtera partner to bring protection to the midsize enterprise

The report found that most sources targeting IIS web servers originated from China-based IP addresses. According to Shodan, there are 3.5 million IIS web servers exposed (with 1 million in China). The compromised servers largely originated from Tencent and Alibaba.

eSentire also said that there was an “interesting collection of operating systems among the attacking infrastructure involved.” More than 400 of the attacking IPs had Shodan records indicating they were Windows machines (including XP, 7, 8, 2008, and 2012). Additionally, nearly 350 FTP servers and over 100 mail servers were reported; there were also VPN servers, MikroTik devices (reported as bandwidth-testing servers), Kangle, Squid, Jetty and a handful of lesser-known web service technologies.

“IIS is a popular web server, with prevalence in the US and China,” explained Kerry Bailey, CEO, eSentire.

>See also: Hybrid IT is essential for enterprise innovation – SUSECON 17

Bailey suggested that “organisations using web servers need to make sure they monitor for these vulnerabilities and update or patch as necessary.

“Oracle WebLogic is another web server that saw a lot of attacks and we’ve seen Apache attacks reported too.

“Web servers are exposed de facto, which makes them a primary target, and we saw continued attacks against IIS continue in Q3 2018.

>See also: Why organisations must secure the network

“IIS patches for earlier versions, like 6.0, are available. Otherwise, users should consider updating to more recent versions of the web server.”

The report also found that:

  • Emotet was the most frequently observed malware due to numerous version updates and feature additions since it was first reported in 2014.
  • The use of obfuscated PowerShell commands increased 50% from last quarter, partly due to contributions by Emotet.
  • Four observed exploit campaigns stood out targeting IIS, Drupal, WebLogic servers, and GPON routers. GPON home routers were attacked after the PoC code release (eSentire saw 5K detections total, with volume peaking ‪on May 12‬). eSentire continues to see home router exploits through Q3.

Avatar photo

Michael Baxter

.Michael Baxter is a tech, economic and investment journalist. He has written four books, including iDisrupted and Living in the age of the jerk. He is the editor of Techopian.com and the host of the ESG...

Related Topics

Servers