Hackers have been attacking Windows IIS servers frequently, targeting critical web applications and services that host sensitive data. Recently, a South Korean medical establishment fell victim to such an attack on its Windows IIS server hosting a Picture Archiving and Communication System (PACS). The incident was discovered by the AhnLab Security Intelligence Center (ASEC), which identified CoinMiner infections resulting from the attack.
The attack on the medical institution’s server raised suspicion of possible PACS vulnerabilities or misconfigured security settings, as there were signs of web shell uploads. Particularly alarming was that two separate attacks occurred just days apart, suggesting a coordinated effort. The attackers, believed to be Chinese hackers, used tools such as Cpolar and RingQ, and the scripts contained Chinese-language comments.
This targeted attack highlights the ongoing threat to exposed web servers in Korea from Chinese-speaking threat groups. The incident is a reminder of the importance of robust security measures for critical hospital systems such as PACS to prevent similar breaches in the future.
The first attack involved uploading Chopper and Behinder web shells to the Korean medical institute’s web server, followed by system reconnaissance. The threat actor deployed BadPotato for privilege escalation and Cpolar for remote access. A CoinMiner infection was introduced through a “1.cab” file containing a batch script, a task scheduler XML file, and a downloader. The attack toolkit also included other malicious tools: the ASPXspy and Caidao web shells, PrintNotifyPotato for privilege escalation, and Lcx and Frpc for port forwarding.
In the subsequent attack on the web server of another Korean medical institution, the threat actor used Certutil to download additional malware, installed privilege escalation tools such as GodPotato and PrintNotifyPotato, and exploited CVE-2021-1732. Network exploration tools including fscan, a remote shell, and Netcat were also deployed. Proxy and multi-functional tools such as EarthWorm and Ladon were used for different stages of the attack.
According to evidence gathered by ASEC, the threat actor behind these attacks is likely a Chinese speaker who employed RingQ to encrypt and execute malware in memory. The attackers managed to create a sophisticated ASPX downloader that disguised XMRig CoinMiner, employing advanced evasion techniques and focusing on cryptocurrency mining.
To prevent such attacks in the future, security analysts recommend various measures, including addressing file upload vulnerabilities, implementing regular password changes, ensuring proper access controls to mitigate lateral movement risks, and keeping antivirus software up to date.
The indicators of compromise (IOCs) and MD5 malware hashes associated with these attacks can help security teams identify and remediate similar threats in their environment. The information on C&C server URLs and download URLs provides additional insight into the infrastructure the attackers used for malicious activities.
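The two defensive points above, checking for file upload abuse and matching files against an IOC hash list, can be turned into a simple hunt. The following script is an added example and is not ASEC's code or the institutions' tooling. It assumes IIS W3C-format logs with the fields named in the `#Fields` header, a list of upload directories that should only ever hold static content (the `UPLOAD_DIRS` paths are assumptions), and an IOC hash set supplied by the defender (the placeholder in `IOC_MD5S` stands in for the MD5 values published in the original report). The log lines in `SAMPLE_LOG` are constructed for the example.

```python
"""Hunt for web shell activity in IIS logs and upload directories.

Added example (not from the ASEC report). Two checks:
  1. Server-side scripts being requested from directories that should only
     serve static uploads (images, documents) - a sign of a file upload
     vulnerability being abused to drop a web shell.
  2. Files on disk in those directories that are scripts, hide ASP markup
     behind an image extension, or match a known-bad MD5 list.
"""
import hashlib
from collections import Counter, namedtuple
from pathlib import Path
from typing import Iterable, Iterator, List, Optional, Set, Tuple

# Extensions IIS will execute as server-side code; a static upload directory
# should never serve any of these with HTTP 200.
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".soap", ".cer")
# Assumption: these URL paths only hold static content on the monitored server.
UPLOAD_DIRS = ("/uploads/", "/images/", "/attach/")
# Placeholder; replace with the MD5 values from the published IOC list.
IOC_MD5S = {"<md5 from the ASEC IOC list>"}

# Constructed sample W3C log (not data from the incident).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-05-01 10:00:01 10.0.0.5 GET /pacs/viewer.aspx study=1 443 203.0.113.7 Mozilla/5.0 200
2024-05-01 10:00:09 10.0.0.5 POST /pacs/upload.aspx - 443 203.0.113.7 python-requests/2.31 200
2024-05-01 10:00:12 10.0.0.5 POST /uploads/report.aspx - 443 203.0.113.7 python-requests/2.31 200
2024-05-01 10:00:13 10.0.0.5 POST /uploads/report.aspx - 443 203.0.113.7 python-requests/2.31 200
2024-05-01 10:01:00 10.0.0.5 GET /uploads/ct_scan.png - 443 198.51.100.3 Mozilla/5.0 200
2024-05-01 10:02:00 10.0.0.5 GET /uploads/old.asp - 443 198.51.100.3 Mozilla/5.0 404
"""

Hit = namedtuple("Hit", "client method uri status")


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def find_script_requests(text: str) -> List[Hit]:
    """Every request for a server-side script under a static-only directory.

    Status 200 means IIS executed the file (a live web shell); any other status
    is still worth keeping as a probe for a shell that may not exist yet.
    """
    hits = []
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"].lower()
        if uri.startswith(UPLOAD_DIRS) and uri.endswith(SCRIPT_EXT):
            hits.append(Hit(rec["c-ip"], rec["cs-method"], uri, rec["sc-status"]))
    return hits


def clients_by_executed_scripts(text: str) -> List[Tuple[str, int]]:
    """Rank client IPs by successful script executions so repeat operators surface first."""
    counts = Counter(h.client for h in find_script_requests(text) if h.status == "200")
    return counts.most_common()


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def classify_file(relpath: str, data: bytes, ioc_md5s: Set[str]) -> Optional[str]:
    """Return why a file in an upload directory is suspicious, or None if it looks benign."""
    name = relpath.lower()
    if md5_hex(data) in ioc_md5s:
        return "matches IOC hash"
    if name.endswith(SCRIPT_EXT):
        return "server-side script in static upload directory"
    # An image that contains ASP/ASPX tags is a shell waiting for a handler
    # misconfiguration or a rename; the extension check above would miss it.
    if b"<%" in data and name.endswith((".jpg", ".jpeg", ".png", ".gif", ".dcm")):
        return "ASP/ASPX markup inside a file with an image extension"
    return None


def scan_upload_dir(root: str, ioc_md5s: Set[str]) -> List[Tuple[str, str]]:
    """Walk an upload directory on disk and report (path, reason) for suspicious files."""
    findings = []
    base = Path(root)
    for path in base.rglob("*"):
        if path.is_file():
            reason = classify_file(path.relative_to(base).as_posix(), path.read_bytes(), ioc_md5s)
            if reason:
                findings.append((path.as_posix(), reason))
    return findings


if __name__ == "__main__":
    for hit in find_script_requests(SAMPLE_LOG):
        print(f"{hit.client} {hit.method} {hit.uri} -> {hit.status}")
    print("top clients:", clients_by_executed_scripts(SAMPLE_LOG))
```

On a real server, feed `find_script_requests` the contents of the files under `%SystemDrive%\inetpub\logs\LogFiles` and point `scan_upload_dir` at the physical upload folder with the published MD5 list in place of the placeholder; the hash check is deliberately first so a known sample is reported as such even when it also trips the extension rule.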
Overall, these attacks on Windows IIS servers underscore the persistent threat posed by hackers to critical systems hosting sensitive data. It is crucial for organizations, especially those in the healthcare sector, to prioritize cybersecurity measures to protect their systems and data from such malicious activities.