Industry Research: IIS Attacks Increase from 2K to 1.7M over Last Quarter According to Threat Report
IIS, Drupal, and Oracle WebLogic web technologies experienced increased attacks in Q2 2018. According to a new threat report from eSentire, Inc., a pure-play Managed Detection and Response (MDR) provider, IIS attacks showed a 782x increase, from 2,000 to 1.7 million, since last quarter.
Analysis of the attacks by eSentire Threat Intelligence revealed that both IIS and WebLogic exploits maintained a consistent number of attacks (about 200) per IP across organizations, with those attacks originating from servers hosting Apache, RDP, SQL, IIS, and HTTP API services.
Most sources targeting IIS web servers originated from China-based IP addresses. According to Shodan, there are 3.5 million IIS web servers exposed (with 1 million in China). The compromised servers largely originated from Tencent and Alibaba.
eSentire also noted an interesting collection of operating systems among the attacking infrastructure involved – over 400 of the attacking IPs had Shodan records indicating they were Windows machines (including XP, 7, 8, 2008, and 2012). Additionally, nearly 350 FTP servers and over 100 mail servers were reported; there were also VPN servers, MikroTik devices (reported as bandwidth-testing servers), Kangle, Squid, Jetty, and a handful of lesser-known web service technologies.
"IIS is a popular web server, with prevalence in the U.S. and China. Organizations using web servers need to make sure they monitor for these vulnerabilities and update or patch as necessary. Oracle WebLogic is another web server that saw a lot of attacks and we've seen Apache attacks reported too," said Kerry Bailey, CEO, eSentire. "Web servers are exposed de facto, which makes them a primary target, and we saw continued attacks against IIS continue in Q3 2018. IIS patches for earlier versions, like 6.0, are available. Otherwise, users should consider updating to more recent versions of the web server."
Additional Q2 2018 report findings:
- Top five most affected industries: biotechnology, accounting, real estate, marketing, and construction.
- The most common execution technique observed by endpoint solutions was the use of PowerShell (32%), followed by VBA scripting (21%). Of the PowerShell-based attacks observed, 83% used obfuscated command lines intended to hide their purpose.
- Emotet was the most frequently observed malware due to numerous version updates and feature additions since it was first reported in 2014.
- The use of obfuscated PowerShell commands increased 50% from last quarter, partly due to contributions by Emotet.
- Four observed exploit campaigns stood out targeting IIS, Drupal, WebLogic servers, and GPON routers. GPON home routers were attacked after the PoC code release (eSentire saw 5K detections total, with volume peaking on May 12). eSentire continues to see home router exploits through Q3.
The eSentire Threat Intelligence team used data gathered from 2,000+ proprietary network and host-based detection sensors distributed globally across multiple industries. Raw data was normalized and aggregated using automated machine-based processing methods. Processed data was reviewed by a visual data analyst applying quantitative analysis methods. Quantitative intelligence analysis results were further processed by a qualitative intelligence analyst resulting in a written analytical product.
About eSentire, Inc.:
eSentire® keeps mid-size organizations safe from constantly evolving cyber attacks that traditional security defenses simply can’t detect. eSentire combines people, process and technology to deliver an unmatched, premium level service that detects, remediates and communicates sophisticated cyber threats in real-time, 24/7.
About MRB PR:
MRB PR is a public relations company.
Published: Monday, October 15, 2018