Hackers are launching a wave of attacks on Windows servers, compromising vulnerable websites and using them to steal credentials, deploy malware, and more. A newly uncovered hacking group is taking advantage of weaknesses in web application services to gain control of these servers, as revealed by a report from Cisco Talos, a cybersecurity research group. Their latest target? Websites using popular services like phpMyAdmin and WordPress.
Compromising Vulnerable Servers
The hackers, who have been under observation by Cisco Talos for some time, begin by identifying vulnerable web services. Once they find an opening, they deploy a web shell (a malicious script that lets them run commands on the server through HTTP requests). With this access, they collect system information, deploy additional malware such as PlugX and BadIIS, and run tooling such as Mimikatz (credential dumping) and GodPotato (local privilege escalation).
One of the key tactics employed by this group is SEO poisoning. They manipulate search engine algorithms to push compromised websites higher up in the rankings, increasing traffic to these infected pages. This strategy boosts the chances of unsuspecting users visiting the sites, thereby increasing the number of victims.
DragonRank Targets Various Sectors
The group’s activities, dubbed “DragonRank” by researchers, have predominantly targeted organizations in Asia, although some victims have been identified in Europe. The countries affected so far include Thailand, India, Korea, Belgium, the Netherlands, and China. Victims span a wide array of industries, from jewelry and media to healthcare, manufacturing, and even niche sectors like feng shui.
According to the report from Cisco Talos, DragonRank doesn't seem to discriminate in its targeting. The goal appears to be the compromise of as many organizations as possible, regardless of industry. So far, more than 35 IIS (Internet Information Services) servers have been compromised, and these servers were found to be infected with BadIIS malware, a dangerous backdoor that has been active since 2020. The malware is particularly hard to detect because it runs inside the web server itself rather than as a separate process.
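Because BadIIS-style implants register themselves as native IIS modules, one check an IIS administrator can run is to enumerate every global module and flag any whose DLL is missing, unsigned, or not signed by Microsoft. The script below is an added example for this article, not code from Cisco Talos or from the report; it assumes only the built-in WebAdministration module and must be run in an elevated PowerShell session on the IIS host. The `Suspect` column is a heuristic, not a verdict.

```powershell
# Added example (not from the Talos report): enumerate native IIS global modules
# and flag any that are not backed by a validly Microsoft-signed DLL.
# Assumes an elevated session on the IIS server with the WebAdministration module.
Import-Module WebAdministration

function Get-SuspectIisModule {
    foreach ($m in Get-WebGlobalModule) {
        # Image paths are stored with environment variables, e.g. %windir%\System32\inetsrv\cachuri.dll
        $path = [Environment]::ExpandEnvironmentVariables($m.Image)
        $sig  = $null
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        }

        $signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $status  = if ($sig) { [string]$sig.Status } else { 'FileMissing' }
        # A legitimate Microsoft module has a Valid signature from a Microsoft certificate.
        $suspect = -not ($status -eq 'Valid' -and $signer -like '*Microsoft*')

        [PSCustomObject]@{
            Module  = $m.Name
            Image   = $path
            Status  = $status
            Signer  = $signer
            Suspect = $suspect
        }
    }
}

# Suspect modules first; review each Image path and its signer before removing anything.
Get-SuspectIisModule | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Treat a `Suspect = True` row as a lead, not proof: third-party modules (URL rewriters, monitoring agents) are legitimately non-Microsoft, while a malicious module can also be loaded per site via a `web.config` rather than globally, so also review `Get-WebConfiguration -Filter 'system.webServer/modules/add' -PSPath 'IIS:\Sites\*'` on hosts of interest.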
The DragonRank Group
Researchers suspect that the group behind DragonRank is of Chinese origin, given their use of commercial websites, a business model, and instant messaging accounts. With such an infrastructure in place, the group appears to be well-organized and intent on compromising as many servers as it can. TechRadar, reporting on the Talos findings, warned organizations to be vigilant in protecting their web servers. The malware deployed in these attacks is highly advanced, with BadIIS specifically designed to bypass security measures and grant unauthorized access to compromised servers. As the DragonRank campaign continues to evolve, organizations must remain vigilant to avoid becoming the next victim of this indiscriminate cyber-attack.