ThreatList: Microsoft IIS Sees Triple-Digit Spike in Cyberattack Volume

Most of the attacks originated in China.

Internet Information Services (IIS), an extensible web server originally created by Microsoft for use with the Windows NT family, saw a whopping 782x increase in cyberattacks during the second quarter, according to analysis.

According to eSentire’s latest threat report (based on data gathered from 2,000+ proprietary network and host-based detection sensors distributed globally across multiple industries) attacks on IIS increased from just 2,000 to a statistically significant 1.7 million, quarter-over-quarter.

Most of the sources targeting IIS web servers were China-based IP addresses, the report found. According to Shodan, there are 3.5 million IIS web servers exposed around the globe, with 1 million exposed in China alone. The compromised servers were largely hosted by Tencent and Alibaba, according to eSentire.

eSentire also noted an interesting collection of operating systems among the attacking infrastructure involved – over 400 of the attacking IPs had Shodan records indicating they were Windows machines (including XP, 7, 8, 2008 and 2012). Additionally, nearly 350 FTP servers and over 100 mail servers were reported; there were also VPN servers, MikroTik devices (reported as bandwidth-testing servers), Kangle, Squid, Jett, and a handful of lesser-known web-service technologies.

“IIS is a popular web server, with prevalence in the US and China. Organizations using web servers need to make sure they monitor for these vulnerabilities and update or patch as necessary,” said Kerry Bailey, CEO, eSentire. “Oracle WebLogic is another webserver that saw a lot of attacks and we’ve seen Apache attacks reported too.”

Analysis of the attacks by eSentire Threat Intelligence also revealed that both IIS and WebLogic exploits maintained a consistent number of attacks (about 200) per IP across organizations, with those attacks originating from servers hosting Apache, RDP, SQL, IIS and HTTP API services.

Bailey added, “web servers are exposed de facto, which makes them a primary target, and we saw continued attacks against IIS continue in Q3 2018. IIS patches for earlier versions, like 6.0, are available. Otherwise, users should consider updating to more recent versions of the web server.”

Other Findings

The report also found that the top five most-attacked industries in the quarter were biotechnology, accounting, real estate, marketing and construction.

Also, the most common execution technique observed at endpoints was the use of PowerShell (32 percent), followed by VBA scripting (21 percent). Of the PowerShell-based attacks observed, 83 percent used obfuscated command lines intended to hide their intentions.

The use of obfuscated PowerShell commands increased 50 percent from last quarter, partly due to contributions by the Emotet malware. In fact, Emotet was the most frequently observed malware due to numerous version updates and feature additions since it was first reported in 2014, the report noted.
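The report's figure on obfuscated PowerShell command lines is the kind of signal a monitoring team would want to turn into a check. The following is an added example written for this article, not code from eSentire or the report: a small Python scorer that runs over constructed process-creation log lines (hypothetical hosts, timestamps and commands) and flags the obfuscation markers most often seen in such command lines, such as an encoded command argument, a hidden window, and string-concatenation tricks. It also decodes a base64/UTF-16LE encoded command so the analyst can see the underlying text. The weights and threshold are assumptions for illustration, not values from the report.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed base64 blob (UTF-16LE, the encoding -EncodedCommand expects),
# built here so the sample log below stays self-consistent.
_ENCODED_SAMPLE = base64.b64encode(
    "IEX (New-Object Net.WebClient)".encode("utf-16le")
).decode()

# Constructed process-creation log lines; hypothetical hosts and timestamps,
# not data from the report. Field layout: timestamp|host|command line
SAMPLE_LOG = [
    "2018-07-02T09:14:03Z|ws-017|powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    f"2018-07-02T09:15:41Z|ws-022|powershell.exe -nop -w hidden -enc {_ENCODED_SAMPLE}",
    "2018-07-02T09:16:12Z|ws-005|powershell.exe -c \"& ('Ne'+'w-Ob'+'ject') ('Net.'+'WebClient')\"",
    "2018-07-02T09:17:30Z|ws-009|powershell.exe -Command Get-Service -Name Spooler",
]

# Markers of command-line obfuscation. ENCODED_RE accepts any prefix of
# -EncodedCommand (PowerShell resolves unique prefixes such as -e / -enc).
ENCODED_RE = re.compile(r"(?i)\s-e[a-z]{0,13}\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
CONCAT_RE = re.compile(r"""['"]\s*\+\s*['"]""")
BACKTICK_RE = re.compile(r"`[A-Za-z]")
CHAR_CAST_RE = re.compile(r"(?i)\[char\]")
SUSPICIOUS_DECODED = ("iex", "invoke-expression", "downloadstring", "frombase64string")


@dataclass
class Finding:
    host: str
    score: int
    indicators: List[str] = field(default_factory=list)
    decoded: str = ""


def decode_encoded_command(blob: str) -> str:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE text); '' if invalid."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_command_line(cmd: str) -> Tuple[int, List[str], str]:
    """Return (score, indicators, decoded payload) for one PowerShell command line."""
    score, indicators, decoded = 0, [], ""
    m = ENCODED_RE.search(cmd)
    if m:
        score += 2
        indicators.append("encoded-command")
        decoded = decode_encoded_command(m.group(1))
        if any(k in decoded.lower() for k in SUSPICIOUS_DECODED):
            score += 2
            indicators.append("suspicious-decoded-content")
    if HIDDEN_RE.search(cmd):
        score += 1
        indicators.append("hidden-window")
    if len(CONCAT_RE.findall(cmd)) >= 2:
        score += 2
        indicators.append("string-concatenation")
    if len(BACKTICK_RE.findall(cmd)) >= 3:
        score += 1
        indicators.append("backtick-escapes")
    if CHAR_CAST_RE.search(cmd):
        score += 1
        indicators.append("char-casting")
    return score, indicators, decoded


def scan_log(lines, threshold: int = 2) -> List[Finding]:
    """Flag log lines whose PowerShell command line scores at or above threshold."""
    findings = []
    for line in lines:
        _ts, host, cmd = line.split("|", 2)
        if "powershell" not in cmd.lower():
            continue
        score, indicators, decoded = score_command_line(cmd)
        if score >= threshold:
            findings.append(Finding(host, score, indicators, decoded))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.host}: score={f.score} indicators={f.indicators} decoded={f.decoded!r}")
```

On the constructed sample, the benign scripted backup (ws-017) and the plain service query (ws-009) score zero, while the encoded command with a hidden window and the concatenated-string command are flagged. A heuristic like this is a triage aid rather than a verdict: `-ExecutionPolicy Bypass` and `-NoProfile` are deliberately left unweighted because administrative tooling uses them routinely, and the decoded payload is returned so a reviewer can judge it rather than trusting the score alone.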

On the phishing front, it turns out that businesses are 2.5 times more likely to fall victim to a phishing attack Tuesday to Thursday; and, for every 33 employees, you can expect one phishing attack per quarter.

And finally, the report showed that the most common way to cloak malware in social-engineering emails is to disguise it as an “invoice.”
