Threat Intelligence

Global IIS server breach facilitates SEO fraud

Glowing red padlocks symbolizing cybersecurity and digital data protection.

Telecommunications providers, technology firms, universities, and other organizations in Canada, Brazil, India, Thailand, and Vietnam had their Internet Information Services servers targeted by the Chinese-speaking cybercrime operation UAT-8099 to launch an SEO fraud campaign mostly aimed at mobile users, according to Infosecurity Magazine.

Both Android and iOS users have been subjected to the attacks, which commence with web shell injections in vulnerable IIS servers to facilitate system data gathering and network reconnaissance, a Cisco Talos report revealed.

Information collection efforts are followed by the activation of the guest account, the escalation of its privileges, and subsequent remote desktop protocol mobilization, with persistence enabled by RDP access and the EasyTier, SoftEther VPN, and FRP reverse proxy tools.

Additional findings revealed multiple novel BadIIS malware variants, which better bypass antivirus systems through an updated code structure and functional workflow, compared with earlier BadIIS iterations.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds