Windows servers besieged by suspected Chinese hackers
At least 65 Windows servers worldwide, particularly in Brazil, Thailand, and Vietnam, have been compromised by the newly discovered Chinese-linked GhostRedirector threat cluster in attacks involving the Rungan backdoor and the Gamshen Internet Information Services module, reports The Hacker News. The intrusions, which have primarily targeted organizations in the healthcare, education, technology, insurance, transportation, and retail industries, commenced with the abuse of a potential SQL injection bug and subsequent PowerShell usage to launch Rungan, which could execute commands, and Gamshen, which facilitates search engine optimization fraud, according to an analysis from ESET. GhostRedirector, whose source code has hard-coded Chinese strings and a code-signing certificate issued to a Chinese firm, also deployed other tools enabling remote connections, privileged user creation, website data gathering, and web shell injections. "GhostRedirector also demonstrates persistence and operational resilience by deploying multiple remote access tools on the compromised server, on top of creating rogue user accounts, all to maintain long-term access to the compromised infrastructure," said ESET researchers.
