September 12, 2024 By Emeka Victor
Hackers are launching a wave of attacks on Windows servers, compromising vulnerable websites and using them to steal credentials, deploy malware, and more. A newly uncovered hacking group is taking advantage of weaknesses in web application services to gain control of these servers, as revealed by a report from Cisco Talos, a cybersecurity research group. Their latest target? Websites using popular services like phpMyAdmin and WordPress.
Compromising Vulnerable Servers
The hackers, who have been under observation by Cisco Talos for some time, begin by identifying vulnerable web services. Once they find an opening, they deploy a web shell (a malicious script that grants them access to the server). With this access, they can collect system information, deploy additional malware such as PlugX and BadIIS, or run infostealers like Mimikatz and GodPotato.
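The web-shell stage described above leaves two kinds of traces a defender can look for: repeated POST requests to a server-side script sitting in a directory that should only hold static content (an uploads or temp folder of WordPress or phpMyAdmin), and source code that passes decoded request input straight to an evaluation or command-execution function. The following Python script is an added example, not code from the Cisco Talos report or from this article; the log lines, file paths and file contents it scans are constructed fixtures, and the directory list and signature regexes are the author's assumptions rather than an official indicator set.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined"-style format; not real traffic.
SAMPLE_LOG = """
203.0.113.5 - - [12/Sep/2024:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234
203.0.113.5 - - [12/Sep/2024:10:01:09 +0000] "POST /wp-content/uploads/2024/09/cache.php HTTP/1.1" 200 88
203.0.113.5 - - [12/Sep/2024:10:01:15 +0000] "POST /wp-content/uploads/2024/09/cache.php HTTP/1.1" 200 4410
198.51.100.7 - - [12/Sep/2024:10:02:00 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5000
198.51.100.7 - - [12/Sep/2024:10:02:30 +0000] "POST /phpmyadmin/tmp/x.php HTTP/1.1" 200 120
192.0.2.9 - - [12/Sep/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 9000
"""

# Constructed file contents standing in for files found in the web root.
SAMPLE_FILES = {
    "wp-content/uploads/2024/09/cache.php": "<?php @eval(base64_decode($_POST['k'])); ?>",
    "wp-includes/functions.php": "<?php function wp_hash($data) { return md5($data); } ?>",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumed list of directories that should never serve server-side scripts.
STATIC_ONLY_DIRS = ("/wp-content/uploads/", "/phpmyadmin/tmp/")
SCRIPT_EXT = (".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp")

# Assumed source-level signatures: decoded input fed to eval, request data fed
# to a command-execution function, and the legacy preg_replace /e modifier.
SHELL_PATTERNS = {
    "eval_of_decoded_input": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "request_to_exec": re.compile(
        r"\b(system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    "preg_replace_e_modifier": re.compile(
        r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I),
}


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def suspicious_posts(entries):
    """Count POSTs to script files under static-only directories, keyed by (ip, path)."""
    hits = Counter()
    for e in entries:
        path = e["path"].split("?", 1)[0]
        lowered = path.lower()
        if (e["method"] == "POST"
                and lowered.endswith(SCRIPT_EXT)
                and any(lowered.startswith(d) for d in STATIC_ONLY_DIRS)):
            hits[(e["ip"], path)] += 1
    return dict(hits)


def scan_php_source(source):
    """Return the sorted names of every web-shell signature that matches the source."""
    return sorted(name for name, rx in SHELL_PATTERNS.items() if rx.search(source))


if __name__ == "__main__":
    for (ip, path), n in suspicious_posts(parse_log(SAMPLE_LOG)).items():
        print(f"{n} POST(s) from {ip} to script in static-only dir: {path}")
    for name, src in SAMPLE_FILES.items():
        matched = scan_php_source(src)
        if matched:
            print(f"{name}: {', '.join(matched)}")
```

Both checks are heuristics: a plugin that legitimately writes PHP into an uploads folder would trip the log rule, and a shell that reaches its payload through an include or a renamed function would evade the source rule, so a hit should trigger a file-integrity comparison against a known-good copy rather than be treated as proof on its own.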
One of the key tactics employed by this group is SEO poisoning. They manipulate search engine algorithms to push compromised websites higher up in the rankings, increasing traffic to these infected pages. This strategy boosts the chances of unsuspecting users visiting the sites, thereby increasing the number of victims.