Full Report
Overview AhnLab SEcurity intelligence Center (ASEC) is responding to and categorizing attacks targeting poorly managed Windows web servers using its AhnLab Smart Defense (ASD) infrastructure. This post covers the damage status of Windows web servers that have become attack targets and the statistics of attacks launched against these servers, based on the logs […]
Analysis Summary
# Incident Report: Q2 2025 Windows Web Server Compromises via Vulnerability Exploitation
## Executive Summary
During the second quarter of 2025, ASEC observed widespread attacks targeting poorly managed Windows web servers (IIS and Apache Tomcat). Threat actors primarily exploited unpatched vulnerabilities or configuration weaknesses to gain initial access, often via file upload vulnerabilities, leading to the deployment of web shells and subsequent malware installation. The impact involved system compromise, with multiple threat actors often targeting the same vulnerable servers.
## Incident Details
- **Discovery Date:** Q2 2025 (Based on ASD log analysis for the quarter)
- **Incident Date:** Q2 2025
- **Affected Organization:** Multiple unmanaged Windows web server instances globally (Type of organization not specified, focusing on infrastructure vulnerability)
- **Sector:** General Web Services/IT Infrastructure
- **Geography:** Global (Inferred from broad attack logs)
## Timeline of Events
### Initial Access
- **Date/Time:** Q2 2025 (Ongoing throughout the quarter)
- **Vector:** Exploitation of software vulnerabilities (e.g., file upload bugs, Web Application Server (WAS) flaws) and poor server configuration.
- **Details:** Attackers aimed to upload web shells to execute remote commands. Direct Remote Code Execution (RCE) vulnerabilities were also utilized.
### Lateral Movement
- **Details:** Not explicitly detailed in the provided text, but compromised systems often had malware installed, suggesting post-exploitation activities followed successful access.
### Data Exfiltration/Impact
- **Details:** The goal was system compromise, resulting in the installation of malware and the actor gaining control over the Windows web server. Specific data exfiltration details were not provided, but system takeover is the primary documented impact.
### Detection & Response
- **How it was discovered:** Identified and analyzed through logs collected via the AhnLab Smart Defense (ASD) infrastructure.
- **Response actions taken:** ASEC analyzed and categorized the damage and malware strains observed across the Q2 timeframe. (Specific remediation for individual victims is not detailed).
## Attack Methodology
- **Initial Access:** Exploiting file upload vulnerabilities, RCE vulnerabilities in web frameworks/WAS, or targeting unpatched/poorly configured servers.
- **Persistence:** Installation of malware following initial shell execution (implied).
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Not explicitly detailed.
- **Credential Access:** Not explicitly detailed.
- **Discovery:** Not explicitly detailed, though common for attackers post-shell placement.
- **Lateral Movement:** Not explicitly detailed.
- **Collection:** Not explicitly detailed.
- **Exfiltration:** Not explicitly detailed.
- **Impact:** Installation of malware and gaining overall control of the Windows web server.
## Impact Assessment
- **Financial:** Not estimated, but implied costs associated with remediation and downtime for affected organizations.
- **Data Breach:** System compromise involving web shells and various malware strains. Scope and volume of data are unquantified.
- **Operational:** Direct operational control lost on compromised Windows web servers (IIS/Apache Tomcat).
- **Reputational:** No reputational impact is detailed; the source focuses on technical analysis.
## Indicators of Compromise
- **Network indicators (Defanged):**
  - IP: `108[.]61[.]247[.]121`
  - IP: `66[.]42[.]113[.]183`
  - IP: `45[.]76[.]219[.]39`
  - IP: `139[.]180[.]142[.]127`
  - FQDN: `linuxwork[.]net`
- **File indicators (MD5 Hashes):**
  - `06ebef1f7cc6fb21f8266f8c9f9ae2d9`
  - `3f6211234c0889142414f7b579d43c38`
  - `460953e5f7d1e490207d37f95c4f430a`
  - `4c8ccdc6f1838489ed2ebeb4978220cb`
  - `5c835258fc39104f198bca243e730d57`
- **Behavioral indicators:** Execution of downloaded scripts (`Invoke-WMIExec[.]ps1`) and binaries (`mc[.]exe`).
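The following is an added example, not code from ASEC or the original post, showing how a defender can turn the defanged indicators above into a small sweep: it refangs the IPs, domain and file names, matches them against egress and process-creation records, and checks a file's MD5 against the listed hashes. The log and event formats, the sample lines, and the IIS/Tomcat worker-process names (`w3wp.exe`, `tomcat9.exe`, `java.exe`) are assumptions for illustration; only the indicators themselves come from the report.

```python
import hashlib

# Indicators copied from the report above, kept in their defanged form.
DEFANGED_IPS = ["108[.]61[.]247[.]121", "66[.]42[.]113[.]183",
                "45[.]76[.]219[.]39", "139[.]180[.]142[.]127"]
DEFANGED_DOMAINS = ["linuxwork[.]net"]
DEFANGED_FILES = ["Invoke-WMIExec[.]ps1", "mc[.]exe"]
KNOWN_MD5 = {
    "06ebef1f7cc6fb21f8266f8c9f9ae2d9", "3f6211234c0889142414f7b579d43c38",
    "460953e5f7d1e490207d37f95c4f430a", "4c8ccdc6f1838489ed2ebeb4978220cb",
    "5c835258fc39104f198bca243e730d57",
}

# Assumed (not from the report): worker-process names for IIS and Tomcat,
# and the command interpreters a web shell typically hands commands to.
WEB_WORKERS = {"w3wp.exe", "tomcat9.exe", "java.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its live form for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


NETWORK_IOCS = {refang(i).lower() for i in DEFANGED_IPS + DEFANGED_DOMAINS}
FILE_IOCS = {refang(f).lower() for f in DEFANGED_FILES}


def scan_egress_log(lines):
    """Match egress log lines against the network IoCs.

    Assumed (constructed) line format: '<timestamp> <src_ip> <dst_host> <bytes>'.
    Returns a list of (line_number, matched_indicator).
    """
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, skip rather than crash the sweep
        dst = fields[2].lower()
        if dst in NETWORK_IOCS:
            hits.append((n, dst))
    return hits


def scan_process_events(events):
    """Flag process-creation events that look like web shell command execution.

    Each event is a dict with 'parent', 'image' and 'cmdline' (constructed
    format). A hit is either a web worker spawning a command interpreter, or
    any process whose command line references a file IoC from the report.
    """
    hits = []
    for ev in events:
        parent = ev.get("parent", "").lower()
        image = ev.get("image", "").lower()
        cmdline = ev.get("cmdline", "").lower()
        if parent in WEB_WORKERS and image in INTERPRETERS:
            hits.append(("worker-spawned-shell", ev))
        elif any(ioc in cmdline for ioc in FILE_IOCS):
            hits.append(("file-ioc-in-cmdline", ev))
    return hits


def md5_is_known(data: bytes) -> bool:
    """Return True if the MD5 of data is one of the report's file hashes."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5


# Constructed sample data for demonstration; these are not real logs.
SAMPLE_EGRESS = [
    "2025-06-01T10:00:00Z 10.0.0.5 update.example.com 512",
    "2025-06-01T10:00:03Z 10.0.0.5 linuxwork.net 20480",
    "2025-06-01T10:00:09Z 10.0.0.5 45.76.219.39 4096",
]
SAMPLE_EVENTS = [
    {"parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\temp\\Invoke-WMIExec.ps1"},
    {"parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for hit in scan_egress_log(SAMPLE_EGRESS):
        print("egress IoC:", hit)
    for hit in scan_process_events(SAMPLE_EVENTS):
        print("process:", hit)
```

Matching on the exact destination host and on substrings of the command line is deliberately simple; in production the same indicator sets would be loaded into the SIEM or EDR rather than re-implemented, but the refang-then-match shape is the same.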
## Response Actions
- **Containment measures:** (Not explicitly provided, generally involves isolating the compromised web server).
- **Eradication steps:** (Not explicitly provided, would involve removing web shells and identified malware).
- **Recovery actions:** (Not explicitly provided; would involve patching the exploited vulnerabilities and restoring clean configurations).
## Lessons Learned
- **Key takeaways:** Poorly managed server environments, especially those running vulnerable web server software (IIS, Tomcat) without timely patching, remain prime targets for threat actors seeking remote code execution.
- **What could have been done better:** Organizations must adopt proactive vulnerability management and hardening procedures for public-facing web servers.
## Recommendations
- **Prevention measures for similar incidents:**
  1. Immediately patch all Internet Information Services (IIS) and Apache Tomcat installations.
  2. Conduct thorough security configuration reviews, focusing on file upload mechanisms to prevent arbitrary file placement.
  3. Implement strong Web Application Firewalls (WAFs) to detect and block common exploitation attempts, including RCE payloads.
  4. Proactively monitor network egress and system process activity for signs of web shell execution or external command execution.