Hackers Exploit Public-facing Vulnerable IIS, Apache, SQL Servers to Attack Gov & Telcom Networks

A sophisticated cyberespionage campaign, tracked as CL-STA-0048, has been identified targeting government and telecommunications networks in South Asia.

The attackers exploited vulnerabilities in public-facing servers running Microsoft IIS, Apache Tomcat, and MSSQL to gain unauthorized access and exfiltrate sensitive data.

The campaign is attributed to a Chinese-linked advanced persistent threat (APT) group.


The attackers systematically targeted three critical services, starting with Microsoft IIS servers, where they attempted to exploit vulnerabilities in order to deploy web shells.

However, security measures like Cortex XDR’s anti-webshell modules blocked these attempts.

After failing with IIS, they shifted focus to Apache Tomcat servers, using a ColdFusion web shell, but were again unsuccessful. Finally, they targeted an unpatched MSSQL server, successfully compromising it and executing PowerShell scripts for reconnaissance and data exfiltration.

Security experts at Palo Alto Networks’ Unit42 noted that the attackers employed advanced tactics to evade detection:-

  • Hex Staging: Payloads were delivered in chunks as hex-encoded data, bypassing traditional detection systems. Once assembled, tools like certutil decoded the data into executable binaries.
  • PowerShell Reverse Shells: These were used for lateral movement and command execution.
  • Cobalt Strike Beacons: A widely used penetration testing tool repurposed for malicious activity.
  • ColdFusion Web Shells: Deployed on Apache servers to maintain persistence.

Execution flow of Cobalt Strike (Source – Palo Alto Networks)

Exfiltration Methods

One of the most notable techniques was exfiltration over DNS using the ping command. The attackers encoded command output into subdomain strings and issued ping requests for those names, so the data left the network inside ordinary-looking DNS lookups. Additionally, SQL scripts were deployed to extract sensitive information from databases.

Process tree of the data exfiltration (Source – Palo Alto Networks)
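The DNS-over-ping exfiltration described above leaves a recognisable trace in resolver logs: many lookups from one host whose leftmost label is long encoded data under the same parent domain. The following detector is an added example (not code from the article or from Unit42) that flags such lookups; the log format, the sample lines and the assumption that the leftmost label is hex or otherwise high-entropy are constructed for the demonstration, and the exfil-test.invalid domain is a placeholder.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log, one query per line: "<timestamp> <client> <qname>".
# The three long hex labels are constructed exfil chunks, not real indicators.
SAMPLE_DNS_LOG = """\
2025-01-10T10:00:01 10.0.0.5 www.example.com
2025-01-10T10:00:02 10.0.0.5 4f7574707574206f66206e6574.t1.exfil-test.invalid
2025-01-10T10:00:03 10.0.0.5 737461742e6578652d7265.t2.exfil-test.invalid
2025-01-10T10:00:04 10.0.0.5 636f6d6d616e64206f7574.t3.exfil-test.invalid
2025-01-10T10:00:05 10.0.0.5 mail.example.com
2025-01-10T10:00:06 10.0.0.7 cdn.static-assets.example.net
"""

# A label made only of hex digits and at least 16 characters long.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores higher than words."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_qname(qname, min_label_len=16, min_entropy=3.0):
    """True if the leftmost label looks like encoded data (long hex run or high entropy)."""
    leftmost = qname.lower().rstrip(".").split(".")[0]
    if len(leftmost) < min_label_len:
        return False
    return bool(HEX_LABEL.match(leftmost)) or shannon_entropy(leftmost) >= min_entropy


def parent_domain(qname, levels=2):
    """Registrable-domain approximation: last two labels of the query name."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-levels:])


def find_dns_exfil(log_text, min_hits=3):
    """Group suspicious queries by (client, parent domain); return groups seen >= min_hits times."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname = fields
        if is_suspicious_qname(qname):
            hits[(client, parent_domain(qname))].append(qname)
    return {key: names for key, names in hits.items() if len(names) >= min_hits}
```

Run against real resolver or Sysmon DNS event exports, tune min_label_len and min_hits per environment, and review the flagged parent domains rather than alerting on single queries, since CDN and telemetry names can also carry long labels.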

Example of Malicious SQL Script:-

SELECT * FROM INFORMATION_SCHEMA.COLUMNS 
WHERE COLUMN_NAME LIKE '%phone%' OR COLUMN_NAME LIKE '%mobile%' OR COLUMN_NAME LIKE '%TEL%';

This script searched for columns containing phone-related data across databases.

To escalate privileges, tools like SspiUacBypass and the “Potato Suite” (BadPotato) were used to bypass User Account Control (UAC). For persistence, legitimate signed binaries were abused through DLL sideloading techniques.

Example of Hex Staging Command:-

certutil -decodehex hex_payload.txt malware.exe

Activity timeline (Source – Palo Alto Networks)

Organizations are urged to patch known vulnerabilities in IIS, Apache Tomcat, and MSSQL servers while implementing robust intrusion detection systems (IDS) and endpoint protection.

Monitoring DNS traffic for anomalous requests and regularly auditing server configurations and access logs further strengthen security against potential threats.

Indicators of Compromise (IoCs)

  • Domains: mail.tttseo[.]com, h5.nasa6[.]com
  • IP Addresses: 154.201.68[.]57, 43.247.135[.]106
  • Tools: Cobalt Strike, PlugX malware


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.