A sophisticated cyberespionage campaign, tracked as CL-STA-0048, has been identified targeting government and telecommunications networks in South Asia.
The attackers exploited vulnerabilities in public-facing servers running Microsoft IIS, Apache Tomcat, and MSSQL to gain unauthorized access and exfiltrate sensitive data.
The campaign is attributed to a Chinese-linked advanced persistent threat (APT) group.
The attackers systematically targeted three critical services, starting with Microsoft IIS servers, where they attempted to deploy web shells through vulnerabilities.
However, security measures like Cortex XDR’s anti-webshell modules blocked these attempts.
After failing with IIS, they shifted focus to Apache Tomcat servers, using a ColdFusion web shell, but were again unsuccessful. Finally, they targeted an unpatched MSSQL server, successfully compromising it and executing PowerShell scripts for reconnaissance and data exfiltration.
Security experts at Palo Alto Networks’ Unit42 noted that the attackers employed advanced tactics to evade detection. Among them, certutil was used to decode staged data into executable binaries. One of the most notable techniques was exfiltration over DNS using the ping command: the attackers formatted command outputs as subdomain strings and sent DNS requests to carry the data out stealthily. Additionally, SQL scripts were deployed to extract sensitive information from databases.
Example of Malicious SQL Script:
SELECT * FROM INFORMATION_SCHEMA.COLUMNS
WHERE COLUMN_NAME LIKE '%phone%' OR COLUMN_NAME LIKE '%mobile%' OR COLUMN_NAME LIKE '%TEL%';
This script searched for columns containing phone-related data across databases.
To escalate privileges, tools like SspiUacBypass and the “Potato Suite” (BadPotato) were used to bypass User Account Control (UAC). For persistence, legitimate binaries were abused through DLL sideloading techniques.
Example of Hex Staging Command:
certutil -decode hex_payload.txt malware.exe
Note that certutil’s -decode switch handles Base64 input while -decodehex handles hex-encoded files, so detection rules for staged payloads should cover both switches.
Organizations are urged to patch known vulnerabilities in IIS, Apache Tomcat, and MSSQL servers while implementing robust intrusion detection systems (IDS) and endpoint protection.
Monitoring DNS traffic for anomalous requests and regularly auditing server configurations and access logs further strengthen security against potential threats.
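The DNS monitoring recommended above can be put into practice against the ping-based channel described earlier, where command output is carried in subdomain labels. The following is an added example, not code from the report or from Unit42; it runs over a constructed resolver log (assumed format: timestamp, client IP, query name) and flags client/domain pairs that issue several queries whose lower labels look like hex or high-entropy data. The example-c2.test domain and the threshold values are assumptions for illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (timestamp, client IP, query name); not from the report.
# The hex labels below are ASCII command output encoded the way a ping-based channel might do.
SAMPLE_DNS_LOG = """\
2025-01-15T10:02:01Z 10.0.5.12 www.example.com
2025-01-15T10:02:03Z 10.0.5.12 4d6963726f736f66742057696e646f7773.lookup.example-c2.test
2025-01-15T10:02:04Z 10.0.5.12 2056657273696f6e2031302e302e3139.lookup.example-c2.test
2025-01-15T10:02:05Z 10.0.5.12 30343520486f7374204e616d653a2044.lookup.example-c2.test
2025-01-15T10:02:06Z 10.0.5.12 432d5352562d3031204f53204e616d65.lookup.example-c2.test
2025-01-15T10:02:09Z 10.0.5.12 cdn.static.example.com
2025-01-15T10:02:11Z 10.0.5.33 mail.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores high, ordinary hostnames score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s.lower()).values()) if n else 0.0

def parent_domain(qname: str) -> str:
    """Crude registrable-domain approximation: the last two labels (no public-suffix lookup)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def is_suspicious_label(label: str) -> bool:
    """A label that is long and either pure hex or high-entropy looks like carried data."""
    return len(label) >= 16 and (HEX_LABEL.match(label) is not None or shannon_entropy(label) > 3.5)

def find_dns_exfil(log_text: str, min_unique: int = 3) -> dict:
    """Return {(client, parent_domain): unique suspicious subdomains} for pairs at or above min_unique."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname = m.groups()
        labels = qname.rstrip(".").split(".")
        # Only the labels below the parent domain can carry attacker-chosen data.
        if any(is_suspicious_label(lbl) for lbl in labels[:-2]):
            seen[(client, parent_domain(qname))].add(qname)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_unique}

if __name__ == "__main__":
    for (client, domain), n in find_dns_exfil(SAMPLE_DNS_LOG).items():
        print(f"ALERT {client} -> {domain}: {n} unique encoded subdomains")
```

In production the two-label parent-domain heuristic should be replaced by a public-suffix lookup, and the unique-subdomain count should be taken over a time window rather than the whole log.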