Statistics Report on Malware Targeting Windows Web Servers in Q4 2023
Overview
AhnLab SEcurity intelligence Center (ASEC) uses the AhnLab Smart Defense (ASD) infrastructure to respond to and categorize attacks against poorly managed Windows web servers. This report covers the current state of damage to Windows web servers that have become targets of attacks, based on the logs collected in Q4 2023, and presents statistics on the attacks launched against those servers. The malware used in each attack is also categorized, with a summary of the statistical details.
Statistics
1. Status of Attacks Against Windows Web Servers
The following are statistics on attacks against Windows web servers identified through the ASD logs in the fourth quarter of 2023.

Figure 1. Attacks against Windows web servers in Q4 2023
The “Damage status” indicates the number of systems that have fallen victim to malware or attacks by threat actors. These are systems where a history of malware installation has been confirmed after the attacker gained control over the Windows web server. The Windows web server discussed here refers to Internet Information Services (IIS) web servers and Apache Tomcat web servers installed on Windows environments. Attacks targeting web servers primarily involve vulnerabilities in environments lacking security patches, attacks on improperly configured environments, or attacks on servers that are poorly managed.
Threat actors targeting web servers typically upload a web shell by exploiting a file upload vulnerability, which allows them to execute commands on the server. Beyond this, threat actors can also upload web shells by exploiting vulnerabilities in the web development framework itself or in the Web Application Server (WAS). Threat actors may likewise execute commands directly by exploiting remote code execution vulnerabilities instead of relying on the file upload method.
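The web shell upload pattern described above leaves a recognizable trace in the web server's own access logs: requests for server-side script files (.aspx, .jsp and so on) sitting under directories that should only ever hold uploaded data. The following Python script, added here as an illustration and not part of the ASEC report or ASD telemetry, parses IIS W3C extended log lines and flags such requests. The log lines, the upload directory names and the list of script extensions are all constructed assumptions to be adapted per server; the script also covers two evasions a defender should expect, percent-encoded file names and the `;` path-segment trick (`shell.asp;.jpg`), and it keeps 404 responses because failed probes are still worth seeing.

```python
"""Flag requests to script files under upload directories in IIS W3C logs.

Added example, not code from the ASEC report. The sample log, the upload
directories and the script extensions below are constructed assumptions.
"""
from urllib.parse import unquote

# Assumption: directories that should only ever hold user-uploaded data files.
UPLOAD_DIRS = ("/uploads/", "/upload/", "/files/", "/attachments/")
# Assumption: server-side script extensions that must never execute from those directories.
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx", ".jsp", ".jspx", ".php")

# Constructed IIS W3C extended log excerpt (11 fields per record).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-11-02 03:14:07 10.0.0.5 GET /index.aspx - 80 - 203.0.113.7 Mozilla/5.0 200
2023-11-02 03:14:09 10.0.0.5 POST /uploads/image.jpg - 80 - 203.0.113.7 Mozilla/5.0 200
2023-11-02 03:15:31 10.0.0.5 POST /uploads/img.jpg.aspx - 80 - 198.51.100.9 python-requests/2.31 200
2023-11-02 03:16:02 10.0.0.5 GET /UPLOAD/shell.asp;.jpg - 80 - 198.51.100.9 curl/8.4.0 200
2023-11-02 03:16:40 10.0.0.5 GET /files/%73hell.aspx - 80 - 198.51.100.9 curl/8.4.0 404
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, parts))


def is_script_in_upload_dir(uri_stem):
    """True if the decoded, lower-cased URI names a script file under an upload directory.

    Percent-decoding catches names like %73hell.aspx; splitting the last path
    segment on ';' catches the IIS path-segment trick (shell.asp;.jpg).
    """
    path = unquote(uri_stem).lower()
    if not any(d in path for d in UPLOAD_DIRS):
        return False
    last_segment = path.rsplit("/", 1)[-1]
    return any(piece.endswith(SCRIPT_EXTS) for piece in last_segment.split(";"))


def find_webshell_candidates(text):
    """Return (client_ip, method, uri_stem, status) for every suspicious request.

    Status is not filtered: a 404 still records an attacker probing for a shell.
    """
    hits = []
    for rec in parse_w3c(text):
        if is_script_in_upload_dir(rec["cs-uri-stem"]):
            hits.append((rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for hit in find_webshell_candidates(SAMPLE_LOG):
        print(hit)
```

Run against the constructed excerpt, the script reports three requests from 198.51.100.9 and ignores the ordinary image upload and the request for the site's own index page. The same check is better enforced preventively: an upload directory with script execution disabled in IIS or Tomcat turns a successful upload into an inert file, and the log heuristic then serves only to spot the attempt.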
The “Attack status” shows the number of attacks that malware or threat actors launched against the systems in question. For reference, these vulnerable Windows web servers are generally targeted by multiple threat actors and malware strains at the same time, so logs related to several different malware families are often detected simultaneously on a single server.