Attackers Targeted Outdated Microsoft IIS Web Servers in ‘OpUSA’ Campaign

A significant portion of the servers compromised in the OpUSA hacktivist campaign earlier this year were Microsoft IIS Web servers running outdated software, according to a new report from Solutionary, the managed security services firm recently acquired by NTT.

About 73 percent of the sites compromised during OpUSA were hosted on Microsoft IIS Web servers, and 17 percent of the platforms were running IIS version 5.0 or 5.1, Solutionary’s Security Engineering Research Team (SERT) found in its Quarterly Threat Report (PDF) released Tuesday. By contrast, of the Apache servers compromised, 49 percent were running version 2.2.24, a release only a few months old at the time.

Considering that IIS 7.5 had been current for years, and IIS 8.0 had already shipped with Windows Server 2012, the fact that so many systems were still running versions more than a decade old (IIS 5.0 dates to Windows 2000, IIS 5.1 to Windows XP) was disconcerting. Microsoft no longer supports versions 5.0 and 5.1.

The “oversight left clear and obvious holes” for attackers to exploit, SERT said.

Attackers behind the OpUSA campaign against various financial sector targets in May combined distributed denial-of-service attacks with other techniques, such as SQL injection and cross-site scripting. Another configuration common among the compromised hosts was Apache 2.2.21 through 2.2.24 on Unix systems with OpenSSL 0.9.8e through 1.0.0 installed, with the mod_auth_passthrough 2.1, mod_bwlimited 1.4 and FrontPage 5.0.2.263 extensions enabled.
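As an added illustration (not from the report or from SecurityWeek), the following Python script parses HTTP Server header banners and flags the profiles the report associates with compromised hosts: IIS 5.x, Apache 2.2.21 through 2.2.24, OpenSSL 0.9.8e through 1.0.0, and the mod_auth_passthrough/mod_bwlimited module pair. The banner strings are constructed, not captured, and the "cPanel-style" label on that module pairing is the editor's own inference, not something the report states.

```python
import re
from dataclasses import dataclass, field

# Constructed Server header values (not captured from real hosts), modelled on
# the configurations the report describes.
SAMPLE_HEADERS = [
    "Microsoft-IIS/5.0",
    "Microsoft-IIS/7.5",
    "Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 "
    "mod_auth_passthrough/2.1 mod_bwlimited/1.4",
    "Apache/2.4.6 (Unix) OpenSSL/1.0.1e",
    "nginx",
]

VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z])?")


def parse_version(text):
    """'2.2.24' -> (2, 2, 24); '0.9.8e' -> (0, 9, 8, 5) (letter a=1 .. z=26); '' -> ()."""
    m = VERSION_RE.match(text)
    if not m:
        return ()
    parts = tuple(int(p) for p in m.group(1).split("."))
    if m.group(2):
        parts += (ord(m.group(2)) - ord("a") + 1,)
    return parts


def fmt(v):
    """Inverse of parse_version for display: (0, 9, 8, 5) -> '0.9.8e'."""
    text = ".".join(str(p) for p in v[:3])
    return text + (chr(ord("a") + v[3] - 1) if len(v) > 3 else "")


@dataclass
class Fingerprint:
    product: str
    version: tuple
    modules: dict = field(default_factory=dict)


def parse_server_header(value):
    """Split 'Product/ver (comment) mod/ver ...' into product, version and a module map."""
    tokens = value.split()
    product, _, ver = (tokens[0] if tokens else "").partition("/")
    modules = {}
    for tok in tokens[1:]:
        if "/" in tok and not tok.startswith("("):
            name, _, mver = tok.partition("/")
            modules[name] = parse_version(mver)
    return Fingerprint(product, parse_version(ver), modules)


def assess(value):
    """Return the findings, derived from the report's observations, that apply to one banner."""
    fp = parse_server_header(value)
    findings = []
    if fp.product == "Microsoft-IIS":
        if not fp.version:
            findings.append("IIS version not disclosed")
        elif fp.version[0] == 5:  # IIS 5.0 / 5.1: the unsupported versions the report calls out
            findings.append(f"IIS {fmt(fp.version)} is end-of-life")
    elif fp.product == "Apache":
        if (2, 2, 21) <= fp.version <= (2, 2, 24):
            findings.append(f"Apache {fmt(fp.version)} is in the 2.2.21-2.2.24 range seen on compromised hosts")
        ssl = fp.modules.get("OpenSSL", ())
        if ssl and (0, 9, 8, 5) <= ssl and ssl[:3] <= (1, 0, 0):
            findings.append(f"OpenSSL {fmt(ssl)} is in the 0.9.8e-1.0.0 range seen on compromised hosts")
        if {"mod_auth_passthrough", "mod_bwlimited"} <= set(fp.modules):
            # Editor's inference: this module pairing is characteristic of cPanel Apache builds.
            findings.append("mod_auth_passthrough + mod_bwlimited disclosed (cPanel-style build, editor's inference)")
    return findings


if __name__ == "__main__":
    for banner in SAMPLE_HEADERS:
        print(f"{banner!r}: {assess(banner) or ['no findings']}")
```

Banner-based inventory is only a first pass: the Server header can be suppressed, rewritten or simply wrong, and a then-current Apache 2.2.24 was compromised just as readily as IIS 5.x, so the banner tells you where to look, not whether a host was breached. Confirm versions from the host itself and pair the check with the web-application fixes (SQL injection, cross-site scripting) the report also points to.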

The United States topped the list of countries with affected servers, at 32 percent.

The report also noted a “significant increase” in malicious Domain Name System (DNS) requests and denial of service (DoS) activity worldwide. The US and China were the top two countries of origin, with 57 percent of attacks coming from the US and 30 percent from China, SERT said. France and Russia were also called out, at 8 percent and 2 percent, respectively.

Almost all of the domestic sources of malicious DNS activity were private or commercial hosting providers, according to the report. The systems appeared to be performing reconnaissance in search of open DNS servers, specifically servers that respond recursively to queries from anyone. About 94 percent of the requests were of type ANY, a query type that returns every record held for a name and so produces an unusually large response, SERT found.


Resolvers identified in this way can later be used in DNS amplification attacks: the attacker sends them small queries with the victim’s address spoofed as the source, and the much larger responses are delivered to the victim. “By sending domain specific queries, the attacker can cause DNS to become part of, or amplify the effect of, a wider DDoS attack on a particular target,” the report said.
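To make the reconnaissance pattern described in the two paragraphs above concrete, here is an added example (not from the report) that runs over constructed BIND 9-style query log lines: it counts ANY queries per source and flags any source outside an assumed internal range that sends recursion-desired queries for names the server is not authoritative for. The log lines, the 192.0.2.0/24 “internal” range and the example.com authoritative zone are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log lines in the shape of BIND 9's querylog channel; the addresses
# come from the RFC 5737 documentation ranges and none of this is a real capture.
SAMPLE_LOG = """\
17-Jun-2013 10:00:01.001 client 198.51.100.7#53122 (example.com): query: example.com IN A - (192.0.2.53)
17-Jun-2013 10:00:01.102 client 203.0.113.9#4444 (example.net): query: example.net IN ANY +E (192.0.2.53)
17-Jun-2013 10:00:01.120 client 203.0.113.9#4444 (example.org): query: example.org IN ANY +E (192.0.2.53)
17-Jun-2013 10:00:01.140 client 203.0.113.9#4444 (example.com): query: example.com IN ANY +E (192.0.2.53)
17-Jun-2013 10:00:01.200 client 192.0.2.25#50001 (www.example.org): query: www.example.org IN A + (192.0.2.53)
17-Jun-2013 10:00:01.300 client 203.0.113.9#4444 (www.example.org): query: www.example.org IN ANY + (192.0.2.53)
17-Jun-2013 10:00:02.000 client 198.51.100.7#53122 (www.example.com): query: www.example.com IN AAAA - (192.0.2.53)
"""

# Assumed deployment facts for the example: who may recurse through this server,
# and which zones it is authoritative for.
ALLOWED_RECURSION = [ipaddress.ip_network("192.0.2.0/24")]
AUTH_ZONES = ("example.com",)

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_line(line):
    """Return ip, qname, qtype, flags and rd (recursion desired) for one log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    q = m.groupdict()
    q["rd"] = q["flags"].startswith("+")  # BIND logs '+' for RD set, '-' for RD clear
    return q


def is_authoritative(qname, zones):
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)


def analyze(log_text, allowed=ALLOWED_RECURSION, zones=AUTH_ZONES, any_share=0.9):
    """Per-source counts plus the sources that look like open-resolver reconnaissance."""
    stats = defaultdict(lambda: {"total": 0, "any": 0, "recursion_probes": 0})
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        src = ipaddress.ip_address(q["ip"])
        s = stats[str(src)]
        s["total"] += 1
        if q["qtype"] == "ANY":
            s["any"] += 1
        internal = any(src in net for net in allowed)
        # An outside client asking us to recurse for a name we do not serve is
        # testing whether we are an open resolver.
        if q["rd"] and not internal and not is_authoritative(q["qname"], zones):
            s["recursion_probes"] += 1
    suspects = sorted(
        ip for ip, s in stats.items()
        if s["recursion_probes"] > 0
        or (s["total"] >= 2 and s["any"] / s["total"] >= any_share)
    )
    return {"sources": dict(stats), "suspects": suspects}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, s in result["sources"].items():
        print(f"{ip:>15}  total={s['total']}  ANY={s['any']}  recursion_probes={s['recursion_probes']}")
    print("suspects:", result["suspects"])
```

On a BIND authoritative server the matching hardening is `recursion no;` (or `allow-recursion { localnets; };` on a resolver that must also serve internal clients), and, where external ANY queries still have to be answered, response rate limiting (`rate-limit { responses-per-second 5; };`, available from BIND 9.9.4) so that the server cannot be driven as an amplifier at volume.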

SERT predicted an increase in DDoS attacks “in the near future” that would use the information that had been harvested as part of these reconnaissance activities.

While information about the National Security Agency’s PRISM project dominated headlines during the second quarter of 2013, Solutionary said there had been no impact on any of its client operations.

“Headline-driven security concerns can often take the focus off of fixes that can improve defensive postures,” Rob Kraus, SERT’s director of research, said in a statement.

“Observations by SERT over the past several months have led us to conclude that hacktivist attacks are on the rise,” Kraus said. The report provides security and risk professionals with specific defense and mitigation activities that can be applied to their respective environments to defend against DNS amplification attacks, system compromises, and domain defacements.

“Security and risk professionals reading this report will find that there are several simple steps that can be taken to better defend against the identified attacks,” Kraus said.
