Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Attackers Targeted Outdated Microsoft IIS Web Servers in ‘OpUSA’ Campaign

A significant portion of servers targeted as part of the OpUSA hacktivist campaign earlier this year hit Microsoft IIS Web Servers running outdated software, according to a new report from Solutionary, the managed security services firm recently acquired by NTT.

A significant portion of servers targeted as part of the OpUSA hacktivist campaign earlier this year hit Microsoft IIS Web Servers running outdated software, according to a new report from Solutionary, the managed security services firm recently acquired by NTT.

About 73 percent of sites compromised during OpUSA were hosted on Microsoft IIS Web servers and 17 percent of the platforms were running IIS versions 5.0 or 5.1, Solutionary’s Security Engineering Research Team found in its Quarterly Threat Report (PDF) released Tuesday. In comparison, of the Apache servers compromised, 49 percent were running version 2.2.24, which is only a few months old.

Considering that the latest version of IIS is 7.5, the fact that so many systems were still running 10-year old versions was disconcerting. Microsoft no longer supports versions 5.0 and 5.1.

The “oversight left clear and obvious holes” for attackers to exploit, SERT said.

Attackers behind the OpUSA campaign against various financial sector targets in May combined distributed denial-of-service attacks with other techniques, such as SQL injection and cross-site scripting. Another common configuration was Apache 2.2.21 to Apache 2.2.24 on Unix systems with OpenSSL 0.9.8e to OpenSSL 1.0.0 installed, and had mod_auth_passthrough 2.1, mod_bwlimited 1.4, and FrontPAge extensions enabled.

The United States topped the list of countries with affected servers, at 32 percent.

The report also noted a “significant increase” in malicious Domain Name System (DNS) requests and denial of service (DoS) activity worldwide. However, the US and China and the US were the top two countries of origin, with 57 percent of attacks coming from the US and 30 percent from China, SERT said. France and Russia were also called out, at 8 percent and 2 percent, respectively.

Almost all of the domestic sources of malicious DNS activity were private or commercial hosting providers, according to the report. The systems appeared to be performing reconnaissance in search of open DNS servers, specifically servers that are recursively responding to all queries. About 94 percent of the requests had a “Any” flag set, SERT found in the report.

The information gathered in this manner could be used in DNS Amplification Attacks to launch DoS attacks against a specific target, the researchers found. “By sending domain specific queries, the attacker can cause DNS to become part of, or amplify the effect of, a wider DDoS attack on a particular target,” the report said.

SERT predicted an increase in DDoS attacks “in the near future” that would use the information that had been harvested as part of these reconnaissance activities.

While information about the National Security Agency’s PRISM project dominated headlines during the second quarter of 2013, Solutionary said there has been no impact on any of its client operations.

“Headline-driven security concerns can often take the focus off of fixes that can improve defensive postures,” Rob Kraus, SERT’s director of research, said in a statement.

“Observations by SERT over the past several months have led us to conclude that hacktivist attacks are on the rise,” Kraus said. The report provides security and risk professionals with specific defense and mitigation activities that can be applied to their respective environment to defend against DNS amplification attacks, system compromises, and domain defacements.

“Security and risk professionals reading this report will find that there are several simple steps that can be taken to better defend against the identified attacks,” Kraus said.

Written By

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...