Attacks on IIS web servers soar over the last quarter

Attacks targeting IIS servers have shown a massive 782 times increase, from 2,000 to 1.7 million, over the last quarter according to a new report.

The report from threat protection specialist eSentire reveals that most attacks targeting IIS web servers originated from China-based IP addresses.

There's also an eclectic range of operating systems among the attacking infrastructure involved -- over 400 of the attacking IPs had Shodan records indicating they were Windows machines (including XP, 7, 8, 2008, and 2012). Additionally, nearly 350 FTP servers and over 100 mail servers were reported. There were also VPN servers, MikroTik devices (reported as bandwidth-testing servers), Kangle, Squid, Jetty, and a handful of lesser-known web service technologies.

"IIS is a popular web server, with prevalence in the US and China. Organizations using web servers need to make sure they monitor for these vulnerabilities and update or patch as necessary. Oracle WebLogic is another webserver that saw a lot of attacks and we’ve seen Apache attacks reported too," says Kerry Bailey, CEO at eSentire. "Web servers are exposed de facto, which makes them a primary target, and we saw continued attacks against IIS continue in Q3 2018. IIS patches for earlier versions, like 6.0, are available. Otherwise, users should consider updating to more recent versions of the web server."

Among other findings are that the top five most affected industries are, biotechnology, accounting, real estate, marketing, and construction. The most common execution tactic observed around endpoint solutions was the use of PowerShell (32 percent), followed by VBA scripting (21 percent). Of the PowerShell-based attacks observed, 83 percent used obfuscated command lines to hide their intentions.

If you want to find out more, the full report is available from the eSentire website.

Photo Credit: adike/Shutterstock