IIS, Drupal, and Oracle WebLogic web technologies experienced increased attacks in Q2 2018. According to a new threat report from eSentire, Inc., the largest pure-play Managed Detection and Response (MDR) provider, IIS attacks showed a 782x increase, from 2,000 to 1.7 million, since last quarter.
Analysis of the attacks by eSentire Threat Intelligence revealed that both IIS and WebLogic exploits maintained a consistent number of attacks (about 200) per IP across organizations, with those attacks originating from servers hosting Apache, RDP, SQL, IIS, and HTTP API services.
Most sources targeting IIS web servers originated from China-based IP addresses. According to Shodan, there are 3.5 million IIS web servers exposed (with 1 million in China). The compromised servers largely originated from Tencent and Alibaba.
eSentire also noted an interesting collection of operating systems among the attacking infrastructure involved ? over 400 of the attacking IPs had Shodan records indicating they were Windows machines (including XP, 7, 8, 2008, and 2012). Additionally, nearly 350 FTP servers and over 100 mail servers were reported; there were also VPN servers, MikroTik devices (reported as bandwidth-testing servers), Kangle, Squid, Jetty, and a handful of lesser-known web service technologies.
?IIS is a popular web server, with prevalence in the U.S. and China. Organizations using web servers need to make sure they monitor for these vulnerabilities and update or patch as necessary.
Source: esentire.com