IIS, Drupal, and Oracle WebLogic web technologies experienced increased attacks in Q2 2018. According to a new threat report from eSentire, Inc., the largest pure-play Managed Detection and Response (MDR) provider, IIS attacks showed a 782x increase, from 2,000 to 1.7 million, since last quarter.
Analysis of the attacks by eSentire Threat Intelligence revealed that both IIS and WebLogic exploits maintained a consistent number of attacks (about 200) per IP across organizations, with those attacks originating from servers hosting Apache, RDP, SQL, IIS, and HTTP API services.
Most sources targeting IIS web servers originated from China-based IP addresses. According to Shodan, there are 3.5 million IIS web servers exposed (with 1 million in China). The compromised servers largely originated from Tencent and Alibaba.
eSentire also noted an interesting collection of operating systems among the attacking infrastructure involved – over 400 of the attacking IPs had Shodan records indicating they were Windows machines (including XP, 7, 8, 2008, and 2012). Additionally, nearly 350 FTP servers and over 100 mail servers were reported; there were also VPN servers, MikroTik devices (reported as bandwidth-testing servers), Kangle, Squid, Jetty, and a handful of lesser-known web service technologies.
Additional Q2 2018 report findings:
- Top five most affected industries: biotechnology, accounting, real estate, marketing, and construction.
- The most common execution technique observed around endpoint solutions was the use of PowerShell (32%), followed by VBA scripting (21%). Of the PowerShell-based attacks observed, 83% used obfuscated command lines intended to hide their purpose.
- Emotet was the most frequently observed malware due to numerous version updates and feature additions since it was first reported in 2014.
- The use of obfuscated PowerShell commands increased 50% from last quarter, partly due to contributions by Emotet.
- Four observed exploit campaigns stood out, targeting IIS, Drupal, and WebLogic servers as well as GPON routers. GPON home routers were attacked after the PoC code release (eSentire saw 5K detections in total, with volume peaking on May 12). eSentire continues to see home router exploits through Q3.
Report Methodology
The eSentire Threat Intelligence team used data gathered from 2,000+ proprietary network and host-based detection sensors distributed globally across multiple industries. Raw data was normalized and aggregated using automated machine-based processing methods. Processed data was reviewed by a visual data analyst applying quantitative analysis methods. Quantitative intelligence analysis results were further processed by a qualitative intelligence analyst resulting in a written analytical product.
eSentire’s 2018 Q2 Threat Report provides a quarterly snapshot, analyzing all cyber threat events investigated by the eSentire Security Operations Center (SOC), while addressing three key areas: threat types, threat volume, and attack types. Each topic is divided into multiple sections, including visual data analysis, written analysis, practical recommendations, and key assumptions.
To access a complete copy of the report, visit: https://www.esentire.com/resources/knowledge/q2-2018-quarterly-threat-report.
OVH Introduces Dedicated Intensive Data Processing Servers
Posted in Commentary with tags OVH on October 10, 2018 by itnerd

OVH today announced its new high-end dedicated servers: the HG 2019 series. Designed to meet the intensive data processing requirements of today’s IT pros focused on big data, high performance computing (HPC), artificial intelligence (AI), deep learning, and virtual desktop infrastructures (VDI), the HG 2019 servers are intended to exceed the expectations of organizations in search of excellence in terms of reliability, manageability and security, while maximizing performance and reducing costs.
Combining best-in-class components and passing rigorous tests has allowed OVH to ensure the best performance at the best price. With 19 years of experience in designing and optimizing servers, the company is able to standardize and offer at large scale servers equipped with advanced components such as the Intel Xeon Gold 6154 processor, customizable GPUs such as the Nvidia P100 for parallel processing and the M60 for desktop virtualization, Optane SSDs, and up to 1.5 TB of RAM.
For maximum reliability, the HG 2019 dedicated servers are built with a redundant architecture at multiple levels, such as electrical circuits, cooling, network connections and power supply. Disks are also hot-swappable, allowing replacement without downtime and thus high availability for mission-critical applications.
This new range of servers takes advantage of OVH’s private network (vRack), which allows direct physical connections between all OVH infrastructures anywhere in the world. With 3 Gbps bandwidth, the vRack private network is ideal for load balancing and database isolation, all while ensuring the security of machine-to-machine communications within an infrastructure.
The HG 2019 portfolio will also include the exclusive advantages OVH has come to be known for by its customers: 24/7 support, protection against DDoS attacks included at no extra cost, and the private worldwide optical fibre network of the European cloud leader (15 Tbps throughput). Fully customizable, the servers are already available in OVH data centres located in Roubaix and Gravelines (France) as well as Beauharnois, Quebec (Canada), so that OVH users can be as close as possible to their customers. Servers will soon be deployed in OVH data centres located in Germany, the UK and Poland.