IIS Servers Hacked for SEO Fraud and Credential Theft

A cybercrime group is compromising high-value Internet Information Services (IIS) servers across multiple regions to conduct search engine optimization (SEO) fraud and steal sensitive data. The attackers exploit weak file upload settings to install web shells, escalate privileges, and establish persistent access using RDP and various VPN tools. Their primary goal is to deploy custom "BadIIS" malware, which manipulates search results and redirects users to malicious sites like gambling platforms. In addition to SEO manipulation, the group actively steals credentials, configuration files, and certificates from compromised organizations. For deeper persistence, the campaign also utilizes heavily obfuscated Cobalt Strike beacons deployed via DLL sideloading.

Latest mentioned: 10-03

Earliest mentioned: 09-30

Sources

talosintelligence.com securityonline.info fortinet.com thedfirreport.com talosintelligence.com

Also Read

Critical DrayTek Router Flaw Allows Remote Attacks

A critical vulnerability has been discovered in numerous DrayTek routers running DrayOS, allowing for potential remote code execution. The flaw can be exploited by an unauthenticated attacker sending a specially crafted request to the device's web interface. Successful exploitation can cause memory corruption, leading to a system crash or allowing an attacker to run arbitrary code. While routers with remote access disabled are protected from external threats, attackers on the local network can still exploit the vulnerability. The manufacturer has released firmware updates to patch the issue and strongly advises all users to upgrade their devices immediately.

10-03Read more →