Hackers spread TVRAT malware through compromised Windows IIS servers

Brother

Hackers install malware through fake "certificate expired" notifications.



Attackers break into Windows Internet Information Services (IIS) servers and inject certificate-expiration pages prompting visitors to install software that is actually a malware installer. The malicious program silently installs and starts the TeamViewer remote control program; once launched, that TeamViewer instance connects to the attackers' command-and-control (C&C) server, giving them a remote session on the victim's machine.

"A potential security threat has been detected and the transition to [site name] has not been extended. Updating the security certificate may allow this connection to be established. NET::ERR_CERT_OUT_OF_DATE," reads the notification on the injected pages.

As noted by cybersecurity researchers at Malwarebytes Threat Intelligence, the fake update installer, signed with a DigiCert certificate, installs the TVRAT malware (also known as TVSPY, TeamSpy, TeamViewerENT or TeamViewer RAT) on the victim's computer. The malware gives its operators full remote access to infected hosts.
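The lure described above has two parts that a legitimate page would not combine: a browser-style certificate error (Chrome's real NET::ERR_CERT_OUT_OF_DATE code) and a link to an executable that supposedly "updates" the certificate. The following scanner, an added example and not code from Malwarebytes or from the original post, walks an IIS content tree and flags pages that show both; the file-extension list, the regexes and the sample HTML pages are constructed assumptions for the example, modelled on the notification quoted above, not strings taken from the real campaign.

```python
"""Hunt for injected fake 'certificate expired' lure pages in IIS web content.

Added example; not code from the original post or from Malwarebytes.
Heuristic: a page that (a) shows certificate-error wording and (b) links to
an executable download is treated as a lure. Either signal alone is common on
legitimate sites, so both are required.
"""
import os
import re
from html.parser import HTMLParser

# Certificate-error wording the lure reuses (patterns are an assumption).
LURE_TEXT = re.compile(
    r"ERR_CERT_(?:OUT_OF_DATE|DATE_INVALID|AUTHORITY_INVALID)"
    r"|updat\w*\s+(?:the\s+)?security\s+certificate",
    re.IGNORECASE,
)
# Download targets a browser would never need in order to fix a TLS error.
EXEC_LINK = re.compile(r"\.(?:exe|msi|scr|bat|hta|zip)(?:[?#].*)?$", re.IGNORECASE)
# Server-side and static page types to inspect under an IIS web root (assumed list).
PAGE_EXTS = (".html", ".htm", ".aspx", ".asp", ".ashx", ".php")


class _Collector(HTMLParser):
    """Collects visible text and every URL-bearing attribute of a page."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        for name, value in attrs:
            # 'content' covers <meta http-equiv="refresh" content="0;url=...exe">
            if name in ("href", "src", "action", "data", "content") and value:
                self.links.append(value.strip())

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def scan_page(html):
    """Return a dict of indicators if the page looks like the lure, else {}."""
    p = _Collector()
    p.feed(html)
    lure = LURE_TEXT.findall(" ".join(p.text))
    execs = [link for link in p.links if EXEC_LINK.search(link)]
    if lure and execs:
        return {"lure_text": lure, "exec_links": execs}
    return {}


def scan_tree(root):
    """Scan every page under an IIS web root; returns {path: indicators}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PAGE_EXTS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    found = scan_page(fh.read())
                if found:
                    hits[path] = found
    return hits


# Constructed sample pages for an offline run (not real captured content).
SAMPLES = {
    "lure": (
        "<html><body><h1>Your connection is not private</h1>"
        "<p>A potential security threat has been detected. Updating the security "
        "certificate may allow this connection to be established.</p>"
        "<p>NET::ERR_CERT_OUT_OF_DATE</p>"
        '<a href="/update/Certificate_Update.exe">Update certificate</a>'
        "</body></html>"
    ),
    "help_page": (
        "<html><body><p>If you see NET::ERR_CERT_DATE_INVALID, check the server "
        'clock.</p><a href="/docs/tls.pdf">TLS guide</a></body></html>'
    ),
    "download_page": (
        '<html><body><a href="/files/setup.exe">Download the agent</a></body></html>'
    ),
}


def demo():
    """Run the heuristic over the constructed samples; returns {name: indicators}."""
    return {name: r for name, html in SAMPLES.items() if (r := scan_page(html))}


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, found)
```

In a real hunt, point `scan_tree` at the site's physical path (for example `C:\inetpub\wwwroot`) and at any virtual-directory roots; also diff the hit list against the site's source control, since the injected page is by definition not part of the deployed application.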

According to experts, attackers can use various methods to compromise Windows IIS servers. For example, proof-of-concept (PoC) exploit code for a critical wormable vulnerability (CVE-2021-31166) in the HTTP Protocol Stack (HTTP.sys) used by the Windows IIS web server was published this May. Microsoft has fixed the issue and said it affects only Windows 10 versions 2004 and 20H2 and Windows Server versions 2004 and 20H2.

The Praying Mantis APT group (also known as TG1021) has exploited a remote code execution vulnerability in Checkbox Survey (CVE-2021-27852), insecure deserialization flaws in ASP.NET VIEWSTATE and in alternate serialization, and vulnerabilities in Telerik UI (CVE-2019-18935 and CVE-2017-11317).

More than two million web servers exposed on the Internet have been found running outdated, no longer supported versions of IIS. Microsoft IIS is the third most popular web server in the world, powering over 50 million Internet sites with a market share of over 12%.