All news with #iis tag
Fri, October 17, 2025
Microsoft fixes Windows localhost HTTP/2 connection bug
🔧 Microsoft has fixed a known issue that broke HTTP/2 connections to localhost (127.0.0.1) and caused IIS sites to fail after recent Windows security updates. Affected systems included Windows 11 and Windows Server 2025, producing errors like “ERR_CONNECTION_RESET” and “ERR_HTTP2_PROTOCOL_ERROR”. Microsoft recommends checking Windows Update and restarting; it also enabled a Known Issue Rollback (KIR) for most home and non-managed devices, while enterprise admins can deploy a KIR group policy until a permanent update ships.
Mon, October 6, 2025
Chinese Cybercrime Group Runs Global SEO Fraud Ring
🔍 UAT-8099, a Chinese-speaking cybercrime group, has been linked to a global SEO fraud operation that targets Microsoft IIS servers to manipulate search rankings and harvest high-value data. The actor gains access via vulnerable or misconfigured file upload features, deploys web shells, escalates privileges to enable RDP, then uses Cobalt Strike and a modified BadIIS module to serve malicious content when requests mimic Googlebot. Infections have been observed across India, Thailand, Vietnam, Canada, and Brazil, affecting universities, telecoms and technology firms and focusing on mobile users.
Fri, October 3, 2025
New Chinese Group Hijacks IIS Servers for SEO Fraud
🔍 Cisco Talos warns a Chinese-speaking threat group tracked as UAT-8099 is actively compromising misconfigured Microsoft IIS servers to run SEO fraud and harvest high-value data. The actors favor high-reputation domains in universities, technology firms, and telecom providers across India, Thailand, Vietnam, Canada and Brazil to reduce detection. They exploit unrestricted file uploads to install web shells, escalate a guest account to admin, enable RDP and deploy the BadIIS SEO malware, then persist with hidden accounts and VPN/backdoor tools. Talos has published indicators and mitigation guidance, including blocking script execution in upload folders, disabling RDP and enabling MFA.
Fri, October 3, 2025
Chinese Cybercriminals Hijack IIS Servers for SEO Fraud
🔍 A Chinese-speaking cybercrime group tracked as UAT-8099 is hijacking trusted Microsoft IIS servers worldwide to run SEO scams that redirect users to unauthorized adverts and illegal gambling sites. According to Cisco Talos, attackers exploit server vulnerabilities, upload web shells, and conduct reconnaissance before enabling the guest account, escalating privileges and activating RDP. For persistence they deploy SoftEther VPN, EasyTier and the FRP reverse proxy and install the BadIIS malware variants designed to evade detection.
Thu, October 2, 2025
Chinese-speaking Group UAT-8099 Targets IIS Servers
🔐 Cisco Talos recently disclosed activity by a Chinese-speaking cybercrime group tracked as UAT-8099 that compromises legitimate Internet Information Services (IIS) web servers across several countries. The actors use automation, custom malware and persistence techniques to manipulate search results for profit and to exfiltrate sensitive data such as credentials and certificates. Talos notes the group maintains long-term access and actively protects compromised hosts from rival attackers. Organizations should hunt for signs of BadIIS, unauthorized web shells and anomalous RDP/VPN activity and share IOCs promptly.
Thu, October 2, 2025
UAT-8099 Targets High-Value IIS Servers for SEO Fraud
🔍 Cisco Talos details UAT-8099, a Chinese-speaking cybercrime group that compromises reputable IIS servers to conduct SEO fraud and steal high-value credentials, certificates and configuration files. The actors exploit file-upload weaknesses to deploy ASP.NET web shells, enable RDP, create hidden administrative accounts and install VPN/reverse-proxy tools for persistence. They automate operations with custom scripts, deploy Cobalt Strike via DLL sideloading and install multiple BadIIS variants to manipulate search rankings and redirect mobile users to ads or gambling sites. Talos published IoCs, Snort/ClamAV signatures and mitigation guidance.
Wed, October 1, 2025
Chinese APT 'Phantom Taurus' Targets Gov and Telecom
🔎 Researchers at Palo Alto Networks have attributed two years of coordinated espionage to a previously unreported Chinese-aligned threat actor dubbed Phantom Taurus. The group targets government and telecommunications organizations across Africa, the Middle East, and Asia, focusing on foreign ministries, embassies, geopolitical events and military operations to maintain persistent covert access. Its toolkit includes a new IIS web-server backdoor suite called NET-STAR, DNS- and remote-access tools, in-memory implants and a wide mix of dual-use utilities. Operators have shifted from Exchange mailbox harvesting via ProxyLogon and ProxyShell exploits to targeted SQL database searches and WMI-driven data extraction.
Tue, September 23, 2025
BadIIS SEO-Poisoning Campaign Targets Vietnam Servers
🔍 Palo Alto Networks Unit 42 is tracking an SEO poisoning campaign dubbed Operation Rewrite that employs a native IIS implant called BadIIS. The module inspects User-Agent strings, identifies search engine crawlers, and fetches poisoned content from a remote C2 to inject keywords and links so compromised sites artificially rank for targeted queries. Unit 42 observed multiple tooling variants — lightweight ASP.NET handlers, a managed .NET IIS module, and an all-in-one PHP script — and reports a focus on East and Southeast Asia, particularly Vietnam.