CyberSecurity news

FlagThis - #iis

@www.bleepingcomputer.com //
Attackers are actively exploiting a deserialization vulnerability, identified as CVE-2025-0994, in Trimble’s Cityworks Server AMS. This flaw allows for remote code execution on Microsoft IIS web servers. The exploitation involves hackers deploying Cobalt Strike beacons for initial network access after gaining the ability to remotely execute commands. Cityworks is primarily used by local governments, utilities, and public works organizations for asset and work order management.

CISA has added the Cityworks vulnerability to its Known Exploited Vulnerabilities catalog, urging organizations to apply necessary updates and search for indicators of compromise. Furthermore, Microsoft has warned of code injection attacks using publicly disclosed ASP.NET machine keys, which can lead to the delivery of the Godzilla post-exploitation framework. Organizations are advised not to copy keys from publicly available resources, as this poses a higher risk than stolen keys because they are available in multiple code repositories.

References:
  • : CISA puts out a standalone security alert about Trimble Cityworks Server Asset Management System (AMS).
  • securityaffairs.com: U.S. CISA adds Trimble Cityworks flaw to its Known Exploited Vulnerabilities catalog
  • securityonline.info: CVE-2025-0994: Critical Vulnerability in Trimble Cityworks Exploited in the Wild
  • Anonymous: Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
  • www.bleepingcomputer.com: Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
  • BleepingComputer: Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
  • bsky.app: Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
  • Anonymous: Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
  • therecord.media: Hackers exploiting bug in popular Trimble Cityworks tool used by local gov’ts
Classification:
  • HashTags: #RCE #Cityworks #IISServer
  • Company: Microsoft, Trimble
  • Target: Trimble Cityworks, Microsoft IIS Servers
  • Product: Cityworks, IIS
  • Feature: Remote Code Execution
  • Malware: Godzilla
  • Type: Vulnerability
  • Severity: Critical
info@thehackernews.com (The Hacker News) //
A recent surge in cyberattacks has revealed that Microsoft Internet Information Services (IIS) servers are being targeted to deploy the BadIIS malware. This malware is designed for search engine optimization (SEO) fraud and malicious content injection. The campaign has been attributed to a Chinese-speaking group known as DragonRank, and it has been observed primarily in Asia, including India, Thailand, and Vietnam, with potential impact in other regions. Over 35 IIS servers across various industries, including government, universities, technology, telecommunications, and e-commerce sectors, have been compromised.

The BadIIS malware exploits vulnerabilities in unpatched IIS servers, allowing attackers to manipulate HTTP responses. It operates in two primary modes. In SEO fraud mode, it intercepts HTTP headers to identify traffic from search engines and redirects users to fraudulent gambling sites. In injector mode, it embeds obfuscated JavaScript into HTTP responses, redirecting users to attacker-controlled domains hosting malware or phishing schemes. Trend Micro's analysis has linked the malware to Chinese-speaking threat actors through domain names and code patterns written in simplified Chinese, and the actors also employ batch scripts for automated installation of malicious IIS modules.

References:
  • gbhackers.com: GBHackers article on cybercriminals targeting IIS servers with BadIIS malware.
  • The Hacker News: The Hacker News article details DragonRank's exploitation of IIS servers using BadIIS malware.
  • Cyber Security News: Hackers Exploiting IIS Servers to Deploy BadIIS Malware on Servers
  • gbhackers.com: Cybercriminals Target IIS Servers to Spread BadIIS Malware
  • Know Your Adversary: 041. BadIIS: Hunting and Detection
  • ciso2ciso.com: Report describing BadIIS malware and its functionalities.
  • ciso2ciso.com: Threat actors have been observed targeting Internet Information Services (IIS) servers in Asia as part of a search engine optimization (SEO) manipulation campaign designed to install BadIIS malware.
  • www.trendmicro.com: TrendMicro published a report on a Chinese-speaking threat actor using BadIIS malware.
  • : InfoSec reports on DragonRank exploiting IIS servers for SEO fraud and gambling redirects.
  • Virus Bulletin: Trend Micro's Ted Lee & Lenart Bermejo analyse an SEO manipulation campaign targeting countries in Asia including India, Thailand & Vietnam. Threat actors exploit vulnerable IIS servers to install the BadIIS malware on the compromised servers.
Classification:
  • HashTags: #IISservers #BadIIS #DragonRank
  • Company: Microsoft
  • Target: IIS Servers
  • Attacker: DragonRank
  • Product: IIS
  • Feature: SEO rankings
  • Malware: BadIIS
  • Type: Malware
  • Severity: Major
@www.the420.in //
A large-scale malware campaign has compromised over 35,000 websites by injecting malicious JavaScript. The injected scripts redirect users to Chinese-language gambling platforms, specifically under the "Kaiyun" brand. This attack utilizes obfuscated JavaScript payloads to hijack user browsers, replacing legitimate website content with full-page redirects.

This malicious campaign operates by embedding a one-line `<script>` tag into the source code of affected websites. These scripts then reference domains like zuizhongjs[.]com and other similar URLs. Once loaded, these scripts dynamically inject further payloads, manipulating browser behavior and creating a full-screen overlay that redirects users to unlicensed gambling platforms in Mandarin, targeting users in regions where Mandarin is predominantly spoken. The attackers employ techniques such as string concatenation and Unicode escapes to conceal their activities and evade detection by automated security systems.

References:
  • Cyber Security News: cyberpress.org on 35,000 Websites Compromised with Malicious Scripts Redirecting Users to Chinese Websites
  • gbhackers.com: Over 35,000 Websites Hacked to Inject Malicious Scripts Redirecting Users to Chinese Websites
  • Talkback Resources: talkback.sh on Over 35,000 Websites Targeted in Full-Page Hijack Linking to a Chinese-Language Gambling Scam
  • Sucuri Blog: Sucuri article detailing WordPress spam
Classification:
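Both the BadIIS injector mode and the 35,000-site campaign above come down to the same observable: a `<script>` element in a served page that the site owner never put there. The following Python is an added defender-side example (not code from Trend Micro, Sucuri or any report cited on this page) that scans an HTML response body for such scripts. It flags an external script whose host is the campaign domain named above or is not on the site's own allow-list, and an inline script that combines the obfuscation tricks the summaries mention (`\uXXXX` escapes, string concatenation) with a redirect sink. The allow-list host `cdn.example.org` and the sample page are constructed; the only real indicator used is `zuizhongjs[.]com`, refanged for matching.

```python
"""Heuristic scan of an HTML body for injected <script> elements."""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

# Domain named in the campaign summary above (given there defanged as zuizhongjs[.]com).
KNOWN_BAD_HOSTS = {"zuizhongjs.com"}
# Constructed allow-list: hosts this site legitimately loads scripts from (assumption).
ALLOWED_HOSTS = {"cdn.example.org"}

UNICODE_ESCAPE = re.compile(r"\\u[0-9a-fA-F]{4}")      # \u0068-style escapes
STRING_CONCAT = re.compile(r"""["']\s*\+\s*["']""")     # "ab" + "cd" chaining
REDIRECT_SINK = re.compile(r"location(?:\.href)?\s*=|location\.replace\(|document\.write\(")


@dataclass
class Finding:
    line: int                  # line of the <script> tag in the HTML body
    src: Optional[str]         # external src, or None for an inline script
    reasons: List[str] = field(default_factory=list)


class ScriptCollector(HTMLParser):
    """Collect every <script> as (line number, src attribute, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = [self.getpos()[0], dict(attrs).get("src"), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[2] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(tuple(self._current))
            self._current = None


def assess_script(line, src, body, allowed_hosts=ALLOWED_HOSTS):
    """Return a Finding for one script, or None if nothing looks injected."""
    hard, soft = [], []
    if src:
        host = (urlparse(src).hostname or "").lower()
        if host in KNOWN_BAD_HOSTS:
            hard.append(f"src host {host} is a known campaign domain")
        elif host and host not in allowed_hosts:
            hard.append(f"src host {host} is not on the allow-list")
    escapes = len(UNICODE_ESCAPE.findall(body))
    if escapes >= 8:
        soft.append(f"{escapes} \\uXXXX escapes in inline script")
    concats = len(STRING_CONCAT.findall(body))
    if concats >= 3:
        soft.append(f"{concats} string concatenations in inline script")
    if REDIRECT_SINK.search(body):
        soft.append("inline script assigns a navigation or document.write sink")
    # One hard indicator is enough; soft indicators must corroborate each other,
    # otherwise ordinary analytics or redirect snippets would be flagged.
    if hard or len(soft) >= 2:
        return Finding(line, src, hard + soft)
    return None


def scan_html(body, allowed_hosts=ALLOWED_HOSTS):
    """Scan a full HTML body and return the list of suspicious scripts."""
    collector = ScriptCollector()
    collector.feed(body)
    collector.close()
    findings = []
    for line, src, text in collector.scripts:
        finding = assess_script(line, src, text, allowed_hosts)
        if finding:
            findings.append(finding)
    return findings


# Constructed response body: two legitimate scripts, then two injected ones.
SAMPLE_HTML = r"""<!doctype html>
<html><head>
<script src="https://cdn.example.org/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<p>Welcome</p>
<script src="https://zuizhongjs.com/dt.js"></script>
<script>var u="\u0068\u0074\u0074\u0070\u0073"+"\u003a\u002f\u002f"+"\u0065\u0076"+"\u0069\u006c";window.location.href=u;</script>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"line {f.line}: {f.src or '<inline>'}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run it against pages fetched from the server itself, not from the origin code base: BadIIS rewrites the response at the IIS module layer, so the injected tag exists only in what the server emits, which is also why comparing served HTML against the deployed files is a useful second check.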