Unmasking the Threat: Hackers Target Apache AXIS Server to Deploy Malicious Web Shells 


In recent cybersecurity news, researchers at Binary Defense have uncovered a concerning trend: hackers are actively targeting the Apache AXIS server to deploy malicious web shells. This activity highlights significant vulnerabilities in systems that may not receive the attention they deserve, particularly unmanaged servers that operate without proper oversight from security teams. 

Understanding Apache AXIS Server 

Apache AXIS is a web service engine designed to facilitate the integration of web service interfaces into web applications. It can function as a standalone application server, supporting various protocols such as SOAP 1.1, SOAP 1.2, and RESTful services. However, its capabilities also present opportunities for cybercriminals when security measures are inadequate. 

Recent Attacks: A Case Study of Apache AXIS Server

In August 2024, a China-linked threat actor successfully breached three unmanaged AIX servers that were exposed to the internet. These servers were accessed through basic administrative passwords, a common vulnerability that many organizations overlook. After gaining entry, the attacker uploaded an AxisInvoker web shell, which provided them with SSH access and the ability to maintain persistent communication with the targeted network using a Fast Reverse Proxy (FRP). 

The Attack Lifecycle 

From March to August, the threat actors conducted extensive reconnaissance using LDAP, SMB shares, and local configuration files. This preparation phase allowed them to map the network and identify critical assets, enabling them to plan their attack with precision. 

Once they pivoted to Windows hosts, the attackers attempted to deploy Cobalt Strike beacons and JavaScript-based web shells. They executed NTLM relay attacks, which facilitated Active Directory reconnaissance and impersonation of legitimate accounts. Their lateral movement was curtailed, however, when they attempted to dump the memory of the LSASS process, a well-known credential-harvesting technique. That action raised alarms and triggered security controls that limited the scope of the attack.

The Risks of Shadow IT 

This incident underscores the dangers associated with shadow IT—where IT solutions are implemented without the security team’s oversight. Such practices can lead to significant vulnerabilities, as unauthorized systems may lack the necessary security controls and monitoring. 

The exploitation of unmanaged AIX servers by threat actors emphasizes the need for organizations to maintain a robust security posture across all devices, including legacy systems that might not be considered high-priority. 

The Role of Advanced Threat Detection 

To mitigate such complex attacks, organizations must prioritize advanced threat detection mechanisms. This includes monitoring not only modern systems but also older, seemingly insignificant devices that could serve as entry points for attackers. 

Binary Defense’s report highlights that the unmanaged AIX servers were particularly vulnerable due to their lack of oversight and protection. By using tools like the AxisInvoker web shell and the Fast Reverse Proxy, the attackers were able to gain initial access and attempt to move laterally within the network. 

Attack Techniques and Tools 

The attackers employed various Linux commands such as wget and curl, which are not compatible with AIX systems. This lack of compatibility blocked their attempts to establish a Command and Control (C2) channel through Cobalt Strike. Such technical details illustrate the sophisticated nature of the attackers, who adapted their methods based on the environment they were infiltrating. 

Importance of Comprehensive Security Monitoring 

This incident serves as a critical reminder for organizations about the necessity of comprehensive security monitoring. Every networked device, including those that might seem outdated or low-profile, requires visibility and protection. Regular audits, credential management, and integrated security measures are essential components in defending against similar threats in the future. 

Recommendations for Organizations 

To safeguard against attacks like those targeting Apache AXIS servers, organizations should implement the following strategies: 

  1. Conduct Regular Audits: Frequent security audits of all systems, including legacy and unmanaged servers, can help identify vulnerabilities and ensure proper configurations.
  2. Enforce Strong Password Policies: Weak passwords are a common entry point for attackers. Organizations should implement strict password policies, including regular updates and complexity requirements.
  3. Implement Network Segmentation: By dividing networks into segments, organizations can limit lateral movement and contain breaches more effectively.
  4. Utilize Advanced Threat Detection Tools: Employing sophisticated monitoring solutions can help detect anomalies and potential threats across the network.
  5. Educate Staff on Shadow IT Risks: Training employees about the dangers of shadow IT and encouraging them to consult with security teams before deploying new systems can significantly reduce vulnerabilities.
  6. Ensure Legacy Systems Are Monitored: Organizations must ensure that all systems, regardless of their age or perceived importance, are included in security monitoring protocols.

Conclusion 

The ongoing attacks against Apache AXIS servers demonstrate the evolving landscape of cybersecurity threats. By leveraging advanced techniques and exploiting common vulnerabilities, threat actors can gain unauthorized access to sensitive systems. 

Organizations must remain vigilant and proactive in their cybersecurity strategies to defend against these sophisticated threats. By implementing robust security measures and fostering a culture of awareness, businesses can strengthen their defenses and better protect their critical assets.

Frequently Asked Questions about Apache AXIS servers

What is Apache AXIS Server? 

Apache AXIS is a web service engine that enables the integration of web service interfaces into web applications, supporting protocols like SOAP and REST. 

How are hackers exploiting Apache AXIS servers? 

Hackers are exploiting vulnerabilities in unmanaged AIX servers running Apache AXIS by using weak passwords and deploying malicious web shells to gain unauthorized access. 

What is a web shell? 

A web shell is a malicious script that provides an attacker with a backdoor to control a compromised web server, allowing them to execute commands and manipulate the system. 

What can organizations do to prevent such attacks? 

Organizations should conduct regular security audits, enforce strong password policies, implement network segmentation, and ensure comprehensive monitoring of all systems. 

Why is shadow IT a risk? 

Shadow IT refers to the use of IT systems without proper security oversight, which can lead to vulnerabilities and expose organizations to cyber threats. 

References

Dutta, T. S. (2024, September 24). Hackers Attacking Apache AXIS Server To Deploy Malicious Web Shells. Cyber Security News. https://cybersecuritynews.com/hackers-attacking-apache-axis-server/

Hoplon Infosec