In recent cybersecurity news, researchers at Binary Defense have uncovered a concerning trend: hackers are actively targeting the Apache AXIS server to deploy malicious web shells. This activity highlights significant vulnerabilities in systems that may not receive the attention they deserve, particularly unmanaged servers that operate without proper oversight from security teams.
Apache AXIS is a web service engine designed to facilitate the integration of web service interfaces into web applications. It can function as a standalone application server, supporting various protocols such as SOAP 1.1, SOAP 1.2, and RESTful services. However, its capabilities also present opportunities for cybercriminals when security measures are inadequate.
In August 2024, a China-linked threat actor successfully breached three unmanaged AIX servers that were exposed to the internet. These servers were accessed through basic administrative passwords, a common vulnerability that many organizations overlook. After gaining entry, the attacker uploaded an AxisInvoker web shell, which provided them with SSH access and the ability to maintain persistent communication with the targeted network using a Fast Reverse Proxy (FRP).
From March to August, the threat actors conducted extensive reconnaissance using LDAP, SMB shares, and local configuration files. This preparation phase allowed them to map the network and identify critical assets, enabling them to plan their attack with precision.
Once they switched to a Windows operating system, the attackers attempted to deploy Cobalt Strike beacons and JavaScript-based web shells. They executed NTLM relay attacks, which facilitated Active Directory reconnaissance and impersonation of legitimate accounts. However, their lateral movement was curtailed when they attempted to dump the LSASS process memory—a well-known technique for credential harvesting. This action raised alarms and triggered security protocols that limited the attack’s scope.
This incident underscores the dangers associated with shadow IT—where IT solutions are implemented without the security team’s oversight. Such practices can lead to significant vulnerabilities, as unauthorized systems may lack the necessary security controls and monitoring.
The exploitation of unmanaged AIX servers by threat actors emphasizes the need for organizations to maintain a robust security posture across all devices, including legacy systems that might not be considered high-priority.
To mitigate such complex attacks, organizations must prioritize advanced threat detection mechanisms. This includes monitoring not only modern systems but also older, seemingly insignificant devices that could serve as entry points for attackers.
Binary Defense’s report highlights that the unmanaged AIX servers were particularly vulnerable due to their lack of oversight and protection. By using tools like the AxisInvoker web shell and the Fast Reverse Proxy, the attackers were able to gain initial access and attempt to move laterally within the network.
The attackers employed various Linux commands such as wget and curl, which are not compatible with AIX systems. This lack of compatibility blocked their attempts to establish a Command and Control (C2) channel through Cobalt Strike. Such technical details illustrate the sophisticated nature of the attackers, who adapted their methods based on the environment they were infiltrating.
This incident serves as a critical reminder for organizations about the necessity of comprehensive security monitoring. Every networked device, including those that might seem outdated or low-profile, requires visibility and protection. Regular audits, credential management, and integrated security measures are essential components in defending against similar threats in the future.
To safeguard against attacks like those targeting Apache AXIS servers, organizations should implement the following strategies:
The ongoing attacks against Apache AXIS servers demonstrate the evolving landscape of cybersecurity threats. By leveraging advanced techniques and exploiting common vulnerabilities, threat actors can gain unauthorized access to sensitive systems.
Organizations must remain vigilant and proactive in their cybersecurity strategies to defend against these sophisticated threats. By implementing robust security measures and fostering a culture of awareness, businesses can strengthen their defenses and better protect their critical assets.
Apache AXIS is a web service engine that enables the integration of web service interfaces into web applications, supporting protocols like SOAP and REST.
Hackers are exploiting vulnerabilities in unmanaged AIX servers running Apache AXIS by using weak passwords and deploying malicious web shells to gain unauthorized access.
A web shell is a malicious script that provides an attacker with a backdoor to control a compromised web server, allowing them to execute commands and manipulate the system.
Organizations should conduct regular security audits, enforce strong password policies, implement network segmentation, and ensure comprehensive monitoring of all systems.
Shadow IT refers to the use of IT systems without proper security oversight, which can lead to vulnerabilities and expose organizations to cyber threats.
Dutta, T. S. (2024, September 24). Hackers Attacking Apache AXIS Server To Deploy Malicious Web Shells. Retrieved from Cyber Security News: https://cybersecuritynews.com/hackers-attacking-apache-axis-server/
Share this :