DragonRank Hacking Group Compromises Global Windows Servers: A Threat to Cybersecurity
A cybercriminal organization known as DragonRank has recently been identified as having breached over 30 Windows servers around the world, including in Thailand, India, Korea, Belgium, the Netherlands, and China. This Chinese-speaking hacking group is primarily focused on exploiting vulnerabilities in Internet Information Services (IIS) to manipulate Search Engine Optimization (SEO) rankings and distribute malicious websites, thereby inflicting significant harm on unsuspecting users.
The attack begins with the group targeting web application services such as phpMyAdmin and WordPress, gaining initial access through identified vulnerabilities in these platforms. Upon compromising a server, they deploy web shells, such as ASPXspy, which grant them remote control. A recent technical report by Cisco Talos highlights how DragonRank uses these web shells to gather system information and distribute various malware, including PlugX and BadIIS. They are also noted for employing credential-harvesting tools like Mimikatz, which enables them to compromise additional servers within the targeted network.
PlugX, a Remote Access Tool (RAT) employed by numerous Chinese-speaking threat actors for over a decade, is particularly versatile, allowing extensive control over compromised systems. The configuration used in this campaign is tailored to ensure effective execution. BadIIS, on the other hand, is specifically designed to manipulate search engine crawlers, facilitating SEO fraud by redistributing web traffic to deceptive sites. This version of BadIIS aligns with previously documented variants of the malware, demonstrating its capabilities for nefarious activities.
What sets DragonRank apart from other cybercriminal entities is its business-like approach. The group operates a commercial website in both Chinese and English to promote their SEO fraud services, and they communicate with customers through platforms like Telegram and QQ. Their professionalism, which includes clear transaction guidelines, is an unusual trait among typical cybercrime groups, raising the stakes for businesses falling victim to their operations.
The implications of these attacks on businesses can be substantial. By redirecting traffic to harmful sites, increasing the visibility of fraudulent content, or destabilizing competitors through manipulation of search rankings, DragonRank’s operations pose a serious threat to online security. Affected companies face potential financial losses and reputational damage due to association with deceitful practices.
In terms of cybersecurity frameworks, several MITRE ATT&CK tactics could apply to this threat landscape, including initial access through exploitation of public-facing applications, persistence via web shell installation, and credential access through harvesting tools. These techniques highlight the sophisticated nature of the attacks, indicating the need for robust defense mechanisms.
To mitigate risks associated with such attacks, businesses should consider implementing advanced threat detection systems capable of identifying and responding to malware like PlugX. Regular updates to security protocols, particularly for web servers, are essential to protect against known vulnerabilities. Additionally, monitoring for unusual network behavior and educating staff on cyber threats can further enhance readiness to combat these sophisticated attacks.
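One concrete form of the monitoring recommended above, added here as an example (not code from the Hackread article or the Talos report): fetch the same page once as a browser and once as a search-engine crawler and diff the two copies, because the crawler-targeted manipulation attributed to BadIIS only shows up in what the crawler is served. The host names, sample HTML, User-Agent strings and size-ratio thresholds are assumptions.

```python
# Added example: diff what a site serves to a browser vs. a search-engine crawler (cloaking check).
from __future__ import annotations
import re, urllib.error, urllib.request
from dataclasses import dataclass
from urllib.parse import urlparse

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
LINK_RE = re.compile(r'href=["\'](https?://[^"\']+)', re.IGNORECASE)

@dataclass
class Response:
    status: int
    location: str | None  # Location header, kept so crawler-only redirects are visible
    body: str

def external_hosts(body: str, own_host: str) -> set[str]:
    hosts = set()  # linked hosts that are neither the site itself nor one of its subdomains
    for url in LINK_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host and host != own_host and not host.endswith("." + own_host):
            hosts.add(host)
    return hosts

def cloaking_findings(browser: Response, crawler: Response, own_host: str) -> list[str]:
    # Differences between the two copies that point at crawler-targeted cloaking.
    findings = []
    if crawler.status != browser.status:
        findings.append(f"status differs: browser={browser.status} crawler={crawler.status}")
    if crawler.location and crawler.location != browser.location:
        findings.append(f"crawler-only redirect to {crawler.location}")
    extra = external_hosts(crawler.body, own_host) - external_hosts(browser.body, own_host)
    if extra:
        findings.append("crawler-only outbound links to: " + ", ".join(sorted(extra)))
    if browser.status == crawler.status == 200:  # size gap hints at injected keyword/link spam
        ratio = len(crawler.body) / max(len(browser.body), 1)
        if ratio > 1.5 or ratio < 0.5:  # thresholds are an assumption; tune per site
            findings.append(f"body length ratio crawler/browser = {ratio:.2f}")
    return findings

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report redirects instead of following them

def fetch(url: str, user_agent: str, timeout: float = 10.0) -> Response:
    # Live fetch under one User-Agent: compare fetch(url, BROWSER_UA) with fetch(url, CRAWLER_UA).
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as r:
            return Response(r.status, r.headers.get("Location"), r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.headers.get("Location"), e.read().decode("utf-8", "replace"))

# Constructed sample: a clean page and a crawler copy with hidden spam injected before </body>.
SAMPLE_BROWSER = Response(200, None, "<html><body><h1>Store</h1><a href='https://example.org/about'>About</a></body></html>")
SAMPLE_CRAWLER = Response(200, None, SAMPLE_BROWSER.body.replace("</body>", "<div style='display:none'>" + " ".join(["casino bonus"] * 40) + " <a href='https://spam-site.example/'>win</a></div></body>"))
```

Running `cloaking_findings(SAMPLE_BROWSER, SAMPLE_CRAWLER, "example.org")` reports the crawler-only link to spam-site.example and the body size gap, while two identical copies produce no findings.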
In summary, the DragonRank hacking group’s activities underscore the urgent need for heightened vigilance among companies relying on digital infrastructures. As cybersecurity threats evolve in complexity and scope, awareness and preparedness must equally advance to safeguard organizational assets and integrity.
Source link: https://hackread.com/chinese-dragonrank-hackers-windows-servers-seo-fraud/