An exposed web server used in cyber-attacks against the Taiwanese Freeway Bureau and a local data center has been identified by the Hunt Research Team. The operator of the server used open-source tools such as Nmap, SQLMap, and the BlueShell backdoor. This discovery underscores the persistent threat to Taiwan’s government agencies and critical infrastructure. Hunt’s original report provides further detail on the discovery.
Initial Discovery: Exposed Server & Tools
Hunt researchers found a publicly accessible web server at IP address 103.98.73.189:8080 in Taiwan. The server, running Python’s built-in web server (banner SimpleHTTP/0.6 Python/3.8.2), was only temporarily exposed, most likely until the threat actor noticed and corrected the mistake. Using Hunt’s Open Directory Search feature, the team downloaded files from the server to study the threat actor’s methods.
The server hosted various files revealing the use of SQLMap to scan for vulnerabilities in a subdomain of the Taiwanese government’s freeway.gov.tw domain. Key files such as log, session.sqlite, and target.txt gave insight into the attack methods. Additionally, Nmap was used to scan for open ports across a /26 network associated with a Taiwanese data center.
Use of Advanced Bash Scripts and BlueShell Backdoor
The server’s ./configrc5 directory contained several bash files. A notable script named “a” detected the CPU type and applied Model-Specific Register (MSR) values for optimization. This indicates a highly knowledgeable threat actor targeting specific network elements. Moreover, two Golang binaries (bsServer-0530 and bsServerfinal) were found which, in sandbox analysis, matched the BlueShell backdoor, confirming a sophisticated attack strategy.
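The discovery and the file inventory above suggest a simple triage check a defender can run against their own or a suspect host: recognize a Python http.server directory index and flag the filenames this summary associates with attacker tooling. This is an added example, not code from Hunt’s report; the listing, headers and the artifact table are constructed from the filenames named above.

```python
import re
from html import unescape

# Constructed sample of a Python http.server ("SimpleHTTP/0.6") directory index,
# built from the filenames in the summary; not captured from the real server.
SAMPLE_HEADERS = {"Server": "SimpleHTTP/0.6 Python/3.8.2"}
SAMPLE_BODY = """<html>
<head><title>Directory listing for /</title></head>
<body><h1>Directory listing for /</h1><hr><ul>
<li><a href="configrc5/">configrc5/</a></li>
<li><a href="bsServer-0530">bsServer-0530</a></li>
<li><a href="log">log</a></li>
<li><a href="session.sqlite">session.sqlite</a></li>
<li><a href="target.txt">target.txt</a></li>
</ul><hr></body></html>"""

# Assumed mapping: filenames the summary ties to tooling on the exposed host.
TOOLING_ARTIFACTS = {
    "session.sqlite": "SQLMap session database",
    "target.txt": "SQLMap target list",
    "log": "SQLMap log",
    "configrc5/": "directory holding the MSR bash script and BlueShell binaries",
}
BLUESHELL_PREFIX = "bsServer"  # naming seen on both BlueShell binaries

LISTING_TITLE = re.compile(r"<title>Directory listing for (.*?)</title>", re.I)
ENTRY = re.compile(r'<li><a href="([^"]+)">', re.I)

def is_python_open_directory(headers, body):
    """True when the Server banner and page title match Python's http.server index."""
    server = headers.get("Server", "")
    return server.startswith("SimpleHTTP/") and LISTING_TITLE.search(body) is not None

def list_entries(body):
    """Extract the href of every listed entry from the index page."""
    return [unescape(m.group(1)) for m in ENTRY.finditer(body)]

def flag_artifacts(entries):
    """Map each entry that matches a known artifact to the reason it was flagged."""
    hits = {}
    for name in entries:
        if name in TOOLING_ARTIFACTS:
            hits[name] = TOOLING_ARTIFACTS[name]
        elif name.startswith(BLUESHELL_PREFIX):
            hits[name] = "BlueShell-style server binary name"
    return hits

if __name__ == "__main__":
    if is_python_open_directory(SAMPLE_HEADERS, SAMPLE_BODY):
        for name, why in flag_artifacts(list_entries(SAMPLE_BODY)).items():
            print(f"{name}: {why}")
```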
Additional misconfigured servers targeting Taiwanese organizations were uncovered using Hunt’s Open Directories search function. One notable IP address, 156.251.172.194, was previously highlighted by EclecticIQ in a report on a Chinese threat actor using Cobalt Strike Cat against Taiwanese infrastructure. Other open directories exposed different offensive tools and targets; for example, the host at 35.229.211.35 was using the SecurityTrails API, Acunetix, and ChatGPT.
Another IP, 202.182.105.104, showed scan results against the Cambodian Ministry of Foreign Affairs and a Taiwanese Hakka dialect school. This investigation reveals the extensive reach and methods of threat actors targeting government and institutional entities in Taiwan and beyond. Monitoring and analyzing open directories are essential for identifying and mitigating potential threats.
A prior investigation into open directories revealed similar offensive tactics. Compared with that work, the current findings show the same consistent use of publicly available tools by threat actors, emphasizing the need for improved cybersecurity measures. The tools and methods outlined by Hunt underline the resourcefulness and persistence of these cyber threats.
Comparing the recent and previous discoveries, it is evident that the threat actors employ a low-cost but high-reward strategy, targeting the network’s weaker points. The use of SQLMap and Nmap for scanning and identifying vulnerabilities remains a common thread in these attacks. The incorporation of bash scripts tailored for specific CPU types highlights the sophisticated and targeted nature of these cyber threats.
To mitigate these risks, continuous monitoring and analysis of open directories are crucial. Hunt’s tools offer insights and solutions to identify and counteract these threats. By leveraging advanced search functions and threat intelligence, organizations can better protect their infrastructure and data against persistent cyber attackers.
The comprehensive approach outlined by Hunt provides a roadmap for cybersecurity teams to follow. Continuous vigilance and proactive measures are essential in safeguarding against these evolving threats. The detailed analysis of tools like SQLMap, Nmap, and BlueShell backdoor emphasizes the need for specialized security protocols and regular updates to counteract sophisticated cyber-attacks.
The ongoing research and findings by Hunt highlight the importance of cybersecurity vigilance. The evolving nature of cyber threats necessitates a robust and adaptive security framework to protect critical infrastructure and sensitive data. Understanding and mitigating these threats can help organizations maintain their security posture effectively.
- The Hunt team identified an exposed web server used against Taiwan’s government infrastructure.
- Tools like Nmap, SQLMap, and BlueShell were utilized by the threat actor.
- Continuous monitoring and analysis of open directories are essential.