Security News > 2021 > September > Hacked sites push TeamViewer using fake expired certificate alert

Hacked sites push TeamViewer using fake expired certificate alert
2021-09-20 20:15

Threat actors are compromising Windows IIS servers to add expired certificate notification pages that prompt visitors to download a malicious fake installer.

Internet Information Services is Microsoft Windows web server software included with all Windows versions since Windows 2000, XP, and Server 2003.

The TeamViewer server will reach out to a command-and-control server to let the attackers know they can remotely take complete control of the newly compromised computer.

Exploit code targeting a critical wormable vulnerability found in the HTTP Protocol Stack used by the Windows IIS web server has been publicly available since May. Microsoft patched the security flaw during the May Patch Tuesday and said it only impacts Windows 10 versions 2004/20H2 and Windows Server versions 2004/20H2.

"The operators behind the activity targeted Windows internet-facing servers, using mostly deserialization attacks, to load a completely volatile, custom malware platform tailored for the Windows IIS environment," the researchers said.

Praying Mantis actors then used the access the hacked IIS servers provided to conduct additional malicious tasks, including credential harvesting, reconnaissance, and lateral movement on their targets' networks.


News URL

https://www.bleepingcomputer.com/news/security/hacked-sites-push-teamviewer-using-fake-expired-certificate-alert/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Teamviewer 3 1 5 8 1 15