Open Directories Expose Publicly Available Tools Used by Hackers
A series of misconfigured web servers has been uncovered, revealing a trove of publicly accessible tools and tactics employed by malicious actors targeting critical infrastructure.
These exposed open directories, discovered through Hunt's scanning of internet-facing hosts, highlight both the low-cost, high-reward methods these threat actors rely on and the operational-security lapse on their side that left the tooling in plain view.
Unveiling Hidden Threats on the Web
Among the most notable discoveries is a server targeting the Taiwanese Freeway Bureau and a local data center; its contents show that widely available tools such as Nmap and SQLMap, alongside the BlueShell backdoor, are being used in these intrusions.
The primary server, at 103.98.73.189:8080 in Taiwan, was running Python's built-in SimpleHTTP server, identifiable from the Server header in its HTTP responses.
First captured on Hunt's platform on May 31, 2024, this misconfigured host briefly exposed its files before the operator likely corrected the oversight.
Analysis of the downloaded files showed SQLMap being used to probe a subdomain of freeway.gov.tw, a legitimate Taiwanese government website, for SQL injection.
Nmap scans in the same directory targeted open ports across a /26 network (64 addresses) belonging to a Taiwanese data center.

Sophisticated Tools
Within the server's directories, scripts tailored to specific CPU architectures (AMD Zen and Intel) were found, suggesting a methodical operator who profiles target hardware before deployment.
Golang binaries named bsServer-0530 and bsServerfinal were linked to the BlueShell backdoor, an attribution confirmed by matching certificates in the server's /key folder.
Such findings underscore the intent and operational tempo behind these operations, which extend beyond Taiwan to other regions and institutions.

According to the report, Hunt's Open Directory Search feature exposed a pattern of similar misconfigurations on servers targeting Taiwanese entities, with 55 files referencing "gov.tw" domains.
Additional servers showed the same pattern. One, at 156.251.172.194, had previously been tied to a Chinese threat actor using Cobalt Strike Cat (as reported by EclecticIQ); others, hosted in Japan and elsewhere, held scan results against the Cambodian Ministry of Foreign Affairs, National Taiwan University Hospital, and government offices in Paraguay and Thailand.
Tools such as Afrog for vulnerability scanning, Brute Ratel C4 for command-and-control, and OneForAll for subdomain enumeration recurred across these directories, demonstrating a reliance on open-source and commercially available offensive software rather than custom tooling.
Scripts written in Chinese, including a ChatGPT-powered web analysis tool, further hint at the geographic and linguistic origins of some of the operators.
These discoveries emphasize the global scope of such activity: a single misconfigured server can expose reconnaissance data and attack plans spanning multiple continents, putting sensitive infrastructure at risk.
Continuous monitoring of open directories therefore emerges as a practical defensive measure, allowing attacker staging infrastructure to be identified and its targets warned before the activity matures into a full-scale breach.
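As an added illustration of the fingerprinting and monitoring described above (not code from Hunt or from the report), the script below triages a raw HTTP response the way an open-directory monitor would: it recognises Python's built-in http.server from its `Server: SimpleHTTP/... Python/...` header, detects the "Directory listing for" index page that server renders, extracts the listed paths, and flags names suggestive of Nmap or SQLMap output, BlueShell-style binaries, or key material. The HTTP response embedded in it is constructed for this example and is not a capture of 103.98.73.189 or any other host in the report; the file-name patterns are illustrative guesses, not signatures from the report.

```python
"""Triage a captured HTTP response for the open-directory pattern in the report.

Python's http.server advertises itself as "SimpleHTTP/<ver> Python/<ver>" and
renders a directory index whose <title> starts with "Directory listing for".
"""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Constructed sample modelled on what http.server returns for "/". Not a real capture.
SAMPLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Server: SimpleHTTP/0.6 Python/3.8.10\r\n"
    "Date: Fri, 31 May 2024 09:12:44 GMT\r\n"
    "Content-type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\">\n"
    "<html>\n<head>\n<title>Directory listing for /</title>\n</head>\n<body>\n"
    "<h1>Directory listing for /</h1>\n<hr>\n<ul>\n"
    '<li><a href="key/">key/</a></li>\n'
    '<li><a href="bsServer-0530">bsServer-0530</a></li>\n'
    '<li><a href="bsServerfinal">bsServerfinal</a></li>\n'
    '<li><a href="scan_103.98.73.0_26.gnmap">scan_103.98.73.0_26.gnmap</a></li>\n'
    '<li><a href="sqlmap_out/">sqlmap_out/</a></li>\n'
    '<li><a href="readme.txt">readme.txt</a></li>\n'
    "</ul>\n<hr>\n</body>\n</html>\n"
)

# (category, pattern). Hypothetical naming habits, not signatures from the report.
FILE_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("nmap-output", re.compile(r"\.(gnmap|xml|nmap)$|(^|/)nmap", re.I)),
    ("sqlmap-output", re.compile(r"sqlmap", re.I)),
    ("blueshell-binary", re.compile(r"^bsServer", re.I)),
    ("key-material", re.compile(r"(^|/)keys?/$|\.(pem|crt|key)$", re.I)),
]


class _IndexParser(HTMLParser):
    """Collects the <title> text and every href on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.title = ""
        self.hrefs: List[str] = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


@dataclass
class Triage:
    server: str
    is_python_http_server: bool
    is_directory_listing: bool
    entries: List[str] = field(default_factory=list)
    flagged: Dict[str, List[str]] = field(default_factory=dict)


def split_response(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP/1.x response into lower-cased headers and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def triage_response(raw: str) -> Triage:
    """Fingerprint the server, detect a listing, and flag interesting entries."""
    headers, body = split_response(raw)
    server = headers.get("server", "")
    parser = _IndexParser()
    parser.feed(body)
    listing = parser.title.startswith("Directory listing for")
    result = Triage(
        server=server,
        is_python_http_server=server.startswith("SimpleHTTP/") and "Python/" in server,
        is_directory_listing=listing,
        entries=parser.hrefs if listing else [],
    )
    for entry in result.entries:
        for category, pattern in FILE_RULES:
            if pattern.search(entry):
                result.flagged.setdefault(category, []).append(entry)
    return result


if __name__ == "__main__":
    t = triage_response(SAMPLE_RESPONSE)
    print(f"server={t.server!r} python_http_server={t.is_python_http_server} listing={t.is_directory_listing}")
    for cat, names in t.flagged.items():
        print(f"  {cat}: {', '.join(names)}")
```

In practice the raw response would come from a scanner or from a saved capture; feeding `triage_response` one response per host and alerting on `is_directory_listing` together with any non-empty `flagged` bucket is enough to surface staging servers like the one above without downloading their contents.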
Indicators of Compromise (IOC)
| IP Address | Notes |
|---|---|
| 103.98.73.189:8080 | Initial open directory |
| 202.182.105.104:80 | Similar exposed server |
| 35.229.211.35:8080 | Similar exposed server |
| 45.8.146.29:80 | Similar exposed server |
| 156.251.172.194 | Linked to EclecticIQ report on Cobalt Strike Cat |