Last updated: July 5, 2026 at 9:01 AM UTC
Tag: iis (3 articles)

Nightclub operator RCI breach exposes 40,000 records via website IDOR flaw

RCI Hospitality, one of the largest US adult-nightclub operators, has confirmed that a breach exposed the personal data of 40,178 people, mostly independent contractors. Attackers got in through an insecure direct object reference (IDOR) flaw on one of the company's IIS web servers, a common web bug in which the server fetches whatever record the client-supplied identifier names without checking that the requester is authorized to see it, so changing an ID number in the request returns someone else's record. The intrusion began March 19 and was spotted four days later. Stolen data includes names, dates of birth, Social Security numbers, and driver's license numbers. RCI says no customer or financial systems were touched, and the data has not yet appeared publicly.

Check
If you received an RCI breach notice or worked with RCI, watch for identity fraud. Developers should test their own web apps for IDOR by altering record IDs in authenticated requests: if a session that owns one record can fetch a neighbouring ID that belongs to another user, the endpoint is missing an authorization check.
Affected
Roughly 40,178 people, mostly independent contractors of RCI Hospitality, whose names, birth dates, Social Security numbers, and driver's license numbers sat in the breached IIS web server.
Fix
Affected individuals should enroll in any offered credit monitoring and freeze their credit. Similar orgs should add server-side authorization checks on every object reference (ownership or role, checked against the record itself rather than the ID), return the same response for a missing record and for one the caller may not read so the endpoint cannot be used to enumerate IDs, and pen-test for IDOR.
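The check and fix above, as an added example that is not part of the original article or RCI's code: a record lookup with and without the server-side authorization check, and the ID-walking probe the Check section recommends. Everything in it (the Contractor table, the user names, the hr_admin role) is constructed for illustration.

```python
"""IDOR: vulnerable vs. hardened record lookup, plus the ID-walking probe described above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Contractor:
    record_id: int
    owner: str        # login that owns this record
    name: str
    ssn_last4: str    # constructed sample data, not real identifiers


# Constructed in-memory table standing in for the application's database.
RECORDS = {
    1000: Contractor(1000, "alice", "A. Example", "1111"),
    1001: Contractor(1001, "bob", "B. Example", "2222"),
    1002: Contractor(1002, "carol", "C. Example", "3333"),
    1003: Contractor(1003, "dave", "D. Example", "4444"),
}


class NotFound(Exception):
    """Raised for a missing record and for a record the caller may not read."""


def get_contractor_vulnerable(session_user: str, record_id: int) -> Contractor:
    """Looks the record up by the client-supplied id only.

    Authentication happened upstream, but nothing ties the record to the caller,
    so any logged-in user can read any id: the IDOR pattern."""
    rec = RECORDS.get(record_id)
    if rec is None:
        raise NotFound(record_id)
    return rec


def get_contractor_hardened(session_user: str, record_id: int,
                            roles: frozenset = frozenset()) -> Contractor:
    """Same lookup with a server-side authorization check on the object itself.

    Ownership (or an explicit privileged role, assumed here to be 'hr_admin') is
    required, and a foreign record is reported exactly like a missing one so the
    endpoint is not an oracle for which ids exist."""
    rec = RECORDS.get(record_id)
    if rec is None or (rec.owner != session_user and "hr_admin" not in roles):
        raise NotFound(record_id)
    return rec


def probe_idor(handler, session_user: str, own_id: int, span: int) -> list:
    """The test the page recommends: from one authenticated session, walk the ids
    on either side of your own record and list those that return someone else's data."""
    leaked = []
    for rid in range(own_id - span, own_id + span + 1):
        try:
            rec = handler(session_user, rid)
        except NotFound:
            continue
        if rec.owner != session_user:
            leaked.append(rid)
    return leaked


if __name__ == "__main__":
    print("vulnerable:", probe_idor(get_contractor_vulnerable, "carol", 1002, 3))
    print("hardened:  ", probe_idor(get_contractor_hardened, "carol", 1002, 3))
```

Sequential integer IDs make the walk trivial, but switching to random IDs is not a fix on its own: the authorization check on the object is what closes the hole, and the identical NotFound response keeps the endpoint from confirming which IDs exist.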

China-linked OP-512 hits Microsoft IIS servers with stealthy custom web shells

ReliaQuest has documented OP-512, a China-linked espionage cluster targeting Microsoft IIS web servers with a bespoke web-shell framework - the fourth such group after CL-STA-0048, DragonRank, and GhostRedirector to single out IIS in the past year. The framework uses three web shells that grant remote access while evading signature detection and complicating forensics: each deployment is uniquely generated, access is cryptographically restricted to the attacker, and compromised servers auto-report to centralized management. To hide, the web shells timestomp - scanning surrounding files, computing the median last-modified time, and overwriting their own timestamps to match. ReliaQuest notes close tactical proximity to CL-STA-0048, suggesting a revamped toolset or shared development.

Check
Hunt IIS servers for unfamiliar web shells, cryptographically-gated access, and timestomped files whose timestamps match the median of surrounding files. Because files deployed in one batch legitimately share timestamps, corroborate a median match with the file's creation time and, where the disk can be imaged, with the $FILE_NAME timestamps in the MFT, which SetFileTime-based stomping does not rewrite. Apply ReliaQuest IoCs. Review IIS request logs for anomalous POSTs.
Affected
Internet-facing Microsoft IIS web servers, particularly at organizations aligned with China-linked intelligence priorities. OP-512's uniquely-generated, crypto-gated web shells evade signature detection and timestomp to hide.
Fix
Patch and harden IIS, restrict write access to web roots, and deploy file-integrity monitoring keyed on content hashes rather than modification times, since timestomping exists precisely to defeat the latter. Hunt for the three-shell framework and centralized callback traffic per ReliaQuest.
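An added example (not ReliaQuest's tooling or the page's own code) of the timestomp hunt described above: it flags files whose modification time sits at the median of their neighbours' and files that claim to have been modified before they were created. The directory listing is constructed, the file names are placeholders, and the assumption that the shell's "median" could be any of the interpolated, low or high medians is mine.

```python
"""Timestomp triage for a web root: files whose mtime sits exactly at the median of
their neighbours, and files that claim to have been modified before they were created."""
import os
import statistics
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class FileStamp:
    path: str
    mtime: float    # last-modified, epoch seconds
    created: float  # creation time; see scan_directory for the platform caveat


def scan_directory(directory: str) -> list:
    """Collect stamps for the regular files in one directory (no recursion)."""
    stamps = []
    with os.scandir(directory) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False):
                st = entry.stat(follow_symlinks=False)
                # Windows and macOS expose creation time as st_birthtime (Windows on
                # 3.12+; older Windows builds report it in st_ctime). On Linux st_ctime
                # is the inode change time, so modified_before_created is weak there.
                created = getattr(st, "st_birthtime", st.st_ctime)
                stamps.append(FileStamp(entry.path, st.st_mtime, created))
    return stamps


def median_variants(values: list) -> set:
    """Assumption: we do not know which 'median' the shell computes, so match the
    interpolated, low and high medians."""
    return {statistics.median(values), statistics.median_low(values),
            statistics.median_high(values)}


def median_matches(stamps: list, tolerance: float = 1.0) -> list:
    """Paths whose mtime equals a median of the *other* files' mtimes in the listing."""
    hits = []
    if len(stamps) < 3:
        return hits
    for s in stamps:
        others = [o.mtime for o in stamps if o is not s]
        if any(abs(s.mtime - m) <= tolerance for m in median_variants(others)):
            hits.append(s.path)
    return hits


def modified_before_created(stamps: list, slack: float = 2.0) -> list:
    """Paths whose last-modified time precedes creation by more than `slack` seconds:
    a file cannot be edited before it exists unless a timestamp was rewritten."""
    return [s.path for s in stamps if s.created - s.mtime > slack]


def triage(stamps: list) -> dict:
    return {"median_match": median_matches(stamps),
            "modified_before_created": modified_before_created(stamps)}


def _t(y, mo, d, h=0):
    return datetime(y, mo, d, h, tzinfo=timezone.utc).timestamp()


# Constructed web-root listing: four legitimate files and a planted 'cfg.aspx' whose
# mtime was set to the median of the other four, with a recent creation time.
SAMPLE = [
    FileStamp(r"C:\inetpub\wwwroot\logo.png",     _t(2023, 11, 20), _t(2023, 11, 20)),
    FileStamp(r"C:\inetpub\wwwroot\web.config",   _t(2024, 1, 15),  _t(2024, 1, 15)),
    FileStamp(r"C:\inetpub\wwwroot\Default.aspx", _t(2024, 3, 2),   _t(2024, 3, 2)),
    FileStamp(r"C:\inetpub\wwwroot\Site.master",  _t(2024, 3, 10),  _t(2024, 3, 10)),
    FileStamp(r"C:\inetpub\wwwroot\cfg.aspx",
              statistics.median([_t(2023, 11, 20), _t(2024, 1, 15),
                                 _t(2024, 3, 2), _t(2024, 3, 10)]),
              _t(2026, 3, 20, 2)),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run `triage(scan_directory(r"C:\inetpub\wwwroot"))` on a live host to get the same two lists. A median match on its own is a triage signal, not proof: in a directory where an even count of neighbours makes the median fall between two real timestamps it is distinctive, but when the median coincides with a neighbour's timestamp the legitimate file is flagged too, which is why the creation-time check and a content-hash baseline travel with it.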

China-linked spy group has been quietly breaking into government Exchange servers across Asia and one NATO country since 2024

Trend Micro disclosed a China-aligned espionage cluster called SHADOW-EARTH-053 that has been targeting government and defense organizations across South, East, and Southeast Asia plus one NATO European country since at least December 2024. The group breaks in by exploiting unpatched Microsoft Exchange and IIS servers (using known flaws like ProxyLogon), drops a Godzilla web shell for persistent access, then uses DLL sideloading to load ShadowPad - a long-running Chinese implant. The targeting overlaps with Earth Alux and REF7707, suggesting either a shared operator or shared infrastructure across China-aligned groups. Targets include journalists and activists alongside government agencies.

Check
If you run Microsoft Exchange or IIS, confirm every server is patched against ProxyLogon and recent Exchange CVEs - the entry point is years-old, publicly documented flaws (ProxyLogon dates from March 2021), not zero-days.
Affected
Government and defense organizations in South, East, and Southeast Asia and one NATO European country are the named targets. Any organization running internet-facing Microsoft Exchange or IIS that has fallen behind on patching is at risk. Diaspora communities and journalists working on China-related stories are at acute risk - the campaign extends transnational repression alongside conventional espionage.
Fix
Patch Microsoft Exchange and IIS to current versions and confirm with active scanning. Hunt for Godzilla web shell artifacts: unusual .aspx files in Exchange's web directories, suspicious POSTs with encrypted payloads, outbound HTTPS to unfamiliar domains from Exchange/IIS processes, and the IIS worker process (w3wp.exe) spawning cmd.exe or powershell.exe. For journalists and activists working on China topics, follow Citizen Lab guidance: hardware MFA, encrypted communications, skepticism of unsolicited story tips.
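The log review suggested in the OP-512 Check section above and the POST hunting in this article's Fix, as an added example that is not from ReliaQuest, Trend Micro or the page: a parser for IIS W3C logs that follows the #Fields directive, and a hunt for POSTs to script files outside a known-endpoint allowlist. The log excerpt, the endpoint list and the paths are constructed for illustration.

```python
"""Hunt IIS W3C logs for POSTs to script files that are not known application endpoints."""
from urllib.parse import unquote

SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asax", ".svc", ".soap")

# Assumption: the application's legitimate POST targets, lower-cased. Build this
# from the app's own route table or from a long baseline of normal traffic.
KNOWN_POST_ENDPOINTS = frozenset({"/account/login.aspx"})


def parse_iis_w3c(text: str):
    """Yield one dict per request, naming columns from the #Fields directive so the
    parser follows whatever field set the site has logging enabled for."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line seen before a #Fields directive")
        values = line.split(" ")   # IIS writes '-' for empty values and '+' for spaces
        if len(values) != len(fields):
            continue               # truncated or garbled line; skip rather than misalign columns
        yield dict(zip(fields, values))


def hunt_webshell_posts(text: str, known: frozenset = KNOWN_POST_ENDPOINTS) -> dict:
    """Group POSTs to script files outside the known endpoint set by URI, with the
    indicators an analyst triages on: request count, distinct clients, status codes,
    and how many requests arrived without a Referer (browsers send one, tools rarely do)."""
    findings = {}
    for rec in parse_iis_w3c(text):
        if rec.get("cs-method", "").upper() != "POST":
            continue
        stem = unquote(rec.get("cs-uri-stem", "")).lower()
        if not stem.endswith(SCRIPT_EXTENSIONS) or stem in known:
            continue
        f = findings.setdefault(stem, {"count": 0, "clients": set(),
                                       "statuses": set(), "no_referer": 0})
        f["count"] += 1
        f["clients"].add(rec.get("c-ip", "-"))
        f["statuses"].add(rec.get("sc-status", "-"))
        if rec.get("cs(Referer)", "-") == "-":
            f["no_referer"] += 1
    for f in findings.values():
        f["clients"] = sorted(f["clients"])
        f["statuses"] = sorted(f["statuses"])
    return findings


# Constructed log excerpt in the default IIS 10 W3C layout (not a real capture);
# the shell paths and client addresses are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2026-03-20 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-03-20 01:12:03 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 31
2026-03-20 01:12:09 10.0.0.5 POST /Account/Login.aspx ReturnUrl=%2f 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://portal.example/Default.aspx 302 0 0 58
2026-03-20 02:40:11 10.0.0.5 POST /aspnet_client/cfg.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 140
2026-03-20 02:40:15 10.0.0.5 POST /aspnet_client/cfg.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 96
2026-03-20 02:41:02 10.0.0.5 POST /aspnet_client/cfg.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 2210
2026-03-20 03:05:44 10.0.0.5 GET /images/logo.png - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) https://portal.example/Default.aspx 200 0 0 4
2026-03-20 03:07:10 10.0.0.5 POST /owa/auth/sync.aspx - 443 - 198.51.100.40 python-requests/2.31 - 200 0 0 77
"""

if __name__ == "__main__":
    for uri, info in hunt_webshell_posts(SAMPLE_LOG).items():
        print(uri, info)
```

IIS logs carry no request body, so "encrypted payloads" cannot be judged from them; the log heuristic is a deviation from the allowlist, and the body-level check has to come from a WAF, reverse proxy or Failed Request Tracing capture. Timestamps in IIS logs are UTC by default, which matters when correlating a hit with the file timestamps on the host.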