Microsoft says many threat actors are now abusing IIS (Internet Information Services) extensions to backdoor servers to create a “durable persistence mechanism.”
This comes as the Microsoft 365 Defender Research Team warns that “IIS backdoors are harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules.”
The attack chains start with weaponizing a significant vulnerability in the hosted application for early access, utilizing the foothold to drop a script web shell as the first stage payload.
Then, the web shell becomes the conduit used to install a rogue IIS module to offer persistent and covert access to the server, including tracking outgoing and incoming requests and operating remote commands.
In early July, Kaspersky researchers revealed that a campaign by the Gelsemium group was found using the advantage of the ProxyLogon Exchange Server flaws to establish an IIS malware termed SessionManager.
Microsoft 365 Defender Research Team also observed another set of attacks from January to May 2022. In that, attackers targeted Exchange servers with web shells by trying to exploit the ProxyShell flaws.
This caused the deployment of a backdoor known as “FinanceSvcModel.dll,” however, it was not before the reconnaissance period.
For Hardik Suri, the security researcher, “The backdoor had the built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration.”
Meanwhile, to reduce or eliminate such attacks, it’s advisable to use the latest and premium security updates for server components, enable antivirus and other protections, review sensitive groups and roles, limit access by employing the act of least-privilege, and maintain nice credential hygiene.
IIS is a web-server software designed to run on Windows systems by Microsoft. Organizations and companies use IIS to host ASP.NET static websites and web applications.
IIS, which means Internet Information Services, can also be used to host WCF services, serve as an FTP server, and be extended to hosting web applications designed on other platforms like PHP.
It majorly receives requests from remote client computers and gives back the right response.
Image by Pete Linforth from Pixabay