SecurityWeek
Microsoft: Attackers Increasingly Using IIS Extensions as Server Backdoors

Microsoft has warned of an increase in malicious Internet Information Services (IIS) extensions used as backdoors on Exchange servers.

While not as commonly used in attacks against servers as web shells, IIS extensions provide a durable persistence mechanism, as they hide deep in target environments, Microsoft notes.

IIS extensions also have a relatively low detection rate compared to web shells, because they closely resemble and behave like legitimate modules: they are deployed in the same directories and share the same code structure.

“In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection,” Microsoft explains.

Attackers typically exploit a critical vulnerability in the hosted application for initial access, and then deploy a web shell. Later, they install an IIS backdoor for persistent access to the server.

Once registered with the target application, the backdoor monitors incoming and outgoing requests, and also supports running remote commands and dumping credentials in the background.

“We expect attackers to continue to increasingly leverage IIS backdoors,” Microsoft notes.

Between January and May 2022, threat actors targeting Exchange servers were seen using an IIS backdoor in coordination with other custom IIS modules, the tech giant says.

Following initial access, the attackers would perform operations such as reconnaissance, credential dumping, and establishing a remote access channel.

Next, they were seen installing a custom IIS backdoor that could perform Exchange management operations, including enumerating mailboxes and exporting them for exfiltration.

The attackers used the command line connection tool plink.exe for remote access and the open source project PowerShDLL for remote command execution, and enabled the WDigest registry setting so that plaintext passwords are retained in memory.

Over the past year, Microsoft has observed at least four types of IIS backdoors, including IIS module-based versions of web shells, open source projects, IIS handlers, and credential stealers – modules that monitor for sign-in patterns in network traffic and dump credentials in encrypted form.

To stay protected from IIS backdoors, organizations are advised to deploy software updates in a timely manner, to use security solutions, review highly privileged groups, apply the principle of least privilege, prioritize alerts, and regularly inspect the config file and bin folder.
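As an added example, not code from the article or from Microsoft, the following read-only PowerShell triage script covers three of the checks above: it lists the native modules registered in applicationHost.config with their signature status, lists the DLLs in each site's bin folder, and reports the WDigest UseLogonCredential value. It assumes the default inetsrv path and the WebAdministration module, and is meant to be run in an elevated session on the IIS host.

```powershell
# Added triage example (not the article's or Microsoft's code). Read-only: it
# only reads configuration, files and the registry. Assumes the default
# inetsrv path and the WebAdministration module; run elevated on the IIS host.
Import-Module WebAdministration -ErrorAction Stop

$AppHostConfig = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'

# Native (unmanaged) modules are registered in <globalModules>; each entry's
# image should be a signed DLL that normally lives under inetsrv.
function Get-IisGlobalModule {
    param([string]$Path = $AppHostConfig)
    [xml]$x = Get-Content -LiteralPath $Path -Raw
    foreach ($m in $x.configuration.'system.webServer'.globalModules.add) {
        $image = [Environment]::ExpandEnvironmentVariables($m.image)
        $sig = if (Test-Path -LiteralPath $image) {
            (Get-AuthenticodeSignature -FilePath $image).Status } else { 'Missing' }
        [pscustomobject]@{
            Name = $m.name; Image = $image; Signature = $sig
            UnderInetsrv = $image -like "$env:windir\System32\inetsrv\*"
        }
    }
}

# Managed modules ship as DLLs in a site's bin folder; a recently written,
# unsigned DLL there deserves a second look.
function Get-SiteBinDll {
    foreach ($site in Get-Website) {
        $root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
        $bin = Join-Path $root 'bin'
        if (-not (Test-Path -LiteralPath $bin)) { continue }
        Get-ChildItem -LiteralPath $bin -Filter *.dll | ForEach-Object {
            [pscustomobject]@{
                Site = $site.name; Dll = $_.FullName; LastWrite = $_.LastWriteTime
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
    }
}

# WDigest: UseLogonCredential = 1 keeps plaintext credentials in LSASS memory.
function Get-WDigestSetting {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $v = (Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    [pscustomobject]@{ UseLogonCredential = $v; PlaintextRetained = ($v -eq 1) }
}

Get-IisGlobalModule | Where-Object { $_.Signature -ne 'Valid' -or -not $_.UnderInetsrv } | Format-Table -AutoSize
Get-SiteBinDll | Sort-Object LastWrite -Descending | Format-Table -AutoSize
Get-WDigestSetting
```

The first table shows only modules that are unsigned, missing, or loaded from outside inetsrv; an empty table is the expected result on a clean host.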

Written by Ionut Arghire, an international correspondent for SecurityWeek.