Microsoft says that many attackers are now abusing IIS (Internet Information Services) backdoor server extensions to create a “strong persistence mechanism.”
The Microsoft 365 Defender research team warns that "IIS backdoors are harder to detect because they are mostly located in the same directories as legitimate modules used by targeted applications and have the same code structure as clean modules."
The attack chains start by exploiting a critical vulnerability in a hosted application for initial access, with a script web shell dropped as the first-stage payload.
The web shell then becomes the conduit used to install the rogue IIS module to provide persistent and covert access to the server, including monitoring outgoing and incoming requests and executing remote commands.
In early July, Kaspersky Lab researchers reported that the Gelsemium group's campaign used the ProxyLogon flaws in Exchange Server to install IIS malware called SessionManager.
The Microsoft 365 Defender research team also observed another set of attacks from January to May 2022. In this case, the attackers targeted Exchange servers with web shells in an attempt to exploit weaknesses in ProxyShell.
This led to the deployment of a backdoor known as "FinanceSvcModel.dll", which was dropped only after the exploitation phase.
For Hardik Suri, a security researcher, “the backdoor had the built-in ability to perform Exchange management operations such as listing installed mailbox accounts and exporting mailboxes for exfiltration.”
Meanwhile, to mitigate or eliminate such attacks, it is recommended to apply the latest security updates for server components, enable antivirus and other protection, review sensitive groups and roles, restrict access following the principle of least privilege, and maintain good credential hygiene.
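The article notes that rogue IIS modules hide among legitimate ones in the same directories, and that the defensive advice is to keep servers patched and reviewed. One concrete review a defender can run is to audit which native modules IIS actually loads. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes IIS is installed with the default applicationHost.config path and that it runs in an elevated session. It reads the `<globalModules>` section, checks each module DLL's Authenticode signature and signer, and flags DLLs that sit outside the inetsrv directory or were written recently.

```powershell
# Added example (not from the article): audit native IIS global modules registered in
# applicationHost.config and flag the ones worth a closer look.
# Assumptions: default IIS install paths, elevated session, signed Microsoft modules expected.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$inetsrvDir = Join-Path $env:windir 'System32\inetsrv'
$recentDays = 30   # constructed threshold: modules written in the last 30 days get a note

[xml]$config = Get-Content -Path $configPath -Raw

# Native modules are <add name="..." image="..."/> entries under system.webServer/globalModules.
$entries = $config.configuration.'system.webServer'.globalModules.add

$report = foreach ($module in $entries) {
    # GetAttribute avoids the clash between the 'name' attribute and XmlElement.Name.
    $moduleName = $module.GetAttribute('name')
    $dllPath    = [Environment]::ExpandEnvironmentVariables($module.GetAttribute('image'))
    $reasons    = @()

    if (-not (Test-Path -LiteralPath $dllPath)) {
        $reasons += 'image file missing'
    }
    else {
        $sig = Get-AuthenticodeSignature -FilePath $dllPath
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature status $($sig.Status)"
        }
        elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
            $reasons += "signed by $($sig.SignerCertificate.Subject)"
        }

        # Legitimate native modules almost always live under inetsrv.
        if (-not $dllPath.StartsWith($inetsrvDir, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'loaded from outside inetsrv'
        }

        $fileInfo = Get-Item -LiteralPath $dllPath
        if ($fileInfo.LastWriteTime -gt (Get-Date).AddDays(-$recentDays)) {
            $reasons += "written $($fileInfo.LastWriteTime.ToString('u'))"
        }
    }

    [pscustomobject]@{
        Name       = $moduleName
        Image      = $dllPath
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Show flagged modules first; the full table can be exported for a baseline comparison.
$report | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Run it on a known-clean server first and keep the output as a baseline; a module that later appears with a non-Microsoft signer, an unsigned DLL, or an image path under a web application's directory is the pattern the article describes. The script covers native global modules only; managed modules under `<modules>` are referenced by .NET type name and would need a separate check of the site's `bin` folders and the GAC.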
IIS is a web server software developed by Microsoft to run on Windows systems. Organizations and companies use IIS to host static websites and ASP.NET web applications.
IIS, which stands for Internet Information Services, can also be used to host WCF services, serve as an FTP server, and extend to host web applications developed on other platforms such as PHP.
It basically receives requests from remote client computers and returns the correct response.