Tuesday, December 17, 2024
HomeBackdoorAttackers Use Malicious IIS Extensions to Deploy Covert Backdoors into Exchange Servers

Attackers Use Malicious IIS Extensions to Deploy Covert Backdoors into Exchange Servers

Published on

SIEM as a Service

As opposed to web shells, malicious extensions for the IIS web server have a lower detection rate, which means attackers are increasingly using them to backdoor unpatched Exchange servers.

Since they can be hidden deep within a compromised server, and are often very difficult to detect. As they are installed in the same location as legitimate modules and use the same structure, attackers can provide themselves with the perfect and durable persistence mechanism that they need. 

Since they use the same structure as legitimate modules in order to achieve the same effect as legitimate modules. The actual mechanism used to create a backdoor is usually quite minimal and the logic is not regarded as malicious in most cases.

- Advertisement - SIEM as a Service

Continued Access and built-in Capability

It is rare that attackers will use unpatched security flaws in an app that is hosted to inject such malicious extensions into a server after successfully compromising it.

These types of attacks are usually deployed after the initial payload for the attack is deployed, usually a web shell. Later on, the IIS module is deployed on the compromised server so that it can be accessed more stealthily and persistently.

Previously, Microsoft experienced the installation of custom IIS backdoors after hackers exploited the following products:-

  • ZOHO ManageEngine ADSelfService Plus
  • SolarWinds Orion

There are several things that can be harvested by malicious IIS modules once they have been deployed, and here they are listed below:- 

  • From the memory of the system, credentials are retrieved
  • Data collection from infected devices and the victims’ network
  • Payloads are delivered at a higher rate

Types of IIS Backdoors

Here below we have mentioned all the types of IIS backdoors:-

  • Web shell-based variants
  • Open-source variants
  • IIS handlers
  • Credential stealers

As a result of Kaspersky’s recent analysis of IIS extensions delivered onto Microsoft Exchange servers, it has been observed that malware performs the following actions:-

  • Execute commands
  • Steal credentials remotely

It has been at least since March 2021 that a similar piece of IIS malware has been detected in the wild, and this malware is referred to as SessionManager. 

Recommendations

It is recommended that you consider the following mitigations in order to protect your system against attacks that use malicious IIS modules:- 

  • Make sure to keep Exchange servers up to date
  • It is important to keep anti-malware and security solutions enabled at all times
  • Make sure that roles and groups that are sensitive are reviewed
  • IIS virtual directories can be restricted in order to prevent unauthorized access
  • Alerts should be prioritized based on their importance
  • Ensure that the configuration files and bin folders are in order
Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Cyber Criminals Exploit Windows Management Console to Deliver Backdoor Payloads

A recent campaign dubbed FLUX#CONSOLE has come to light, leveraging Microsoft Common Console Document (.MSC) files...

Texas Tech Systems Breach, Hackers Accessed System Folders & Files

The Texas Tech University Health Sciences Center (TTUHSC) and Texas Tech University Health Sciences...

Beware of Malicious Ads on Captcha Pages that Deliver Password Stealers

Malicious actors have taken cybercrime to new heights by exploiting captcha verification pages, a...

Hitachi Authentication Bypass Vulnerability Allows Attackers to Hack the System Remotely

Critical Authentication Bypass Vulnerability Identified in Hitachi Infrastructure Analytics Advisor and Ops Center Analyzer.A...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Cyber Criminals Exploit Windows Management Console to Deliver Backdoor Payloads

A recent campaign dubbed FLUX#CONSOLE has come to light, leveraging Microsoft Common Console Document (.MSC) files...

Texas Tech Systems Breach, Hackers Accessed System Folders & Files

The Texas Tech University Health Sciences Center (TTUHSC) and Texas Tech University Health Sciences...

Beware of Malicious Ads on Captcha Pages that Deliver Password Stealers

Malicious actors have taken cybercrime to new heights by exploiting captcha verification pages, a...