Threat actors are increasingly abusing Internet Information Services (IIS) extensions as server backdoors, a means of establishing a “long-term persistence mechanism”.
That is according to a new warning from the Microsoft 365 Defender Research Team, which states that “IIS backdoors are also harder to detect because they mostly reside in the same directory as the legitimate modules used by the target applications, and they follow the same code structure as clean modules.”
Attack chains using this approach begin with the exploitation of a critical vulnerability in a hosted application for initial access, using that foothold to drop a script web shell as the first-stage payload.
This web shell then becomes the conduit for installing a rogue IIS module that provides persistent, covert access to the server, in addition to monitoring incoming and outgoing requests and running commands remotely.
Indeed, earlier this month, Kaspersky researchers revealed a campaign by the Gelsemium group, which was found to be abusing the ProxyLogon Exchange Server vulnerabilities to deploy an IIS malware called SessionManager.
In another series of attacks observed by the tech giant between January and May 2022, Exchange servers were targeted with web shells by exploiting the ProxyShell vulnerabilities, eventually leading to the deployment of a backdoor named “FinanceSvcModel.dll”, but not before a period of reconnaissance.
“The backdoor has built-in capabilities to perform Exchange management operations, such as listing installed mailbox accounts and exporting mailboxes for filtering,” explains security researcher Hardik Suri.
To mitigate such attacks, organizations should apply the latest security updates to server components as soon as possible, keep antivirus and other protections enabled, review sensitive roles and groups, and restrict access by practicing the principle of least privilege and maintaining good credential hygiene.
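As a defender-side illustration of the detection difficulty the report describes, here is an added PowerShell check (not code from Microsoft or from the article) that inventories the native and managed modules an IIS server loads and flags leads worth reviewing; it assumes Windows Server with IIS, the WebAdministration module, and an elevated session.

```powershell
# Added example, not code from the Microsoft report: list the IIS modules a server
# loads and flag native modules whose DLL is unsigned or lives outside the Windows
# system directories, plus managed modules whose .NET type is not a System.Web one.
# Assumes Windows Server with IIS, the WebAdministration module, and an elevated shell.
Import-Module WebAdministration -ErrorAction Stop

function Get-IisModuleFindings {
    # Directories where Microsoft's own native modules normally reside.
    $trustedRoots = @("$env:windir\System32\inetsrv", "$env:windir\Microsoft.NET")

    foreach ($m in Get-WebGlobalModule) {
        # Image paths in applicationHost.config use %windir%-style variables.
        $path = [Environment]::ExpandEnvironmentVariables($m.Image)
        $status = if (Test-Path -LiteralPath $path) {
            (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        } else { 'Missing' }
        $trusted = [bool]($trustedRoots | Where-Object {
            $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
        [pscustomobject]@{
            Kind       = 'Native'
            Module     = $m.Name
            Location   = $path
            Signature  = $status
            # A lead to investigate, not a verdict: legitimate third-party modules trip this too.
            Suspicious = ($status -ne 'Valid') -or (-not $trusted)
        }
    }

    # Managed modules register a .NET type. Check the server level and every site,
    # since a web.config under a site can add a module the server level never shows.
    $scopes = @('IIS:\') + @(Get-Website | ForEach-Object { "IIS:\Sites\$($_.Name)" })
    $seen = @{}
    foreach ($scope in $scopes) {
        foreach ($m in Get-WebManagedModule -PSPath $scope) {
            if ($seen.ContainsKey($m.Type)) { continue }   # inherited entries repeat per site
            $seen[$m.Type] = $true
            [pscustomobject]@{
                Kind       = 'Managed'
                Module     = $m.Name
                Location   = $m.Type
                Signature  = 'n/a'
                Suspicious = -not ($m.Type -like 'System.Web.*')
            }
        }
    }
}

Get-IisModuleFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Flagged rows are starting points for review (compare the DLL hash and signer against a known-good build), not proof of compromise.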