Microsoft warns hackers turning to IIS exploits to create backdoors in businesses
Internet Information Services modules formed part of attacks on Microsoft Exchange servers earlier this year
Microsoft has warned that hackers are increasingly using Internet Information Services (IIS) modules to gain a more effective foothold within a victim's IT estate.
The company expects hackers to continue to use IIS backdoors and has encouraged all cyber security experts and incident responders to understand how these attacks work and how to mitigate them.
IIS modules are harder to detect than other mechanisms, such as web shells, because the backdoors typically sit in the same directories as legitimate modules and follow the same code structure.
“In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection,” said Hardik Suri, senior security researcher at Microsoft.
Backdoors built as IIS extensions can monitor incoming and outgoing requests and execute code remotely on victim machines.
IIS modules have been used in attacks on Microsoft Exchange servers this year in place of web shells, Microsoft said, although malicious IIS extensions remain less common in attacks against servers.
A typical attack sees a hacker exploit a vulnerability to gain initial access, drop a script web shell as the first malicious payload and then install an IIS backdoor for additional covert access.
How to improve defences
Malicious IIS extensions can be difficult to detect because of the similarities they share with legitimate web server modules, but Microsoft has made a number of recommendations for businesses looking to reinforce their cyber defences.
Organisations should identify their exposure to any security vulnerabilities that affect servers and apply the latest updates to minimise the risk of exploitation. Ensuring basic protections are enabled, such as active antivirus and rules that block known attack behaviours, is also key.
Adopting the principle of least privilege, part of a zero trust model, is also advisable, Microsoft said. The list of individuals with privileged access should be reviewed regularly so that cyber criminals have as few targets as possible.
Catching attacks in the 'exploratory phase' is key, and businesses are best placed to do that by prioritising alerts tied to the distinct patterns of server compromise, which can stifle attacks before any damage is done.
The exploratory phase is when a hacker gains initial access to a system and moves laterally to understand how it works. This phase can last several days, Microsoft said.
Inspecting the web.config and ApplicationHost.config files of a target application and looking for suspicious additions, such as a handler for image files, can also help to identify attacks.
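One way to carry out the configuration inspection described above, as an added PowerShell example that is not from the article or from Microsoft's post: it parses an applicationHost.config or web.config and flags handlers that route image extensions to anything other than the static file module, and native modules loaded from outside the inetsrv and .NET Framework directories. The image extension list, the trusted-directory rule and the sample config are all assumptions constructed for this example.

```powershell
# Added example, not code from the article or from Microsoft's post. Flags IIS
# config entries matching the article's "suspicious additions" advice (assumptions noted).
function Get-SuspiciousIisConfigEntries {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [string[]]$ImageExtensions = @('.jpg', '.jpeg', '.png', '.gif', '.ico'),   # assumption
        [string[]]$TrustedModuleDirs = @("$env:windir\System32\inetsrv\*", "$env:windir\Microsoft.NET\*")  # assumption
    )
    $findings = @()
    # Handler mappings: an image extension normally goes to StaticFileModule; one
    # routed to a managed type or a custom module is worth a closer look.
    foreach ($h in $Config.SelectNodes('//system.webServer/handlers/add')) {
        $ext = [System.IO.Path]::GetExtension([string]($h.path)).ToLower()
        if ($ext -in $ImageExtensions -and $h.modules -notmatch 'StaticFileModule') {
            $findings += [pscustomobject]@{
                Kind = 'Handler'; Name = $h.name; Detail = "path=$($h.path) modules=$($h.modules) type=$($h.type)"
            }
        }
    }
    # Native modules registered from outside the expected directories.
    foreach ($m in $Config.SelectNodes('//system.webServer/globalModules/add')) {
        $img = [Environment]::ExpandEnvironmentVariables([string]($m.image))
        $trusted = $false
        foreach ($dir in $TrustedModuleDirs) { if ($img -like $dir) { $trusted = $true } }
        if (-not $trusted) {
            $findings += [pscustomobject]@{ Kind = 'GlobalModule'; Name = $m.name; Detail = "image=$img" }
        }
    }
    return $findings
}
# Constructed sample config (not real data): one benign handler, one image handler
# bound to a managed type, and one module loaded from the web root.
[xml]$sample = @"
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ImageHelper" image="C:\inetpub\wwwroot\bin\imghelper.dll" />
    </globalModules>
    <handlers>
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" />
      <add name="ImgHandler" path="*.jpg" verb="*" type="App.ImgHandler" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</configuration>
"@
Get-SuspiciousIisConfigEntries -Config $sample | Format-Table -AutoSize
```

Against a live server, pass the real file instead: `Get-SuspiciousIisConfigEntries -Config ([xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config" -Raw))`. Anything flagged is a lead for review, since legitimate third-party products also register modules outside inetsrv.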
A comprehensive list of the indicators of compromise (IOCs) known to Microsoft can be found in its full blog post.
What are IIS extensions?
IIS is a Microsoft-made general-purpose web server designed for the Windows NT family. It has been a legitimate part of Windows for years and acts as a platform for hosting web services and applications. IIS can deliver content to users in several forms, including HTML web pages, documents, images and file exchanges.
IIS has a modular architecture that lets admins extend and customise web servers with whatever functionality they need.
IIS backdoors come in several variants. There is a web shell-based variant, the most famous of which is perhaps China Chopper, a web shell that has seen an uptick in usage in recent years.
There are also various open-source variants that can be found on code-sharing sites such as GitHub, as well as credential stealers and IIS handlers that can be configured to respond to specific extensions or requests in the IIS pipeline.