Microsoft warns hackers turning to IIS exploits to create backdoors in businesses


Microsoft has warned that hackers are increasingly turning to Internet Information Services (IIS) modules to gain a stealthier, more persistent foothold in a victim's IT estate.

The company expects hackers to continue using IIS backdoors and has encouraged security teams and incident responders to understand how these attacks work and how to mitigate them.

IIS modules are harder to detect during an attack than other mechanisms such as web shells, because the backdoors typically sit in the same directories as legitimate modules and follow the same code structure.

“In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection,” said Hardik Suri, senior security researcher at Microsoft.

Backdoors built as IIS extensions can monitor incoming and outgoing requests and execute code remotely on the victim machine.

IIS modules were used in place of web shells in attacks on Microsoft Exchange servers this year, Microsoft said, although malicious IIS extensions remain less common in attacks on servers than web shells.

A typical attack sees a hacker exploit a vulnerability in the hosted application to gain initial access, drop a script web shell as the first malicious payload, and then install an IIS backdoor for additional, more covert access.

How to improve defences

Malicious IIS extensions can be difficult to detect because they look so much like legitimate IIS modules, but Microsoft has made a number of recommendations for businesses looking to reinforce their cyber defences.

Organisations should identify their exposure to any security vulnerabilities that affect their servers and apply the latest updates to minimise the risk of exploitation. Basic protections should also be in place, such as an active antivirus solution and rules that block known attack behaviours.

Adopting the principle of least privilege, part of a zero trust model, is also advisable, Microsoft said. The list of accounts with privileged access should be reviewed regularly so that attackers have as few high-value targets as possible.

Catching attacks in the 'exploratory phase' is key. Businesses are best placed to do that by prioritising alerts tied to the distinctive patterns of server compromise, which can stop an attack before any damage is done.

The exploratory phase is when a hacker has gained initial access to a system and is moving through the environment to understand how it is set up. This phase can last several days, Microsoft said.

Inspecting the web.config and ApplicationHost.config files of the target application for suspicious additions, such as a handler registered for image files, can also help identify an attack.
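The configuration check above, written out as an added example. This script is not from the article or from Microsoft's blog post; it parses applicationHost.config and web.config and flags a handler mapped to an image extension, a native module loaded from outside %windir%\System32\inetsrv, and a managed module or handler whose .NET type is not in a System or Microsoft namespace. The sample configuration embedded at the bottom is constructed for the example, and the module and handler names in it (ImageCacheModule, JpgHandler) are hypothetical.

```python
"""Triage IIS configuration files for a malicious module or handler mapping.

Added example, not code from Microsoft or from the article. The constructed
sample config at the bottom uses hypothetical module and handler names.
"""
import sys
import xml.etree.ElementTree as ET

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".ico"}
# Directory IIS's own native modules load from; compared case-insensitively.
TRUSTED_NATIVE_DIR = "%windir%\\system32\\inetsrv\\"
TRUSTED_TYPE_PREFIXES = ("System.", "Microsoft.")


def type_is_trusted(type_attr):
    """Managed entries carry type="Namespace.Class, Assembly"; check the namespace."""
    return type_attr.split(",")[0].strip().startswith(TRUSTED_TYPE_PREFIXES)


def handler_extensions(path_attr):
    """A handler path holds one or more comma-separated globs such as *.aspx."""
    for glob in path_attr.lower().split(","):
        dot = glob.strip().rfind(".")
        if dot != -1:
            yield glob.strip()[dot:]


def find_suspicious(config_xml):
    """Return (category, entry name, detail) tuples for entries worth a closer look.

    IIS keeps handler and module tables at the top level of applicationHost.config,
    inside its <location> blocks, and in each web.config, so every table is found
    by walking the whole tree rather than a fixed path.
    """
    root = ET.fromstring(config_xml)
    findings = []

    for table in root.iter("handlers"):
        for add in table.findall("add"):
            name, path = add.get("name", "?"), add.get("path", "")
            if any(ext in IMAGE_EXTENSIONS for ext in handler_extensions(path)):
                detail = f"path={path} type={add.get('type')} modules={add.get('modules')}"
                findings.append(("image-handler", name, detail))
            type_attr = add.get("type")
            if type_attr and not type_is_trusted(type_attr):
                findings.append(("untrusted-managed-handler", name, type_attr))

    for table in root.iter("globalModules"):
        for add in table.findall("add"):
            image = add.get("image", "")
            if not image.lower().startswith(TRUSTED_NATIVE_DIR):
                findings.append(("native-module-outside-inetsrv", add.get("name", "?"), image))

    for table in root.iter("modules"):
        for add in table.findall("add"):
            type_attr = add.get("type")
            if type_attr and not type_is_trusted(type_attr):
                findings.append(("untrusted-managed-module", add.get("name", "?"), type_attr))

    return findings


def triage_files(paths):
    """Run find_suspicious over real files; bytes are passed so the declared encoding is honoured."""
    results = {}
    for path in paths:
        with open(path, "rb") as fh:
            results[path] = find_suspicious(fh.read())
    return results


# Constructed sample in the shape of applicationHost.config: one genuine native
# module, one hypothetical native module loaded from inetpub, and a <location>
# block registering a hypothetical managed handler for *.jpg requests.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="ImageCacheModule" image="%SystemDrive%\\inetpub\\temp\\imgcache.dll" />
    </globalModules>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="HttpLoggingModule" lockItem="true" />
        <add name="ImageCacheModule" lockItem="true" />
      </modules>
      <handlers accessPolicy="Read, Script">
        <add name="PageHandlerFactory-Integrated" path="*.aspx" verb="GET,HEAD,POST,DEBUG" type="System.Web.UI.PageHandlerFactory" />
        <add name="JpgHandler" path="*.jpg" verb="*" type="ImageCache.JpgHandler, ImageCache" />
      </handlers>
    </system.webServer>
  </location>
</configuration>
"""

if __name__ == "__main__":
    if sys.argv[1:]:
        results = triage_files(sys.argv[1:])  # e.g. applicationHost.config and web.config
    else:
        results = {"<constructed sample>": find_suspicious(SAMPLE_CONFIG)}
    for source, findings in results.items():
        print(source)
        for category, name, detail in findings:
            print(f"  [{category}] {name}: {detail}")
```

Run with no arguments to see the three findings from the constructed sample, or pass the paths of collected configuration files. Treat the output as a triage list rather than a verdict: legitimate third-party native modules install outside inetsrv and will be flagged, so compare against a known-good server's configuration, and because a backdoor can register under any name, including a Microsoft-looking one, confirm that each flagged assembly or DLL is where it should be on disk and is signed by its claimed vendor. On a live server, `appcmd list modules` shows the same module table the script reads from applicationHost.config.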

A comprehensive list of the indicators of compromise (IOCs) known to Microsoft can be found in its full blog post.

What are IIS extensions?

IIS is Microsoft's general-purpose web server for the Windows NT family of operating systems. It has shipped as a legitimate Windows component for many years and acts as a platform for hosting web services and applications, serving content such as HTML pages, documents, images and file transfers.

IIS has a modular architecture: modules plug into the request-processing pipeline, which lets admins extend and customise a web server with whatever functionality they need.

IIS backdoors come in several variants. One is web shell-based, the best known example being China Chopper, a web shell that has seen an uptick in usage in recent years.

There are also various open-source variants available on code-sharing sites such as GitHub, as well as credential stealers and IIS handlers that can be configured to respond to specific file extensions or requests in the IIS pipeline.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.