
Microsoft warns hackers turning to IIS exploits to create backdoors in businesses

Internet Information Services modules formed part of attacks on Microsoft Exchange servers earlier this year

Microsoft has warned that hackers are increasingly turning to Internet Information Services (IIS) modules to gain a stealthier, more persistent foothold within a victim's IT estate.

The company expects hackers to continue to use IIS backdoors and has encouraged security teams and incident responders to understand how these attacks work and how to mitigate them.

Malicious IIS modules are harder to detect than other mechanisms, such as web shells, because the backdoors typically sit in the same directories as legitimate modules and follow the same code structure.

“In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection,” said Hardik Suri, senior security researcher at Microsoft.

Backdoors built as IIS extensions can monitor incoming and outgoing requests and execute code remotely on the victim machine.

IIS modules were used in place of web shells in attacks on Microsoft Exchange servers this year, Microsoft said, although malicious IIS extensions are still a less common choice in attacks against servers.

A typical attack would see a hacker exploiting a vulnerability in order to gain initial access, before dropping a script web shell as the first malicious payload and then installing an IIS backdoor for additional covert access.

How to improve defences

Malicious IIS extensions can be difficult to detect because of how closely they resemble legitimate modules, but Microsoft has made a number of recommendations for businesses looking to reinforce their cyber defences.

Organisations should identify their exposure to security vulnerabilities that affect their servers and apply the latest updates to minimise the risk of exploitation. Basic protections, such as an active antivirus solution and rules that block known attack behaviours, should also be enabled.

Adopting the principle of least privilege, part of a zero trust model, is also advisable, Microsoft said. The list of people with privileged access should be reviewed regularly so that attackers have as few high-value accounts to target as possible.

Catching attacks in the 'exploratory phase' is key, and businesses are best placed to do that by prioritising alerts that match the distinct patterns of server compromise, stifling attacks before any damage is done.

The exploratory phase is the period after an attacker gains initial access, during which they explore the environment to understand how it works. This phase can last several days, Microsoft said.

Inspecting the web.config and ApplicationHost.config files of the target application, and looking for suspicious additions such as a handler for image files (one that maps an extension like .jpg to managed code or a script processor rather than to the static file module), can also help to identify an attack.
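The configuration check described above, as an added example that is not part of the article or of Microsoft's own guidance: a Python script that parses a web.config or applicationHost.config file offline and flags three kinds of addition an IIS backdoor leaves behind. It flags handlers that route a static-content extension (images and similar) to managed code or a script processor, native modules whose DLL is loaded from outside %windir%\System32\inetsrv, and managed modules that are neither Microsoft built-ins (assumed here to be typed under System.Web.*) nor on an allowlist the caller supplies. The config it parses is constructed for illustration, and every handler and module name in it (ImageCacheModule, JpegHandler, ReqMonitor, the Contoso assembly) is hypothetical.

```python
"""
Added example, not code from the IT Pro article or from Microsoft's blog:
an offline triage pass over an IIS web.config / applicationHost.config,
implementing the check the article recommends. The embedded config is
constructed for illustration; all handler and module names in it are
hypothetical.
"""
import xml.etree.ElementTree as ET
from typing import Dict, FrozenSet, List

# Extensions IIS normally serves as static files. A handler that maps one
# of these to managed code (type=...) or to a script processor
# (scriptProcessor=...) is the "handler for image files" the article warns
# about. Tune this set to your environment.
STATIC_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "bmp", "ico", "css", "txt"}

# Built-in native modules live here; a globalModules entry whose image
# sits elsewhere (notably a web-writable directory) deserves a look.
INETSRV_DIR = "\\system32\\inetsrv\\"

# Assumption: Microsoft's built-in managed modules are typed under
# System.Web.*; any other managed module is checked against the allowlist.
BUILTIN_MANAGED_PREFIX = "System.Web."

Finding = Dict[str, str]

# Constructed sample in applicationHost.config layout (hypothetical names).
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
      <add name="ImageCacheModule" image="C:\\inetpub\\wwwroot\\bin\\imgcache.dll" />
    </globalModules>
    <handlers>
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" />
      <add name="PageHandlerFactory-Integrated" path="*.aspx" verb="GET,HEAD,POST,DEBUG" type="System.Web.UI.PageHandlerFactory" preCondition="integratedMode" />
      <add name="JpegHandler" path="*.jpg" verb="*" type="Contoso.Imaging.JpegHandler, Contoso.Imaging" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer>
      <modules>
        <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
        <add name="ReqMonitor" type="ReqMonitor.Module, ReqMonitor" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""


def extension_of(path_pattern: str) -> str:
    """'*.jpg' -> 'jpg'; '*' -> '' (no extension)."""
    return path_pattern.rsplit(".", 1)[-1].lower() if "." in path_pattern else ""


def suspicious_handlers(root: ET.Element) -> List[Finding]:
    """Handlers that route a static-content extension to code."""
    findings = []
    for add in root.findall(".//handlers/add"):
        path = add.get("path", "")
        if extension_of(path) not in STATIC_EXTENSIONS:
            continue
        target = add.get("type") or add.get("scriptProcessor")
        if target:  # static files are served via modules="StaticFileModule,..."
            findings.append({"kind": "handler", "name": add.get("name", ""),
                             "detail": f"{path} -> {target}"})
    return findings


def suspicious_native_modules(root: ET.Element) -> List[Finding]:
    """globalModules entries whose DLL is not under inetsrv."""
    return [{"kind": "native module", "name": add.get("name", ""),
             "detail": add.get("image", "")}
            for add in root.findall(".//globalModules/add")
            if INETSRV_DIR not in add.get("image", "").lower()]


def suspicious_managed_modules(root: ET.Element,
                               allowlist: FrozenSet[str] = frozenset()) -> List[Finding]:
    """<modules> entries with a managed type that is neither built-in nor allowlisted."""
    findings = []
    for add in root.findall(".//modules/add"):
        mtype = add.get("type")
        if not mtype or mtype.startswith(BUILTIN_MANAGED_PREFIX) or mtype in allowlist:
            continue
        findings.append({"kind": "managed module", "name": add.get("name", ""),
                         "detail": mtype})
    return findings


def triage(xml_text: str, allowlist: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Parse one config file and return every finding from the three checks."""
    root = ET.fromstring(xml_text)
    return (suspicious_handlers(root) + suspicious_native_modules(root)
            + suspicious_managed_modules(root, allowlist))


if __name__ == "__main__":
    for f in triage(SAMPLE_CONFIG):
        print(f"[{f['kind']}] {f['name']}: {f['detail']}")
```

Run against a file collected from a server by reading it and passing the text to triage(), with the allowlist populated from a known-good baseline of the same server or a clean build of it. The findings are leads, not verdicts: a third-party module legitimately loaded from outside inetsrv will show up too, which is exactly why Microsoft notes that the logic of these backdoors only looks malicious alongside an understanding of how legitimate extensions are registered.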

A comprehensive list of the indicators of compromise (IOCs) known to Microsoft can be found in its full blog post.

What are IIS extensions?

IIS is Microsoft's general-purpose web server for the Windows NT family of operating systems. It has been a standard, legitimate component of Windows for years and acts as a platform for hosting web services and applications. IIS can deliver content to users in several forms, including HTML web pages, documents, images and file exchanges.


IIS has a modular architecture that lets administrators extend and customise the web server with whatever functionality they need.

Malicious IIS extensions come in several variants. There are web shell-based variants, the best known of which is perhaps China Chopper, a web shell that has seen an uptick in usage in recent years.

There are also open-source variants that can be found on code-sharing sites such as GitHub, as well as credential stealers and IIS handlers, which can be configured to respond to specific file extensions or requests in the IIS pipeline.
