Microsoft: Hackers are Using Malicious IIS Extensions to Backdoor Exchange Servers

July 28, 2022

2 minute read

According to Microsoft, hackers are exploiting the IIS web servers to install backdoors and steal credentials in their latest campaign.

Microsoft 365 Defender Research Team has published a report revealing that hackers are now using Microsoft’s Internet Information Services (IIS) extensions as a backdoor to infiltrate its servers and hide deep into the system to ensure persistence on the device.

IIS Platform Used as Backdoor

Microsoft has warned in its report that the IIS web server is exploited to install backdoors and steal credentials. This entire mechanism is hard to detect, making removing malicious IIS extensions all the more difficult.

These extensions are payloads for MS Exchange servers but aren’t as popular as web shells as first-stage payloads when targeting servers. Still, these can be used by threat actors because IIS extensions have the same structure and location as legit modules and both the extensions and modules are present in the same directories.

IIS extensions are essential for organizations as their modular structure allows users to customize/extend web services per their needs. The extensions may be managed through C#, VB.NET code structures, and can be categorized as handlers.

How does the Attack Works?

Malicious IIS extensions use minimal backdoor logic. Therefore, it becomes a challenge to determine the extension’s infection source. These extensions may not appear malicious as the main IIS-hosted target application is MS Outlook on the MS Exchange Server. An attacker can gain complete access to the victim’s email communications if it gets compromised.

Generally, hackers start by exploiting a critical flaw in the app to gain initial access and then drop a script web shell as a first stage payload before installing the IIS backdoor to provide hidden and persistent access to the server.

Microsoft noted that in one campaign targeting Exchange servers and examined between Jan and May 2022, attackers installed customized IIS modules.

When the attacker registers with the targeted app, the backdoor and incoming/outgoing requests can be easily monitored. They may execute remote commands or put credentials in the background.

Mitigation Strategies

IIS modular web server is a core component of the MS Windows platform. Critical protection features are essential, such as threat and vulnerability management or antivirus solutions to adopt a comprehensive solution for protecting identities and secure emails, cloud, domains, and endpoints.

Furthermore, organizations must install defenders and ramp up their security measures/capabilities while ensuring early detection of server compromise. For additional mitigation strategies and technical details visit Microsoft’s blog post about the ongoing attack taking advantage of malicious IIS extensions.