
Microsoft warns hackers turning to malicious IIS extensions to create backdoors in businesses

Internet Information Services modules formed part of attacks on Microsoft Exchange servers earlier this year

Microsoft has warned that attackers are increasingly using Internet Information Services (IIS) modules to establish a more durable and covert foothold within a victim's IT estate.

The company expects attackers to continue to use IIS backdoors and has encouraged cyber security experts and incident responders to understand how these attacks work and how to mitigate them.

IIS modules are harder to detect than other mechanisms, such as web shells, because the backdoors are typically placed in the same directories as legitimate modules and follow the same code structure as them.

“In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection,” said Hardik Suri, senior security researcher at Microsoft.

Such backdoors using IIS extensions have the capability to monitor incoming and outgoing requests and execute code remotely on victim machines.

IIS modules were used in attacks on Microsoft Exchange servers this year in place of web shells, Microsoft said, although malicious IIS extensions are still encountered less often in attacks against servers than script web shells are.

A typical attack would see a hacker exploiting a vulnerability in order to gain initial access, before dropping a script web shell as the first malicious payload and then installing an IIS backdoor for additional covert access.

How to improve defences

Malicious IIS extensions can be difficult to detect because of how closely they resemble legitimate modules, but Microsoft has made a number of recommendations for businesses looking to reinforce their defences.

Organisations should identify their exposure to security vulnerabilities that affect their servers and apply the latest updates to minimise the risk of exploitation. Basic protections should also be in place, such as an active antivirus solution and rules that block known attack behaviours.

Adopting the principle of least privilege, part of a zero trust model, is also advised, Microsoft said. The list of accounts with privileged access should be reviewed regularly so that attackers have as few high-value targets as possible.

Catching attacks in the 'exploratory phase' is key. Businesses are best placed to do this by prioritising alerts that match the distinct patterns of server compromise, which can stop an attack before any damage is done.

The exploratory phase is the period after an attacker gains initial access to a system, during which they explore the environment to understand how it works. This phase can last several days, Microsoft said.

Inspecting the web.config and applicationHost.config files of a target application, and looking for suspicious additions such as a handler mapping that routes requests for image files to code, can also help to identify attacks.
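The configuration check described above, written out as an added PowerShell example (this is not code from Microsoft's post or from this article). It parses an applicationHost.config, flags native modules whose DLL is loaded from outside the IIS system directory, and flags handler mappings that send image extensions to a managed type or script processor instead of the static file handler. The config path, the embedded sample configuration, the list of image extensions, and the use of "outside %windir%\System32\inetsrv" as the suspicious condition are all assumptions made for illustration, not criteria taken from Microsoft's guidance.

```powershell
# Added example, not part of the original article or Microsoft's blog post.
# Scans an IIS applicationHost.config for two of the additions the article
# describes: native modules loaded from unusual paths, and handlers that
# route image requests to code. Path, sample data and thresholds are assumptions.

param(
    # Default location on an IIS host; pass -ConfigPath for an exported copy.
    [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
)

# Constructed sample so the script runs offline. It contains one legitimate
# native module, one native module loaded from a web root, the normal static
# file handler, and a handler that maps *.jpg to a managed type.
$sampleXml = @"
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticCompressionModule" image="%windir%\System32\inetsrv\compstat.dll" />
      <add name="UpdateModule" image="C:\inetpub\wwwroot\bin\update.dll" />
    </globalModules>
    <handlers>
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
      <add name="ImageHandler" path="*.jpg" verb="*" type="App.ImageHandler, App" />
    </handlers>
  </system.webServer>
</configuration>
"@

if (Test-Path -LiteralPath $ConfigPath) {
    [xml]$config = Get-Content -Raw -LiteralPath $ConfigPath
} else {
    Write-Warning "Config not found at $ConfigPath; scanning the embedded sample instead."
    [xml]$config = $sampleXml
}

$findings = @()
$inetsrv  = [regex]::Escape('System32\inetsrv')          # where IIS's own modules live
$imageExt = '\.(jpg|jpeg|png|gif|bmp|ico)$'               # assumed set of image extensions

# 1. Native modules (globalModules) whose DLL sits outside %windir%\System32\inetsrv.
#    IIS's shipped modules load from there; a DLL under a web root deserves a look.
foreach ($m in $config.configuration.'system.webServer'.globalModules.add) {
    if ($m.image -notmatch $inetsrv) {
        $findings += [pscustomobject]@{ Kind = 'globalModule'; Name = $m.name; Detail = $m.image }
    }
}

# 2. Handlers that map image extensions to a managed type or script processor.
#    Images should normally fall through to the static file handler.
foreach ($h in $config.configuration.'system.webServer'.handlers.add) {
    $codeBacked = [bool]($h.type) -or [bool]($h.scriptProcessor)
    if ($h.path -match $imageExt -and $codeBacked) {
        $findings += [pscustomobject]@{
            Kind   = 'handler'
            Name   = $h.name
            Detail = "$($h.path) -> $($h.type)$($h.scriptProcessor)"
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No suspicious entries found.' }
```

Run it with -ConfigPath pointing at a copy of applicationHost.config pulled from the host under investigation; the handlers and modules sections of a site's web.config have the same shape, so the same two loops apply to those files. The output is a triage list rather than a verdict: a legitimately installed third-party module will also appear under the first check, so each hit still needs to be tied back to a known deployment before it is treated as a backdoor.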

A comprehensive list of the indicators of compromise (IOCs) known to Microsoft can be found in its full blog post.

What are IIS extensions?

IIS is a Microsoft-made general-purpose web server designed for the Windows NT family of operating systems. It has shipped with Windows for years and acts as a platform for hosting web services and applications. IIS can deliver content to users in different forms, including HTML web pages, documents, images, and file exchanges.


IIS has a modular architecture that allows administrators to extend and customise the web server with whatever functionality they need.

IIS backdoors come in several variants. One is web shell-based, the best known example being China Chopper, a web shell that has seen an uptick in use in recent years.

There are also open-source variants available on code-sharing sites such as GitHub, as well as credential stealers and malicious IIS handlers, which can be configured to respond to specific file extensions or requests in the IIS pipeline.
