(416) 825-2120
info@veiliant.com
Free IT Assessment
  • About
  • Services
    • Fully Managed IT
    • Cloud Services
    • Software Development
    • Business Continuity
    • Cyber Security
    • Professional IT Consulting
  • Our Team
  • Blog
  • Contact
Remote Support

Microsoft Exchange Servers Increasingly Hacked with IIS Backdoors

Posted on July 26, 2022

Microsoft says attackers increasingly use malicious Internet Information Services (IIS) web server extensions to backdoor unpatched Exchange servers as they have lower detection rates compared to web shells.

Because they’re hidden deep inside the compromised servers and often very hard to detect being installed in the exact location and using the same structure as legitimate modules, they provide attackers’ with a perfect and durable persistence mechanism.

“In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection,” the Microsoft 365 Defender Research Team said Tuesday.

Persistent access to compromised servers

Threat actors rarely deploy such malicious extensions after compromising a server using exploits for various unpatched security flaws in a hosted app.

They’re usually deployed after a web shell is deployed as the first payload in the attack. The IIS module is deployed later to provide stealthier and persistent (update resistant) access to the hacked server.

Microsoft previously saw custom IIS backdoors installed after threat actors exploited ZOHO ManageEngine ADSelfService Plus and SolarWinds Orion vulnerabilities.

After deployment, malicious IIS modules allow threat actors to harvest credentials from system memory, collect information from the victims’ network and infected devices, and deliver more payloads.

More recently, in a campaign between January and May 2022 that targeted Microsoft Exchange servers, attackers deployed malicious IIS extensions to gain access to victims’ email mailboxes, run commands remotely, and steal credentials and confidential data.

“After a period of doing reconnaissance, dumping credentials, and establishing a remote access method, the attackers installed a custom IIS backdoor called FinanceSvcModel.dll in the folder C:\inetpub\wwwroot\bin\,” Microsoft added.

“The backdoor had built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration.”

Example IIS backdoor installed as an IIS handler
Example IIS backdoor installed as an IIS handler (Microsoft)

Malware deployed on Exchange servers as malicious IIS modules

Kaspersky has also recently spotted malware delivered as IIS extensions onto Microsoft Exchange servers to execute commands and steal credentials remotely.

In December, a malicious IIS web server module named Owowa was used to target government organizations and public transportation companies across Southeast Asia and Europe.

Another IIS malware dubbed SessionManager was used in the wild without being detected since at least March 2021 (right after the start of last year’s massive wave of ProxyLogon attacks) in attacks against government and military orgs from Europe, the Middle East, Asia, and Africa.

“Once dropped into the victim’s system, cybercriminals behind the backdoor can gain access to company emails, update further malicious access by installing other types of malware or clandestinely manage compromised servers, which can be leveraged as malicious infrastructure,” Kaspersky said at the time.

“IIS modules are not a common format for backdoors, especially when compared to typical web application threats like web shells and can therefore easily be missed during standard file monitoring efforts.”

ESET researchers have also analyzed 14 native IIS malware families, outlining their capabilities in a report published in August 2021 (research paper available here).

To defend against attacks using malicious IIS modules, Microsoft advises customers to keep their Exchange servers up to date, keep anti-malware and security solutions enabled, review sensitive roles and groups, restrict access to IIS virtual directories, prioritize alerts, and inspect config files and bin folders.

Previous Post
Microsoft warns Windows 10 USB Printing Breaks Due to Recent Updates
Next Post
VMware Urges Admins to Patch Critical Auth Bypass Bug Immediately

Recent Posts

  • Google Extends Security Update Support for Chromebooks to 10 Years September 17, 2023
  • MGM Casino’s ESXi Servers Allegedly Encrypted in Ransomware Attack September 16, 2023
  • Caesars Entertainment Confirms Ransom Payment, Customer Data Theft September 15, 2023
  • Fake Cisco Webex Google Ads Abuse Tracking Templates to Push Malware September 14, 2023
  • Microsoft Teams Down: Ongoing Outage Behind Message Failures, Delays September 13, 2023

Categories

  • Cybersecurity (198)
  • Machine Learning (1)
  • News (115)
  • Robotic Process Automation (4)

Partners and Affiliates

Manufacturers matter. We partner with industry leaders that focus on business technology solutions. Let us help you find the right fit for your organization. Our partners offer great support, education, and benefits that we pass down to our clients.

 

About Us

Veiliant Inc. is a Managed Service Provider that offers many flexible services. We strive to meet the growing demand for computer support services needed for business success.

Veiliant has a proactive approach to help create innovative solutions devised  with your business goals in mind.

Our Services

  • Fully Managed IT
  • Cloud Services
  • Software Development
  • Business Continuity
  • Professional IT Consulting
  • Cyber Security

Related Links

  • FAQ
  • Privacy Policy

Contact Information

5155 Spectrum Way, Unit 1, Mississauga, ON, L4W 5A1
(416) 825-2120

Customer Support

  • Remote Support
  • Free IT Assessment

© 2023 Veiliant Inc. All rights reserved.