For HomeFor BusinessFor Partners
Industry News
1 min read

Hackers Increasingly Use IIS Extensions as Exchange Backdoors, Microsoft Says

Vlad CONSTANTINESCU

July 27, 2022

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Hackers Increasingly Use IIS Extensions as Exchange Backdoors, Microsoft Says

Malicious Internet Information Services (IIS) extensions are increasingly becoming hackers’ favorite backdoor routes to vulnerable Exchange servers, according to Microsoft.

Unlike web shells, malware-laced IIS extensions have a lower detection rate, which makes it easier for perpetrators to slip by unnoticed.

Furthermore, they mimic legitimate modules closely by replicating their structure and using the same installation location as their counterparts. Due to their stealthy nature, detecting these extensions can be challenging, giving threat actors durable persistence on compromised systems.

“Typically, attackers first exploit a critical vulnerability in the hosted application for initial access before dropping a script web shell as the first stage payload,” according to a Microsoft 365 Defender Research Team blog post. “At a later point in time, the attackers then install an IIS backdoor to provide highly covert and persistent access to the server.”

The company says attackers still prefer using exclusively “script web shells as the first stage payload,” making malicious IIS extensions less likely to encounter. The extensions’ subterfuge abilities and a failure to understand how their legitimate analogs work could make it harder to accurately determine the infection source.

Besides their low detection rate and efficiency in achieving durable persistence on compromised systems, malware-ridden IIS extensions can perform various operations. After registering with the host application, perpetrators can use the backdoor to monitor incoming and outgoing requests, dump credentials, perform arbitrary code execution remotely, and exfiltrate data.

Microsoft released a series of security practices that system administrators can follow to boost their servers’ defenses:

  • Installing the latest security updates as soon as they're available
  • Enabling firewall and multi-factor authentication (MFA)
  • Enforcing attack surface reduction rules to block suspicious behaviors automatically
  • Enabling tamper protection to prevent threat actors from disabling security services
  • Regularly reviewing privileged and sensitive roles and groups
  • Implementing strong password policies
  • Regularly inspecting the list of installed modules and their configuration files
  • Prioritizing alerts to sensitive processes (e.g., net, cmd)

tags

Industry News

Author

Vlad CONSTANTINESCU

Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.

View all posts

Right now Top posts

Start Cyber Resilience and Don’t Be an April Fool This Spring and Beyond
Scam How to Tips and Tricks

Start Cyber Resilience and Don’t Be an April Fool This Spring and Beyond

April 01, 2024

2 min read
Spam trends of the week: Cybercrooks phish for QuickBooks, American Express and banking accounts
Spam Industry News Threats

Spam trends of the week: Cybercrooks phish for QuickBooks, American Express and banking accounts

November 28, 2023

4 min read
Protecting your important: Stick to these 8 cybersecurity tips for safe Black Friday and Cyber Monday deal hunting
Protecting Your Important How to Tips and Tricks

Protecting your important: Stick to these 8 cybersecurity tips for safe Black Friday and Cyber Monday deal hunting

November 08, 2023

4 min read
3 in 5 travel-themed spam emails are scams, Bitdefender Antispam Lab warns
Industry News Spam

3 in 5 travel-themed spam emails are scams, Bitdefender Antispam Lab warns

August 10, 2023

4 min read

FOLLOW US ON SOCIAL MEDIA

You might also like

Ukraine claims it hacked Russian Ministry of Defence, stole secrets and encryption ciphers
Industry News

Ukraine claims it hacked Russian Ministry of Defence, stole secrets and encryption ciphers
Graham CLULEY

March 06, 2024

2 min read
Crimemarket Taken Down by German Authorities
Industry News

Crimemarket Taken Down by German Authorities
Silviu STAHIE

March 05, 2024

1 min read
Judge Orders NSO Group to Surrender Pegasus Source Code to Meta
Industry News

Judge Orders NSO Group to Surrender Pegasus Source Code to Meta
Silviu STAHIE

March 04, 2024

1 min read

Bookmarks

loader