Hackers are now reportedly using Internet Information Services (IIS) extensions as backdoors into servers: an extension lets them hide deep inside the target environment and gives them a durable persistence mechanism.
While past research on these incidents has been published, little is still known about how hackers use the IIS platform as a backdoor.
Using IIS as Backdoor
According to Microsoft, malicious IIS extensions are not often encountered in attacks against servers; hackers typically use only script web shells as the first-stage payload.
Malicious IIS extensions therefore have a lower detection rate than script web shells, and they are harder to detect because they reside in the same locations as the legitimate modules used by the target applications.
A malicious IIS extension follows exactly the same code structure as a clean module; in most cases the backdoor logic is minimal, and it cannot be recognized as malicious without an understanding of how legitimate IIS extensions work.
This makes it more challenging to determine the source of the infection in the extension.
Usually, hackers first exploit a critical vulnerability in the hosted application for initial access, then drop a script web shell as the first-stage payload.
Next, they install the IIS backdoor to gain covert, persistent access to the server. Hackers can also install customized IIS modules tailored to their purpose.
Once registered with the target application, the backdoor can monitor every incoming and outgoing request and perform other tasks, such as running remote commands or dumping credentials in the background.
How to Combat the Attack
Security experts expect hackers to continue using IIS backdoors, so incident responders must understand the basics of how these attacks function in order to identify and defend against them.
Organizations can deploy Microsoft Defender, which has protection capabilities and unique visibility into server attacks and compromise, according to Bleeping Computer.
With critical protection features such as threat and vulnerability management and antivirus capabilities, Defender can give organizations a comprehensive solution that protects identities and spans email, domains, cloud, and endpoints.
How IIS Extensions Work
IIS is a flexible, general-purpose web server that has been a core part of the Windows platform for many years.
IIS servers are easy to manage, and the platform is modular and extensible for hosting websites, applications, and services, according to CryptoCompass.
IIS also serves critical business logic for many organizations. Its modular architecture lets users extend and customize web services to fit their needs.
Extensions can be native, written in C/C++, or managed, written in C# or VB.NET. They are further categorized as handlers and modules.
The IIS pipeline is made up of extensible objects that the ASP.NET runtime initiates to process a request. IIS modules and handlers are .NET components that serve as the main extensibility points in the IIS pipeline.
Each request is processed by several IIS modules before a single handler processes it. Like a set of building blocks, modules and handlers are added to provide the functionality the target applications need.
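The sections above describe how modules and handlers plug into the IIS pipeline and why a malicious module is hard to tell from a legitimate one, and the defence section says responders need to understand that mechanism to identify these backdoors. As an added example that is not part of the original article and not a Microsoft tool, the following PowerShell script inventories the native (global) and managed modules registered on a server and flags the ones worth a closer look: native modules whose DLL sits outside %windir%\System32\inetsrv or lacks a valid Microsoft Authenticode signature, and managed modules whose type is not in the System.* or Microsoft.* namespaces. It assumes the WebAdministration module that ships with IIS and an elevated PowerShell session on the IIS host; the function names and the heuristics are my own.

```powershell
# Added example (not from the article): triage list of IIS extensions that
# deviate from what a stock Microsoft install looks like.
# Assumes the WebAdministration module (installed with IIS) and an elevated session.
Import-Module WebAdministration

# Microsoft's own native modules live here; a module loaded from anywhere else
# (a web app's bin folder, a temp directory) deserves a look.
$inetsrv = Join-Path $env:windir 'System32\inetsrv'

function Get-SuspiciousNativeModules {
    foreach ($m in Get-WebGlobalModule) {
        # Image is stored with %windir% etc. unexpanded in applicationHost.config.
        $image   = [Environment]::ExpandEnvironmentVariables($m.Image)
        $sig     = Get-AuthenticodeSignature -FilePath $image -ErrorAction SilentlyContinue
        $reasons = @()

        if (-not $image.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'image outside inetsrv'
        }
        if (-not $sig -or $sig.Status -ne 'Valid') {
            $reasons += 'unsigned or invalid signature'
        } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $reasons += "signed by $($sig.SignerCertificate.Subject)"
        }

        if ($reasons.Count -gt 0) {
            $hash = Get-FileHash -Path $image -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Scope    = 'global'
                Name     = $m.Name
                Location = $image
                Sha256   = if ($hash) { $hash.Hash } else { $null }
                Reasons  = $reasons -join '; '
            }
        }
    }
}

function Get-SuspiciousManagedModules {
    foreach ($site in Get-Website) {
        $psPath = "IIS:\Sites\$($site.Name)"
        # Effective managed modules for the site, including inherited ones.
        foreach ($m in Get-WebManagedModule -PSPath $psPath) {
            # Framework modules are System.* / Microsoft.* types; anything else is
            # site-specific code (App_Code or an assembly named after the comma).
            if ($m.Type -notmatch '^(System|Microsoft)\.') {
                [pscustomobject]@{
                    Scope    = $site.Name
                    Name     = $m.Name
                    Location = $m.Type
                    Sha256   = $null
                    Reasons  = 'managed type outside System.*/Microsoft.*'
                }
            }
        }
    }
}

Get-SuspiciousNativeModules   | Format-Table -AutoSize
Get-SuspiciousManagedModules  | Format-Table -AutoSize
```

The output is a review list, not a verdict: legitimate third-party or in-house modules will appear on it, so compare it against a baseline taken from a known-good server or the application's deployment manifest, and check the SHA-256 of any native module you cannot account for. Handlers can be enumerated the same way with Get-WebHandler and the same path and namespace checks.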
This article is owned by Tech Times
Written by Sophie Webster