Malicious IIS Extensions Backdooring Exchange Servers
Threat actors are exploiting the IIS web servers to install backdoors and steal credentials in their latest campaign.
Microsoft 365 Defender Research Team has revealed hackers are now using Microsoft’s IIS extensions as a backdoor to infiltrate its servers and hide deep into the system to ensure persistence on the device.
These extensions are payloads for MS Exchange server that can be used by threat actors because IIS extensions have the same structure and location as legit modules and both the extensions and modules are present in the same directories.
They might not appear malicious as the main IIS-hosted target application is MS Outlook on the MS Exchange Server. An attacker can gain complete access to the victim’s email communications if it gets compromised.
Microsoft noted that in one campaign targeting Exchange servers and examined between Jan and May 2022, attackers installed customized IIS modules. Once the attacker registers with the targeted app, the backdoor and incoming, outgoing requests can be easily monitored. They may execute remote commands or put credentials in the background.
Critical protection features are essential for core components such as threat and vulnerability management or antivirus solutions to adopt a comprehensive solution for protecting identities and secure emails, cloud, domains, and endpoints.