December 3, 2023

Threat actors are exploiting the IIS web servers to install backdoors and steal credentials in their latest campaign.

Microsoft 365 Defender Research Team has revealed hackers are now using Microsoft’s IIS extensions as a backdoor to infiltrate its servers and hide deep into the system to ensure persistence on the device.

Advertisements

These extensions are payloads for MS Exchange server that can be used by threat actors because IIS extensions have the same structure and location as legit modules and both the extensions and modules are present in the same directories. 

They might not appear malicious as the main IIS-hosted target application is MS Outlook on the MS Exchange Server. An attacker can gain complete access to the victim’s email communications if it gets compromised.

Microsoft noted that in one campaign targeting Exchange servers and examined between Jan and May 2022, attackers installed customized IIS modules. Once the attacker registers with the targeted app, the backdoor and incoming, outgoing requests can be easily monitored. They may execute remote commands or put credentials in the background.

Advertisements

Critical protection features are essential for core components such as threat and vulnerability management or antivirus solutions to adopt a comprehensive solution for protecting identities and secure emails, cloud, domains, and endpoints.

Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – November, 2023

December 2, 2023

Staples affected by a Cyber Attack

December 2, 2023

CISA KEV Update Part I – December 2023

December 1, 2023 2

Dollar Tree Affected by a Third Party Breach

December 1, 2023

Apple Patches iOS zerodays – CVE-2023-42916 and CVE-2023-42917

December 1, 2023

TheCyberThrone Security Week In Review – November 25, 2023

November 30, 2023
%d bloggers like this: