Protect your Microsoft IIS servers from malware attacks

Microsoft Internet Information Services (IIS) is a web server software package designed for Windows Server. Organizations commonly use Microsoft IIS servers to host websites, files, and other content on the web. Threat actors are increasingly targeting these Internet-accessible resources as easy ways to find and exploit vulnerabilities that facilitate access to computing environments.

Recently, much of the activity of the Lazarus Group (an advanced persistent threat, or APT) has focused on finding vulnerable Microsoft IIS servers and either infecting them with malware or using them to distribute malicious code. This article describes the details of these malware attacks and offers actionable suggestions for protecting Microsoft IIS servers against them.

An Overview of Microsoft IIS Servers

IIS was first introduced with Windows NT 3.51 as an optional package in 1995. Since then, several iterations, enhancements, and features have been added to align with the evolution of the Internet, including support for HTTPS requests (secure HTTP). In addition to being a web server and serving HTTP and HTTPS requests, Microsoft IIS also comes with an FTP server for file transfers and an SMTP server for email services.

Microsoft IIS integrates tightly with the company’s popular .NET Framework, making it particularly suitable for hosting ASP.NET web applications. Businesses use ASP.NET to create dynamic websites or web applications that interact with databases. These applications, built with ASP.NET and running on Microsoft IIS, provide excellent scalability, performance, and compatibility with the Microsoft ecosystem.

Although it is less popular than web server packages like Nginx or Apache, Microsoft IIS is still used by 5.4% of all websites whose web server is known. Well-known organizations reported to use Microsoft IIS include Accenture, Alibaba Travels, Mastercard and Intuit.

Lazarus attacks on Microsoft IIS servers

Lazarus is a North Korean cyberespionage and cybercrime group that was recently observed exploiting specific Microsoft IIS vulnerabilities. The gang has previously carried out some of the most notorious cyberattacks in history, including the WannaCry ransomware incident in 2017 and the theft of $100 million in virtual currency as recently as June 2022.

Although Microsoft IIS has built-in security features, it is essential to keep it up to date. Historically, attackers have exploited vulnerable IIS servers that did not have the latest patches applied. Lazarus’ latest wave of attacks mirrors this pattern, with a few other added subtleties.

First wave of malicious activity

A May 2023 investigation by South Korean cybersecurity firm ASEC confirmed that Lazarus threat actors are actively seeking and exploiting vulnerable Microsoft IIS servers. Initial activity focused on DLL sideloading techniques that exploited vulnerable servers to execute arbitrary code. DLL sideloading attacks work by taking advantage of the way the IIS web server process, w3wp.exe, loads dynamic link libraries (DLLs).

By manipulating this process, Lazarus actors inserted malware into vulnerable servers. Once loaded, the DLL executes a portable executable (PE) file in the server’s memory space. This file is a backdoor that communicates with the gang’s command and control (C2) server.

Of particular note for security teams, the vulnerabilities targeted for the initial breach in these attacks were typically well-analyzed, high-profile vulnerabilities, including Log4Shell, a vulnerability in the 3CX desktop VoIP solution, and a remote code execution vulnerability in the MagicLine4NX digital certificate solution.

Other attacks using IIS servers to distribute malware

A new series of malware attacks involving Microsoft IIS servers has targeted INISAFE CrossWeb EX, a financial security and integrity monitoring software package. The program, developed by Initech, is vulnerable to code injection in older versions.

The research found that 47 companies were affected by malware resulting from running vulnerable versions of the Initech software process, inisafecrosswebexsvc.exe. Vulnerable versions of CrossWeb EX load a malicious DLL, SCSKAppLink.dll. This malicious DLL then fetches another malicious payload, and the interesting point is that the payload URL points to a Microsoft IIS server.

All of this leads to the conclusion that Lazarus actors are not only exploiting common vulnerabilities to compromise Microsoft IIS servers (as discussed in the previous section), but are also exploiting the trust that most systems and applications place in these servers to distribute malware via compromised IIS servers.

How to protect your Microsoft IIS servers

The technical complexities and intricacies of these Lazarus attacks can obscure the rather fundamental nature of how they occur in the first place. There is always an initial point of breach, and it is surprising how often that point of breach comes down to ineffective patch management.

For example, a CISA advisory from March 2023 describes similar breaches of US government Microsoft IIS servers that occurred when attackers exploited a vulnerability for which a patch had been available since 2020. The vulnerability in this case affected servers running Progress Telerik, a suite of user interface (UI) frameworks and application development tools.

So here’s what you can do to protect the Microsoft IIS servers running in your environment:

  • Implement effective patch management that keeps software up to date with the latest versions and patches, ideally using some form of automation.
  • Use a patch management solution that takes an accurate and complete inventory of all software running in your IT environment to avoid any missed patches or updates from so-called shadow IT.
  • Use least privilege for service accounts so that all services on your Microsoft IIS servers run only with the minimum necessary permissions.
  • Analyze network security logs from systems such as intrusion detection systems, firewalls, data loss prevention tools, and virtual private networks. Also analyze Microsoft IIS server logs and look for unexpected error messages indicating attempts to move laterally or to write files to additional directories.
  • Harden user endpoints with specialized endpoint detection and response tools that can detect advanced attacks and evasion techniques of the type that Lazarus actors focus on.
  • Check the functionality of patches after you apply them, because sometimes a patch may not install correctly for various reasons, such as system compatibility issues, interruptions during installation, or software conflicts.
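As an added example (not from the original article), the following Python script applies the log-review step above to IIS W3C extended logs: it parses the #Fields: header, counts 5xx errors per client, and flags write-style requests aimed at ASP.NET code directories. The sample log lines, the client addresses and the list of protected directories are constructed for illustration and should be adapted to the site being monitored.

```python
"""Triage Microsoft IIS W3C extended logs for two of the signals the checklist
above mentions: bursts of server errors from one client, and write-style
requests (PUT/POST/MOVE/COPY) aimed at directories that should never accept
uploads. All sample data below is constructed for illustration."""
from collections import Counter

# Constructed sample in IIS W3C format; the field order is taken from the #Fields: header.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2023-05-10 08:00:01 10.0.0.5 GET /index.aspx - 198.51.100.7 200
2023-05-10 08:00:02 10.0.0.5 GET /images/logo.png - 198.51.100.7 200
2023-05-10 08:01:10 10.0.0.5 PUT /bin/Upload.dll - 203.0.113.9 201
2023-05-10 08:01:11 10.0.0.5 POST /App_Data/cmd.aspx - 203.0.113.9 500
2023-05-10 08:01:12 10.0.0.5 GET /App_Data/cmd.aspx - 203.0.113.9 500
2023-05-10 08:01:13 10.0.0.5 GET /bin/Upload.dll - 203.0.113.9 500
2023-05-10 08:01:14 10.0.0.5 GET /admin/config.xml - 203.0.113.9 404
"""

# Assumed layout: ASP.NET serves code from these directories, not user content,
# so any write-style request that targets them is worth a second look.
PROTECTED_DIRS = ("/bin/", "/app_data/", "/app_code/")
WRITE_METHODS = {"PUT", "POST", "MOVE", "COPY"}

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header names, e.g. cs-method, c-ip
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def triage(text, error_threshold=3):
    """Return ({client: 5xx count} at or above threshold, [(client, method, path)] writes)."""
    server_errors = Counter()
    suspicious_writes = []
    for rec in parse_w3c(text):
        status = int(rec["sc-status"])
        path = rec["cs-uri-stem"].lower()
        if 500 <= status < 600:
            server_errors[rec["c-ip"]] += 1
        if rec["cs-method"] in WRITE_METHODS and path.startswith(PROTECTED_DIRS):
            suspicious_writes.append((rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"]))
    noisy = {ip: n for ip, n in server_errors.items() if n >= error_threshold}
    return noisy, suspicious_writes

if __name__ == "__main__":
    noisy, writes = triage(SAMPLE_LOG)
    for ip, n in noisy.items():
        print(f"{ip}: {n} server errors")
    for ip, method, path in writes:
        print(f"{ip}: {method} {path}")
```

Point the script at the files under the site's log directory (by default %SystemDrive%\inetpub\logs\LogFiles) and tune the threshold and directory list to the application's normal traffic before acting on the output.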

Finally, refine your approach to vulnerability management with continuous web application security testing. As demonstrated by the Lazarus attacks, common vulnerabilities in web applications hosted on Microsoft IIS can be exploited by adversaries to compromise the server, gain unauthorized access, steal data, or launch other attacks.

Continuous testing of web applications ensures that with each change to your web applications or configurations, you reassess the security state of your infrastructure and detect vulnerabilities introduced during the changes.

Another advantage of continuous application security testing is the depth of its coverage. Manual pen testing of your web applications reveals technical and business logic flaws that automated scanners might miss. This coverage takes into account that traditional vulnerability scanners may have limitations in detecting vulnerabilities in certain cases, such as in atypical software installations where file paths may deviate from the norm.

Traditional periodic security assessments can leave vulnerabilities undetected for months. A continuous approach significantly reduces the time between the introduction of a vulnerability and its discovery.

Get Web Application Security Testing with SWAT

Continuous web application security testing provides a proactive and effective solution for identifying and mitigating vulnerabilities in the applications you run on Microsoft IIS and the underlying server infrastructure. SWAT by Outpost24 gives you automated analysis that provides continuous vulnerability monitoring along with contextual risk scoring to prioritize remediation efforts. You also have access to a team of highly trained and experienced testers who will scan your applications for vulnerabilities that are harder to detect with automated scanners. All these features are available in a single user interface with configurable notifications.

Get a live demo of SWAT in action and learn how you can achieve a deeper level of security monitoring and risk detection.
