Microsoft warns of stealthy backdoors used to target Exchange Servers

Microsoft is warning Outlook on the Web and Exchange Server customers to watch out for more malicious IIS extensions.
Written by Liam Tung, Contributing Writer
Image: Getty/10'000 Hours

There's been an uptick in malware native to Microsoft's Internet Information Services (IIS) web server that is being used to install backdoors or steal credentials and is hard to detect, warns Microsoft. 

Microsoft has offered insights into how to spot and remove malicious IIS extensions, which aren't as popular as web shells as a payload for Exchange servers, but are useful to an attacker as they "mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules," Microsoft notes

As such, they might not be seen as malicious and identifying the source of an infection can be difficult. Key target IIS-hosted applications are Outlook on the Web and Microsoft Exchange Server, which, if compromised, can give an attacker complete access to a target's email communications.  

SEE: These are the biggest cybersecurity threats. Make sure you aren't ignoring them

Security company ESET last year found 80 unique malicious IIS modules belonging to 14 malware families, most of which were previously undocumented. These included IIS backdoors, info stealers, injectors, proxies for C&C infrastructure, and modules that fraudulently modify content served to search engines. In all cases, the IIS malware intercepted HTTP requests incoming from the compromised IIS server and affected how the server responds to certain requests.     

Microsoft says IIS extension attacks typically start by the attacker exploiting a critical flaw in the hosted application and then drop a web shell. At some point after deploying the web shell, the attacker installs an IIS backdoor for stealthy, persistent access to the server. 

In a campaign targeting Exchange servers between January and May 2022, Microsoft saw attackers installing customized IIS modules. 

"Once registered with the target application, the backdoor can monitor incoming and outgoing requests and perform additional tasks, such as running remote commands or dumping credentials in the background as the user authenticates to the web application," Microsoft explains.

Between March and June 2021, ESET observed a wave of IIS backdoors spread via the Exchange ProxyLogon pre-authentication remote code execution vulnerabilities (CVE-2021-26855CVE-2021-26857CVE-2021-26858, and CVE-2021-27065). 

"Targeted specifically were Exchange servers that have Outlook on the web (aka OWA) enabled – as IIS is used to implement OWA, these were a particularly interesting target for espionage," ESET noted.

Microsoft provides incident response teams with details about how IIS works and the types of attacks it's seen, so customers can defend against them. Microsoft expects attackers will increasingly use IIS backdoors in future.

IIS is a modular web server that is a core part of the Windows platform. Users can customize IIS web servers as needed using extensions written in native (C/C++) and managed (C#, VB.NET) code structures. Microsoft focusses on C#, VB.NET extensions. 

Microsoft's technical rundown of how attackers use customer IIS backdoors cover command runs, credential access, remote access and exfiltration. 

SEE: These are the cybersecurity threats of tomorrow that you should be thinking about today

The main malicious .NET IIS extensions over the past year included: web shells used by the likes of Hafnium/China Chopper, the Chinese state-sponsored group exploiting Exchange zero-days; open-source IIS backdoor GitHub projects that are intended for red team exercises and lifted by attackers for their activity; IIS handlers that can be configured to respond to certain extensions or requests; and credential stealers, which monitor for specific requests to determine a sign-in activity.

Besides applying all software updates and running antivirus, Microsoft recommends reviewing highly privileged account groups like admins, remote desktop users, and enterprise admins. It also recommends enabling multi-factor authentication, restricting access to what's needed, and avoiding the use of domain-wide, admin-level service accounts. 

Editorial standards