Microsoft Internet Information Services (IIS) is a web server software package designed for Windows Server. Organizations commonly use Microsoft IIS servers to host websites, files, and other content on the web. Threat actors increasingly target these Internet-facing resources as low-hanging fruit for finding and exploiting vulnerabilities that facilitate access to IT environments.
Recently, a slew of activity by the advanced persistent threat (APT) group Lazarus has focused on finding vulnerable Microsoft IIS servers and infecting them with malware or using them to distribute malicious code. This article describes the details of the malware attacks and offers actionable suggestions for protecting Microsoft IIS servers against them.
An Overview on Microsoft IIS Servers
IIS was first introduced with Windows NT 3.51 as an optional package back in 1995. Since then, it has seen several iterations, improvements, and features added to align with the evolving Internet, including support for HTTPS (secure HTTP) requests. In addition to being a web server and serving HTTP and HTTPS requests, Microsoft IIS also comes with an FTP server for file transfers and an SMTP server for email services.
Microsoft IIS tightly integrates with the company's popular .NET Framework, which makes it especially suitable for hosting ASP.NET web applications. Companies use ASP.NET to build dynamic websites or web applications that interact with databases. These apps, built with ASP.NET and running on Microsoft IIS, offer excellent scalability, performance, and compatibility with the Microsoft ecosystem.
Despite being less popular than web server packages like Nginx or Apache, Microsoft IIS remains in use at 5.4% of all the websites whose web server is known. Some purported big-name users of Microsoft IIS include Accenture, Alibaba Travels, Mastercard, and Intuit.
Lazarus Attacks on Microsoft IIS Servers
Lazarus is a North Korean cyber espionage and cybercrime group that has recently been observed exploiting specific Microsoft IIS vulnerabilities. The gang previously conducted some of the most notorious cyberattacks in history, including 2017's WannaCry ransomware incident and the theft of $100 million of virtual currency as recently as June 2022.
While Microsoft IIS has built-in security features, it's essential to keep it updated. Historically, attackers have exploited vulnerable IIS servers that didn't have the latest patches applied. The latest spate of attacks by Lazarus mirrors this pattern, with some other added intricacies.
Initial Round of Malicious Activity
A May 2023 investigation conducted by South Korean cybersecurity company ASEC confirmed Lazarus threat actors actively scanning for and exploiting vulnerable Microsoft IIS servers. The initial activity centered around DLL side-loading techniques that exploited vulnerable servers to execute arbitrary code. The DLL side-loading attacks work by taking advantage of the way the IIS web server process, w3wp.exe, loads dynamic link libraries (DLLs).
By manipulating this process, Lazarus actors inserted malware into vulnerable servers. Once loaded, the DLL executes a portable file within the server's memory space. This file is a backdoor that communicates with the gang's command and control (C2) server.
On a particular note, for security teams is that the vulnerabilities targeted in these attacks for the initial breach were commonly scanned for and high-profile vulnerabilities that included Log4Shell, a vulnerability in desktop VoIP solution 3CX, and a remote code execution vulnerability in the digital certificate solution MagicLine4NX.
Further Attacks Using IIS Servers to Distribute Malware
A further round of malware attacks involving Microsoft IIS servers targeted the financial security and integrity-checking software, INISAFE CrossWeb EX. The program, developed by Initech, is vulnerable from version 3.3.2.41 or earlier to code injection.
Research uncovered 47 companies hit by malware that stemmed from running vulnerable versions of the Initech software process, inisafecrosswebexsvc.exe. Vulnerable versions of the CrossWeb EX load a malicious DLL, SCSKAppLink.dll. This malicious DLL then fetches a further malicious payload, and the interesting point is that the URL for the payload points to a Microsoft IIS server.
All of this adds up to the conclusion that Lazarus actors are not only exploiting common vulnerabilities to compromise Microsoft IIS servers (as per the previous section), but they are then piggy backing off the trust that most systems place in these application servers to distribute malware via compromised IIS servers.
How to Protect Your Microsoft IIS Servers
The technical complexities and intricacies of these Lazarus attacks can obscure the rather basic nature of how they are able to occur in the first place. There is always an initial breach point, and it's surprising how often this breach point comes down to ineffective patch management.
For example, a CISA advisory from March 2023 describes similar breaches of US government Microsoft IIS servers that arose when hackers exploited a vulnerability for which a patch has been available since 2020. The vulnerability, in this case, was in servers running Progress Telerik, a set of UI (User Interface) frameworks and app development tools.
So, here's what you can do to protect Microsoft IIS servers running in your environment:
- Implement effective patch management that keeps software up to date with the latest versions and patches, ideally using some form of automation.
- Use a patch management solution that accurately and comprehensively takes an inventory of all software running in your IT environment to avoid any missed patches or updates from so-called shadow IT.
- Use the principle of least privileges for service accounts so that any services on your Microsoft IIS servers only run with the minimum permissions necessary.
- Analyze network security logs from systems like intrusion detection systems, firewalls, data loss prevention tools, and virtual private networks. Also, analyze logs from Microsoft IIS servers and look for unexpected error messages that indicate attempts to move laterally or write files to extra directories.
- Harden user endpoints with specialized endpoint detection and response tools that can detect advanced attacks and evasive techniques of the kind that Lazarus actors focus on.
- Verify the functionality of patches after applying them because sometimes a patch may not install correctly due to various reasons, such as system compatibility issues, interruptions during installation, or software conflicts.
Lastly, refine your approach to vulnerability management through continuous web application security testing. As is evidenced by Lazarus' attacks, common vulnerabilities in web applications hosted on Microsoft IIS can be leveraged by adversaries to compromise the server, gain unauthorized access, steal data, or launch further attacks.
Continuous web application testing ensures that with every change in your web apps or configurations, you reassess the security posture of your infrastructure and catch vulnerabilities introduced during modifications.
Another benefit of continuous app security testing is its depth of coverage. Manual pen testing of your web apps uncovers technical and business-logic flaws that automated scanners might miss. This coverage addresses the fact that traditional vulnerability scanners may have limitations in detecting vulnerabilities in certain cases, such as in atypical software installations where file paths may deviate from the norm. Traditional periodic security assessments might leave vulnerabilities undetected for months. A continuous approach significantly reduces the time between a vulnerability's introduction and its discovery. Get Web App Security Testing with SWAT Continuous web application security testing offers a proactive and efficient solution to identify and mitigate vulnerabilities in both the apps you run on Microsoft IIS and the underlying server infrastructure. SWAT by Outpost 24 equips you with automated scanning that provides continuous vulnerability monitoring along with context-aware risk scoring to prioritize remediation efforts. You also get access to a highly skilled and experienced team of pen testers who'll scour your apps for vulnerabilities that are harder to detect with automated scanners. All these features are available in a single user interface with configurable notifications. Get a live demo of SWAT in action here and see how you can achieve a deeper level of security monitoring and risk detection.