Security News > 2023 > May > Lazarus hackers target Windows IIS web servers for initial access
The notorious North Korean state-backed hackers, known as the Lazarus Group, are now targeting vulnerable Windows Internet Information Services web servers to gain initial access to corporate networks.
The latest tactic of targeting Windows IIS servers was discovered by South Korean researchers at the AhnLab Security Emergency Response Center.
Windows Internet Information Services web servers are used by organizations of all sizes for hosting web content like sites, apps, and services, such as Microsoft Exchange's Outlook on the Web.
Previously, Symantec reported about hackers deploying malware on IIS to execute commands on the breached systems via web requests, evading detection from security tools.
A separate report revealed that a hacking group named 'Cranfly' was employing an unknown technique of malware control by using IIS web server logs.
Lazarus' attacks on IIS. Lazarus first gains access to IIS servers using known vulnerabilities or misconfigurations that allow the threat actors to create files on the IIS server using the w3wp.
News URL
Related news
- Update VMware Tools for Windows Now: High-Severity Flaw Lets Hackers Bypass Authentication (source)
- Recent Windows Server 2025 updates cause Remote Desktop freezes (source)
- Hijacked Microsoft web domain injects spam into SharePoint servers (source)
- WinRAR flaw bypasses Windows Mark of the Web security alerts (source)
- Microsoft Credits EncryptHub, Hacker Behind 618+ Breaches, for Disclosing Windows Flaws (source)
- Microsoft fixes auth issues on Windows Server, Windows 11 24H2 (source)
- Microsoft: Windows Server 2025 restarts break connectivity on some DCs (source)
- New Windows Server emergency updates fix container launch issue (source)
- Microsoft fixes Windows Server 2025 blue screen, install issues (source)
- ASUS releases fix for AMI bug that lets hackers brick servers (source)