Lazarus hackers target Windows IIS web servers for initial access (May 2023)
The notorious North Korean state-backed hackers, known as the Lazarus Group, are now targeting vulnerable Windows Internet Information Services web servers to gain initial access to corporate networks.
The latest tactic of targeting Windows IIS servers was discovered by South Korean researchers at the AhnLab Security Emergency Response Center.
Windows Internet Information Services web servers are used by organizations of all sizes for hosting web content like sites, apps, and services, such as Microsoft Exchange's Outlook on the Web.
Previously, Symantec reported on hackers deploying malware on IIS to execute commands on breached systems via web requests, evading detection by security tools.
A separate report revealed that a hacking group named 'Cranfly' was employing an unknown technique for controlling malware through IIS web server logs.
Lazarus' attacks on IIS
Lazarus first gains access to IIS servers using known vulnerabilities or misconfigurations that allow the threat actors to create files on the IIS server using the w3wp.