Security News > 2023 > May > Lazarus hackers target Windows IIS web servers for initial access
The notorious North Korean state-backed hackers, known as the Lazarus Group, are now targeting vulnerable Windows Internet Information Services web servers to gain initial access to corporate networks.
The latest tactic of targeting Windows IIS servers was discovered by South Korean researchers at the AhnLab Security Emergency Response Center.
Windows Internet Information Services web servers are used by organizations of all sizes for hosting web content like sites, apps, and services, such as Microsoft Exchange's Outlook on the Web.
Previously, Symantec reported about hackers deploying malware on IIS to execute commands on the breached systems via web requests, evading detection from security tools.
A separate report revealed that a hacking group named 'Cranfly' was employing an unknown technique of malware control by using IIS web server logs.
Lazarus' attacks on IIS. Lazarus first gains access to IIS servers using known vulnerabilities or misconfigurations that allow the threat actors to create files on the IIS server using the w3wp.
News URL
Related news
- Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers (source)
- Microsoft 365 apps crash on Windows Server after Office update (source)
- Microsoft fixes Office 365 apps crashing on Windows Server systems (source)
- Microsoft fixes Windows Server 2022 bug breaking device boot (source)
- Microsoft issues out-of-band fix for Windows Server 2022 NUMA glitch (source)
- Hackers use Windows RID hijacking to create hidden admin account (source)
- Attackers compromise IIS servers by leveraging exposed ASP.NET machine keys (source)
- XE Hacker Group Exploits VeraCore Zero-Day to Deploy Persistent Web Shells (source)
- DragonRank Exploits IIS Servers with BadIIS Malware for SEO Fraud and Gambling Redirects (source)
- Russian military hackers deploy malicious Windows activators in Ukraine (source)