Security News > 2023 > May > Lazarus hackers target Windows IIS web servers for initial access
The notorious North Korean state-backed hackers, known as the Lazarus Group, are now targeting vulnerable Windows Internet Information Services web servers to gain initial access to corporate networks.
The latest tactic of targeting Windows IIS servers was discovered by South Korean researchers at the AhnLab Security Emergency Response Center.
Windows Internet Information Services web servers are used by organizations of all sizes for hosting web content like sites, apps, and services, such as Microsoft Exchange's Outlook on the Web.
Previously, Symantec reported about hackers deploying malware on IIS to execute commands on the breached systems via web requests, evading detection from security tools.
A separate report revealed that a hacking group named 'Cranfly' was employing an unknown technique of malware control by using IIS web server logs.
Lazarus' attacks on IIS. Lazarus first gains access to IIS servers using known vulnerabilities or misconfigurations that allow the threat actors to create files on the IIS server using the w3wp.
News URL
Related news
- Hackers abuse Windows SmartScreen flaw to drop DarkGate malware (source)
- Hackers exploit Windows SmartScreen flaw to drop DarkGate malware (source)
- New Windows Server updates cause domain controller crashes, reboots (source)
- Microsoft confirms Windows Server issue behind domain controller crashes (source)
- Microsoft releases emergency fix for Windows Server crashes (source)
- Microsoft confirms memory leak in March Windows Server security update (source)
- Hackers exploit Ray framework flaw to breach servers, hijack resources (source)
- New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks (source)
- New HTTP/2 DoS attack can crash web servers with a single connection (source)
- New Windows driver blocks software from changing default web browser (source)