Security News > 2023 > September > Protecting Your Microsoft IIS Servers Against Malware Attacks

Recently, a slew of activity by the advanced persistent threat group Lazarus has focused on finding vulnerable Microsoft IIS servers and infecting them with malware or using them to distribute malicious code.
This article describes the details of the malware attacks and offers actionable suggestions for protecting Microsoft IIS servers against them.
On a particular note, for security teams is that the vulnerabilities targeted in these attacks for the initial breach were commonly scanned for and high-profile vulnerabilities that included Log4Shell, a vulnerability in desktop VoIP solution 3CX, and a remote code execution vulnerability in the digital certificate solution MagicLine4NX. Further Attacks Using IIS Servers to Distribute Malware#.
A further round of malware attacks involving Microsoft IIS servers targeted the financial security and integrity-checking software, INISAFE CrossWeb EX. The program, developed by Initech, is vulnerable from version 3.3.2.41 or earlier to code injection.
All of this adds up to the conclusion that Lazarus actors are not only exploiting common vulnerabilities to compromise Microsoft IIS servers, but they are then piggy backing off the trust that most systems place in these application servers to distribute malware via compromised IIS servers.
As is evidenced by Lazarus' attacks, common vulnerabilities in web applications hosted on Microsoft IIS can be leveraged by adversaries to compromise the server, gain unauthorized access, steal data, or launch further attacks.
News URL
https://thehackernews.com/2023/09/protecting-your-microsoft-iis-servers.html
Related news
- Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers (source)
- DragonRank Exploits IIS Servers with BadIIS Malware for SEO Fraud and Gambling Redirects (source)
- CISA tags Microsoft .NET and Apache OFBiz bugs as exploited in attacks (source)
- New Microsoft script updates Windows media with bootkit malware fixes (source)
- Critical RCE bug in Microsoft Outlook now exploited in attacks (source)
- Microsoft says attackers use exposed ASP.NET keys to deploy malware (source)
- Microsoft Identifies 3,000 Leaked ASP.NET Keys Enabling Code Injection Attacks (source)
- Attackers compromise IIS servers by leveraging exposed ASP.NET machine keys (source)
- Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries (source)
- FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux (source)