Security researchers have identified malware that installs a backdoor on Microsoft's Internet Information Services (IIS) web server software. Named IISpy, the malware uses several tricks to interfere with the server's logging and to evade detection, so that it can carry out long-term espionage.
The backdoor has been operational since at least July 2020, and it is installed with the help of Juicy Potato (detected as Win64/HackTool.JuicyPotato by ESET security solutions), which is used as a privilege escalation mechanism.
Threat actors first gain initial access to the IIS server by exploiting a vulnerability, then use Juicy Potato to obtain the administrative privileges needed to install IISpy as a native IIS extension. According to ESET telemetry, IISpy affects a small number of IIS servers in Canada, the U.S., and the Netherlands. This may not be the whole picture, however, as IIS servers often run without security software, so visibility into them is limited.
Because IISpy is implemented as an IIS extension, it can see every HTTP request received by the compromised IIS server and shape the server's response. This is also its C&C channel: IISpy acts as a passive implant that does not initiate outbound connections; instead, the attacker contacts it.
The attacker opens the exchange by sending an HTTP request to the compromised server. The backdoor recognizes the attacker's request, extracts and executes the embedded backdoor command, and modifies the HTTP response to include the command's output.
The backdoor lets attackers collect system information, manipulate files, run shell commands, and more. Legitimate HTTP requests to the compromised IIS server are not touched by the malware; they are handled by the server's benign modules. IISpy also implements the OnLogRequest event handler, which IIS calls shortly before it logs a completed HTTP request, and uses it as an anti-logging measure: according to the researchers, the backdoor uses this handler to modify the log entries for the attacker's requests.
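Because a native IIS module like the one described above has to be registered in the server's configuration before IIS will load it, one practical hunt is to review the `<globalModules>` section of applicationHost.config for modules whose DLL is loaded from outside the stock `%windir%\System32\inetsrv` directory. The script below is an added example written for this article, not ESET's code or an IISpy indicator; the embedded configuration is constructed, and the module name "ProxyFilter" and its path are hypothetical.

```python
"""Hunt for unexpected native IIS modules in an exported applicationHost.config.

The config below is constructed for this example. Two entries are stock
Microsoft modules; "ProxyFilter" is a hypothetical module loaded from outside
the inetsrv directory, which is the condition this script flags.
"""
import os
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="ProxyFilter" image="C:\\Windows\\Temp\\proxyfilter.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" />
      <add name="StaticFileModule" />
      <add name="ProxyFilter" />
    </modules>
  </system.webServer>
</configuration>
"""

# Stock IIS native modules ship from this directory.
TRUSTED_DIR = r"%windir%\System32\inetsrv"


def parse_global_modules(config_xml):
    """Return (name, image) pairs for every native module registered in <globalModules>."""
    root = ET.fromstring(config_xml)
    modules = []
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            modules.append((entry.get("name"), entry.get("image", "")))
    return modules


def normalize(path):
    """Expand %windir%/%SystemRoot% and lower-case so paths compare consistently.

    On a non-Windows analysis host the windir variable is absent, so fall back
    to C:\\Windows, which is what the exported config normally refers to.
    """
    windir = os.environ.get("windir", r"C:\Windows")
    return path.replace("%windir%", windir).replace("%SystemRoot%", windir).lower()


def suspicious_modules(config_xml):
    """Flag native modules whose DLL lives outside the trusted inetsrv directory."""
    trusted_prefix = normalize(TRUSTED_DIR) + "\\"
    findings = []
    for name, image in parse_global_modules(config_xml):
        if not normalize(image).startswith(trusted_prefix):
            findings.append({"name": name, "image": image,
                             "reason": "native module image outside inetsrv"})
    return findings


if __name__ == "__main__":
    for finding in suspicious_modules(SAMPLE_CONFIG):
        print(finding)
```

Run it against a copy of `%windir%\System32\inetsrv\config\applicationHost.config` taken from the server under investigation. A hit is a starting point, not a verdict: third-party modules legitimately live elsewhere, so the next step is to check the flagged DLL's signature, timestamp, and whether anyone on the team installed it.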
The researchers suggest that organizations handling sensitive information should check their systems for this malware, particularly those running Outlook on the web (OWA) on their Exchange email servers.
The researchers added, “OWA is implemented via IIS and makes an interesting target for espionage. In any case, the best way to keep IISpy out of your servers is to keep them up to date, and carefully consider which services are exposed to the internet, to reduce the risk of server exploitation.”
Source: https://www.ehackingnews.com/2021/08/iispy-installs-backdoor-on-microsofts.html