Microsoft have warned customers about a form of attack targeting unpatched Microsoft Exchange servers. In attacks observed during the first 5 months of this year, threat actors used Internet Information Services (IIS) extension modules to access their victims' email mailboxes, execute commands remotely, harvest credentials from system memory, steal information from the infected device and the connected network, and deliver further malicious payloads.
Microsoft warns in a recent blog post:
Attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers, which hide deep in target environments and provide a durable persistence mechanism for attackers.
Malicious actors are using IIS extensions to create backdoors into servers because they have a fairly low detection rate compared to web shells. IIS extensions are harder to detect not only because they are used less often, but also because they sit in the same directories as the target application's legitimate modules and follow the same code structure.
Legitimate IIS extensions provide a modular, user-friendly platform for hosting websites, services and applications on Windows Server. They are usually written and managed in C, C++, C#, and VB.NET. Attackers can customise these extensions for a targeted campaign, as was seen in the attacks against Microsoft Exchange servers. In this campaign the attackers first established a remote access method, which they then used to install a custom IIS backdoor named inanceSvcModel.dll into the folder C:\inetpub\wwwroot\bin\.
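Because a backdoor module lives alongside legitimate modules, the practical defensive step is a periodic inventory of what IIS actually loads. The script below is an added example written for this article, not code from Microsoft's post; it assumes the IIS role's WebAdministration module is available and that it runs in an elevated PowerShell session on the server being audited. It flags native modules whose image is outside %windir%\System32\inetsrv, managed modules that were registered only in a site's web.config rather than server-wide, and hashes every DLL in each site's bin folder for comparison with a known-good build.

```powershell
# Added example (not from Microsoft's post): inventory IIS modules and surface the ones
# that deserve review. Assumes the WebAdministration module (IIS role) and an elevated session.
Import-Module WebAdministration

$inetsrv  = Join-Path $env:windir 'System32\inetsrv'
$findings = @()

# 1. Native (global) modules. Microsoft's own native modules load from %windir%\System32\inetsrv,
#    so an image anywhere else (for example under a site's content directory) is worth a look.
foreach ($m in Get-WebGlobalModule) {
    $image = [Environment]::ExpandEnvironmentVariables($m.Image)
    if (-not $image.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += [pscustomobject]@{
            Scope = 'server'; Module = $m.Name; Location = $image
            Reason = 'native module image outside inetsrv'
        }
    }
}

# 2. Managed (.NET) modules. Modules in applicationHost.config apply server-wide; one that
#    appears only at site level was added through that site's web.config, which is how a
#    DLL dropped into <site>\bin gets loaded by the worker process.
$serverManaged = (Get-WebManagedModule).Name
foreach ($site in Get-Website) {
    $sitePath = "IIS:\Sites\$($site.Name)"
    foreach ($m in Get-WebManagedModule -PSPath $sitePath) {
        if ($serverManaged -notcontains $m.Name) {
            $findings += [pscustomobject]@{
                Scope = $site.Name; Module = $m.Name; Location = $m.Type
                Reason = 'managed module registered in site web.config'
            }
        }
    }

    # 3. Hash every DLL in the site's bin folder so it can be diffed against a known-good
    #    deployment or checked with a reputation service.
    $bin = Join-Path ([Environment]::ExpandEnvironmentVariables($site.physicalPath)) 'bin'
    if (Test-Path $bin) {
        foreach ($dll in Get-ChildItem -Path $bin -Filter *.dll -File) {
            $findings += [pscustomobject]@{
                Scope = $site.Name; Module = $dll.Name
                Location = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
                Reason = 'DLL present in site bin folder'
            }
        }
    }
}

$findings | Sort-Object Scope, Reason | Format-Table -AutoSize
```

The output is a review list, not a verdict: products such as Exchange legitimately register managed modules in their own web.config files, so the useful signal comes from diffing this inventory against a baseline taken from a freshly patched server. Applications nested under a site (IIS:\Sites\<site>\<app>) carry their own web.config and should be checked with the same Get-WebManagedModule call against their own PSPath.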
The attackers were then able to perform Exchange management operations, including enumerating mailbox accounts and exporting mailboxes for exfiltration. They also forced the system to use the WDigest protocol for authentication by enabling the WDigest registry settings; with WDigest enabled, lsass.exe keeps a copy of each logged-on user's plaintext password in memory, so the attackers could steal victims' actual passwords rather than just their hashes.
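The WDigest change described above is a single, well-known registry value, which makes it both easy to audit and a high-signal detection. The script below is an added example written for this article, not code from Microsoft's post. The key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest and its UseLogonCredential DWORD are the documented Windows setting; the Sysmon log query at the end assumes Sysmon is installed with registry event logging enabled, and remediation is opt-in via the $Remediate flag.

```powershell
# Added example (not from Microsoft's post): audit, optionally reset, and hunt for changes to
# the WDigest UseLogonCredential setting. With the value set to 1, lsass.exe caches logon
# passwords in reversible form; 0 or absent (Windows 8.1 / Server 2012 R2 and later) disables it.
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$valueName  = 'UseLogonCredential'
$Remediate  = $false   # set to $true to write the value back to 0

function Get-WDigestValue {
    $item = Get-ItemProperty -Path $wdigestKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Get-WDigestState {
    switch (Get-WDigestValue) {
        $null   { 'not set (caching disabled by default on Windows 8.1 / Server 2012 R2 and later)' }
        0       { 'disabled' }
        1       { 'ENABLED - plaintext credentials are being cached in LSASS' }
        default { "unexpected value: $(Get-WDigestValue)" }
    }
}

Write-Output "WDigest $valueName on $env:COMPUTERNAME : $(Get-WDigestState)"

# Remediation: set the value explicitly to 0. Secrets already cached are only cleared when the
# affected users log off (or the host reboots), so a registry change alone is not enough.
if ($Remediate -and (Get-WDigestValue) -eq 1) {
    Set-ItemProperty -Path $wdigestKey -Name $valueName -Value 0 -Type DWord
    Write-Output "$valueName reset to 0; affected sessions must log off to flush cached secrets."
}

# Detection: Sysmon Event ID 13 (RegistryEvent, value set) records writes to this value along
# with the writing process, which is exactly the evidence needed to scope an intrusion.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*SecurityProviders\WDigest\UseLogonCredential*' } |
    Select-Object TimeCreated, Message |
    Format-List
```

Run the audit across the Exchange fleet rather than on one server: the setting is per host, and a value of 1 on a system where no administrator configured it is an indicator worth investigating on its own, regardless of whether a malicious IIS module has been found yet.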
Despite reporting on attacks from January to May 2022 only, Microsoft stated that this is an ongoing threat, and they expect threat actors to “increasingly leverage IIS backdoors”. Their advice on how to protect devices is to install security updates as soon as possible after their release, especially for server components such as Microsoft Exchange. Further advice on protection against this threat can be found on Microsoft’s security blog.