More threat actors have been targeting vulnerable Exchange servers with Internet Information Services (IIS) web server extensions instead of web shells in order to evade detection, BleepingComputer reports.
Malicious IIS extensions could serve as persistent backdoors: they have the same structure as legitimate modules, which makes them very difficult to identify, according to a report from the Microsoft 365 Defender Research Team.
"In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection," said Microsoft.
Attackers were identified running a campaign between January and May that deployed malicious IIS extensions to infiltrate email mailboxes, execute commands remotely, and steal credentials and confidential data.
"After a period of doing reconnaissance, dumping credentials, and establishing a remote access method, the attackers installed a custom IIS backdoor called FinanceSvcModel.dll in the folder C:\inetpub\wwwroot\bin. The backdoor had built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration," added Microsoft.
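Because a malicious module is registered exactly like a legitimate one, a defender's first step is to inventory what is registered and compare it against a known-good baseline. The following Python is an added example, not code from Microsoft's report or the article: it triages a collected web.config offline and lists managed modules whose backing assembly is outside the baseline. The module names, class names, assembly prefixes and the web.config fragment are all constructed for illustration.

```python
"""Offline triage of an IIS web.config: list managed modules whose backing
assembly is not in a known-good baseline (constructed names throughout)."""
import xml.etree.ElementTree as ET

# Constructed baseline of assembly-name prefixes expected on an Exchange front
# end; a real baseline is taken from a known-good server of the same build.
KNOWN_ASSEMBLY_PREFIXES = ("Microsoft.Exchange.", "Microsoft.Web.", "System.Web")

# Constructed web.config fragment: one baseline module, one module backed by a
# DLL dropped in the site's bin folder, one native module referenced by name only.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <modules>
      <add name="ExampleExchangeModule"
           type="Microsoft.Exchange.Example.ExampleModule, Microsoft.Exchange.Example" />
      <add name="FinanceSvcModel"
           type="FinanceSvcModel.FinanceSvcModule, FinanceSvcModel" />
      <add name="ExampleNativeModule" />
    </modules>
  </system.webServer>
</configuration>"""


def managed_modules(web_config_xml):
    """Return (module name, assembly name) for every <add> under
    system.webServer/modules. Managed module types have the form
    "Namespace.Class, AssemblyName[, Version=..., ...]"; an entry without a
    type refers to a native module registered in applicationHost.config."""
    root = ET.fromstring(web_config_xml)
    server = root.find("system.webServer")
    modules = server.find("modules") if server is not None else None
    if modules is None:
        return []
    result = []
    for entry in modules.findall("add"):
        parts = [p.strip() for p in entry.get("type", "").split(",")]
        assembly = parts[1] if len(parts) > 1 else ""
        result.append((entry.get("name", ""), assembly))
    return result


def unexpected_modules(web_config_xml, known_prefixes=KNOWN_ASSEMBLY_PREFIXES):
    """Modules to verify by hand: backed by an assembly outside the baseline,
    or native modules (empty assembly) that must be checked against the
    globalModules list in applicationHost.config."""
    return [(name, asm) for name, asm in managed_modules(web_config_xml)
            if not asm.startswith(known_prefixes)]


if __name__ == "__main__":
    for name, asm in unexpected_modules(SAMPLE_WEB_CONFIG):
        print(f"review module {name!r} backed by {asm or '<native, see applicationHost.config>'}")
```

Each flagged entry still needs manual verification on the server (Authenticode signature and timestamp of the DLL in the bin folder, and who deployed it), since the baseline only narrows the list.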
Despite multiple high-impact vulnerabilities and repeated warnings from Microsoft, government agencies and news media, there are likely at least hundreds of thousands of internet-connected servers running older, exposed versions of Exchange today.
Microsoft’s security sales reached a historic high in 2022, delivering more than $20 billion in annual revenue. This comes amid industry debate about the company’s position as both a heavily targeted tech giant and a security vendor.