Exploit Tools and Targets: Malicious Use of Internet Information Services (IIS) Extension
Microsoft published a report on July 26 alerting defenders to the malicious use of Internet Information Services (IIS) extensions. As in many other intrusions, threat actors first exploit a critical vulnerability in the hosted application to gain initial access, then drop a script web shell as the first-stage payload. The threat actor eventually installs a malicious IIS extension, establishing a backdoor that grants covert and persistent access to the targeted server. This technique is harder to detect than a web shell because it is less common, the backdoor DLLs reside in the same directories as the legitimate modules the application uses, and their code structure often resembles that of clean modules. (1)
EclecticIQ analysts assess that IIS extensions will become increasingly popular with threat actors because IIS-based backdoors are comparatively easy to operate undetected. Network defenders can guard against IIS-based attacks with security best practices: keeping servers patched, closely managing highly privileged accounts, and running anti-virus software. In addition, admins can look for indicators of an IIS backdoor by reviewing the server's ApplicationHost.config and each application's web.config for unexpected module entries. Microsoft also advised regularly scanning the paths where modules are installed, such as the application's bin directory and the default GAC location. (1)
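The review Microsoft recommends can be scripted. The PowerShell below is an added example written for this edition, not code from Microsoft's report or from EclecticIQ: it enumerates the native modules registered in ApplicationHost.config (%windir%\System32\inetsrv\config\applicationHost.config), the managed modules configured at server level and in each site's web.config, and any DLL written recently to a site or application bin directory or to the .NET 4 GAC, then flags entries that point outside the inetsrv directory, fail Authenticode validation, use a non-Microsoft namespace, or were written inside the look-back window. It assumes a Windows Server with IIS, the WebAdministration module and PowerShell 5.1 or later, run from an elevated prompt; the 30-day window is an assumption to tune to your deployment cadence.

```powershell
# Added example, not from Microsoft's report: enumerate IIS module registrations
# and recently written DLLs in module load paths so they can be compared against
# a known-good baseline. Assumes Windows Server with IIS, the WebAdministration
# module and PowerShell 5.1+, run from an elevated prompt.
Import-Module WebAdministration -ErrorAction Stop

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# Assumption: a 30-day window catches modules dropped after the last deployment.
$lookback = (Get-Date).AddDays(-30)
$inetsrv  = "$env:windir\System32\inetsrv"
# .NET 4 GAC roots; add "$env:windir\assembly" if .NET 2.0/3.5 apps are hosted.
$gacRoots = @("$env:windir\Microsoft.NET\assembly\GAC_MSIL",
              "$env:windir\Microsoft.NET\assembly\GAC_32",
              "$env:windir\Microsoft.NET\assembly\GAC_64")

# 1. Native modules: <globalModules> in ApplicationHost.config. Each entry points
#    at a DLL; a legitimate one lives under inetsrv and carries a valid signature.
foreach ($m in Get-WebGlobalModule) {
    $image = [Environment]::ExpandEnvironmentVariables($m.Image)
    if (-not (Test-Path $image)) { Add-Finding 'missing-image' "$($m.Name) -> $image"; continue }
    $sig  = Get-AuthenticodeSignature -FilePath $image
    $hash = (Get-FileHash -Algorithm SHA256 -Path $image).Hash
    if ($sig.Status -ne 'Valid' -or $image -notlike "$inetsrv\*") {
        Add-Finding 'suspicious-native-module' "$($m.Name) -> $image sig=$($sig.Status) sha256=$hash"
    }
}

# 2. Managed modules: <system.webServer><modules> at server level and in each
#    site's web.config. 'type' is "Namespace.Class[, Assembly, Version=..., PublicKeyToken=...]";
#    the assembly is resolved from the application's bin\ folder or the GAC.
$scopes = @('IIS:\') + (Get-Website | ForEach-Object { "IIS:\Sites\$($_.Name)" })
foreach ($scope in $scopes) {
    $mods = Get-WebConfiguration -Filter 'system.webServer/modules/add' -PSPath $scope -ErrorAction SilentlyContinue
    foreach ($m in $mods) {
        if ([string]::IsNullOrEmpty($m.type)) { continue }   # native entries carry no 'type'
        $typeName = ($m.type -split ',')[0].Trim()
        # Attackers can pick look-alike names, so treat this as a triage filter,
        # not a verdict: diff the full list against a baseline from a clean build.
        if ($typeName -notlike 'System.*' -and $typeName -notlike 'Microsoft.*') {
            Add-Finding 'nonstandard-managed-module' "$scope name=$($m.name) type=$($m.type)"
        }
    }
}

# 3. Recently written DLLs in the load paths Microsoft recommends scanning:
#    every site and application bin\ directory plus the GAC.
$binDirs = foreach ($site in Get-Website) {
    Join-Path ([Environment]::ExpandEnvironmentVariables($site.physicalPath)) 'bin'
    foreach ($app in Get-WebApplication -Site $site.Name) {
        Join-Path ([Environment]::ExpandEnvironmentVariables($app.PhysicalPath)) 'bin'
    }
}
foreach ($dir in ((@($binDirs) + $gacRoots) | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $dir -Recurse -Filter *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $lookback } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            Add-Finding 'recent-dll' "$($_.FullName) written=$($_.LastWriteTime) sig=$($sig.Status)"
        }
}

$findings | Sort-Object Kind | Format-Table -AutoSize
```

Run it once on a freshly built server and keep the output as the baseline; on later runs, anything new in the `suspicious-native-module`, `nonstandard-managed-module` or `recent-dll` categories is what to pull for analysis. A valid signature only proves the DLL was signed by someone, so check the signer and the SHA-256 against what you shipped rather than treating `sig=Valid` alone as clean.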
Policy and Governance: North Korean Threat Actor Groups in the Spotlight Due to Ransom Seizure and Reward Offer
The U.S. Department of Justice announced on July 26 that it had seized approximately half a million dollars' worth of cryptocurrency from North Korea-based threat actors, who received the funds as ransom following a ransomware operation against U.S.-based hospitals. In the public announcement, the Justice Department credits the victim's quick reporting not only with helping recover the ransom, but also with helping to identify the Maui ransomware strain. (2, 3) In late July, the U.S. State Department raised the reward offered through its Rewards for Justice program from $5 million to $10 million for information on North Korean state-sponsored malicious cyber activity. North Korea's state-sponsored cybercriminal behavior is well documented: authorities attributed the 2017 WannaCry attack to the North Korean Lazarus Group (a cluster also tracked as APT38), along with numerous other malware-related incidents since then. (5) More recently, the U.S. government warned in April of North Korean threat actors targeting blockchain companies (6) and in May alerted tech companies against inadvertently hiring North Korean IT workers who may be surreptitiously working for Pyongyang. (7)
The recovery of ransom funds highlights the potential for mutual benefit when victims and governments overcome barriers to sharing information about cyberattacks. Victims of cybercrime, especially ransomware, are probably more likely to report the crime if they are confident law enforcement can recover and return at least part of the ransom payment, as happened here. Unfortunately, success against cybercriminals in high-profile cases like this one may be the exception; one recent news report from the Netherlands claimed that cybercrimes are often not investigated because of the difficulty of prosecuting the responsible party, and that for every six cybercrimes investigated, on average only one led to an arrest. (4)
The recovery also demonstrates authorities' intent to claw back ransomware payments wherever and whenever possible, even when the payments are made in and moved through cryptocurrency. Check out these blog posts to learn about cryptocurrency, including features and vulnerabilities of decentralized finance, attack patterns, exfiltration off the blockchain, and the threat actors targeting cryptocurrency assets.
Threat Actor Update: Austria-Based Knotweed Highlights the Threat from Private Sector Cyber Actors
Like many, EclecticIQ analysts are very interested in Microsoft's July 27 blog post detailing its research into an Austria-based actor dubbed KNOTWEED. According to the post, KNOTWEED, the name Microsoft assigned to the activity of the Austrian company DSIRF, has been active against targets in Europe and Latin America since 2021. Researchers documented KNOTWEED's "Subzero" malware being delivered through several exploits (including CVE-2022-22047, CVE-2021-31199, CVE-2021-28550, CVE-2021-31201 and CVE-2021-36948) as well as through obfuscated macro code in malicious Microsoft Excel documents. The malware's main payload, dubbed Corelump, captures screenshots, exfiltrates files and logs keystrokes, among other capabilities. (8) On July 29, DSIRF issued a statement saying that the Subzero malware is "developed exclusively for official use in states of the EU" and is not available for commercial use. Furthermore, DSIRF "resolutely rejects the impression that it has misused Subzero software," according to the statement. (9)
Europe-based threat actors, and threats aimed specifically at Europe, tend to receive less attention: at best they are overlooked, at worst they represent collection gaps. As a Dutch company, EclecticIQ is wholly supportive of efforts to investigate threats to Europe more deeply and to share information on them more easily. Subzero, and DSIRF's use of it, merits more study to better understand the depth of the threat posed and the TTPs used, especially given KNOTWEED's use of a wide variety of tools and exploits. In the short term, network defenders are advised to heed the recommendations at the end of Microsoft's post to reduce the risk of a Subzero compromise. (8)
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.
TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery
Please refer to our support page for guidance on how to access the feeds.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at firstname.lastname@example.org or fill in the EclecticIQ Audience Interest Survey to drive our research towards your priority area.