
Microsoft IIS Web Server: The New Target for Malware Attacks

Written by UltraViolet Cyber | Jul 17, 2023 7:20:25 PM

ESET Research (#ESETresearch) has published an analysis of IIStealer, a malicious extension for Microsoft's Internet Information Services (IIS) web server.

IIStealer is implemented as a native IIS module, a C++ DLL that IIS loads into its worker process, and it is built specifically to steal credit card data from e-commerce transactions.

Running inside the request-processing pipeline, IIStealer watches for POST requests to the site's payment URIs and copies the submitted payment details to a log file on the server. To exfiltrate that log, the attacker sends a specially crafted HTTP request to the compromised server carrying a hard-coded password; the module recognizes the password and hands the collected data back to the attacker.

Because the module runs inside the worker process, after TLS has already been terminated, SSL/TLS offers no protection here: the module sees every request body in plaintext, card numbers included. This is why the malware chiefly threatens e-commerce sites that process card data on their own servers rather than handing the transaction to a third-party payment gateway; with a gateway, the card details never reach the merchant's IIS server in the first place.

ESET has shared all Indicators of Compromise (IOCs) for reference.

For a comprehensive guide on analyzing malicious native IIS modules, refer to ESET's detailed report.

Best Practices & Recommendations

To strengthen the security of your IIS server, it is crucial to follow these best practices:

  • Analyze and Uninstall Unneeded IIS Modules: Enumerate every native and managed module registered on the server, confirm that each one is required and comes from a known source, and remove the rest. Repeat the review after upgrades, since installers can add modules you did not ask for.
  • Use Dedicated, Least-Privilege Accounts: Administer IIS with dedicated accounts protected by strong, unique passwords (and multi-factor authentication where available), and run each application pool under its own low-privilege identity. Registering a native module requires administrative rights on the host, so every administrator account is a path to a compromise like this one.
  • Regularly Patch Your Operating System: Keep your OS up to date with the latest security patches to reduce the risk of server exploitation. Also, limit the exposure of services accessible from the internet.
  • Configure Request Filtering and IP/Domain Restrictions: Use the Request Filtering module to constrain HTTP verbs, URL and query-string lengths, and file extensions, and use the separate IP Address and Domain Restrictions feature to limit which clients can reach administrative or otherwise sensitive paths.
  • Install Trusted Native IIS Modules: Only install IIS modules from trusted sources to mitigate the risk of incorporating malicious modules.
  • Consider Web Application Firewall and Endpoint Security: Implement a web application firewall and/or an endpoint security solution on your IIS server for an additional layer of protection.
  • Use Secure Authentication Protocols: Avoid sending passwords directly to the server, even over SSL/TLS. Instead, employ protocols such as Secure Remote Password (SRP) that authenticate users without transmitting the plaintext password. Note that this protects user credentials, not card data: a module in the pipeline can still read any plaintext the application has to process.
  • Minimize Sensitive Information: Refrain from unnecessarily transmitting sensitive information within the web application. Utilize secure payment gateways to handle payment transactions securely.
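The first recommendation above, inventorying the native modules and weeding out anything that should not be there, is the check that would have exposed IIStealer on an infected host. The PowerShell below is an added example written for this post; it is not code from ESET's report or from UltraViolet Cyber's tooling. It assumes it is run elevated on the IIS host with the WebAdministration module available, lists every global (native) module registered in applicationHost.config, and flags any whose DLL is missing, unsigned, not signed by Microsoft, or loaded from outside the inetsrv directory. It also records a SHA-256 of each DLL so the inventory can be matched against published IOC hashes.

```powershell
# Added example (not from the original post or ESET's report): inventory the native
# IIS modules registered on this host and flag the ones that deserve a closer look.
# Assumptions: run as an administrator on the IIS server; WebAdministration is installed.
Import-Module WebAdministration

$inetsrv = Join-Path $env:windir 'System32\inetsrv'

$report = foreach ($m in Get-WebGlobalModule) {
    # Image paths are stored with environment variables,
    # e.g. %windir%\System32\inetsrv\cachuri.dll
    $path   = [Environment]::ExpandEnvironmentVariables($m.Image)
    $exists = Test-Path -LiteralPath $path
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $hash   = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { '' }

    $reasons = @()
    if (-not $exists) {
        $reasons += 'image file missing'
    } elseif ($sig.Status -ne 'Valid') {
        $reasons += "signature $($sig.Status)"
    } elseif ($signer -notmatch 'O=Microsoft Corporation') {
        $reasons += 'not Microsoft-signed'
    }
    if ($path -notlike "$inetsrv\*") {
        # Inbox modules live in inetsrv; a DLL anywhere else was put there by someone
        $reasons += 'loaded from outside inetsrv'
    }

    [pscustomobject]@{
        Name       = $m.Name
        Image      = $path
        SigStatus  = if ($sig) { [string]$sig.Status } else { 'n/a' }
        Signer     = $signer
        SHA256     = $hash        # compare against the IOC hashes ESET published
        Suspicious = ($reasons.Count -gt 0)
        Reason     = ($reasons -join '; ')
    }
}

# Suspicious entries first, then export the full inventory for IOC matching and diffing
$report | Sort-Object Suspicious -Descending |
    Format-Table -AutoSize Name, SigStatus, Suspicious, Reason, Image
$report | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'iis-native-modules.csv')
```

Two caveats when reading the output. A module from a legitimate third-party vendor will be flagged as "not Microsoft-signed"; that is intended, the point is that every non-Microsoft module gets a human decision rather than a free pass. On older hosts where inbox DLLs are catalog-signed rather than carrying an embedded signature, Get-AuthenticodeSignature may report NotSigned for them; confirm with the exported hashes or a tool such as sigcheck before treating those as findings. Managed modules are registered separately (Get-WebManagedModule) and should be reviewed the same way, although IIStealer itself is native.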

UltraViolet Cyber's Expert Services

UltraViolet Cyber's team of cybersecurity practitioners, professional services, and security specialists are available to provide personalized guidance beyond general guidelines. We offer proactive and effective hardening and standardization services, following industry best practices such as IIS Webserver STIG, OWASP guide to hardening IIS, Center for Internet Security IIS 10 Benchmarks, and more.

Reach out to us for further assistance.

As part of our Managed Security Services, we collect web activity data in the W3C log file format from Microsoft IIS servers. By analyzing these logs, we produce the technical and regulatory reporting needed for frameworks such as PCI DSS and HIPAA, and map findings to references such as the OWASP Top 10.

Additionally, UltraViolet Cyber conducts thorough security assessments for websites and web applications, identifying server misconfigurations and vulnerabilities. Trust us to safeguard your online assets.

Conclusion

Protecting your Microsoft IIS web server from malware attacks requires proactive measures and adherence to best practices. By following the recommendations provided by UltraViolet Cyber and staying informed about the latest threats, you can enhance your server's security and minimize the risk of falling victim to malicious actors. Contact us today for expert assistance in securing your IIS server and fortifying your overall cybersecurity posture.
