Microsoft IIS Web Server: The New Target for Malware Attacks
Discover the latest research by #ESETresearch exposing the IIStealer, a malicious extension for Microsoft's Internet Information Services (IIS) web server.
UltraViolet Cyber
July 17, 2023
In a security advisory, Microsoft disclosed a zero-day vulnerability (CVE-2021-40444) in Microsoft MSHTML that attackers were actively exploiting through Microsoft Office documents.
According to Microsoft, the vulnerability had already been exploited in targeted attacks against Microsoft Office users. The attacker builds a document containing a specially crafted object; once a user opens the document, Office downloads and executes a malicious script.
Microsoft notes that Office opens documents downloaded from the internet in Protected View or Application Guard for Office, either of which blocks the known attack. That protection is not complete: the RTF attack vector is not covered in the same way, and Protected View has known bypasses, including the simplest one, persuading the user to click "Enable Editing". Administrators should still confirm that Protected View is enabled and enforced by policy. At the time of the advisory Microsoft offered temporary workarounds pending a patch; the fix later shipped in the September 2021 security updates, so applying that update is the primary mitigation and the workarounds are only a stopgap for systems that cannot yet be patched.
These attacks continue to occur across the globe. We are presently observing attempts to exploit CVE-2021-40444 against companies in a range of sectors, including research and development, energy, large-scale industrial enterprises, banking, medical technology development, telecommunications, and IT.
According to Microsoft, both Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect the known malicious files, provided definitions are kept current. Organizations relying on Microsoft Defender for Endpoint should also ensure that EDR (Endpoint Detection and Response) in block mode is enabled, so that detections are remediated automatically rather than only reported.
CVE-2021-40444 is a remote code execution flaw in MSHTML, the Internet Explorer browser engine. The component ships with every modern Windows build, client and server alike, and a number of applications, among them MS Word and MS PowerPoint, use it to render web content.
To exploit the vulnerability, attackers embed a specially crafted object in a Microsoft Office document; the object carries a URL pointing to a malicious script. When a victim opens the document, Office retrieves the script from that URL and executes it through the MSHTML engine. The script can then use ActiveX controls to carry out malicious actions on the victim's computer. The initial zero-day exploit seen in targeted attacks at the time of discovery used ActiveX controls to download and execute a Cobalt Strike payload. Presently, we are observing various types of malware, predominantly backdoors, delivered by exploiting CVE-2021-40444.
Within the security center, the presence of the following alert titles can indicate potential threat activity on your network:
To reduce the risk, enable cloud-delivered protection so that rapidly evolving attacker tools and techniques are caught without waiting for a definition update; cloud-based machine learning protections block most new and unknown variants. Keep up with current threat intelligence to stay informed about the Tactics, Techniques, and Procedures (TTPs) threat actors are using.
Businesses should adopt a comprehensive security solution that incorporates vulnerability management, patch management, and exploit prevention components. For instance, the Automatic Exploit Prevention component in Kaspersky Endpoint Security for Business monitors suspicious activity within applications and prevents the execution of malicious files.

Solutions like Ultraviolet Cyber MDR-as-a-service and our customized Built to Suit Services can assist in detecting and stopping attacks early, before the perpetrators achieve their ultimate objectives. The Ultraviolet Cyber teams support pre-implementation discovery, planning, design, and execution under the "Outcome-based - Built to Suit Services" model.
At Ultraviolet Cyber, we employ distinct methodologies to assist our customers in securing their organizations. Our endpoint security solutions encompass data security, network security, advanced threat prevention, forensics, endpoint detection and response (EDR), and remote access VPN solutions. In addition to incident response, vulnerability management, and various other security services, we offer threat hunting capabilities that expose Advanced Persistent Threats (APTs) and potential risks. Our machine-learning classification enables the near real-time detection of zero-day threats.
Our centralized endpoint management platform provides enhanced visibility and simplifies operations. We urge administrators to run an enterprise-wide IoC (Indicators of Compromise) sweep to determine whether their organizations have been targeted. Ultraviolet Cyber is aware of targeted attacks exploiting CVE-2021-40444, and our products are designed to counter them. On September 7, 2021, Microsoft published a partial workaround for the flaw, and within 24 hours an upsurge in exploitation attempts was observed. Microsoft fixed the vulnerability in its September 2021 security updates, but bypasses exist for the interim mitigations and unpatched systems remain exposed, so enterprise defenders must stay vigilant and proactively hunt for threats within their networks.
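The document-side indicator of the attack described above (an embedded OLE object whose external target is an mhtml: URL) is what an IoC sweep of file shares or mail stores would look for. The script below is an added hunting example, not UltraViolet Cyber's or Microsoft's code: it inspects OOXML files (.docx, .xlsx, .pptx) for an external oleObject relationship with an mhtml: target, and RTF files for an mhtml: URL inside the hex-encoded \objdata stream. It assumes those two file layouts and nothing else about the exploit; the sample documents it builds are constructed test inputs with a placeholder host (example.invalid) and no payload.

```python
"""Hunt Office documents for the CVE-2021-40444 document-side indicator:
an OLE object whose external target uses the mhtml: scheme.
Added example; assumptions are marked in comments."""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Assumption: RTF stores the OLE stream as hex digits after \objdata, and the
# URL inside it appears either in ASCII or in UTF-16LE.
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9a-fA-F\s]+)")
ASCII_URL_RE = re.compile(rb"mhtml:[\x21-\x7e]{0,300}", re.IGNORECASE)
UTF16_URL_RE = re.compile(rb"m\x00h\x00t\x00m\x00l\x00:\x00(?:[\x21-\x7e]\x00){0,300}", re.IGNORECASE)


def scan_ooxml(data: bytes) -> list[str]:
    """Walk every relationships part of an OOXML package and report
    external oleObject relationships whose Target starts with mhtml:."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == OLE_REL
                        and rel.get("TargetMode", "").lower() == "external"
                        and target.lower().startswith("mhtml:")):
                    findings.append(f"{name}: external oleObject -> {target}")
    return findings


def scan_rtf(data: bytes) -> list[str]:
    """Hex-decode each \\objdata blob and search it for an mhtml: URL."""
    findings = []
    for m in OBJDATA_RE.finditer(data):
        hexdigits = re.sub(rb"\s+", b"", m.group(1))
        hexdigits = hexdigits[: len(hexdigits) // 2 * 2]  # drop a dangling nibble
        blob = bytes.fromhex(hexdigits.decode("ascii"))
        hit = ASCII_URL_RE.search(blob)
        if hit:
            findings.append("\\objdata: mhtml URL -> " + hit.group(0).decode("ascii"))
            continue
        hit = UTF16_URL_RE.search(blob)
        if hit:
            findings.append("\\objdata: mhtml URL -> " + hit.group(0).decode("utf-16-le"))
    return findings


def scan_bytes(data: bytes) -> list[str]:
    """Dispatch on magic bytes rather than extension: OOXML is a zip (PK),
    RTF starts with {\\rtf. Anything else is out of scope for this hunt."""
    if data.startswith(b"PK\x03\x04"):
        return scan_ooxml(data)
    if data.startswith(b"{\\rtf"):
        return scan_rtf(data)
    return []


def build_sample_docx(target: str) -> bytes:
    """Constructed minimal .docx with one external oleObject relationship to `target`."""
    rels = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{target}" TargetMode="External"/>'
            f'</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def build_sample_rtf(target: str) -> bytes:
    """Constructed RTF: filler header plus the UTF-16LE target, hex-encoded under
    \\objdata. Not a real OLE stream, only the byte pattern the hunt keys on."""
    blob = b"\x01\x05\x00\x00" + target.encode("utf-16-le") + b"\x00\x00"
    return b"{\\rtf1{\\object\\objautlink{\\*\\objdata " + blob.hex().encode() + b"}}}"


if __name__ == "__main__":
    # Usage: python hunt_mshtml.py <file-or-directory>...  (no args: run the constructed samples)
    suffixes = {".docx", ".docm", ".dotx", ".dotm", ".xlsx", ".xlsm", ".pptx", ".rtf"}
    roots = [Path(p) for p in sys.argv[1:]]
    for root in roots:
        for path in ([root] if root.is_file() else root.rglob("*")):
            if path.suffix.lower() not in suffixes:
                continue
            try:
                hits = scan_bytes(path.read_bytes())
            except (zipfile.BadZipFile, ET.ParseError, ValueError) as exc:
                hits = [f"could not parse ({exc})"]
            for hit in hits:
                print(f"{path}: {hit}")
    if not roots:
        url = "mhtml:http://example.invalid/word.html"  # constructed placeholder
        for hit in scan_bytes(build_sample_docx(url)) + scan_bytes(build_sample_rtf(url)):
            print("sample:", hit)
```

Dispatching on magic bytes matters because the RTF variant was commonly delivered with a .doc or .docx extension; matching on the relationship type and the mhtml: scheme rather than on a specific URL keeps the sweep useful after the attacker rotates infrastructure. A hit is a strong indicator and the file should be pulled for analysis, but the absence of hits does not clear a host: it only says no document of that shape was found on the paths scanned.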
Zero-day vulnerabilities are software security flaws unknown to the vendor and the public, and therefore unpatched. Attackers exploit them before developers can release a fix, which makes them particularly dangerous. Organizations must be vigilant and proactive in their cybersecurity efforts to defend against attacks that exploit zero-day vulnerabilities.
One of the most prominent examples of a zero-day attack is the Stuxnet worm, discovered in 2010. It targeted Iran's nuclear enrichment facilities, exploiting four Windows zero-day vulnerabilities to spread and abusing Siemens Step7/WinCC industrial control software to manipulate the PLCs driving the centrifuges. Stuxnet showcased the potential of sophisticated cyberweapons and highlighted the significance of zero-day vulnerabilities in cyber warfare.
Microsoft employs several strategies to protect against zero-day attacks. These include:
We’re here to help. Get in touch for an initial conversation with one of our security experts and learn more about how UltraViolet Cyber can help you take cyber readiness and resilience to new levels.