#ESETresearch reveals #IIStealer, a malicious IIS web server extension targeting credit card information from e-commerce transactions. IIStealer is implemented as a native module for Internet Information Services, Microsoft’s web server software.
It handles the server’s BeginRequest post-event notification, which means its code is called every time the IIS server starts processing a new HTTP request.
IIStealer sees every request the server handles but only records the ones it is after: POST requests to the site's payment URIs, from which it copies the submitted payment details to a log. The attacker later collects that log by sending a specially crafted request, carrying an embedded password, to the compromised server, so the stolen data leaves in the HTTP response to that request rather than over a separate outbound connection the malware would have to open itself.
The malware only affects e-commerce websites that process card data on the server themselves, i.e. those that do not hand the payment step off to a third-party payment gateway.
SSL/TLS does not help here. The TLS session is terminated by IIS before a request reaches any module, and a native module runs inside the IIS worker process with the already decrypted request, so IIStealer reads the credit card details in exactly the form the web application receives them.
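Because a native module can only be loaded if it is registered as a DLL in the `<globalModules>` section of applicationHost.config, that registration list is the natural place to hunt for an implant of this kind. The following PowerShell is an added example, not code from ESET's report or from Metmox: it inventories the registered native modules on an IIS host and flags those whose DLL is missing, lives outside the inetsrv directory, is unsigned, or is signed by someone other than Microsoft. It assumes it runs elevated on the IIS server with the WebAdministration module available; the "Microsoft signer" test is a heuristic to prioritise review, not an allow-list.

```powershell
# Added example (not ESET's or Metmox's code): inventory native IIS modules and
# flag the ones that do not look like Microsoft's own. Assumes an elevated
# session on the IIS host with the WebAdministration module installed.
Import-Module WebAdministration

$inetsrv = Join-Path $env:windir 'System32\inetsrv'

# Every native module is registered once in <globalModules> of
# applicationHost.config as a DLL path; Get-WebGlobalModule reads that list.
$findings = foreach ($m in Get-WebGlobalModule) {
    $image  = [Environment]::ExpandEnvironmentVariables($m.Image)
    $exists = Test-Path -LiteralPath $image
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $image } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $sha1   = if ($exists) { (Get-FileHash -LiteralPath $image -Algorithm SHA1).Hash } else { '' }

    $reasons = @()
    if (-not $exists)                         { $reasons += 'image missing on disk' }
    if ($image -notlike "$inetsrv\*")         { $reasons += 'image outside inetsrv' }
    if ($exists -and $sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
    elseif ($exists -and $signer -notmatch 'O=Microsoft Corporation') {
        $reasons += "non-Microsoft signer: $signer"
    }

    [pscustomobject]@{
        Name    = $m.Name
        Image   = $image
        SHA1    = $sha1                      # compare against ESET's published IOCs
        Suspect = ($reasons.Count -gt 0)
        Reasons = ($reasons -join '; ')
    }
}

# Suspect entries first; review each one before removing anything.
$findings | Sort-Object Suspect -Descending | Format-Table Name, Suspect, Reasons, Image -AutoSize
```

A third-party module that is legitimately installed (a WAF agent, for instance) will show up as suspect too, which is intended: the list is the set of modules a reviewer must be able to account for, and the SHA1 column lets each one be matched against the published indicators.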
ESET has published the full list of indicators of compromise (IOCs) for IIStealer, together with a guide to analyzing malicious native IIS modules.
Metmox's Recommendations and best practices
To harden an IIS server:
- Analyze dependencies and uninstall any IIS modules that are not needed, and repeat the review after every upgrade.
- Configure the web server user and group accounts properly: run application pools under dedicated, low-privilege identities.
- Use dedicated accounts with strong, unique passwords for administration of the IIS server.
- Patch the OS regularly, and carefully consider which services are exposed to the internet, to reduce the risk of server exploitation.
- Configure HTTP request filtering (request size limits, allowed verbs, file extensions and URL sequences).
- Configure IP address and domain restrictions, including dynamic IP restrictions, which block clients by the number or rate of their requests.
- Install native IIS modules only from trusted sources.
- Consider using a web application firewall and/or an endpoint security solution on the IIS server.
- Do not send the password itself to the server, not even over SSL/TLS. A password-authenticated key exchange such as Secure Remote Password (SRP) lets the server verify the user without ever receiving the cleartext password or any value that could be replayed to authenticate again. IIS infostealers show why server-side hashing is not good enough: a module like IIStealer reads the request before the application gets the chance to hash anything.
- Avoid sending sensitive information to the web application when it is not strictly needed; hand the payment step off to a payment gateway.
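Several of the steps above (removing unneeded modules, request filtering, dynamic IP restrictions) are server-level settings in applicationHost.config that can be applied from PowerShell. The script below is an added example, not Metmox's or ESET's code. It assumes an elevated session with the WebAdministration module, that the IP and Domain Restrictions feature is installed so the dynamicIpSecurity section takes effect, and that the module name `UnneededModule`, the size limits and the rate thresholds are placeholders to be replaced with values that fit the site.

```powershell
# Added example (not Metmox's or ESET's code): apply the hardening steps above
# at the server level. Assumes an elevated session with WebAdministration and
# the IP and Domain Restrictions feature installed. All limits are placeholders.
Import-Module WebAdministration
$appHost = 'MACHINE/WEBROOT/APPHOST'   # server-level applicationHost.config

# 1. Remove a native module you have confirmed is not needed. Disabling first
#    drops it from the server-level <modules> list, removing it then deletes the
#    <globalModules> registration so the DLL is no longer loaded anywhere.
$unneeded = 'UnneededModule'           # placeholder module name
if (Get-WebGlobalModule -Name $unneeded) {
    Disable-WebGlobalModule -Name $unneeded -ErrorAction SilentlyContinue
    Remove-WebGlobalModule  -Name $unneeded
}

# 2. Request filtering: cap request sizes and deny verbs the application never uses.
$rf = 'system.webServer/security/requestFiltering'
Set-WebConfigurationProperty -PSPath $appHost -Filter "$rf/requestLimits" -Name maxAllowedContentLength -Value 10485760  # 10 MiB
Set-WebConfigurationProperty -PSPath $appHost -Filter "$rf/requestLimits" -Name maxUrl         -Value 2048
Set-WebConfigurationProperty -PSPath $appHost -Filter "$rf/requestLimits" -Name maxQueryString -Value 1024
Set-WebConfigurationProperty -PSPath $appHost -Filter $rf -Name allowDoubleEscaping     -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Filter $rf -Name allowHighBitCharacters  -Value $false
foreach ($verb in 'TRACE', 'OPTIONS') {
    Add-WebConfigurationProperty -PSPath $appHost -Filter "$rf/verbs" -Name '.' -Value @{ verb = $verb; allowed = 'False' }
}

# 3. Dynamic IP restrictions: throttle clients by concurrency and by request rate.
$dip = 'system.webServer/security/dynamicIpSecurity'
Set-WebConfigurationProperty -PSPath $appHost -Filter "$dip/denyByConcurrentRequests" -Name enabled               -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Filter "$dip/denyByConcurrentRequests" -Name maxConcurrentRequests -Value 20
Set-WebConfigurationProperty -PSPath $appHost -Filter "$dip/denyByRequestRate" -Name enabled                       -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Filter "$dip/denyByRequestRate" -Name maxRequests                   -Value 100
Set-WebConfigurationProperty -PSPath $appHost -Filter "$dip/denyByRequestRate" -Name requestIntervalInMilliseconds -Value 1000
Set-WebConfigurationProperty -PSPath $appHost -Filter $dip -Name denyAction -Value 'Forbidden'

# 4. Read back what was applied so the change can be recorded.
Get-WebConfiguration -PSPath $appHost -Filter "$rf/requestLimits" |
    Select-Object maxAllowedContentLength, maxUrl, maxQueryString
Get-WebConfiguration -PSPath $appHost -Filter "$dip/denyByRequestRate" |
    Select-Object enabled, maxRequests, requestIntervalInMilliseconds
```

Apply the settings on a staging copy first: a content-length cap that is too low will reject legitimate uploads, and a request-rate threshold that is too tight will lock out users behind a shared NAT address, so both numbers have to be derived from the site's own traffic.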
Metmox's cybersecurity practitioners, Professional Services (PS) and security specialists are available to help determine the next steps beyond the guidance above. We provide proactive, contextual and effective hardening and standardization against the IIS Web Server STIG, the OWASP guide to hardening IIS, and the Center for Internet Security (CIS) IIS 10 Benchmark.
As part of our Managed Security Services, we collect website activity data in the W3C log file format from Microsoft IIS servers, ingesting the W3C-compliant log files produced by both standard and advanced IIS logging. This supports technical, regulatory and compliance reporting such as PCI DSS, HIPAA, the OWASP Top 10 and many others.
Metmox can also perform a full security assessment of a website or web application to discover server misconfigurations and vulnerabilities.