Multiple security researchers have discovered that threat actors are increasingly employing malicious Internet Information Services (IIS) web server extensions to backdoor unpatched Exchange servers. These malicious IIS extensions provide adversaries with a durable persistence tool and are harder to detect than web shells with traditional security tools “since they mainly reside in the same directories as legitimate modules used by target applications,” according to Microsoft. After being deployed, the malicious IIS modules allow attackers to steal credentials, collect data from the compromised network and devices, and deliver additional malicious payloads. To defend against this threat, Microsoft recommends patching Exchange servers with the latest updates, use an anti-malware tool, review sensitive roles and groups, practice the principle of least-privilege, prioritize alerts, and inspect configuration files and bin folder of the target application. Read more at BleepingComputer.