IIS "Frebniis" Malware -- Should we be concerned?

ChrisB3127 6 Reputation points
2023-02-18T19:26:47.8466667+00:00

Tech sites started posting a few days ago about a new vulnerability in IIS, called "Frebniis" malware, that is pretty stealthy in how it operates in memory.

Is there any official MS response on this yet? Curious if it's something we should be concerned about with hosting public-facing websites via IIS.


2 answers

  1. Thameur-BOURBITA 32,501 Reputation points
    2023-02-19T10:52:56.1133333+00:00

    Hi @ChrisB3127

    Unfortunately there is no Microsoft article talking about this malware for the moment.

    For your information, Frebniis was discovered by Symantec's Threat Hunter Team.

    I think you can get more details about this vulnerability from Symantec blog:

    Frebniis: New Malware Abuses Microsoft IIS Feature to Establish Backdoor

    Please don't forget to mark the helpful answer as accepted.


  2. Yurong Dai-MSFT 2,781 Reputation points Microsoft Vendor
    2023-02-20T04:34:09.7433333+00:00

    Hi @ChrisB3127

    There are currently no articles dedicated to an official response to this malware. But according to research from the Microsoft 365 Defender Research team, attackers are increasingly using Internet Information Services (IIS) extensions as covert backdoors to servers. These backdoors hide deep within the target environment and provide attackers with a persistent persistence mechanism.

    This Microsoft blog illustrates a new trend in which attackers have been leveraging IIS extensions to covertly backdoor Windows servers. Malicious IIS extensions quietly open persistent backdoors into servers.

    As stated in this blog posted by Pieter Arntz, there are several steps you can take to minimize the risk and consequences of malicious IIS extensions:

    • Keep your server software up to date to minimize the risk of infection.
    • Use security software that also covers your server.
    • Regularly check for IIS modules loaded on exposed IIS servers, especially Exchange servers, using existing tools in the IIS server suite.
    • Deploy a backup strategy and create regular backups for easy deployment when needed.
    • Review licensing and access policies and incorporate credential hygiene.
    • Prioritize alerts for server compromise patterns. It helps catch attacks during the exploration phase, the period when an attacker spends time exploring the environment after gaining initial access.

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the email notification for this thread.

    Best regards,

    Yurong Dai

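The answer above recommends regularly checking which modules are loaded on exposed IIS servers. The script below is an added example (not from this thread, Microsoft, or Symantec) that inventories native and managed IIS modules, flags native module DLLs that are missing, unsigned, or not signed by Microsoft, and diffs the inventory against a saved baseline so that a newly registered module stands out. It assumes the WebAdministration PowerShell module from the IIS management tools is installed, an elevated session, and a baseline path of your choosing (`$BaselinePath` is a placeholder). Note that it covers registered modules only; it will not see code that tampers with a loaded module purely in memory, which is why the answer also recommends endpoint security software and alert prioritization.

```powershell
<#
 Added example (not from the Q&A thread or Microsoft): inventory IIS modules and
 diff them against a saved baseline so that a newly registered module stands out.
 Assumptions: IIS with the WebAdministration PowerShell module installed; run in
 an elevated session; $BaselinePath is a location you choose.
#>
param(
    [string]$BaselinePath = "$env:ProgramData\iis-module-baseline.json"
)
Import-Module WebAdministration -ErrorAction Stop

function Get-IisModuleInventory {
    # Native modules are registered globally in applicationHost.config and point at a DLL.
    $native = Get-WebGlobalModule | ForEach-Object {
        # Image paths usually contain tokens such as %windir%; expand them before checking the file.
        $path = [Environment]::ExpandEnvironmentVariables($_.Image)
        $sig  = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Scope     = 'Global'
            Name      = $_.Name
            Location  = $path
            # SignatureType distinguishes embedded Authenticode from catalog-signed OS binaries.
            Signature = if ($sig) { "$($sig.Status)/$($sig.SignatureType)" } else { 'FileMissing' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
    # Managed (.NET) modules are enabled per site and identified by a CLR type name.
    $managed = foreach ($site in Get-Website) {
        Get-WebManagedModule -PSPath "IIS:\Sites\$($site.Name)" | ForEach-Object {
            [pscustomobject]@{
                Scope     = "Site:$($site.Name)"
                Name      = $_.Name
                Location  = $_.Type
                Signature = 'n/a (managed)'
                Signer    = ''
            }
        }
    }
    @($native) + @($managed)
}

$inventory = Get-IisModuleInventory

# Native module binaries that are missing, unsigned, or not Microsoft-signed deserve a look first.
# A legitimately signed third-party module will also appear here; the list is a starting point, not a verdict.
$inventory |
    Where-Object { $_.Scope -eq 'Global' -and ($_.Signature -notlike 'Valid*' -or $_.Signer -notmatch 'Microsoft') } |
    Format-Table Name, Location, Signature, Signer -AutoSize

# Baseline handling: the first run records the inventory; later runs report anything added or removed.
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    $inventory | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
} else {
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    # Compare on scope + name + location so a renamed DLL or a module moved to another site is also reported.
    $key  = { "$($_.Scope)|$($_.Name)|$($_.Location)" }
    $diff = Compare-Object -ReferenceObject @($baseline | ForEach-Object $key) `
                           -DifferenceObject @($inventory | ForEach-Object $key)
    if ($diff) {
        # '=>' marks a module present now but not in the baseline; '<=' marks one that disappeared.
        $diff | Format-Table InputObject, SideIndicator -AutoSize
    } else {
        Write-Host "No module changes since baseline."
    }
}
```

Run it once on a freshly built or known-good server to write the baseline, then schedule it (for example as a daily task whose output goes to your SIEM) so that any module that appears after the baseline is raised as a change to investigate rather than discovered by accident.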