Lockbit3 Attacks IIS
The Institute of Ismaili Studies (IIS) Ransomware Attack
The Institute of Ismaili Studies (IIS), a UK-based academic institution dedicated to the study of Islam, has recently fallen victim to the ransomware group Lockbit3. The attack was disclosed on the group's dark web leak site. The IIS is recognized for its contributions to the Education sector, with a particular emphasis on the history, philosophy, law, and mysticism of Ismaili and broader Shi‘i intellectual and cultural heritages within the larger Muslim ummah.
Company Size and Unique Features
Founded in 1977, the IIS offers graduate programs and short courses in Islamic Studies, drawing students from Ismaili communities worldwide. Its distinctive focus on Ismaili and broader Shi‘i intellectual and cultural heritages distinguishes it within the Education sector.
Vulnerabilities and Targeting
The Lockbit3 ransomware group, known for exploiting vulnerabilities in Microsoft Internet Information Services (IIS) web servers, targeted the Institute of Ismaili Studies. The attackers gained initial access through known vulnerabilities or misconfigurations, which enabled them to create files on the server through w3wp.exe, the IIS worker process. They then introduced a malicious DLL file and an encoded file and executed the malicious code in memory, evading detection by antivirus tools.
Mitigation Strategies
To avert similar incidents, organizations are advised to monitor vigilantly for abnormal process executions, especially those involving DLL sideloading, a technique frequently employed by attackers, including the Lazarus group. Inspecting the web.config and ApplicationHost.config files, along with scanning installed paths such as the application's bin directory and the default Global Assembly Cache (GAC) location, is crucial for identifying suspicious additions or malicious modules.
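The configuration inspection described above, as an added example that is not part of the original article or any vendor tooling: it parses an ApplicationHost.config or web.config and reports native modules loaded from outside expected directories and managed modules absent from a known-good baseline. The trusted directories, the baseline type list, and the sample configuration (including the module names in it) are assumptions constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

# Assumption: native IIS modules are expected only under these directories.
TRUSTED_DIRS = (r"c:\windows\system32\inetsrv",
                r"c:\windows\microsoft.net\framework64")
# Assumption: managed module types recorded from a known-good build.
BASELINE_TYPES = {"System.Web.Caching.OutputCacheModule"}

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="ManagedEngineV4.0_64bit"
           image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="CacheHelper" image="%windir%\System32\inetsrv\..\..\Temp\cachehlp.dll" />
    </globalModules>
    <modules>
      <add name="HttpCacheModule" lockItem="true" />
      <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
      <add name="SessionHelper" type="Contoso.Web.SessionHelper, SessionHelper" />
    </modules>
  </system.webServer>
</configuration>"""

def normalize(image, windir=r"c:\windows"):
    """Expand %windir%/%systemroot%, collapse '..' segments, lowercase."""
    path = image.lower()
    for var in ("%windir%", "%systemroot%"):
        path = path.replace(var, windir)
    return ntpath.normpath(path)

def audit(xml_text):
    """Return (kind, module name, detail) for every module needing review."""
    root = ET.fromstring(xml_text)
    findings = []
    for section in root.iter("globalModules"):      # native modules (DLL images)
        for add in section.iter("add"):
            path = normalize(add.get("image", ""))
            if not any(path.startswith(d + "\\") for d in TRUSTED_DIRS):
                findings.append(("native", add.get("name"), path))
    for section in root.iter("modules"):            # managed modules carry a type
        for add in section.iter("add"):
            mtype = add.get("type")
            if mtype and mtype.split(",")[0].strip() not in BASELINE_TYPES:
                findings.append(("managed", add.get("name"), mtype))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Path normalization matters here: the third native entry begins with the trusted inetsrv directory but resolves to a Temp folder once the `..` segments are collapsed, so a plain prefix match on the raw attribute would miss it.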
The Lockbit3 ransomware attack on the Institute of Ismaili Studies underscores the critical need for securing web servers, especially those utilizing Microsoft IIS, against known vulnerabilities and misconfigurations. By adopting comprehensive security measures and staying abreast of evolving threats, organizations can enhance their defenses against cyber attacks.
Sources
- The Institute of Ismaili Studies
- Microsoft IIS Web Server: The New Target for Malware Attacks - https://www.microsoft.com/security/blog/2021/06/30/protecting-iis-servers-from-malware-and-exploits/
- Lazarus hackers target Windows IIS web servers for initial access - https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-windows-iis-web-servers-for-initial-access/
- Malicious IIS extensions quietly open persistent backdoors into servers - https://www.bleepingcomputer.com/news/security/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/