lockbit3 attacks iis
Incident Date: July 14, 2022
Overview
Title: lockbit3 attacks iis
Victim: iis
Attacker: Lockbit3
Location:
First Reported: July 14, 2022
The Institute of Ismaili Studies (IIS) Ransomware Attack
The Institute of Ismaili Studies (IIS), a UK-based academic institution dedicated to the study of Islam, has recently fallen victim to the ransomware group Lockbit3. The attack was disclosed on the group's dark web leak site. The IIS is recognized for its contributions to the Education sector, with a particular emphasis on the history, philosophy, law, and mysticism of Ismaili and broader Shi‘i intellectual and cultural heritages within the larger Muslim ummah.
Company Size and Unique Features
Founded in 1977, the IIS offers graduate programs and short courses in Islamic Studies, drawing students from Ismaili communities worldwide. Its distinctive focus on Ismaili and broader Shi‘i intellectual and cultural heritages distinguishes it within the Education sector.
Vulnerabilities and Targeting
The Lockbit3 ransomware group, known for exploiting vulnerabilities in Microsoft Internet Information Services (IIS) web servers, targeted the institute. The attackers gained initial access through known vulnerabilities or misconfigurations, which enabled them to create files on the server using the w3wp.exe process. They then introduced a malicious DLL file and an encoded file and executed malicious code in memory, evading detection by antivirus tools.
Mitigation Strategies
To avert similar incidents, organizations are advised to monitor vigilantly for abnormal process executions, especially those involving DLL sideloading, a technique frequently employed by attackers, including the Lazarus group. Inspecting the web.config and ApplicationHost.config files, and scanning installed paths such as the application's bin directory and the default GAC location, is crucial for identifying suspicious additions or malicious modules.
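One way to carry out the configuration inspection described above, as an added example that is not part of the original report: the script parses an ApplicationHost.config or web.config document and lists module registrations that fall outside an expected baseline. The sample configuration is constructed, and the expected native directory and managed namespace allow-lists are assumptions to adjust per server; a flagged entry means "review this file and its signature", not "malicious".

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from any real server or from this incident.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="ExampleNativeModule" image="C:\inetpub\temp\example.dll" />
    </globalModules>
    <modules>
      <add name="UriCacheModule" />
      <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" preCondition="managedHandler" />
      <add name="ExampleManagedModule" type="Example.Web.Module, Example.Web" />
    </modules>
  </system.webServer>
</configuration>"""

# Assumption: native modules are expected under the default inetsrv directory.
DEFAULT_NATIVE_DIRS = ("%windir%\\system32\\inetsrv\\",
                       "%systemroot%\\system32\\inetsrv\\",
                       "c:\\windows\\system32\\inetsrv\\")
# Assumption: baseline managed modules live in these framework namespaces.
KNOWN_MANAGED_PREFIXES = ("System.Web.", "System.ServiceModel.")

def audit_modules(xml_text):
    """Return (kind, name, detail) tuples for module entries needing manual review."""
    root = ET.fromstring(xml_text)
    findings = []
    # iter() also reaches sections nested under <location> elements.
    for section in root.iter("globalModules"):
        for add in section.iter("add"):
            image = add.get("image", "")
            if not image.lower().startswith(DEFAULT_NATIVE_DIRS):
                findings.append(("native", add.get("name"), image))
    for section in root.iter("modules"):
        for add in section.iter("add"):
            mtype = add.get("type")
            if mtype is None:
                continue  # reference to a native module declared in globalModules
            cls = mtype.split(",")[0].strip()
            if not cls.startswith(KNOWN_MANAGED_PREFIXES):
                # Typically resolved from the application's bin directory or the GAC.
                findings.append(("managed", add.get("name"), mtype))
    return findings

if __name__ == "__main__":
    for kind, name, detail in audit_modules(SAMPLE_CONFIG):
        print(f"REVIEW {kind} module {name}: {detail}")
```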
The Lockbit3 ransomware attack on the Institute of Ismaili Studies underscores the critical need for securing web servers, especially those utilizing Microsoft IIS, against known vulnerabilities and misconfigurations. By adopting comprehensive security measures and staying abreast of evolving threats, organizations can enhance their defenses against cyber attacks.
Sources
- The Institute of Ismaili Studies
- Microsoft IIS Web Server: The New Target for Malware Attacks - https://www.microsoft.com/security/blog/2021/06/30/protecting-iis-servers-from-malware-and-exploits/
- Lazarus hackers target Windows IIS web servers for initial access - https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-windows-iis-web-servers-for-initial-access/
- Malicious IIS extensions quietly open persistent backdoors into servers - https://www.bleepingcomputer.com/news/security/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/