Microsoft Web Servers Targeted By Hacker ‘Praying Mantis’: Cybersecurity Firm

Cybersecurity firm Sygnia said that the threat actor’s campaign focused on Windows IIS servers, and has involved a ‘custom malware framework tailor-made for IIS servers.’

A new threat actor is targeting Microsoft Windows web servers, and organizations running them should patch .NET deserialization vulnerabilities and look for suspicious activity on web-facing Microsoft Internet Information Services (IIS) servers, according to cybersecurity technology and services provider Sygnia.

Tel Aviv-based Sygnia recently issued a report stating that researchers found “an advanced memory-resident attack commonly associated with nation-state actors.”

The threat actor, which Sygnia tracks as “Praying Mantis” or “TG1021,” uses “a variety of deserialization exploits targeting Windows IIS servers and vulnerabilities targeting web applications” and “a completely volatile and custom malware framework tailor-made for IIS servers.”
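The .NET deserialization weakness the report refers to, shown as an added illustration in constructed ASP.NET (.NET Framework) code; this is not code from Sygnia, Microsoft or the article, and the handler classes, the Order type and the “order” form field are assumptions made for the example. The first handler hands a client-supplied blob to BinaryFormatter, which instantiates whatever type graph the payload names and so gives an attacker code execution in the worker process; the second keeps the same feature but binds JSON to exactly one fixed type, so malformed input fails as a parse error rather than running code.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;            // System.Text.Json NuGet package on .NET Framework
using System.Web;

// Hypothetical request type; the property names are assumptions for this example.
[Serializable]
public class Order
{
    public string Sku { get; set; }
    public int Quantity { get; set; }
}

// VULNERABLE: BinaryFormatter trusts the type names embedded in the stream.
// A crafted payload can instantiate arbitrary .NET types, and their
// constructors, setters or callbacks run on the server before the cast
// to Order ever fails. Microsoft documents BinaryFormatter as unsafe for
// untrusted input.
public class LegacyOrderHandler : IHttpHandler
{
    public bool IsReusable => false;

    public void ProcessRequest(HttpContext ctx)
    {
        byte[] blob = Convert.FromBase64String(ctx.Request.Form["order"]);
        var order = (Order)new BinaryFormatter().Deserialize(new MemoryStream(blob));
        ctx.Response.Write($"ok {order.Sku} x{order.Quantity}");
    }
}

// HARDENED: the same feature, but input is JSON bound to one concrete type.
// System.Text.Json does no polymorphic type resolution unless explicitly
// configured for it, so the payload cannot name a type the server did not
// choose; bad input surfaces as JsonException and is rejected with 400.
public class OrderHandler : IHttpHandler
{
    public bool IsReusable => false;

    public void ProcessRequest(HttpContext ctx)
    {
        Order order;
        try
        {
            order = JsonSerializer.Deserialize<Order>(ctx.Request.Form["order"] ?? "");
        }
        catch (JsonException)
        {
            ctx.Response.StatusCode = 400;
            return;
        }

        // Business validation still applies after safe parsing.
        if (order == null || string.IsNullOrEmpty(order.Sku) || order.Quantity <= 0)
        {
            ctx.Response.StatusCode = 400;
            return;
        }
        ctx.Response.Write($"ok {order.Sku} x{order.Quantity}");
    }
}
```

The practical check for an IIS estate is to search application code and third-party components for BinaryFormatter, NetDataContractSerializer, SoapFormatter and similar type-resolving deserializers fed from request data, and to treat any such sink reachable from the network as exploitable until it is replaced with a fixed-type serializer as above.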



IIS (Internet Information Services) is Microsoft’s web server for the Windows operating system; it hosts ASP.NET web applications built on the .NET platform.

In a statement provided to CRN over email, responding to the Sygnia report, Microsoft said that “there are no vulnerabilities in our products involved in this technique. The zero-day exploits discussed refer to issues with third-party applications.”

The company also said it encourages customers to choose applications “to ensure they are developed and maintained with security as a top priority.”

In the “Praying Mantis” campaign, the malware intercepts and handles HTTP requests the server receives, adding backdoor and post-exploitation modules for network reconnaissance, credential harvesting and moving laterally inside networks, among other activities, according to the Sygnia report. Praying Mantis is seemingly “highly familiar with the Windows IIS software and equipped with zero-day exploits.” Sygnia has dubbed the malware “NodeIISWeb.”

Praying Mantis uses tactics, techniques and procedures similar to those of the state-sponsored actor behind the “Copy-Paste Compromises,” which were disclosed by the Australian Cyber Security Centre in June 2020, according to Sygnia. That attacker targeted Australian public and private sector organizations. The Cyber Security Centre deemed the activity “the most significant, coordinated cyber-targeting against Australian institutions the Australian Government has ever observed.”

Praying Mantis has targeted unidentified “high-profile public and private entities” in two major Western markets, according to the report. The discovery of this latest threat actor follows a spate of attacks targeting commercial organizations and allegedly sponsored by other nations.

Even with Microsoft’s large portfolio of security products and services, channel partners must turn to other vendors for redundancy and to provide the high level of protection customers need today, said Phil Walker, CEO of Manhattan Beach, Calif.-based Network Solutions Provider, in an interview with CRN.

“Now we’re dealing with customers on the internet for banking, retail,” said Walker, whose company is a Microsoft partner and member of CRN’s Managed Service Provider 500 for 2021. “There is a level of protection that everyone needs.”

Even if cybersecurity tools and protecting client systems appear to have more costs and headaches compared with the revenue partners can generate from doing so, having a robust cybersecurity portfolio and not overpromising what one’s portfolio can deliver for customers are requirements for managed service providers in 2021, Walker said.

“We’re an involuntary force,” Walker said of MSPs. “Because of what we’re protecting, we have to be more cybersecurity functional.”

Microsoft products have seen a flurry of high-profile attacks this year. In March, Chinese hackers reportedly took advantage of four Microsoft Exchange Server vulnerabilities to steal emails from at least 30,000 organizations across the United States. In July, hackers attempted to use Synnex to gain access to customer applications within the Microsoft cloud environment in an attack possibly tied to the Kaseya ransomware campaign.

The tech giant and its customers have also continued to feel the effects of last year’s massive SolarWinds hack, which ensnared Microsoft’s platforms in numerous ways.

Still, Microsoft is seeing “accelerated demand” for its “end-to-end” cybersecurity solutions, which have gained recognition from analysts in more categories than any other vendor, CEO Satya Nadella said last week during the company’s quarterly call with analysts.

Microsoft’s momentum around security is “reflected in our sales growth – with annual revenue continuing to increase 40 percent year over year,” Nadella said.