InfoSec: Millions of Microsoft Web servers powered by vulnerable legacy software ─Report

Security experts say a recent investigation identified 7,335,868 potentially vulnerable Web servers across the world running legacy versions of Microsoft Internet Information Services (IIS) online

Gbenga Kayode | ConsumerConnect

Millions of Microsoft Web servers are reportedly running on unsupported and vulnerable versions of the Microsoft Internet Information Services (IIS).

Over a million still use an IIS version that was discontinued by Microsoft last year, and most servers are located in Asia and North America.

Researchers identified more than two million Web servers worldwide still running outdated and vulnerable versions of Microsoft Internet Information Services software, a CyberNews report said.

ConsumerConnect gathered that the legacy versions are no longer supported by Microsoft, which makes millions of Web servers easy targets for threat actors and cybercriminals.

Microsoft Internet Information Services, which has a market share of 12.4 percent, is regarded as the third-most-popular suite of Web server software, used to power at least 51.6 million Web sites and Web applications across the world.

When it comes to security, most Web servers running the latest versions of IIS will generally be in good shape.

However, not all versions of IIS are created equal, according to the report.

While Microsoft keeps the newer versions relatively safe by releasing security updates and vulnerability hotfixes, older IIS versions from 7.5 downwards are no longer supported by the company.

Like other types of outdated server software, all legacy versions of Microsoft IIS suffer from numerous critical security vulnerabilities.

By implication, any Web site that runs on an unsupported IIS version is a lucrative target for threat actors, allowing them to easily infiltrate such sites, inject them with dangerous malware, and steal their visitors’ data, including login and payment information.

With that in mind, CyberNews researchers decided to unravel how many Web servers are still powered by discontinued versions of Microsoft IIS, making them sitting ducks for cybercriminals.

How experts collected and analysed the data

In order to conduct the investigation, researchers identified five different versions and subversions of IIS that have been discontinued by Microsoft and matched them with known Common Vulnerabilities and Exposures (CVEs) associated with those versions.

The team used an Internet of Things (IoT) search engine to look for open unpatched IIS web servers that were susceptible to known CVEs and investigated the results for statistical data.

From the initial results, the researchers filtered out honeypots, which are decoy services or systems set up by security teams and researchers as bait for threat actors.

Research findings

From the investigation, experts discovered there are two million Microsoft IIS servers that are vulnerable to threat actors.

On vulnerable IIS servers online, the researchers said that during their investigation they identified 7,335,868 potentially vulnerable Web servers across the world running legacy versions of IIS.

While 72 percent of these servers were honeypots used as bait by researchers and security teams, over two million of the instances they discovered were actually running on vulnerable software that is no longer supported by Microsoft, the report stated.

Security researcher Mantas Sasnauskas said that since Web servers that host public Web sites must be publicly accessible to function, they are also broadcasting their outdated IIS versions for everyone to see.

Sasnauskas stated: “This means that running these servers on visibly vulnerable software is tantamount to extending an invitation to threat actors to infiltrate their networks.”
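The version "broadcast" described above is the HTTP `Server` response header. As an added example (not part of the original report), the following audit reads responses captured from servers you operate and flags any that advertise IIS 7.5 or older, the cutoff the article gives; the host names and sample responses are constructed.

```python
import re
from email.parser import Parser

# Cutoff taken from the article: IIS 7.5 and older are no longer supported.
LEGACY_MAX = (7, 5)
IIS_BANNER = re.compile(r"Microsoft-IIS/(\d+)\.(\d+)", re.IGNORECASE)

# Constructed sample responses (hypothetical hosts), as captured from your own servers.
SAMPLES = {
    "intranet-a.example": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: Microsoft-IIS/7.5\r\n\r\n<html>",
    "shop.example": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\nX-Powered-By: ASP.NET\r\n\r\n",
    "legacy-b.example": "HTTP/1.1 403 Forbidden\r\nserver: Microsoft-IIS/6.0\r\n\r\n",
    "proxy.example": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
}

def iis_version(raw_response):
    """Return (major, minor) advertised in the Server header, or None."""
    # Keep only the header section, tolerating CRLF or LF line endings.
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    _status, _, header_block = head.partition("\n")
    # The email parser gives case-insensitive header lookup.
    headers = Parser().parsestr(header_block, headersonly=True)
    match = IIS_BANNER.search(headers.get("Server", ""))
    return (int(match.group(1)), int(match.group(2))) if match else None

def audit(responses):
    """Classify each host by the IIS version its response advertises."""
    report = {}
    for host, raw in responses.items():
        version = iis_version(raw)
        if version is None:
            report[host] = "no-iis-banner"
        elif version <= LEGACY_MAX:  # tuple comparison: (6, 0) and (7, 5) are legacy
            report[host] = "legacy"
        else:
            report[host] = "newer-than-7.5"
    return report

if __name__ == "__main__":
    for host, verdict in sorted(audit(SAMPLES).items()):
        print(f"{host:22} {verdict}")
```

A host reported as `no-iis-banner` is not necessarily patched: the header can be suppressed or rewritten by a proxy, so confirm the installed version on the server itself.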

Likewise, Terumi Laskowsky, a cybersecurity instructor at DevelopIntelligence, was quoted as arguing that having several vulnerable Web servers in the open makes it incredibly easy for threat actors to perform reconnaissance.

“If there are millions of unpatched IIS servers, the attackers feel like kids in a candy store,” Laskowsky noted.

According to researchers, being aware of a Web server’s vulnerabilities, threat actors can quickly collect data about the best way to attack the target.

Laskowsky further said: “Knowing the description and severity of a vulnerability is just one step in a series of steps that lead to the actual attack.

“The next logical step is to find ways to launch the attack. There are plenty of free sites that give this information, too.

“Not all attacks will succeed, but enough will to make the effort worthwhile for the attackers.”

Most vulnerable IIS Web servers located in China

The investigation also showed that mainland China tops the list of vulnerable server locations with 679,941 exposed instances running legacy versions of IIS.

Meanwhile, 581,708 unprotected servers reside in the US, which runs a close second, the report said.

Hong Kong, where the researchers stated they identified 203,786 vulnerable IIS servers, comes third, while South Korea and Germany round out the top five with 54,981 and 43,857 servers respectively.

According to Andrew Useckas, Chief Technical Officer (CTO) at ThreatX, China’s staggering numbers could be explained by the country’s lax stance on software piracy and the massive proliferation of bootleg Windows copies throughout China.

Useckas said: “The reason why there are so many Microsoft IIS servers in China is the same reason why there are so many of them in Russia.

“It’s easier to install than Linux servers, and license costs are of no issue since these are mostly bootleg versions of Windows.

“Of course, it’s typical that the people who install these pirated versions have no idea how to maintain them and could not be bothered to upgrade them.”

Ben Carr, CISO of Qualys, adds that the meteoric pace of China’s economy may be another reason behind the massive number of unsecured Web servers across the country.

According to Carr, organisations based in Western countries have more regulations and compliance to follow in their markets, while publicly traded companies have fiduciary responsibilities to their shareholders.

The expert believes this situation forces companies to invest more time and resources in security as they develop and grow their operations.

“That process is still developing in China, where the rules are more about market access at the moment. As the economy there matures, there should be more compliance and security guidance in place for them to follow,” says Carr.

The report added that every single legacy version of Microsoft IIS is susceptible to at least five known vulnerabilities, most of them critical and relatively easily exploitable by experienced threat actors.

However, version 7.0 is the most vulnerable version of Microsoft IIS, being susceptible to 17 known vulnerabilities with 47,620 legacy web servers running on this version of IIS, according to
