Threat actors are increasingly abusing Internet Information Services (IIS) extensions to backdoor servers as a means of establishing a "durable persistence mechanism."

攻击者越来越多地滥用 Internet Information Services ( IIS ) 扩展为后门服务器，以此作为建立“持久性机制”的一种手段。

That's according to a new warning from the Microsoft 365 Defender Research Team, which said that "IIS backdoors are also harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules."

这是根据 Microsoft 365 Defender 研究团队的新警告，该团队表示“IIS 后门也更难检测，因为它们大多与目标应用程序使用的合法模块位于同一目录中，并且它们遵循与无害模块相同的代码结构。”

Attack chains taking this approach commence with weaponizing a critical vulnerability in the hosted application for initial access, using this foothold to drop a script web shell as the first stage payload.

采用这种方法的攻击链首先将托管应用程序中的一个关键漏洞武器化以进行初始访问，使用此立足点将脚本 Web shell 作为第一阶段的有效攻击载荷。

This web shell then becomes the conduit for installing a rogue IIS module to provide highly covert and persistent access to the server, in addition to monitoring incoming and outgoing requests as well as running remote commands.

然后，此 Web shell 成为安装IIS 恶意模块的管道，以提供对服务器的高度隐蔽和持久的访问，此外还监控传入和传出请求以及运行远程命令。

Indeed, earlier this month, Kaspersky researchers disclosed a campaign undertaken by the Gelsemium group, which was found taking advantage of the ProxyLogon Exchange Server flaws to launch a piece of IIS malware called SessionManager.

事实上，本月早些时候，卡巴斯基研究人员披露了 Gelsemium 小组开展的一项活动，该活动被发现利用 ProxyLogon Exchange Server 漏洞启动了一款名为SessionManager的 IIS 恶意软件。

In another set of attacks observed by the tech giant between January and May 2022, Exchange servers were targeted with web shells by means of an exploit for the ProxyShell flaws, which ultimately led to the deployment of a backdoor called "FinanceSvcModel.dll" but not before a period of reconnaissance.

这家科技巨头在 2022 年 1 月至 2022 年 5 月期间观察到的另一组攻击中，通过利用ProxyShell漏洞作为Exchange 服务器的Web Shell目标，最终部署了一个名为“FinanceSvcModel.dll”的后门。

"The backdoor had built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration," security researcher Hardik Suri explained.

“后门具有执行 Exchange 管理操作的内置功能，例如枚举已安装的邮箱帐户和导出邮箱以进行渗透，”安全研究员 Hardik Suri 解释说。

To mitigate such attacks, it's recommended to apply the latest security updates for server components as soon as possible, keep antivirus and other protections enabled, review sensitive roles and groups, and restrict access by practicing the principle of least-privilege and maintaining good credential hygiene.

为缓解此类攻击，建议尽快为服务器组件，应用最新的安全更新，保持防病毒和其他防护处于启用状态，检查敏感角色和用户组，并通过施行最小权限原则和保持良好的凭证来限制访问.

坚强者死之徒，柔弱者生之徒。

——《道德经.第七十六章》

本文翻译自：

https://thehackernews.com/2022/07/malicious-iis-extensions-gaining.html

如若转载，请注明原文地址

翻译水平有限 :(

有歧义的地方，请以原文为准 ：）