<h1>OWOWA: a malicious IIS module</h1>
<p>Published 2021-12-16 (updated 2022-05-05) on the Kaspersky blog: <a href="https://www.kaspersky.com.tr/blog/owwa-weapizing-web-mail-outlook/10377/" target="_blank" rel="noopener">https://www.kaspersky.com.tr/blog/owwa-weapizing-web-mail-outlook/10377/</a>. Tags: email, Exchange, Outlook, web threats, web applications.</p>
<p>A malicious Internet Information Services (IIS) module turns Outlook on the web into a tool for stealing credentials and into a remote-access panel. The module, which our researchers have named OWOWA, is being used by unknown actors to carry out targeted attacks.</p>
<h2>Why does Outlook on the web attract attackers?</h2>
<p>Outlook on the web (previously known as Exchange Web Connect, Outlook Web Access and Outlook Web App, or OWA for short) is a web-based interface for accessing Microsoft's Personal Information Manager service. The application is deployed on web servers running IIS.</p>
<p>Many companies use it so that employees can access corporate mailboxes and calendars remotely without having to install a dedicated client. There are several ways to deploy Outlook on the web; the one that interests cybercriminals is an on-site Exchange Server deployment. In theory, taking control of this application gives attackers access to all corporate correspondence, along with countless opportunities to expand their attack on the infrastructure and to launch further BEC attacks.</p>
<h2>How does OWOWA work?</h2>
<p>Although OWOWA is loaded onto compromised IIS web servers as a module for all compatible applications, its real purpose is to capture the credentials entered into OWA. The malware inspects the requests and responses on the Outlook on the web login page, and when it sees that a user has entered credentials and received an authentication token in return, it writes the username and password (in encrypted form) to a file.</p>
<p>In addition, OWOWA lets attackers control Outlook on the web's functions directly through the same authentication form. By entering specific commands in the username and password fields, an attacker can retrieve the collected data, delete the log file, or run arbitrary commands on the compromised server via PowerShell.</p>
<p>For a more detailed technical description of the module, together with its indicators of compromise, see our <a href="https://securelist.com/owowa-credential-stealer-and-remote-access/105219/" target="_blank" rel="noopener">Securelist post</a>.</p>
<h2>Who is falling victim to OWOWA attacks?</h2>
<p>Our experts have detected OWOWA-based attacks on servers in several Asian countries, including Malaysia, Mongolia, Indonesia and the Philippines. However, our experts believe the cybercriminals are also interested in organizations in Europe.</p>
<p>Most of the targets in the attacks carried out were government agencies, plus at least one transport company (which was also state-owned).</p>
<h2>How to protect against OWOWA</h2>
<p>To detect the malicious OWOWA module (or any other third-party IIS module) on an IIS web server, you can use the appcmd.exe command or the standard IIS configuration tool. But remember that, like any computer, any server connected to the internet also needs <a href="https://www.kaspersky.com.tr/small-to-medium-business-security?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______" target="_blank" rel="noopener">protection</a>.</p>