A new attack method targeting Microsoft Outlook Web Application (OWA) allows hackers to collect and retain ownership over a large set of credentials, allowing them to maintain persistent control over an organization's environment.
According to research from Cybereason, the attack involves a malicious module loaded onto Microsoft OWA, an internet-facing webmail server, which let the attackers record authentication credentials and gave them complete backdoor capabilities.
One specific attack was detected by way of a suspicious DLL loaded into the OWA server (the webmail component of Microsoft Exchange Server) that had several interesting characteristics. It carried the same file name as a benign DLL, but unlike that legitimate module it was unsigned.
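The two traits that gave this DLL away, an invalid or missing Authenticode signature and a file name borrowed from a legitimate module, can be checked for directly on an OWA server. The script below is an added defensive example, not code from Cybereason or the article: it lists every module loaded into the IIS worker processes (w3wp.exe) that host OWA, flags those whose signature does not verify, and flags file names that appear more than once under different paths.

```powershell
# Added example (not from the article or the Cybereason research).
# Run elevated, in a PowerShell whose bitness matches the IIS worker processes,
# on the Exchange/OWA server. Baseline the output against a known-good server:
# on older Windows versions, catalog-signed system DLLs may report NotSigned.

$findings = @()

$workers = Get-Process -Name w3wp -ErrorAction SilentlyContinue
if (-not $workers) {
    Write-Warning "No w3wp.exe processes found; is IIS running?"
    return
}

# Every unique module path currently loaded by any IIS worker process
$modulePaths = $workers |
    ForEach-Object { $_.Modules | ForEach-Object { $_.FileName } } |
    Sort-Object -Unique

# Check 1: Authenticode signature of each loaded module
foreach ($path in $modulePaths) {
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        $findings += [pscustomobject]@{
            Check  = 'SignatureNotValid'
            Path   = $path
            Detail = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Check 2: the same DLL name loaded from more than one directory,
# the masquerading pattern the article describes
$modulePaths |
    Group-Object { [System.IO.Path]::GetFileName($_) } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        foreach ($p in $_.Group) {
            $findings += [pscustomobject]@{
                Check  = 'DuplicateModuleName'
                Path   = $p
                Detail = "$($_.Count) copies of $($_.Name)"
                Signer = $null
            }
        }
    }

if ($findings) { $findings | Format-Table -AutoSize }
else { "No unsigned or duplicate-named modules loaded into w3wp.exe." }
```

Any hit is a lead, not a verdict: confirm the file against the Exchange installation media or a clean peer server before treating it as malicious.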
“Contrary to other web servers that typically have only a web interface, OWA is unique: it is a critical internal infrastructure that also faces the internet, making it an intermediary between the internal, allegedly protected DMZ, and the web,” Cybereason explained. “The customer was using OWA to enable remote user access to Outlook. This configuration of OWA created an ideal attack platform because the server was exposed both internally and externally.”
Moreover, because OWA authentication is based on domain credentials, whoever gains access to the OWA server becomes the owner of the entire organization’s domain credentials.
“This attack shows the importance of being hyper-vigilant when it comes to monitoring critical assets within an organization's environment,” said Ken Westin, senior security analyst with Tripwire, in an emailed comment. “Organizations need to pay special attention to what is happening on these critical endpoints, as they can easily lead to an entire network being compromised. Mail servers, active directory servers, databases and other critical systems need to be monitored for any and all system configuration changes, as well as new binaries added to these systems. IT and security teams should be alerted to these changes immediately and have a workflow established for quickly verifying if these changes are authorized and verified as part of a scheduled patch, or if it is a potential malicious piece of malware.”
When dealing with a sophisticated adversary, the malware used to target infrastructure will be custom code that has no known signatures, or the attackers may simply use tools already available on the systems themselves to harvest data, he added.
“Although threat intelligence can help tell organizations if a particular threat or indicator has been seen by others, they still need strong security intelligence within their own network to identify anomalies and potential threats that may not have been seen before,” he said.