Attackers take over org’s OWA server, harvest domain credentials with malicious DLL

Researchers from cyber attack detection and response outfit Cybereason have discovered a novel APT technique that was used by attackers to gain persistence in an (unnamed) organization’ environment and to harvest employees’ authentication credentials.

“The attack involved a malicious module that was loaded onto Microsoft Outlook Web Application (OWA), an internet-facing web-mail server,” they explained. The module came in the form of a malicious, unsigned DLL that had the same name as another benign one (OWAAUTH.dll).

“The customer was using OWA to enable remote user access to Outlook. This configuration of OWA created an ideal attack platform because the server was exposed both internally and externally,” they noted. “Moreover, because OWA authentication is based on domain credentials, whoever gains access to the OWA server becomes the owner of the entire organization’s domain credentials.”

The malicious module was capable of getting all requests in cleartext after SSL/TLS decryption, and to install an ISAPI filter into the IIS server, so that the malicious .dll would be loaded every time the server was restarted.

The recorded login credentials, along with the client host address and the client user agent, were stored in an DES-encrypted file (log.txt) stored in C:\.

The file that they found while helping this organization contained over 11,000 username/password combinations, which meant that every identity and every asset in the organization was effectively compromised.

The module also has backdoor capabilities, and allowed attackers to modify the OWA server.

“Almost by definition, OWA requires organizations to define a relatively lax set of restrictions; and in this case, OWA was configured in a way that allowed internet-facing access to the server,” the researchers explained. “This enabled the hackers to establish persistent control over the entire organization’s environment without being detected for a period of several months.”

They didn’t say whether this technique has been spotted being used anywhere else, but chances are good that there are other compromised OWA servers out there.

Share this