
Attackers Use Webmail Server for Access to Firm’s Systems

Malicious actors breached an organization’s systems and maintained persistent control over its network for months via an Internet-facing webmail server.

The attack was analyzed in detail by Cybereason, a company that provides real-time cyber attack detection and response solutions. The security firm launched an investigation after the security team of one of its customers spotted anomalies on a server.

Cybereason has not named the targeted organization in its report, but told SecurityWeek that the victim in this case was a midsize public services company based in the United States.

Shortly after it was alerted, Cybereason deployed its product on the victim’s 19,000 endpoints in an effort to detect the source of the attack and contain the breach. An analysis revealed the existence of a suspicious DLL file loaded into the organization’s Microsoft Outlook Web App (OWA) server, which had been utilized to enable remote user access to Outlook.

A component of Microsoft Exchange Server, OWA is an email client designed to allow users to access their Exchange Server mailbox from almost any web browser. The fact that OWA acts as an intermediary between internal systems and the Internet made it a perfect target.

“Because OWA authentication is based on domain credentials, whoever gains access to the OWA server becomes the owner of the entire organization’s domain credentials,” Cybereason explained in its report.

Experts noticed that the suspicious DLL file had the same name as a legitimate DLL used as part of OWA’s authentication mechanism, but it was unsigned and loaded from a different folder. The DLL in question, “OWAAUTH.dll,” normally authenticates users against the Active Directory server, but the malicious version used by the attackers was set up to install an ISAPI filter on the IIS server and filter HTTP requests. By registering the filter in the registry, the attackers ensured that the malware was loaded again after every restart of the server.

This setup allowed the attackers to obtain all requests in cleartext and determine which of them contained usernames and passwords. The malware collected authentication credentials and stored them in an encrypted text file.
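The two indicators the article describes, a module named OWAAUTH.dll that is unsigned or loaded from outside the Exchange installation, and an unexpected ISAPI filter registered in IIS, can both be checked from the server itself. The script below is an added example written for this article; it is not Cybereason’s tooling or part of their report. It assumes it runs elevated on an Exchange server, that the legitimate DLL lives under the path in the `ExchangeInstallPath` environment variable (set by Exchange setup; adjust `$expectedRoot` if your layout differs), that `w3wp.exe` hosts OWA, and that the WebAdministration module is available. The article says the filter was persisted through the registry without naming the key, so the script inspects the IIS ISAPI filter list rather than any specific registry path.

```powershell
# Added example: hunt for a masquerading OWAAUTH.dll and unexpected ISAPI filters.
# Not code from the article or from Cybereason; paths and assumptions are noted inline.

# Assumption: Exchange setup populates ExchangeInstallPath on the server.
$expectedRoot = $env:ExchangeInstallPath
if (-not $expectedRoot) {
    Write-Warning "ExchangeInstallPath is not set; falling back to the default install path (assumption)."
    $expectedRoot = 'C:\Program Files\Microsoft\Exchange Server\'
}

# 1. Every OWAAUTH.dll loaded into any IIS worker process: where is it, and is it signed?
#    Module enumeration needs elevation and a PowerShell bitness matching w3wp.exe.
$dllFindings = foreach ($proc in Get-Process -Name w3wp -ErrorAction SilentlyContinue) {
    foreach ($mod in $proc.Modules) {
        if ($mod.ModuleName -ieq 'OWAAUTH.dll') {
            $sig = Get-AuthenticodeSignature -FilePath $mod.FileName
            $inExpectedPath = $mod.FileName.StartsWith($expectedRoot, [StringComparison]::OrdinalIgnoreCase)
            [pscustomobject]@{
                ProcessId       = $proc.Id
                Path            = $mod.FileName
                SignatureStatus = $sig.Status                      # 'Valid' for a properly signed binary
                Signer          = $sig.SignerCertificate.Subject   # $null when the file is unsigned
                # Either indicator from the article is enough to flag the module.
                Suspicious      = (-not $inExpectedPath) -or ($sig.Status -ne 'Valid')
            }
        }
    }
}

"== OWAAUTH.dll modules loaded in w3wp.exe =="
$dllFindings | Format-Table -AutoSize

# 2. ISAPI filters registered server-wide in IIS (applicationHost.config).
#    Review any entry whose DLL is outside the Exchange or IIS directories or is unsigned.
Import-Module WebAdministration -ErrorAction Stop
$filterFindings = Get-WebConfiguration -Filter '/system.webServer/isapiFilters/filter' -PSPath 'MACHINE/WEBROOT/APPHOST' |
    ForEach-Object {
        $path = [Environment]::ExpandEnvironmentVariables($_.path)
        $sig  = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Name            = $_.name
            Path            = $path
            Exists          = (Test-Path $path)
            SignatureStatus = if ($sig) { $sig.Status } else { 'FileMissing' }
            InExchangePath  = $path.StartsWith($expectedRoot, [StringComparison]::OrdinalIgnoreCase)
        }
    }

"== Server-wide ISAPI filters =="
$filterFindings | Format-Table -AutoSize

# Anything flagged here is a lead for the investigation described in the article,
# not proof of compromise: confirm by comparing hashes against a known-good Exchange build.
```

Run it on each OWA-facing server and compare output across them; a single host whose OWAAUTH.dll path or signature differs from its peers is the kind of anomaly the customer’s security team noticed. Note that a valid-looking signature on the expected path only tells you the on-disk file is legitimate; a module already loaded from a different folder is exactly what the first table is meant to surface.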

After decrypting the file, researchers found more than 11,000 credential sets, which gave the hackers complete access to every identity, and implicitly every asset, in the breached company.

The malware used in this attack also provided backdoor functionality, including for reading, writing and executing commands on SQL servers, and for writing and executing arbitrary code on the OWA server itself.

“Almost by definition, OWA requires organizations to define a relatively lax set of restrictions; and in this case, OWA was configured in a way that allowed internet-facing access to the server. This enabled the hackers to establish persistent control over the entire organization’s environment without being detected for a period of several months,” Cybereason researchers said.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
