Malicious actors breached an organization’s systems and maintained persistent control over its network for months via an Internet-facing webmail server.
The attack was analyzed in detail by Cybereason, a company that provides real-time cyber attack detection and response solutions. The security firm launched an investigation after the security team of one of its customers spotted anomalies on a server.
Cybereason has not named the targeted organization in its report, but told SecurityWeek that the victim in this case was a midsize public services company based in the United States.
Shortly after it was alerted, Cybereason deployed its product on the victim’s 19,000 endpoints in an effort to detect the source of the attack and contain the breach. The analysis revealed a suspicious DLL file loaded into the organization’s Microsoft Outlook Web App (OWA) server, which was used to give users remote access to Outlook.
A component of Microsoft Exchange Server, OWA is an email client designed to allow users to access their Exchange Server mailbox from almost any web browser. The fact that OWA acts as an intermediary between internal systems and the Internet made it a perfect target.
“Because OWA authentication is based on domain credentials, whoever gains access to the OWA server becomes the owner of the entire organization’s domain credentials,” Cybereason explained in its report.
Experts noticed that the suspicious DLL file had the same name as a legitimate DLL used as part of OWA’s authentication mechanism, but it was unsigned and loaded from a different folder. The DLL in question, “OWAAUTH.dll,” normally authenticates users against the Active Directory server, but the malicious version used by the attackers was set up to install an ISAPI filter on the IIS server and filter HTTP requests. By registering the filter in the registry, the attackers ensured that the malware was loaded again after every restart of the server.
This setup allowed the attackers to obtain all requests in cleartext and determine which of them contained usernames and passwords. The malware collected authentication credentials and stored them in an encrypted text file.
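The three indicators described above (a copy of OWAAUTH.dll that is unsigned, a copy loaded from a folder other than the Exchange installation, and an ISAPI filter registered in the IIS configuration so that it survives restarts) can be audited from an elevated PowerShell session on the Exchange server. The script below is an added example written for this article; it is not code from the Cybereason report. The expected location of the legitimate DLL (`$ExpectedOwaAuthDir`) is an assumption based on a default Exchange 2013 install path and should be adjusted for the deployment being checked.

```powershell
# Added example, not from the Cybereason report: audit an Exchange/IIS host for
# (1) OWAAUTH.dll copies that are unsigned or outside the Exchange folder,
# (2) an OWAAUTH.dll loaded into an IIS worker process from an unexpected path,
# (3) ISAPI filters registered at the server level in applicationHost.config.
# Run elevated on the Exchange server itself.
param(
    # Assumption: default Exchange 2013 path; change for your environment.
    [string]$ExpectedOwaAuthDir = 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\auth',
    [string]$AppHostConfig = (Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config')
)

$findings = @()

# 1. Every OWAAUTH.dll on disk: is it Authenticode-signed, and is it where Exchange put it?
Get-ChildItem -Path 'C:\' -Filter 'OWAAUTH.dll' -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $inExpectedDir = $_.DirectoryName -like "$ExpectedOwaAuthDir*"
    if ($sig.Status -ne 'Valid' -or -not $inExpectedDir) {
        $findings += [pscustomobject]@{
            Check  = 'OWAAUTH.dll on disk'
            Detail = "$($_.FullName) signature=$($sig.Status) signer=$($sig.SignerCertificate.Subject) expectedDir=$inExpectedDir"
        }
    }
}

# 2. Modules actually loaded into IIS worker processes (w3wp.exe). This catches a
#    copy that is running in memory even if the file on disk has since been removed.
Get-Process -Name w3wp -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    try { $mods = $p.Modules } catch { $mods = @() }   # access denied when not elevated or bitness mismatch
    $mods | Where-Object { $_.ModuleName -ieq 'OWAAUTH.dll' -and $_.FileName -notlike "$ExpectedOwaAuthDir*" } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Check  = "OWAAUTH.dll loaded in w3wp PID $($p.Id)"
                Detail = $_.FileName
            }
        }
}

# 3. Server-level ISAPI filters. A filter binary that is unsigned, missing, or outside
#    the Exchange/Windows directories deserves a closer look.
if (Test-Path $AppHostConfig) {
    [xml]$cfg = Get-Content -Path $AppHostConfig -Raw
    foreach ($f in $cfg.SelectNodes('//isapiFilters/filter')) {
        $path = [Environment]::ExpandEnvironmentVariables($f.path)
        $status = if (Test-Path $path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
        $findings += [pscustomobject]@{
            Check  = "ISAPI filter '$($f.name)'"
            Detail = "$path signature=$status"
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No findings.' }
```

Every ISAPI filter is listed rather than only the unsigned ones, because the set on a healthy Exchange server is small and stable, so the whole list is easy to compare against a known-good baseline taken from another server or an earlier audit.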
After decrypting the file, researchers found more than 11,000 credential sets, which gave the hackers complete access to every identity, and implicitly every asset, in the breached company.
The malware used in this attack also provided backdoor functionality, including reading, writing and executing commands on SQL servers, and writing and executing arbitrary code on the OWA server itself.
“Almost by definition, OWA requires organizations to define a relatively lax set of restrictions; and in this case, OWA was configured in a way that allowed internet-facing access to the server. This enabled the hackers to establish persistent control over the entire organization’s environment without being detected for a period of several months,” Cybereason researchers said.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.