Malicious actors breached an organization’s systems and maintained persistent control over its network for months via an Internet-facing webmail server.
The attack was analyzed in detail by Cybereason, a company that provides real-time cyber attack detection and response solutions. The security firm launched an investigation after one of its customers’ security team spotted anomalies on a server.
Cybereason has not named the targeted organization in its report, but told SecurityWeek that the victim in this case was a midsize public services company based in the United States.
Shortly after it was alerted, Cybereason deployed its product on the victim’s 19,000 endpoints in an effort to detect the source of the attack and contain the breach. An analysis revealed a suspicious DLL file loaded into the organization’s Microsoft Outlook Web App (OWA) server, which was used to give users remote access to Outlook.
A component of Microsoft Exchange Server, OWA is an email client designed to allow users to access their Exchange Server mailbox from almost any web browser. The fact that OWA acts as an intermediary between internal systems and the Internet made it a perfect target.
“Because OWA authentication is based on domain credentials, whoever gains access to the OWA server becomes the owner of the entire organization’s domain credentials,” Cybereason explained in its report.
Experts noticed that the suspicious DLL file had the same name as a legitimate DLL used as part of OWA’s authentication mechanism, but it was unsigned and loaded from a different folder. The legitimate “OWAAUTH.dll” is designed to authenticate users against the Active Directory server, but the malicious version used by the attackers was built to install an ISAPI filter on the IIS server and filter HTTP requests. By registering the filter in the registry, the attackers ensured that the malware was loaded again after every restart of the server.
This setup allowed the attackers to obtain all requests in cleartext and determine which of them contained usernames and passwords. The malware collected authentication credentials and stored them in an encrypted text file.
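The two indicators described above, a DLL carrying the name of a legitimate Exchange component but unsigned and loaded from the wrong folder, and an ISAPI filter registered in IIS so it survives restarts, are both things an Exchange administrator can check for directly. The following PowerShell triage script is an added example; it is not code from the Cybereason report or from Microsoft. It assumes the Exchange install root is available in the `ExchangeInstallPath` environment variable (which Exchange setup normally sets), that the script runs elevated so it can enumerate modules of the IIS worker processes, and that ISAPI filters are defined in the IIS configuration store rather than only in a registry key (the article does not name the key the attackers used).

```powershell
# Added example, not part of the original article or the Cybereason report.
# Triage an Exchange/OWA server for the two indicators described in the text:
#   1. OWAAUTH.dll mapped into an IIS worker process (w3wp.exe) that is either
#      unsigned or loaded from outside the Exchange install directory.
#   2. ISAPI filters registered in IIS whose binary lives outside that directory.
# Assumptions: ExchangeInstallPath is set by Exchange setup; the script runs as
# a local administrator; IIS 7+ keeps ISAPI filters in applicationHost.config.
#Requires -RunAsAdministrator

param(
    [string]$ExchangeRoot = $env:ExchangeInstallPath   # assumption: set by Exchange setup
)

if (-not $ExchangeRoot) {
    Write-Warning "ExchangeInstallPath is not set; pass -ExchangeRoot explicitly."
    exit 1
}
$ExchangeRoot = $ExchangeRoot.TrimEnd('\')

function Test-ExpectedBinary {
    param([string]$Path, [string]$Source)
    # A binary is "expected" only when it carries a valid Authenticode signature
    # AND it sits under the Exchange install directory. Either condition failing
    # is enough to flag it, because the reported backdoor failed both.
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    $signed = ($null -ne $sig) -and ($sig.Status -eq 'Valid')
    $inRoot = $Path.StartsWith($ExchangeRoot, [System.StringComparison]::OrdinalIgnoreCase)
    [pscustomobject]@{
        Source  = $Source
        Path    = $Path
        Signed  = $signed
        Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        InRoot  = $inRoot
        Suspect = -not ($signed -and $inRoot)
    }
}

$findings = @()

# 1. Every OWAAUTH.dll currently loaded into an IIS worker process.
foreach ($proc in Get-Process -Name w3wp -ErrorAction SilentlyContinue) {
    foreach ($mod in $proc.Modules) {
        if ($mod.ModuleName -ieq 'OWAAUTH.dll') {
            $findings += Test-ExpectedBinary -Path $mod.FileName -Source "w3wp.exe PID $($proc.Id)"
        }
    }
}

# 2. ISAPI filters registered globally and per site in the IIS configuration.
Import-Module WebAdministration -ErrorAction Stop
$scopes = @(@{ Name = 'global'; PSPath = 'MACHINE/WEBROOT/APPHOST' })
foreach ($site in Get-Website) {
    $scopes += @{ Name = "site '$($site.Name)'"; PSPath = "IIS:\Sites\$($site.Name)" }
}
foreach ($scope in $scopes) {
    $filters = Get-WebConfiguration -Filter 'system.webServer/isapiFilters/filter' `
                                    -PSPath $scope.PSPath -ErrorAction SilentlyContinue
    foreach ($f in $filters) {
        # Filter paths may contain environment variables; expand before checking.
        $binary = [Environment]::ExpandEnvironmentVariables([string]$f.path)
        if ($binary -and (Test-Path -LiteralPath $binary)) {
            $findings += Test-ExpectedBinary -Path $binary -Source "ISAPI filter '$($f.name)' ($($scope.Name))"
        } else {
            # A registered filter whose file is missing still deserves a look.
            $findings += [pscustomobject]@{
                Source = "ISAPI filter '$($f.name)' ($($scope.Name))"; Path = $binary
                Signed = $false; Signer = $null; InRoot = $false; Suspect = $true
            }
        }
    }
}

$suspects = $findings | Where-Object { $_.Suspect }
if ($suspects) {
    Write-Output "Suspicious OWA authentication modules / ISAPI filters:"
    $suspects | Format-Table Source, Path, Signed, Signer, InRoot -AutoSize
} else {
    Write-Output "No unsigned or out-of-tree OWAAUTH.dll or ISAPI filter found."
}
```

Run it on the Exchange server itself from an elevated PowerShell prompt. A legitimate OWAAUTH.dll shows as signed by Microsoft and located under the Exchange install tree; anything listed as a suspect is worth preserving (hash the file and copy it off-box) before the process is restarted, since the reported persistence would reload it on the next start.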
After decrypting the file, researchers found more than 11,000 credential sets, which gave the hackers complete access to every identity, and implicitly every asset, in the breached company.
The malware used in this attack also provided backdoor functionality, including for reading, writing and executing commands on SQL servers, and for writing and executing arbitrary code on the OWA server itself.
“Almost by definition, OWA requires organizations to define a relatively lax set of restrictions; and in this case, OWA was configured in a way that allowed internet-facing access to the server. This enabled the hackers to establish persistent control over the entire organization’s environment without being detected for a period of several months,” Cybereason researchers said.