
Attackers Use Webmail Server for Access to Firm’s Systems

Malicious actors breached an organization’s systems and maintained persistent control over its network for months via an Internet-facing webmail server.

The attack was analyzed in detail by Cybereason, a company that provides real-time attack detection and response products. The firm launched an investigation after the security team of one of its customers spotted anomalies on a server.

Cybereason has not named the targeted organization in its report, but told SecurityWeek that the victim in this case was a midsize public services company based in the United States.

Shortly after being alerted, Cybereason deployed its product on the victim's 19,000 endpoints in order to find the source of the attack and contain the breach. The analysis revealed a suspicious DLL loaded into the organization's Microsoft Outlook Web App (OWA) server, which was used to give remote users access to their Exchange mailboxes.

A component of Microsoft Exchange Server, OWA is a web-based email client that lets users reach their Exchange mailbox from almost any browser. Because OWA sits between the internal network and the Internet, it made an ideal target.

“Because OWA authentication is based on domain credentials, whoever gains access to the OWA server becomes the owner of the entire organization’s domain credentials,” Cybereason explained in its report.

The researchers noticed that the suspicious DLL had the same name as a legitimate DLL used by OWA's authentication mechanism, but it was unsigned and loaded from a different folder. The legitimate "OWAAUTH.dll" authenticates users against Active Directory; the malicious version instead registered an ISAPI filter on the IIS server so that it could inspect HTTP requests. Because the filter was registered in the registry, the malware was loaded again after every restart of the server.
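The two properties that gave the implant away, an OWAAUTH.dll that is unsigned or loaded from an unexpected folder and an ISAPI filter registration in IIS, can be checked directly on an Exchange server. The PowerShell below is an added triage example written for this page; it is not code from Cybereason's report or from Microsoft. It assumes it runs elevated on the Exchange server and that the ExchangeInstallPath environment variable created by Exchange setup is present.

```powershell
# Added triage script for an Exchange OWA server (example code, not from
# Cybereason's report or from Microsoft). It checks the two properties that
# gave the implant away: an OWAAUTH.dll that is unsigned or loaded from a
# folder outside the Exchange installation, and ISAPI filters registered in
# IIS that are not signed. Assumptions: it runs elevated on the Exchange
# server, and the ExchangeInstallPath environment variable created by Exchange
# setup is present.
#Requires -RunAsAdministrator

$exchangeRoot = $env:ExchangeInstallPath
if (-not $exchangeRoot) { throw 'ExchangeInstallPath is not set; run this on the Exchange server.' }

# Describe one DLL: Authenticode status, signer, hash, and whether it lives under the Exchange install root.
function Get-ModuleTrust {
    param([Parameter(Mandatory)][string]$Path, [string]$Source)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Source     = $Source
        Path       = $Path
        SignStatus = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        InExchDir  = $Path.StartsWith($exchangeRoot, [System.StringComparison]::OrdinalIgnoreCase)
        Sha256     = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
    }
}

# 1. What IIS is configured to load at startup: every ISAPI filter in applicationHost.config,
#    both at server level and inside per-site <location> blocks.
$appHost = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$cfg = Get-Content -Path $appHost -Raw
$configured = foreach ($f in $cfg.SelectNodes('//isapiFilters/filter')) {
    $name = $f.GetAttribute('name')
    $p    = [System.Environment]::ExpandEnvironmentVariables($f.GetAttribute('path'))
    if (Test-Path -LiteralPath $p) {
        Get-ModuleTrust -Path $p -Source "isapiFilter:$name"
    } else {
        # A filter whose DLL is gone is still worth a look: it may have been cleaned up after use.
        [pscustomobject]@{ Source = "isapiFilter:$name"; Path = $p; SignStatus = 'MISSING'
                           Signer = $null; InExchDir = $false; Sha256 = $null }
    }
}

# 2. What is actually in memory: every owaauth.dll mapped into any IIS worker process.
#    This catches a copy loaded from the "wrong" folder even if the legitimate file is still on disk.
$loaded = foreach ($proc in Get-Process -Name w3wp -ErrorAction SilentlyContinue) {
    foreach ($m in $proc.Modules) {
        if ($m.ModuleName -ieq 'owaauth.dll') {
            Get-ModuleTrust -Path $m.FileName -Source "w3wp:$($proc.Id)"
        }
    }
}

$all = @($configured) + @($loaded)
$suspicious = $all | Where-Object {
    $_.SignStatus -ne 'Valid' -or
    ($_.Path -match '(?i)owaauth\.dll$' -and -not $_.InExchDir)
}

$all | Format-Table Source, SignStatus, InExchDir, Path -AutoSize
if ($suspicious) {
    Write-Warning "Review these modules: unsigned, missing, or OWAAUTH.dll outside $exchangeRoot"
    $suspicious | Format-List Source, Path, SignStatus, Signer, Sha256
} else {
    Write-Host 'No unsigned ISAPI filters and no out-of-place OWAAUTH.dll found.'
}
```

Run it on every Client Access server and keep the SHA256 values so the OWAAUTH.dll on each host can be compared with a copy from a clean installation. A file that reports Valid but carries a signer other than Microsoft deserves the same scrutiny as an unsigned one; the script prints the signer subject for that reason.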

This placed the attackers in the request path of every OWA user: the filter saw all requests in cleartext (IIS terminates HTTPS before ISAPI filters run, so TLS offers no protection at this point) and could pick out those containing usernames and passwords. The malware collected the credentials and stored them in an encrypted text file.

After decrypting the file, the researchers found more than 11,000 credential sets, which gave the attackers access to every identity, and therefore implicitly every asset, in the breached company.

The malware used in this attack also provided backdoor functionality, including for reading, writing and executing commands on SQL servers, and for writing and executing arbitrary code on the OWA server itself.

“Almost by definition, OWA requires organizations to define a relatively lax set of restrictions; and in this case, OWA was configured in a way that allowed internet-facing access to the server. This enabled the hackers to establish persistent control over the entire organization’s environment without being detected for a period of several months,” Cybereason researchers said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
