OWA Server Attacked

Wednesday, October 7, 2015 @ 03:10 PM gHale

An attack on a Microsoft Outlook Web Application (OWA) server let hackers plant a backdoor that recorded the authentication credentials of every user who logged in.

The Microsoft Outlook Web Application (OWA) is the Internet-facing webmail component of Microsoft Exchange Server, which companies deploy to give employees browser access to corporate email from outside the network.


In this case, security vendor Cybereason discovered the attack after a company engaged its services when in-house IT staff noticed suspicious behavior on the OWA server.

While this was an enterprise-level attack, an Internet-facing OWA server is just one of many entry points into a company in the manufacturing automation sector from which attackers could pivot into the industrial control system, a risk that grows as IT and OT networks become more interconnected.

In this case, attackers replaced OWAAUTH.dll, the library OWA uses to authenticate users, with a version containing a backdoor, and used it to collect the credentials users submitted to OWA, which the server validates against the local Active Directory server (the directory that manages shared authentication for the domain), researchers at Cybereason said in a report.

Even though the OWA server handled authentication correctly over SSL/TLS, encryption protected the credentials only in transit: the backdoored DLL ran inside the server after the SSL/TLS decryption stage, so it saw every login in clear text.

Every user who ever authenticated against the compromised server had their username and password logged and sent to the attackers.

All logged data ended up in a log.txt file on the server’s “C:\” drive. Cybereason researchers found more than 11,000 username and password pairs in this file; the company that owned the OWA server had around 19,000 employees.

The hackers also took steps to keep their backdoor from being removed: they registered an IIS filter (an ISAPI filter in Microsoft’s web server) that loaded the malicious version of OWAAUTH.dll every time the server restarted.
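The three artifacts described above (a tampered OWAAUTH.dll, the C:\log.txt credential dump, and an ISAPI filter used for persistence) are all checkable from the Exchange server itself. The following PowerShell triage script is an added example written for this article; it is not code from the article or from Cybereason’s report. It assumes it runs elevated on the Exchange/IIS host, that the ExchangeInstallPath environment variable set by Exchange setup is present (with a fallback path that is an assumption), and that the operator supplies a known-good SHA-256 of owaauth.dll taken from a clean install of the same build.

```powershell
# Added example (not from the article or the Cybereason report): triage an Exchange
# server for the OWAAUTH.dll backdoor pattern. Run elevated on the Exchange/IIS host.
param(
    # SHA-256 of owaauth.dll from a trusted install of the same build (assumption: operator supplies it)
    [string]$KnownGoodHash = '',
    # Path the report named for the credential dump; attackers can of course pick another
    [string]$CredentialLog = 'C:\log.txt'
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Integrity of OWAAUTH.dll. The genuine file carries a Microsoft Authenticode signature;
#    a patched copy fails validation, and an attacker-signed copy has the wrong signer.
$exchangeRoot = $env:ExchangeInstallPath
if (-not $exchangeRoot) { $exchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\' }  # assumption
$dlls = Get-ChildItem -Path $exchangeRoot -Recurse -File -Filter 'owaauth.dll' -ErrorAction SilentlyContinue
if (-not $dlls) { $findings.Add("owaauth.dll not found under $exchangeRoot (check the install path)") }
foreach ($dll in $dlls) {
    $sig    = Get-AuthenticodeSignature -FilePath $dll.FullName
    $hash   = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
        $findings.Add("SUSPICIOUS: $($dll.FullName) signature=$($sig.Status) signer=$signer sha256=$hash")
    }
    if ($KnownGoodHash -and $hash -ne $KnownGoodHash) {
        $findings.Add("SUSPICIOUS: $($dll.FullName) sha256 $hash differs from known-good $KnownGoodHash")
    }
}

# 2. Persistence. ISAPI filters are registered in applicationHost.config; every filter DLL
#    should be Microsoft-signed and live under the Windows or Exchange directory tree.
$appHost = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$cfg = Get-Content -Path $appHost -Raw
foreach ($f in $cfg.SelectNodes('//isapiFilters/filter')) {
    $path  = [Environment]::ExpandEnvironmentVariables($f.path)
    $where = if ($path -like "$env:windir\*" -or $path -like "$exchangeRoot*") { 'expected-dir' } else { 'UNEXPECTED-DIR' }
    $fsig  = if (Test-Path $path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'MISSING' }
    $line  = "ISAPI filter '$($f.name)' -> $path [$where, signature=$fsig, enabled=$($f.enabled)]"
    if ($where -eq 'UNEXPECTED-DIR' -or $fsig -ne 'Valid') { $findings.Add("SUSPICIOUS: $line") }
    else { Write-Host $line }
}

# 3. The credential dump. A plain-text file at the reported location, especially a large and
#    recently written one, is a strong indicator on its own. Copy it for forensics; do not delete it.
if (Test-Path $CredentialLog) {
    $item = Get-Item $CredentialLog
    $findings.Add("SUSPICIOUS: $CredentialLog exists ($($item.Length) bytes, last write $($item.LastWriteTime))")
}

if ($findings.Count -eq 0) { Write-Host 'No indicators of the OWAAUTH.dll backdoor pattern found.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

The hash comparison is the authoritative check; the signature test is a fast first pass, and on some builds Exchange binaries may be catalog-signed rather than embedded-signed, so treat an unexpected signature status as a prompt to compare against a clean install rather than as proof by itself. Because the ISAPI filter reloads the malicious DLL at startup, a clean file on disk after a reboot is not enough: confirm that the filter list is clean and that the module loaded into the IIS worker process matches the trusted hash, and if anything fires, preserve the server image and log.txt before remediating, since every credential in that file must be reset.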

Additionally, they built extra capabilities into the DLL: it watched HTTP connections to the server and executed commands whenever specific instructions arrived disguised as regular Internet traffic, giving the attackers remote command execution over the same web port legitimate users reached.