According to the experts at the Cybereason security firm threat actors breached an unnamed organization network and maintained persistence for months via a webmail server.
The victim was a midsize public services company based in the United States that contacted the Cybereason firm to investigate possible intrusions.
Cybereason deployed its product on the victim’s 19,000 endpoints in an effort to identify the source of the attack and mitigate it.
The investigation allowed Cybereason to discover a suspicious DLL file loaded into the organization’s Microsoft Outlook Web App (OWA) server.
The server was used by the organization to enable remote user access to Outlook.
OWA is a webmail component of Microsoft Exchange Server starting with version 5.0 that allows users to access their Exchange Server mailbox by using any web browser. The attackers backdoored a web-accessible server in the demilitarized zone.
“OWA is unique: it is a critical internal infrastructure that also faces the Internet, making it an intermediary between the internal, allegedly protected DMZ, and the web” states the report issued by Cybereason. “This configuration of OWA created an ideal attack platform because the server was exposed both internally and externally. “
“Because OWA authentication is based on domain credentials, whoever gains access to the OWA server becomes the owner of the entire organization’s domain credentials,”
The experts at Cybereason discovered a suspicious DLL, the “OWAAUTH.dll,” having the same name as a legitimate OWA DLL used for the authentication mechanism. The experts noticed something of strange because the code of this DDL was unsigned and loaded from a different folder.
“The hackers installed a backdoored malicious OWAAUTH.dll which was used by OWA as part of the authentication mechanism, and was responsible for authenticating users against the Active Directory (A/D) server used in the environment. In addition, the malicious OWAAUTH.DLL also installed an ISAPI filter into the IIS server, and was filtering HTTP requests.” states the report.
This setting enabled the hackers to get all requests in clear text after SSL/TLS decryption and syphon users’ credentials, the threat actors installed the filter in the registry to ensure persistence of its infection, the malicious code is then loaded after every restart of the server.
Syphoned authentication credentials are stored in an encrypted text file. The experts decrypted the file and discovered more than 11,000 credentials belonging to the hacked organization company.
The malicious code provided full functional backdoor in the targeted system, it allows to manipulate files on the OWA server and execute commands and arbitrary code.
“Almost by definition, OWA requires organizations to define a relatively lax set of restrictions; and in this case, OWA was configured in a way that allowed internet-facing access to the server. This enabled the hackers to establish persistent control over the entire organization’s environment without being detected for a period of several months,” continues the Cybereason report.
(Security Affairs – OWA server, hacking)