Potent OWA backdoor scores 11,000 corporate creds from single biz

DLL hell means all your Outlook Web Access user creds can be siphoned

Security researchers Yonatan Striem-Amit and Yoav Orot say attackers have cooked a dangerous backdoor capable of hosing organisations using Microsoft Outlook Web Access (OWA).

The pair from Boston outfit Cybereason detected the attack in a malicious .dll file that siphoned decrypted HTTPS server requests.

Chief technology officer Amit and senior researcher Orot say attackers maintained months of access to the unnamed customer's network and domain credentials.

"The hacker’s first goal was to use the visibility they had gained into the OWA authentication process to steal the passwords of users logging into OWA - namely everyone," the pair say (PDF)

"By using this approach, the hackers managed to collect and retain ownership over a large set of credentials, allowing them to maintain persistent control over the organisation's environment.

"The customer was using OWA to enable remote user access to Outlook [which] created an ideal attack platform because the server was exposed both internally and externally."

They found more than 11,000 username and password pairs that the attackers had access to, amounting to every identity and asset in the popped organisation.

The pair point out that OWA server admins are owners of an organisation's domain credentials, making it a juicy attack vector.

They further note that the attacker's malicious owaauth.dll file also installed a ISAPI filter that handed attackers the post encryption cleartext requests.

It is unclear but likely that the backdoored .dll file will be thrown at other organisations in a bid to exploit and gain corporate access through OWA, a system that Amit and Orot say requires lax weak security "almost by definition".

The customer's security team detected "behavioural abnormalities" across its network before reaching out to Cybereason to deploy its kit across some 19,000 end points.

The research duo says the hackers also used a .NET assembly cache to hide binaries that only ran on the machines on which it was generated - a clever feat that attempted to fool casual human security inspection. ®

Biting the hand that feeds IT © 1998–2021