Skip to content ↓ | Skip to navigation ↓

 An advanced attack leveraging the Microsoft Outlook Web App (OWA) server could provide intruders with access to enterprise credentials, allowing them to gain persistent control over an organization’s environment.

Researchers at security firm Cybereason uncovered the APT attack when a customer alerted the company it had experienced several behavioral abnormalities on its network.

After searching for signs of infection, researchers discovered a suspicious DLL loaded into the company’s OWA server – a webmail component of the Microsoft Exchange server.

“Although it had the same name as another benign DLL, the suspicious DLL went unsigned and was loaded from a different directory,” read Cybereason’s report.

The malicious ‘OWAAUTH.DLL’ contained a backdoor. In addition, it installed an ISAPI filter into the IIS server and filtered HTTPS requests.

“This enabled the hackers to get all requests in cleartext after SSL/TLS decryption. The malware replaced the OWAAUTH by installing an IIS filter in the registry, which enabled the malware to automatically load and persist on every subsequent server restart.”

Ken Westin, Senior Security Analyst at Tripwire, said this attack shows the importance of being hyper-vigilant when it comes to monitoring critical assets within an organization’s environment.

“Organizations need to pay special attention to what is happening on these critical endpoints, as they can easily lead to an entire network being compromised,” Westin warned.

“Mail servers, active directory servers, databases and other critical systems need to be monitored for any and all system configuration changes, as well as new binaries added to these systems. IT and security teams should be alerted to these changes immediately and have a workflow established for quickly verifying if these changes are authorized and verified as part of a scheduled patch, or if it is a potential malicious piece of malware.”

Westin adds that when dealing with a sophisticated adversary, the malware [attackers] use to target infrastructure uses customized code that will not have signatures, or they may simply use tools available on the systems themselves to harvest data.

“Although threat intelligence can help tell organizations if a particular threat or indicator has been seen by others, they still need strong security intelligence within their own network to identify anomalies and potential threats that may not have been seen before,” urges Westin.

Cybereason told SecurityWeek that the victim in this case was a midsize public services company based in the United States.