A backdoor planted on an Outlook Web App (OWA) server gave attackers access to the passwords and mail accounts of an entire organization.

A team of information security specialists from Cybereason discovered a malicious module among the files of the OWA server of a company with more than 19,000 accounts. The company was not named.
The Cybereason customer noticed suspicious activity on its internal network and turned to the security firm for help. During the investigation of the intrusion, the analysts found that one of the DLLs on the customer's OWA server had been replaced. Unlike the legitimate OWAAUTH.dll, the backdoored DLL carried no digital signature and was loaded from a different directory.
OWAAUTH.dll is part of the OWA authentication path, so a backdoored copy receives every request to OWA after the HTTPS connection has been terminated by IIS, that is, in plaintext. The attackers could therefore harvest the credentials and any other personal data of every user who logged in to the server.
"In this case, the hackers managed to establish a strategically important position on the OWA server," Cybereason writes in its report analyzing the attack on Outlook Web App. "In fact, OWA requires a relatively permissive network access policy from an organization. In this case, Outlook Web App was configured so that the server could be reached remotely over the Internet. This is the main reason the hackers were able to establish persistent control over the company's entire environment while remaining undetected for many months."
OWA is an attractive target for attackers because corporate mail sits at the boundary between the Internet and the corporate intranet. Because OWA was the remote access point through which users logged in to their accounts, and OWA authenticates those logins against the Windows domain, it gave the attackers a route to the domain credentials of the entire organization. Cybereason did not say how widespread this attack might be. Since malware is rarely written for a single target, other large organizations may also be affected.
Administrators of organizations running OWA should check their mail servers for this kind of backdoor. At a minimum, verify that the OWAAUTH.dll actually loaded by the IIS worker processes carries a valid Microsoft signature and lives inside the Exchange installation directory; a copy that fails either check should be pulled for analysis.
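The following PowerShell is an added example of that check; it is not code from the Cybereason report or from Microsoft. It looks for the two indicators the article describes: an OWAAUTH.dll that is unsigned (or not signed by Microsoft) and one loaded from outside the Exchange installation directory. It must run as an administrator on the Exchange server so that it can enumerate the modules of w3wp.exe. The fallback install path, the `C:\inetpub` search location and the "Microsoft Corporation" signer match are assumptions about a standard installation and may need adjusting.

```powershell
# Added example (not from the Cybereason report or from Microsoft).
# Audits every OWAAUTH.dll an Exchange/OWA server has on disk or loaded in IIS
# for a missing/non-Microsoft Authenticode signature and for an unexpected path.
# Assumptions: Exchange exports $env:ExchangeInstallPath; the V15 literal below,
# the C:\inetpub search root and the signer match are standard-setup assumptions.

function Test-OwaAuthDll {
    [CmdletBinding()]
    param(
        # Root of the Exchange installation (assumption: V15 layout if the env var is absent).
        [string]$ExchangeRoot = $(if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath }
                                  else { 'C:\Program Files\Microsoft\Exchange Server\V15\' })
    )

    $results = New-Object System.Collections.Generic.List[object]

    # 1. What is actually running: OWAAUTH.dll instances mapped into IIS worker processes.
    #    A planted copy has to be loaded by w3wp.exe to see authentication traffic.
    $loaded = @()
    Get-Process -Name w3wp -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try {
            $loaded += $proc.Modules |
                Where-Object { $_.ModuleName -ieq 'OWAAUTH.dll' } |
                Select-Object -ExpandProperty FileName
        } catch {
            Write-Warning "Cannot enumerate modules of w3wp PID $($proc.Id): $_"
        }
    }

    # 2. What is on disk: every OWAAUTH.dll under the Exchange tree and under inetpub,
    #    which covers the legitimate copy and the usual places a substitute ends up.
    $onDisk = Get-ChildItem -Path $ExchangeRoot, 'C:\inetpub' -Filter 'OWAAUTH.dll' `
                            -Recurse -File -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty FullName

    foreach ($path in (@($loaded) + @($onDisk) | Sort-Object -Unique)) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

        # Both the chain must verify and the signer must be Microsoft; a self-signed
        # or third-party signature on this file is as suspicious as no signature.
        $signedByMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')
        $inExchangePath    = $path.StartsWith($ExchangeRoot, [System.StringComparison]::OrdinalIgnoreCase)

        $results.Add([pscustomobject]@{
            Path            = $path
            LoadedByIis     = ($loaded -icontains $path)
            SignatureStatus = $sig.Status
            Signer          = $signer
            InExchangePath  = $inExchangePath
            Sha256          = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            # Either indicator alone is enough to warrant pulling the file for analysis.
            Suspicious      = -not ($signedByMicrosoft -and $inExchangePath)
        })
    }
    return $results
}

# Usage: list every copy found and flag the ones that fail either check.
Test-OwaAuthDll | Format-Table Path, LoadedByIis, SignatureStatus, InExchangePath, Suspicious -AutoSize
```

The `LoadedByIis` column matters more than the on-disk listing: a stray unsigned copy that nothing loads is untidy, but a copy that w3wp.exe has mapped and that is either unsigned or outside the Exchange path matches exactly what Cybereason found. Keep the SHA256 of anything flagged so the file can be compared against a known-good installation and submitted for analysis.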