Attackers target OWA for domain credentials

Why spend time targeting Active Directory for domain credentials when Outlook Web Application is just as good -- and far easier to compromise?

A targeted attack against Outlook Web Application (OWA) illustrates how far adversaries will go to establish persistent control over the organization's entire network.

As seen in recent breaches, attackers typically use stolen credentials or malware to get a foothold on the network, and then target the domain controller. Once attackers successfully compromise the domain controller, they can impersonate any user and move freely throughout the enterprise network. Since the OWA server, which provides companies with a Web interface for accessing Outlook and Microsoft Exchange, depends on the domain controller for authentication, whoever gains access to the OWA server automatically wins the domain credentials prize.

Israel-based Cybereason described in a research report how attackers uploaded backdoor malware to a company's OWA server and successfully stole 11,000 usernames and passwords over several months. Most security professionals understand that Active Directory contains sensitive data, but not many consider that OWA can be a source for the exact same sensitive data. And as this attack showed, OWA is not as securely protected as Active Directory.

Attackers were able to take advantage of the fact that organizations typically configure OWA servers with "a relatively lax set of restrictions," the researchers wrote.

In a typical organization, administrators place internal servers and critical business applications behind the firewall and use other security controls to prevent outsiders from getting access. However, organizations configure OWA to be Internet-facing, available internally and externally, to allow users to access their messages from anywhere. That dual nature made OWA an ideal attack platform, as it gave attackers complete backdoor functionality.

"OWA is unique: it is a critical internal infrastructure that also faces the Internet, making it an intermediary between the internal, allegedly protected DMZ, and the Web," Yoav Orot, a senior researcher with Cybereason Labs, and Yonatan Striem-Amit, CTO and co-founder of Cybereason, wrote in the report.

The attackers had uploaded malware with the same name as a legitimate Microsoft Dynamic Link Library (DLL) file to the OWA server. Even though the malicious OWAAUTH.dll was unsigned, that by itself wouldn't have raised any alarms because it was loaded from the .NET assembly cache. The cache is used to store locally compiled native binaries, and those files typically are unsigned and have no reputation. This way, the attackers were able to keep the malware under the radar as if it were just another locally generated file.

"They were Obi-Wan practicing a little Jedi magic, convincing the defender to think: these are not the files you're looking for, move along," Orot and Striem-Amit wrote.

OWAAUTH is responsible for authenticating users against Active Directory. Users never realized their credentials were being stolen because their access to Outlook was not affected. The malware also installed an ISAPI filter into the IIS server to filter HTTP requests and get all the credentials being transferred in cleartext. The information was transferred to a command-and-control center, giving attackers a pool of credentials they could use to impersonate any user, move laterally throughout the network, and even write and execute code on the server.

"This treasure trove essentially gave the hackers complete access to every identity and therefore every asset in the organization," the researchers wrote.

Cybereason did not name the company targeted in the attack but described it as a "mid-sized public services company based in the U.S." Researchers believe it was a targeted campaign because the malware used very specific keywords. The report also did not explain how the attackers got the backdoored DLL file onto the company's network in the first place.

Even so, the attack illustrates how far attackers will go to get domain credentials, and they won't always take the most obvious approach. Critical assets need to be monitored for any changes to the system configuration, and all new files, especially binaries, need to be scrutinized. Attackers can also use existing tools as part of their attacks, making it even more critical that administrators be able to recognize anomalous behavior on the network.
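The two detection points the article raises, an unsigned DLL sitting in the .NET assembly cache under a Microsoft component's name and an ISAPI filter registered in IIS, can be checked from the server itself. The script below is an added example, not code from the Cybereason report or the article; it assumes it runs as Administrator on the Exchange server with the IIS WebAdministration module present, and `$ExchangeRoot` is a placeholder path to adjust for your environment.

```powershell
# Added example: audit an Exchange/OWA host for unsigned DLLs in the places the
# report describes, and list every IIS ISAPI filter with its DLL's signature state.
Import-Module WebAdministration

$ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15'   # placeholder, adjust
$AspNetCaches = @(
    (Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files'),
    (Join-Path $env:WINDIR 'Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files')
)

function Get-DllTrust {
    # Returns the Authenticode state of one file; missing files are reported, not skipped.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Signed = $false; Signer = 'FILE NOT FOUND'; Modified = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path     = $Path
        Signed   = ($sig.Status -eq 'Valid')
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Modified = (Get-Item -LiteralPath $Path).LastWriteTime
    }
}

# 1. Unsigned DLLs under the Exchange install and the ASP.NET compilation cache.
#    The cache legitimately holds unsigned, locally compiled binaries, so sort by
#    modification time and look for names that collide with Microsoft components
#    (OWAAUTH.dll is the name used in the report).
$unsigned = foreach ($root in @($ExchangeRoot) + $AspNetCaches) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-DllTrust -Path $_.FullName } |
        Where-Object { -not $_.Signed }
}
$unsigned | Sort-Object Modified -Descending | Format-Table Path, Signer, Modified -AutoSize

# 2. ISAPI filters registered at the server level. Each one should map to a known,
#    signed DLL; applicationHost.config may store the path with %windir%, so expand it.
Get-WebConfiguration -Filter 'system.webServer/isapiFilters/filter' -PSPath 'MACHINE/WEBROOT/APPHOST' |
    ForEach-Object {
        $dll = [Environment]::ExpandEnvironmentVariables($_.path)
        $t   = Get-DllTrust -Path $dll
        [pscustomobject]@{ Filter = $_.name; Path = $dll; Signed = $t.Signed; Signer = $t.Signer }
    } | Format-Table -AutoSize
```

Run it once on a known-good build to record a baseline, then diff later runs against it; a new entry in either table is the "new binary" the article says needs scrutiny.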

OWA is designed to give remote users access to Outlook, but its flexible nature also made it easier for attackers. Organizations have to be hypervigilant when it comes to monitoring critical assets within the environment. Sometimes that cache file is not benign at all.

Stories by Fahmida Y. Rashid