New Microsoft Exchange credential stealing malware could be worse than phishing

2 years ago 382

While looking for further Exchange vulnerabilities successful the aftermath of this year's zero-days, Kaspersky recovered an IIS add-on that harvests credentials from OWA whenever, and wherever, idiosyncratic logs in.

malware.jpg

stevanovicigor, Getty Images/iStockphoto

Kaspersky has discovered a malicious add-on for Microsoft's Internet Information Service (IIS) web server bundle that it said is designed to harvest credentials from Outlook Web Access (OWA), the webmail lawsuit for Exchange and Office 365. 

Appropriately dubbed, but debatably pronounced, Owowa, Kaspersky researchers discovered the addon successful the aftermath of the March 2021 Exchange server hack. "While looking for perchance malicious implants that targeted Microsoft Exchange servers, we identified a suspicious binary that had been submitted to a multiscanner work successful precocious 2020," Kaspersky said successful its announcement of the discovery.

SEE: Google Chrome: Security and UI tips you request to know  (TechRepublic Premium)

Owowa is an add-on for IIS, which is itself bundle built to negociate web server services that Microsoft describes arsenic being made up of much than 30 autarkic modules. Owowa is designed to get installed successful IIS, and erstwhile installed looks for grounds that the IIS server it's connected is liable for exposing a business's Exchange server's OWA portal. 

When Owowa sees OWA operating connected its big instrumentality it logs each azygous palmy login to Exchange done OWA by detecting authentication tokens. If it spots one, Owowa stores the username, password, idiosyncratic IP code and timestamp successful a temp record that's RSA encrypted.

Here's wherever Owowa gets truly interesting: All that an attacker needs to harvest information is participate 1 of 3 gibberish usernames into OWA that are really commands. One returns the credentials log encoded successful base64, the 2nd deletes the credentials log, and the 3rd executes immoderate PowerShell bid is typed into the password field. Yikes. 

The what, where, when, who and however of Owowa

To beryllium wide astir 1 thing, Owowa has the imaginable to beryllium incredibly dangerous, said Kaspersky Global Research and Analysis Team elder information researcher Pierre Delcher. 

"This is simply a acold stealthier mode to summation distant entree than sending phishing emails. In addition, portion IIS configuration tools tin beryllium leveraged to observe specified threats, they are not portion of modular record and web monitoring activities, truthful Owowa mightiness beryllium easy overlooked by information tools," Delcher said

This isn't a hypothetical, either: Owowa has been seen targeting authorities organizations and authorities agencies successful Malaysia, Mongolia, Indonesia and The Philippines, and Kaspersky said that determination are apt further victims successful Europe arsenic well. 

"The malicious module described successful this station represents an effectual enactment for attackers to summation a beardown foothold successful targeted networks by persisting wrong an Exchange server," Kaspersky said. It cited reasons including persistence erstwhile Exchange servers are updated, quality to taxable malicious codification successful innocuous requests and wholly passive quality that removes relying connected idiosyncratic disorder to succeed. 

Kaspersky said that it was incapable to retrieve capable information to bespeak that Owowa infections were utilized to motorboat an further corruption concatenation oregon post-infection activities. Kaspersky besides said that it's not definite however Owowa was initially deployed, extracurricular of the anticipation that its owners jumped connected the Exchange server compromises earlier successful 2021. 

SEE: Password breach: Why popular civilization and passwords don't premix (free PDF) (TechRepublic)

The codification that Kaspersky was capable to analyse from Owowa indicates creativity, it said, but besides an amateur's touch. "The practices exhibited by what is apt an inexperienced developer don't look to correspond with specified strategical targeting," Kaspersky said. 

One specified lawsuit of sloppy codification was the creator's enactment of "ignoring explicit warnings from Microsoft" astir risky improvement practices successful HTTP modules (of which Owowa is one) that tin clang servers. So, it's fundamentally doubly arsenic unsafe for an infected server: Either information gets stolen, oregon the full happening falls apart. 

How to observe and combat Owowa

If its earthy imaginable for undetected information theft isn't capable of a crushed to ticker retired for Owowa, see its earthy imaginable to clang your Exchange oregon IIS servers arsenic different crushed to instrumentality the close precautions. 

Kaspersky makes the pursuing 4 recommendations for protecting yourself from Owowa and akin threats:

  • Check each IIS modules connected exposed IIS servers regularly — particularly if that IIS server deals with Exchange. 
  • Focus connected detecting lateral movements and information exfiltration to the internet. Pay attraction to outgoing postulation successful particular, and make regular backups that are easy accessible.
  • Use trusted endpoint detection and effect bundle to place and halt attacks aboriginal on.
  • Use trusted endpoint information bundle powered by exploit prevention, behaviour detection and remediation engines that tin rotation backmost malicious actions. 

If you're funny astir detecting Owowa infections, Kaspersky's afloat study contains steps connected utilizing appcmd.exe oregon the ISS configuration instrumentality to question retired and place Owowa and different malicious modules.

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays

Sign up today

Also spot

Read Entire Article