URL: https://threatpost.com/malicious-exchange-server-module-outlook-credentials/177077/
Submission: On December 15 via api from US — Scanned from DE
MALICIOUS EXCHANGE SERVER MODULE HOOVERS UP OUTLOOK CREDENTIALS

Author: Tara Seals
December 15, 2021 2:34 pm
“Owowa” stealthily lurks on IIS servers, waiting to harvest successful logins
when an Outlook Web Access (OWA) authentication request is made.

Researchers have uncovered a previously unknown malicious IIS module, dubbed
Owowa, that steals credentials when users log into Microsoft Outlook Web Access
(OWA).

Internet Information Services (IIS), Microsoft’s web server/web-hosting
software suite, can be extended via various add-ons that are known as modules.

Like plugins for WordPress or Chrome extensions, IIS modules offer an attractive
way to side-load malicious features into web-facing applications. In this case,
Owowa infects Exchange servers, exposing Exchange’s OWA function. Beyond
credential theft, it allows remote attackers to run commands on the underlying
server and to establish a foothold for access to the broader network,
researchers warned.

“[It] allows the attackers to steal login credentials for Outlook Web Access and
gain remote access control to the underlying server,” according to researchers
at Kaspersky, in a Tuesday writeup. “Its malicious capabilities can easily be
launched by sending seemingly innocuous requests – in this case, OWA
authentication requests.”

The module is also stealthy and difficult to detect, and it offers persistence
even in the face of software updates from Exchange, according to Pierre Delcher,
senior security researcher with Kaspersky’s Global Research and Analysis Team
(GReAT).

“The particular danger with Owowa is that an attacker can use the module to
passively steal credentials from users who are legitimately accessing web
services,” he explained. “This is a far stealthier way to gain remote access
than sending phishing emails. In addition, while IIS configuration tools can be
leveraged to detect such threats, they are not part of standard file and network
monitoring activities, so Owowa might be easily overlooked by security tools.”

The malicious module can be loaded by a cyberattacker that has initial access to
the server environment (perhaps by exploiting the ProxyLogon or ProxyShell
vulnerabilities), researchers explained. It’s loaded using the PowerShell script
shown below:

[Figure: the PowerShell loader script, shown as an image in the original article. Source: Kaspersky.]

“The module is first registered in the global assembly cache, and can then be
loaded by the IIS server that is running the OWA application,” according to
Kaspersky.

Once installed, the module monitors HTTP requests and responses for OWA traffic
by hooking the “PreSendRequestContent” event, according to Kaspersky. When an
OWA authentication request is made, it springs into action, first confirming
that the login attempt succeeded by checking whether the OWA application is
sending an authentication token back to the user. If so, the username,
password, user’s IP address and current timestamp are stored in a file,
encrypted with RSA.

Cybercriminals can interact with Owowa and exfiltrate the harvested logins by
entering specially crafted commands – detailed below – into the username and
password fields in the OWA log-in page of the compromised server, according to
Kaspersky’s analysis.

 * If the OWA username is jFuLIXpzRdateYHoVwMlfc, Owowa will return the
   encrypted credentials log, encoded in base64;
 * If the OWA username is Fb8v91c6tHiKsWzrulCeqO, the malicious module deletes
   the content of the encrypted credentials log, and returns the OK string
   (encrypted using RSA);
 * If the OWA username is dEUM3jZXaDiob8BrqSy2PQO1, Owowa executes the command
   that is typed in the OWA password field using PowerShell on the compromised
   server. The result of the command is encrypted (as previously described) and
   returned to the operator.


TRACKING OWOWA’S DEVELOPMENT

Researchers uncovered that Owowa was compiled sometime between late 2020 and
April 2021, ironically around the same time that the aforementioned ProxyLogon
set of four critical vulnerabilities in Microsoft Exchange servers was found,
giving attackers the ability to gain access to registered email accounts and
execute arbitrary code. The module has been used since then to target government
and public-sector victims in Indonesia, Malaysia, Mongolia and the Philippines,
including a state transportation company. Researchers suspect there are also
victims in Europe.

Kaspersky researchers could not link Owowa to any specific threat actor, beyond
noting the use of the username “S3crt” in the coding. The name is linked to the
development of other malicious binary loaders, researchers noted. However, the
handle could very well be used by multiple individuals. It’s also the username
on an account on RAID Forums, which specializes in Core Impact: a popular
penetration-testing software suite.

Whatever may be the case with S3crt, the operator is unlikely to be an advanced
persistent threat (APT) despite the victimology and obvious goal of espionage,
according to the analysis. That’s because the development shows some rookie
mistakes.

For instance, the creators ignored explicit warnings from Microsoft regarding
several risky development practices for HTTP modules, which may result in server
crashes (thus alerting admins to Owowa’s presence). And, they left behind
sensitive information on the development environment, clearly visible in
publicly available samples. These can be used to find links to further samples
or online profiles.

“The good news is the attackers don’t appear highly sophisticated,” said Paul
Rascagneres, senior security researcher with Kaspersky’s GReAT. “Companies
should closely monitor Exchange servers since they are highly sensitive and
contain all corporate emails. We also recommend considering all running modules
as critical and checking them regularly.”


HOW TO PROTECT AGAINST MALICIOUS IIS MODULES

To defend against the threat, Kaspersky recommended that organizations:

 * Regularly check loaded IIS modules on exposed IIS servers (notably Exchange
   servers), leveraging existing tools from the IIS server suite. Malicious IIS
   modules, and Owowa in particular, can be identified by using the command
   “appcmd.exe” or the IIS configuration tool, which lists all the loaded
   modules on a given IIS server.
 * Check for such modules as part of regular threat-hunting activities, and
   every time a major vulnerability is announced on Microsoft server products.
 * Focus the defense strategy on detecting lateral movement and data
   exfiltration to the internet, paying special attention to outgoing traffic to
   detect cybercriminal connections.
 * Back up data regularly and make sure it can be quickly accessed in an
   emergency.
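The module inventory from the first recommendation, as an added PowerShell example that is not Kaspersky’s or Threatpost’s code: it lists the managed and native modules IIS will load (the same information that “appcmd.exe list modules” shows), locates each module’s backing binary and flags any that does not carry a valid Microsoft signature. It assumes the WebAdministration module, an elevated session on the IIS host and the standard GAC directory layout; application-level web.config entries (for example under the OWA application itself) would need an additional pass.

```powershell
# Added example (not Kaspersky's or Threatpost's code): inventory IIS modules and
# flag binaries that are not Microsoft-signed. Run elevated on the IIS/Exchange host.
Import-Module WebAdministration

# GAC roots where a managed module "registered in the global assembly cache" ends up.
$GacRoots = @(
    "$env:windir\Microsoft.NET\assembly\GAC_MSIL",
    "$env:windir\Microsoft.NET\assembly\GAC_64",
    "$env:windir\assembly\GAC_MSIL"
)

# Resolve an assembly-qualified type ("Ns.Type, AsmName, Version=..., PublicKeyToken=...")
# to its DLL in the GAC. In-box ASP.NET modules use bare type names and return $null.
function Resolve-ManagedModuleDll {
    param([string]$TypeName)
    $parts = $TypeName -split ','
    if ($parts.Count -lt 2) { return $null }
    $asm = $parts[1].Trim()
    foreach ($root in $GacRoots) {
        $dir = Join-Path $root $asm
        if (Test-Path $dir) {
            $hit = Get-ChildItem -Path $dir -Recurse -Filter "$asm.dll" | Select-Object -First 1
            if ($hit) { return $hit.FullName }
        }
    }
    return $null
}

# Authenticode status plus signer subject for one binary.
function Get-SignerInfo {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path $Path)) { return 'binary not found' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return "$($sig.Status) / $($sig.SignerCertificate.Subject)"
}

# Server-wide config plus every site; site scope returns effective (inherited) entries,
# so server-level modules repeat once per site.
$scopes = @('MACHINE/WEBROOT/APPHOST') + (Get-Website | ForEach-Object { "IIS:\Sites\$($_.Name)" })

$report = foreach ($scope in $scopes) {
    # Managed (.NET) modules: the kind described in the article.
    foreach ($m in Get-WebConfiguration -PSPath $scope -Filter 'system.webServer/modules/add') {
        $dll = Resolve-ManagedModuleDll $m.type
        $info = if ($dll) { Get-SignerInfo $dll }
                elseif (($m.type -split ',').Count -ge 2) { 'assembly-qualified type not found in GAC' }
                else { 'in-box ASP.NET module' }
        [pscustomobject]@{ Scope = $scope; Kind = 'managed'; Name = $m.name; Binary = $dll; Signer = $info }
    }
    # Native modules are declared once, server-wide, with an explicit image path.
    if ($scope -eq 'MACHINE/WEBROOT/APPHOST') {
        foreach ($n in Get-WebConfiguration -PSPath $scope -Filter 'system.webServer/globalModules/add') {
            $img = [Environment]::ExpandEnvironmentVariables($n.image)
            [pscustomobject]@{ Scope = $scope; Kind = 'native'; Name = $n.name; Binary = $img; Signer = (Get-SignerInfo $img) }
        }
    }
}

# Anything without a valid Microsoft signature (or with no locatable binary) deserves a closer look.
$report |
    Where-Object { $_.Signer -ne 'in-box ASP.NET module' -and
                   $_.Signer -notmatch '^Valid / CN=Microsoft (Corporation|Windows)' } |
    Format-Table -AutoSize
```

Review the flagged rows against a known-good Exchange server of the same version, since legitimately unsigned third-party modules (load balancers, monitoring agents) will also appear here.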
