threatpost.com
Open in
urlscan Pro
35.173.160.135
Public Scan
URL:
https://threatpost.com/malicious-exchange-server-module-outlook-credentials/177077/
Submission: On December 15 via api from US — Scanned from DE
Submission: On December 15 via api from US — Scanned from DE
Form analysis
4 forms found in the DOMPOST /malicious-exchange-server-module-outlook-credentials/177077/#gf_5
<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_5" id="gform_5" action="/malicious-exchange-server-module-outlook-credentials/177077/#gf_5">
<div class="gform_body">
<ul id="gform_fields_5" class="gform_fields top_label form_sublabel_below description_below">
<li id="field_5_8" class="gfield field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_8"></label>
<div class="ginput_container ginput_container_text"><input name="input_8" id="input_5_8" type="text" value="" class="medium" placeholder="Your name" aria-invalid="false"></div>
</li>
<li id="field_5_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_1"><span class="gfield_required">*</span></label>
<div class="ginput_container ginput_container_email">
<input name="input_1" id="input_5_1" type="text" value="" class="medium" placeholder="Your e-mail address" aria-required="true" aria-invalid="false">
</div>
</li>
<li id="field_5_9" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden"><input name="input_9" id="input_5_9" type="hidden" class="gform_hidden"
aria-invalid="false" value=""></li>
<li id="field_5_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label"><span class="gfield_required">*</span></label>
<div class="ginput_container ginput_container_checkbox">
<ul class="gfield_checkbox" id="input_5_2">
<li class="gchoice_5_2_1">
<input name="input_2.1" type="checkbox" value="I agree" id="choice_5_2_1">
<label for="choice_5_2_1" id="label_5_2_1">I agree to my personal data being stored and used to receive the newsletter</label>
</li>
</ul>
</div>
</li>
<li id="field_5_5" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label"><span class="gfield_required">*</span></label>
<div class="ginput_container ginput_container_checkbox">
<ul class="gfield_checkbox" id="input_5_5">
<li class="gchoice_5_5_1">
<input name="input_5.1" type="checkbox" value="I agree" id="choice_5_5_1">
<label for="choice_5_5_1" id="label_5_5_1">I agree to accept information and occasional commercial offers from Threatpost partners</label>
</li>
</ul>
</div>
</li>
<li id="field_5_10" class="gfield gform_validation_container field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_10">Name</label>
<div class="ginput_container"><input name="input_10" id="input_5_10" type="text" value=""></div>
<div class="gfield_description" id="gfield_description__10">This field is for validation purposes and should be left unchanged.</div>
</li>
</ul>
</div>
<div class="gform_footer top_label"> <input type="submit" id="gform_submit_button_5" class="gform_button button" value="Subscribe" onclick="if(window["gf_submitting_5"]){return false;} window["gf_submitting_5"]=true; "
onkeypress="if( event.keyCode == 13 ){ if(window["gf_submitting_5"]){return false;} window["gf_submitting_5"]=true; jQuery("#gform_5").trigger("submit",[true]); }" style="display: none;"> <input
type="hidden" name="gform_ajax" value="form_id=5&title=&description=&tabindex=0">
<input type="hidden" class="gform_hidden" name="is_submit_5" value="1">
<input type="hidden" class="gform_hidden" name="gform_submit" value="5">
<input type="hidden" class="gform_hidden" name="gform_unique_id" value="">
<input type="hidden" class="gform_hidden" name="state_5" value="WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=">
<input type="hidden" class="gform_hidden" name="gform_target_page_number_5" id="gform_target_page_number_5" value="0">
<input type="hidden" class="gform_hidden" name="gform_source_page_number_5" id="gform_source_page_number_5" value="1">
<input type="hidden" name="gform_field_values" value="">
</div>
</form>
GET https://threatpost.com/
<form class="c-site-search__form" role="search" method="get" action="https://threatpost.com/">
<input type="text" class="c-site-search__field" name="s" placeholder="Search">
<button type="submit" class="c-button c-button--secondary c-button--smaller c-site-search__button" value="Search"><svg class="icon fill">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://threatpost.com/wp-content/themes/threatpost-2018/assets/sprite/icons.svg#icon-search"></use>
</svg> Search</button>
<div class="c-site-search__overlay"></div>
</form>
POST https://threatpost.com/wp-comments-post.php
<form action="https://threatpost.com/wp-comments-post.php" method="post" id="commentform" class="comment-form">
<div class="o-row">
<div class="o-col-12@md">
<div class="c-form-element"><textarea id="comment" name="comment" cols="45" rows="8" aria-required="true" placeholder="Write a reply..."></textarea></div>
</div>
</div>
<div class="o-row">
<div class="o-col-6@md">
<div class="c-form-element"><input id="author" name="author" placeholder="Your name" type="text" value="" size="30"></div>
</div>
<div class="o-col-6@md">
<div class="c-form-element"><input id="email" name="email" placeholder="Your email" type="text" value="" size="30"></div>
</div>
</div>
<p class="form-submit"><input name="submit" type="submit" id="submit" class="c-button c-button--primary" value="Send Comment"> <input type="hidden" name="comment_post_ID" value="177077" id="comment_post_ID">
<input type="hidden" name="comment_parent" id="comment_parent" value="0">
</p>
<p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="58a9525bc0"></p><!-- the following input field has been added by the Honeypot Comments plugin to thwart spambots -->
<input type="hidden" id="WIQeVBdQjGNdDFvRvTjT9erPM" name="r99EsdkRzoSTCRFwYZaTEIjiX">
<script type="text/javascript">
document.addEventListener("input", function(event) {
if (!event.target.closest("#comment")) return;
var captchaContainer = null;
captchaContainer = grecaptcha.render("recaptcha-submit-btn-area", {
"sitekey": "6LfsdrAaAAAAAMVKgei6k0EaDBTgmKv6ZQrG7aEs",
"theme": "standard"
});
});
</script>
<script src="https://www.google.com/recaptcha/api.js?hl=en&render=explicit" async="" defer=""></script>
<div id="recaptcha-submit-btn-area"> </div>
<noscript>
<style type="text/css">
#form-submit-save {
display: none;
}
</style>
<input name="submit" type="submit" id="submit-alt" tabindex="6" value="Submit Comment">
</noscript><textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100" style="display: none !important;"></textarea><input type="hidden" id="ak_js" name="ak_js" value="1639597279195">
</form>
GET https://threatpost.com/
<form class="c-site-search__form" role="search" method="get" action="https://threatpost.com/">
<input type="text" class="c-site-search__field" name="s" placeholder="Search">
<button type="submit" class="c-button c-button--secondary c-button--smaller c-site-search__button" value="Search"><svg class="icon fill">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://threatpost.com/wp-content/themes/threatpost-2018/assets/sprite/icons.svg#icon-search"></use>
</svg> Search</button>
<div class="c-site-search__overlay"></div>
</form>
Text Content
Newsletter SUBSCRIBE TO OUR THREATPOST TODAY NEWSLETTER Join thousands of people who receive the latest breaking cybersecurity news every day. The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter. * * * * * * * I agree to my personal data being stored and used to receive the newsletter * * * I agree to accept information and occasional commercial offers from Threatpost partners * Name This field is for validation purposes and should be left unchanged. This iframe contains the logic required to handle Ajax powered Gravity Forms. The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter. Threatpost * Cloud Security * Malware * Vulnerabilities * InfoSec Insiders * Webinars * * * * * * * Search * SAP Kicks Log4Shell Vulnerability Out of 20 AppsPrevious article * MALICIOUS EXCHANGE SERVER MODULE HOOVERS UP OUTLOOK CREDENTIALS Author: Tara Seals December 15, 2021 2:34 pm 4 minute read Write a comment Share this article: * * “Owowa” stealthily lurks on IIS servers, waiting to harvest successful logins when an Outlook Web Access (OWA) authentication request is made. Researchers have uncovered a previously unknown malicious IIS module, dubbed Owowa, that steals credentials when users log into Microsoft Outlook Web Access (OWA). Internet Information Services (IIS), Microsoft’s web server/web-hosting software suite, can be extended via various add-ons that are known as modules. Like plugins for WordPress or Chrome extensions, IIS modules offer an attractive way to side-load malicious features into web-facing applications. In this case, Owowa infects Exchange servers, exposing Exchange’s OWA function. Beyond credential theft, it allows remote attackers to run commands on the underlying server and to establish a foothold for access to the broader network, researchers warned. “[It] allows the attackers to steal login credentials for Outlook Web Access and gain remote access control to the underlying server,” according to researchers at Kaspersky, in a Tuesday writeup. “Its malicious capabilities can easily be launched by sending seemingly innocuous requests – in this case, OWA authentication requests.” The module is also stealthy and difficult to detect, and it offers persistence even in the face of software updates from Exchange, according to Pierre Delcher, senior security researcher with Kaspersky’s Global Research and Analysis Team (GReAT). “The particular danger with Owowa is that an attacker can use the module to passively steal credentials from users who are legitimately accessing web services,” he explained. “This is a far stealthier way to gain remote access than sending phishing emails. In addition, while IIS configuration tools can be leveraged to detect such threats, they are not part of standard file and network monitoring activities, so Owowa might be easily overlooked by security tools.” The malicious module can be loaded by a cyberattacker that has initial access to the server environment (perhaps by exploiting the ProxyLogon or ProxyShell vulnerabilities), researchers explained. It’s loaded using the PowerShell script shown below: Source: Kaspersky. “The module is first registered in the global assembly cache, and can then be loaded by the IIS server that is running the OWA application,” according to Kaspersky. Once installed, the module monitors HTTP requests and responses for OWA traffic by hooking the “PreSendRequestContent” event, according to Kaspersky. When an OWA authentication request is made, it springs into action, first checking that the login attempt was successful by checking that the OWA application is sending an authentication token back to the user. If that’s the case, the username, password, user’s IP address and current timestamp are stored in a file and encoded with RSA encryption. Cybercriminals can interact with Owowa and exfiltrate the harvested logins by entering specially crafted commands – detailed below – into the username and password fields in the OWA log-in page of the compromised server, according to Kaspersky’s analysis. * If the OWA username is jFuLIXpzRdateYHoVwMlfc, Owowa will return the encrypted credentials log, encoded in base64; * If the OWA username is Fb8v91c6tHiKsWzrulCeqO, the malicious module deletes the content of the encrypted credentials log, and returns the OK string (encrypted using RSA); * If the OWA username is dEUM3jZXaDiob8BrqSy2PQO1, Owowa executes the command that is typed in the OWA password field using PowerShell on the compromised server. The result of the command is encrypted (as previously described) and returned to the operator. TRACKING OWOWA’S DEVELOPMENT Researchers uncovered that Owowa was compiled sometime between late 2020 and April 2021, ironically around the same time that the aforementioned ProxyLogon set of four critical vulnerabilities in Microsoft Exchange servers were found, giving attackers the ability to gain access to registered email accounts and execute arbitrary code. The module has been used since then to target government and public-sector victims in Indonesia, Malaysia, Mongolia and the Philippines, including a state transportation company. Researchers suspect there are also victims in Europe. Kaspersky researchers could not link Owowa to any specific threat actor, beyond noting the use of the username “S3crt” in the coding. The name is linked to the development of other malicious binary loaders, researchers noted. However, the handle could very well be used by multiple individuals. It’s also the username on an account on RAID Forums, which specializes in Core Impact: a popular penetration-testing software suite. Whatever may be the case with S3crt, the operator is unlikely to be an advanced persistent threat (APT) despite the victimology and obvious goal of espionage, according to the analysis. That’s because the development shows some rookie mistakes. For instance, the creators ignored explicit warnings from Microsoft regarding several risky development practices for HTTP modules, which may result in server crashes (thus alerting admins to Owowa’s presence). And, they left behind sensitive information on the development environment, clearly visible in publicly available samples. These can be used to find links to further samples or online profiles. “The good news is the attackers don’t appear highly sophisticated,” said Paul Rascagneres, senior security researcher with Kaspersky’s GReAT. “Companies should closely monitor Exchange servers since they are highly sensitive and contain all corporate emails. We also recommend considering all running modules as critical and checking them regularly.” HOW TO PROTECT AGAINST MALICIOUS IIS MODULES To defend against the threat, Kaspersky recommended that organizations: * Regularly check loaded IIS modules on exposed IIS servers (notably Exchange servers), leveraging existing tools from the IIS server suite. Malicious IIS modules, and Owowa in particular, can be identified by using the command “appcmd.exe” or the IIS configuration tool, which lists all the loaded modules on a given IIS server. * Check for such modules as part of regular threat-hunting activities, and every time a major vulnerability is announced on Microsoft server products. * Focus the defense strategy on detecting lateral movement and data exfiltration to the internet, paying special attention to outgoing traffic to detect cybercriminal connections. * Back up data regularly and make sure it can be quickly accessed in an emergency. Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community. Write a comment Share this article: * Malware * Privacy * Web Security SUGGESTED ARTICLES SAP KICKS LOG4SHELL VULNERABILITY OUT OF 20 APPS SAP’s still feverishly working to patch another 12 apps vulnerable to the Log4Shell flaw, while its Patch Tuesday release includes 21 other fixes, some rated at 9.9 criticality. December 15, 2021 APACHE’S FIX FOR LOG4SHELL CAN LEAD TO DOS ATTACKS Not only is the jaw-dropping flaw in the Apache Log4j logging library ubiquitous; Apache’s blanket of a quickly baked patch for Log4Shell also has holes. December 15, 2021 ACTIVELY EXPLOITED MICROSOFT ZERO-DAY ALLOWS APP SPOOFING, MALWARE DELIVERY December’s Patch Tuesday updates address six publicly known bugs and seven critical security vulnerabilities. December 14, 2021 DISCUSSION LEAVE A COMMENT CANCEL REPLY This site uses Akismet to reduce spam. Learn how your comment data is processed. INFOSEC INSIDER * IN 2022, EXPECT MORE SUPPLY CHAIN PAIN AND CHANGING SECURITY ROLES December 14, 2021 * NEXT-GEN MALDOCS & HOW TO SOLVE THE HUMAN VULNERABILITY December 10, 2021 * NOT WITH A BANG BUT A WHISPER: THE SHIFT TO STEALTHY C2 December 8, 2021 * ARE YOU GUILTY OF THESE 8 NETWORK-SECURITY BAD PRACTICES? December 6, 2021 * PANDEMIC-INFLUENCED CAR SHOPPING: JUST USE THE MANUFACTURER API December 3, 2021 Newsletter SUBSCRIBE TO THREATPOST TODAY Join thousands of people who receive the latest breaking cybersecurity news every day. Subscribe now Twitter There’s a sea of unstructured data on the internet relating to the latest #cybersecurity threats. Join Threatpost’s… https://t.co/y6ZfyTh5I0 5 days ago Follow @threatpost NEXT 00:02 01:34 360p 720p HD 1080p HD Auto (360p) About Connatix V142603 Closed Captions About Connatix V142603 1/1 Skip Ad Continue watching after the ad Visit Advertiser website GO TO PAGE SUBSCRIBE TO OUR NEWSLETTER, THREATPOST TODAY! Get the latest breaking news delivered daily to your inbox. Subscribe now Threatpost The First Stop For Security News * Home * About Us * Contact Us * Advertise With Us * RSS Feeds * Copyright © 2021 Threatpost * Privacy Policy * Terms and Conditions * Advertise * * * * * * * TOPICS * Black Hat * Breaking News * Cloud Security * Critical Infrastructure * Cryptography * Facebook * Government * Hacks * IoT * Malware * Mobile Security * Podcasts * Privacy * RSAC * Security Analyst Summit * Videos * Vulnerabilities * Web Security Threatpost * * * * * * * TOPICS * Cloud Security * Malware * Vulnerabilities * Privacy Show all * Black Hat * Critical Infrastructure * Cryptography * Facebook * Featured * Government * Hacks * IoT * Mobile Security * Podcasts * RSAC * Security Analyst Summit * Slideshow * Videos * Web Security AUTHORS * Tara Seals * Tom Spring * Lisa Vaas THREATPOST * Home * About Us * Contact Us * Advertise With Us * RSS Feeds Search * * * * * * * InfoSec Insider INFOSEC INSIDER POST Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial. Sponsored SPONSORED CONTENT Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content. We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information. ACCEPT AND CLOSE