Hidden parasite: Kaspersky uncovers credential-stealing Microsoft Exchange add-on
December 2021 by Kaspersky
Kaspersky has uncovered a previously unknown IIS module (a piece of software aimed at providing additional features to Microsoft web servers) they have since dubbed Owowa that steals credentials entered by a user when logging into Outlook Web Access (OWA); it also allows the attackers to gain remote control access to the underlying server. Compiled sometime between late 2020 and April 2021, this module is a stealthy theft method that is difficult to detect with network monitoring. It’s also resistant to software updates from Exchange, meaning it can stay hidden on a device for a long time.
In 2021, advanced threat actors were increasingly exploiting vulnerabilities of Microsoft Exchange Server. In March, four critical vulnerabilities in the servers allowed attackers to gain access to all registered email accounts and execute arbitrary code. While searching for additional potentially malicious implants in Exchange, Kaspersky experts uncovered a malicious module that allows the attackers to steal login credentials for Outlook Web Access and gain remote access control to the underlying server. Kaspersky has dubbed this malicious module Owowa, and its malicious capabilities can easily be launched by sending seemingly innocuous requests - in this case, OWA authentication requests. Kaspersky experts believe the module was compiled between late 2020 and April 2021, and it has been seen targeting victims in Malaysia, Mongolia, Indonesia, and the Philippines. Most of the victims were connected with government organisations and another to a state transportation company. It is likely there are additional victims located in Europe.
Detected Owowa targets are located in several regions in Asia
The cybercriminals only need to access the OWA log-in page of a compromised server to enter specially crafted commands into the username and password fields. This is an efficient option for attackers to gain a strong foothold in targeted networks by persisting inside an Exchange server.
Kaspersky researchers could not associate Owowa to any known threat actor. Yet, they did find that it was associated with the username “S3crt”, a developer that may be behind several other malicious binary loaders. However, “S3crt” is a simple derivation of the English word “secret” and could very well be used by multiple individuals. Therefore, it’s also possible that these malicious binary files and Owowa are not connected.
“The particular danger with Owowa is that an attacker can use the module to passively steal credentials from users who are legitimately accessing web services. This is a far stealthier way to gain remote access than sending phishing emails. In addition, while IIS configuration tools can be leveraged to detect such threats, they are not part of standard file and network monitoring activities, so Owowa might be easily overlooked by security tools,” comments Pierre Delcher, Senior Security Researcher with Kaspersky’s Global Research and Analysis Team (GReAT).
“Since Owowa is an IIS module, this also means it persists even if Microsoft Exchange is updated. The good news is, the attackers don’t appear highly sophisticated. Companies should closely monitor Exchange servers since they are highly sensitive and contain all corporate emails. We also recommend considering all running modules as critical and checking them regularly,” comments Paul Rascagneres Senior Security Researcher with Kaspersky’s GReAT.
To protect yourself from such threats, Kaspersky recommends:
• Regularly check loaded IIS modules on exposed IIS servers (notably Exchange servers), leveraging existing tools from from the IIS servers suite. In any case, check for such modules as part of threat hunting activities, every time a major vulnerability is announced on Microsoft server products.
• Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminal connections. Back up data regularly. Make sure you can quickly access it in an emergency.
• Use solutions like Kaspersky Endpoint Detection and Response and the Kaspersky Managed Detection and Response service which help to identify and stop the attack in the early stages, before the attackers achieve their goals.
• Use a reliable endpoint security solution such as Kaspersky Endpoint Security for Business that is powered by exploit prevention, behavior detection and a remediation engine that is able to roll back malicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.