
Researchers find credential-stealing webmail server APT attack

Security researchers have discovered a new and unique advanced persistent threat (APT) technique that involves a malicious module loaded onto a webmail server

Security researchers have discovered a webmail server attack that enables attackers to steal corporate credentials and underlines the need for continuous monitoring.

The attack, which the researchers described as a new and unique advanced persistent threat (APT) technique, involves a malicious module loaded onto a webmail server.

Using a malicious dynamic link library (DLL) loaded into a company’s Outlook Web Application (OWA) server, attackers were able to record authentication credentials and gain complete backdoor capabilities, according to researchers at security firm Cybereason.

“By using this approach, the hackers managed to collect and retain ownership over a large set of credentials, allowing them to maintain persistent control over the organisation’s environment,” said Cybereason chief technology officer Yonatan Striem-Amit and senior researcher Yoav Orot in a report.

The researchers discovered the malicious DLL after deploying monitoring across a customer’s entire environment of 19,000 endpoints.

Although it had the same name as another benign DLL, the malicious DLL was unsigned and loaded from a different directory.

The attack exploits the fact that unlike other web servers that typically only have a web interface, OWA has a critical internal infrastructure that also faces the internet, making it an intermediary between the internal, allegedly protected DMZ and the web.

The targeted company was using OWA to enable remote user access to Outlook. This configuration of OWA created an ideal attack platform because the server was exposed both internally and externally, the researchers said.

“As OWA authentication is based on domain credentials, whoever gains access to the OWA server becomes the owner of the entire organisation’s domain credentials,” they said.

The hackers installed a backdoored, malicious version of owaauth.dll, the DLL that OWA uses as part of its authentication mechanism and that is responsible for authenticating users against the Active Directory server used in the environment.

The researchers found the malicious owaauth.dll also installed an ISAPI filter into the IIS server and was filtering HTTP requests.

“This enabled the hackers to get all requests in clear text after SSL/TLS decryption. The malware replaced the owaauth.dll by installing an IIS filter in the registry, which enabled the malware to automatically load and persist on every subsequent server restart,” the researchers said.

The final touch was the hackers' choice of the .NET assembly cache, which stores locally compiled native binaries to accelerate the loading and execution of .NET applications.

These locally compiled binaries are only used on the computer on which they were generated, and thus have no reputation or digital signatures, which the hackers relied on in an attempt to avoid detection.
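The three signals described above (a familiar DLL name, no signature, an unexpected load directory) can be checked mechanically against image-load telemetry. The following is an added example, not code from the article or from Cybereason; it assumes records carrying the `Image`, `ImageLoaded` and `Signed` fields of Sysmon Event ID 7, and the baseline and every path in it are constructed placeholders.

```python
import ntpath

# Constructed baseline: module file name -> directory it is expected to load from.
# Placeholder path, not a location taken from the Cybereason report.
BASELINE = {"owaauth.dll": r"c:\example\exchange\owa\auth"}

# Constructed image-load records using a few Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\example\inetsrv\w3wp.exe",
     "ImageLoaded": r"C:\Example\Exchange\Owa\Auth\owaauth.dll", "Signed": "true"},
    {"Image": r"C:\example\inetsrv\w3wp.exe",
     "ImageLoaded": r"C:\example\dotnet-cache\OWAAUTH.DLL", "Signed": "false"},
    {"Image": r"C:\example\inetsrv\w3wp.exe",
     "ImageLoaded": r"C:\example\temp\helper.dll", "Signed": "false"},
]


def assess(event, baseline=BASELINE):
    """Return the reasons an image load deserves an alert (empty list if none)."""
    # Windows paths are case-insensitive, so normalise before comparing.
    path = ntpath.normcase(ntpath.normpath(event["ImageLoaded"]))
    directory, name = ntpath.split(path)
    signed = str(event.get("Signed", "")).lower() == "true"
    reasons = []
    expected = baseline.get(name)
    if expected is None:
        reasons.append("module not in baseline")
    elif directory != ntpath.normcase(ntpath.normpath(expected)):
        reasons.append("known module name loaded from unexpected directory")
    if not signed:
        reasons.append("unsigned")
    return reasons


def triage(events, baseline=BASELINE):
    """Map each suspicious ImageLoaded path to the reasons it was flagged."""
    findings = {}
    for event in events:
        reasons = assess(event, baseline)
        if reasons:
            findings[event["ImageLoaded"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{path}: {', '.join(reasons)}")
```
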

Access to users’ identity

The researchers said the hackers’ first goal was to use the visibility they had gained into the OWA authentication process to steal the passwords of users logging into OWA. From this, the attackers gained complete access to every identity and therefore every asset in the organisation.

The researchers said the malware also possessed covert backdoor functionality, both to give the hackers access to the usernames and passwords and to ensure they could gain more control over the environment.

“Only by automating detection and analysis was this clever hack detected, understood and contained,” the researchers said.

Ken Westin, senior security analyst at Tripwire, said this attack shows the importance of being hyper-vigilant when it comes to monitoring critical assets in an organisation’s environment.

“Organisations need to pay special attention to what is happening on these critical endpoints, as they can easily lead to an entire network being compromised,” he said.

According to Westin, mail servers, Active Directory servers, databases and other critical systems need to be monitored for any and all system configuration changes, as well as for new binaries added to these systems.

“IT and security teams should be alerted to these changes immediately. They should have a workflow established for quickly verifying if these changes are authorised and verified as part of a scheduled patch, or if it is a potential malicious piece of malware,” he said.

Westin said the malware that attackers use to target infrastructure typically has customised code that will not have signatures. They may also simply use tools available on the systems themselves to harvest data.

“Although threat intelligence can help tell organisations if a particular threat or indicator has been seen by others, they still need strong security intelligence in their own networks to identify anomalies and potential threats that may not have been seen before,” he said.
