A targeted attack against Outlook Web Application (OWA) illustrates how far adversaries will go to establish persistent control over the organization's entire network.
As seen in recent breaches, attackers typically use stolen credentials or malware to get a foothold on the network, and then target the domain controller. Once attackers successfully compromise the domain controller, they can impersonate any user and move freely throughout the enterprise network. Since the OWA server, which provides companies with a Web interface for accessing Outlook and Microsoft Exchange, depends on the domain controller for authentication, whoever gains access to the OWA server automatically wins the domain credentials prize.
Israel-based Cybereason described in a research report how attackers uploaded backdoor malware to a company's OWA server and successfully stole 11,000 usernames and passwords over several months. Most security professionals understand that Active Directory contains sensitive data, but not many consider that OWA can be a source for the exact same sensitive data. And as this attack showed, OWA is not as securely protected as Active Directory.
Attackers were able to take advantage of the fact that organizations typically configure OWA servers with "a relatively lax set of restrictions," the researchers wrote.
In a typical organization, administrators place internal servers and critical business applications behind the firewall and use other security controls to prevent outsiders from getting access. However, organizations configure OWA to be Internet-facing, available internally and externally, to allow users to access their messages from anywhere. That dual nature made OWA an ideal attack platform, as it gave attackers complete backdoor functionality.
"OWA is unique: it is a critical internal infrastructure that also faces the Internet, making it an intermediary between the internal, allegedly protected DMZ, and the Web," Yoav Orot, a senior researcher with Cybereason Labs, and Yonatan Striem-Amit, CTO and co-founder of Cybereason, wrote in the report.
The attackers had uploaded malware with the same name as a legitimate Microsoft Dynamic Link Library (DLL) file to the OWA server. Even though the malicious OWAAUTH.dll was unsigned, that by itself wouldn't have raised any alarms, because it was loaded from the .NET assembly cache. The cache is used to store locally compiled native binaries, and those files typically are unsigned and have no reputation. This way, the attackers were able to keep the malware under the radar, as if it were just another locally generated file.
"They were Obi-Wan practicing a little Jedi magic, convincing the defender to think: these are not the files you're looking for, move along," Orot and Striem-Amit wrote.
OWAAUTH is responsible for authenticating users against Active Directory. Users never realized their credentials were being stolen because their access to Outlook was not affected. The malware also installed an ISAPI filter into the IIS server to intercept HTTP requests and capture every credential transmitted in cleartext. The harvested information was sent to a command-and-control server, giving attackers a pool of credentials they could use to impersonate any user, move laterally throughout the network, and even write and execute code on the server.
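The two points above suggest a concrete baseline check for an Exchange/IIS host: a replaced OWAAUTH.dll sitting in the assembly cache is unsigned by design, so the useful signals are the file's hash and timestamp against a known-good baseline, and an ISAPI filter that nobody registered. The following PowerShell script is an added example written for this page; it is not code from the Cybereason report or the article, and it assumes it runs as Administrator on the Exchange server with the default install root under Program Files.

```powershell
# Added defender-side example (not from the Cybereason report or the article).
# Part 1: enumerate every OWAAUTH DLL on the host (the GAC, the native image
# cache and the Exchange install tree), report signature status, hash and
# modification time so the list can be diffed against a known-good baseline.
# Part 2: list every ISAPI filter registered in applicationHost.config, both
# server-wide and per-site (<location> blocks), with the signature status of
# the backing DLL, so an unexpected or unsigned filter stands out.
# Assumptions: run as Administrator; the Exchange install root below is the
# default and may need adjusting for a given deployment.

$roots = @(
    "$env:windir\assembly",                          # GAC and NativeImages_* cache
    "$env:windir\Microsoft.NET\assembly",            # .NET 4 GAC
    "$env:ProgramFiles\Microsoft\Exchange Server"    # assumed default Exchange root
) | Where-Object { Test-Path $_ }

Write-Host "== OWAAUTH DLL copies (native images are named OWAAUTH.ni.dll) =="
# Native images are unsigned by design, so 'NotSigned' under NativeImages_* is
# expected; compare Hash and Modified against the baseline taken at deployment.
Get-ChildItem -Path $roots -Filter 'OWAAUTH*.dll' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path     = $_.FullName
            Status   = $sig.Status                     # Valid / NotSigned / HashMismatch ...
            Signer   = $sig.SignerCertificate.Subject  # empty when unsigned
            SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Modified = $_.LastWriteTimeUtc
        }
    } | Format-Table -AutoSize

Write-Host "== IIS ISAPI filters registered in applicationHost.config =="
$cfg = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$appHost = Get-Content -Path $cfg -Raw
# XPath picks up <filter> elements both at server level and inside <location>.
$filters = $appHost.SelectNodes('//isapiFilters/filter')
foreach ($f in $filters) {
    $path = [Environment]::ExpandEnvironmentVariables($f.path)
    $scope = if ($f.ParentNode.ParentNode.LocalName -eq 'location') {
        $f.ParentNode.ParentNode.GetAttribute('path')
    } else { '<server>' }
    $status = if (Test-Path $path) {
        (Get-AuthenticodeSignature -FilePath $path).Status
    } else { 'FileMissing' }
    [pscustomobject]@{
        Scope     = $scope
        Name      = $f.name
        Path      = $path
        Signature = $status
    }
}
```

Run the script once on a freshly built server and keep its output as the baseline; on later runs, any new OWAAUTH copy, a changed hash or timestamp on an existing one, or a filter whose Name, Path or Scope is not in the baseline is the item to investigate. Because the native image cache is expected to contain unsigned files, the signature column alone is not a verdict there; the hash and modification time are.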