Recently, security researchers disclosed reports of a new vulnerability in OWA (Outlook Web Access). It has been the headline of many security bulletins across the internet since October 5, 2015.
OWA is a component of Microsoft Exchange Server. It is an Internet-facing webmail server deployed in private companies and organisations to provide internal email capabilities.
An important point to note here is that OWA differs from other web servers, which typically expose only a web interface: OWA is a critical piece of internal infrastructure that also faces the Internet, making it an intermediary between the internal network, the DMZ, and the web.
The victim company, a customer of the security firm, was using OWA to give remote users access to Outlook. This created an ideal attack platform because the server was exposed both internally and externally. The zero-day vulnerability is believed to have allowed the hackers to retain ownership over a large set of credentials, letting them maintain persistent control over the organisation's environment for several months.
As per reports, researchers from the security vendor named Cybereason have discovered a dangerous backdoor in Microsoft's Outlook Web Application that has allowed hackers to steal e-mail authentication credentials from the victim company for a long time. The unnamed company that detected "behavioural abnormalities" across its network before reaching out to security firm Cybereason had more than 19,000 endpoints!
The researchers suspected that an OWAAUTH.dll file loaded on the victim company's OWA server was malicious. The file was unsigned and was loaded from a directory other than the expected one, which raised the event to a suspicion. Further analysis showed that the file was siphoning decrypted HTTPS server requests.
According to the security firm, the attacker replaced the OWAAUTH.dll file with one containing a dangerous backdoor that gathered all HTTPS-protected server requests, including login information after it had been decrypted, i.e., in clear text. Every user accessing the hacked server had their username and password compromised and stored by the attackers.
Researchers discovered more than 11,000 username and password combinations in a log.txt file on the server's "C:\" partition. The attackers are believed to have used the log.txt file to store all logged data.
To prevent their backdoor from being removed, the attackers also created an IIS (Microsoft's web server) filter that loaded the malicious OWAAUTH.dll file every time the server was restarted. The advanced and persistent attackers used a .NET assembly cache in order to avoid auditing and security inspection.
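The indicators above (an unsigned OWAAUTH.dll loaded from an unexpected directory, an IIS filter used for persistence, and a copy staged in the .NET assembly cache) translate into a defender's check an Exchange administrator can run on a server. The script below is an added example, not Cybereason's tooling or anything from the report; it assumes the Exchange install path is available in $env:ExchangeInstallPath and that the legitimate DLL lives under ClientAccess\Owa\Auth, and it must be run elevated on the Exchange server itself.

```powershell
# Added defensive check (not Cybereason's code). Assumptions, labelled here:
# - $env:ExchangeInstallPath points at the Exchange install root
# - the legitimate OWAAUTH.dll lives in ClientAccess\Owa\Auth under that root
$expectedDir = (Join-Path $env:ExchangeInstallPath 'ClientAccess\Owa\Auth').TrimEnd('\')

# 1. Which OWAAUTH.dll copies are actually loaded into IIS worker processes (w3wp.exe)?
#    Flag any copy that is unsigned or loaded from outside the expected directory.
$loaded = Get-Process -Name w3wp -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Modules } |
    Where-Object { $_.ModuleName -ieq 'OWAAUTH.dll' } |
    Select-Object -ExpandProperty FileName -Unique

foreach ($path in $loaded) {
    $sig = Get-AuthenticodeSignature -FilePath $path
    $inExpectedDir = (Split-Path $path -Parent).TrimEnd('\') -ieq $expectedDir
    [pscustomobject]@{
        Path            = $path
        SignatureStatus = $sig.Status            # 'Valid' is expected for the Microsoft-signed DLL
        Signer          = $sig.SignerCertificate.Subject
        InExpectedDir   = $inExpectedDir
        Suspicious      = ($sig.Status -ne 'Valid') -or (-not $inExpectedDir)
    }
}

# 2. Persistence: IIS native modules and ISAPI filters whose image sits outside
#    the Exchange tree or the Windows directory deserve a closer look.
Import-Module WebAdministration
$trusted = @("$($env:ExchangeInstallPath)*", "$env:windir\*")
Get-WebGlobalModule |
    Where-Object { $img = $_.Image; $img -and -not ($trusted | Where-Object { $img -ilike $_ }) } |
    Select-Object @{n='Kind';e={'GlobalModule'}}, Name, Image
Get-WebConfiguration -Filter 'system.webServer/isapiFilters/filter' -PSPath 'MACHINE/WEBROOT/APPHOST' |
    Where-Object { $p = $_.path; $p -and -not ($trusted | Where-Object { $p -ilike $_ }) } |
    Select-Object @{n='Kind';e={'ISAPIFilter'}}, name, path

# 3. Staged copies: any OWAAUTH.dll under the ASP.NET temporary/assembly cache directories
#    (assumed location of the ".NET assembly cache" mentioned in the report).
Get-ChildItem -Path "$env:windir\Microsoft.NET\Framework*\v*\Temporary ASP.NET Files" `
    -Recurse -Filter 'OWAAUTH.dll' -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime
```

Any row with Suspicious = True, any module or filter image outside the trusted paths, and any cached OWAAUTH.dll copy should be compared against the signed file in $expectedDir before the server is trusted again.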
The security firm did not say how widespread this attack was, but the same attack may be hitting, or could hit, other large organisations as well.
Microsoft has denied the vulnerability but has at the same time provided the recommendation below to ensure the security of its customers' data.
-"IT administrators should use the latest products and services, in combination with industry best practices for IT management to avoid the condition outlined in these reports".
Despite Microsoft's denial, the news has become a concern for many organisations that use the service, and they are waking up to the question "Is your organisation's Microsoft Outlook Web Access secure?"