Password-stealing malware targeting Microsoft Outlook Web App email

Lock up your email servers - or use Office 365 instead

Password-stealing malware has been found in the wild targeting Outlook Web App, Microsoft's web-based email system.

Researchers from security firm Cybereason claim that the advanced persistent threat (APT) can enable patient attackers to steal an organisation's email passwords over time.

The attack was found by the company when it investigated the email server of an organisation whose security team had spotted "behavioural abnormalities".

The analysis continues: "The Cybereason platform found a suspicious DLL loaded into the Outlook Web App (OWA) server (a webmail component of Microsoft Exchange Server), with several interesting characteristics. Although it had the same name as another benign DLL, the suspicious DLL went unsigned and was loaded from a different directory. Since OWA servers typically load only legitimately signed DLLs, the Cybereason behavioural engine immediately elevated this event to a suspicion."

The attack on OWA is significant, claims Cybereason, because OWA authentication is based on domain credentials. "Whoever gains access to the OWA server becomes the owner of the entire organisation's domain credentials," it suggests.

"The hackers installed a back-doored malicious OWAAUTH.DLL which was used by OWA as part of the authentication mechanism, and was responsible for authenticating users against the Active Directory (A/D) server used in the environment. In addition, the malicious OWAAUTH.DLL also installed an ISAPI filter into the IIS server, and was filtering HTTP requests.

"This enabled the hackers to get all requests in cleartext after SSL/TLS decryption. The malware replaced the OWAAUTH by installing an IIS filter in the registry, which enabled the malware to automatically load and persist on every subsequent server restart," warns Cybereason.
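As an added defensive example (not code from the article or from Cybereason), the PowerShell below audits the DLLs loaded into the IIS worker processes on an Exchange/OWA server, flagging modules that are unsigned, that load from outside the expected install directories, or that share a file name with another loaded module but come from a different path, and then lists the registered ISAPI filters. It assumes local administrator rights, the IIS WebAdministration module, and the default Exchange install path in `$trustedRoots` (adjust for your environment).

```powershell
# Added example: audit DLLs loaded by IIS worker processes (w3wp) on an OWA server.
# Assumed trusted locations; change the Exchange path to match the installation.
$trustedRoots = @(
    "$env:SystemRoot\",
    "${env:ProgramFiles}\Microsoft\Exchange Server\"
)

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Collect every module loaded into every w3wp process (one per IIS application pool).
$modules = @()
foreach ($proc in Get-Process -Name w3wp -ErrorAction SilentlyContinue) {
    try { $procModules = $proc.Modules } catch { continue }   # 32/64-bit mismatch or access denied
    foreach ($mod in $procModules) {
        $sig = Get-AuthenticodeSignature -FilePath $mod.FileName
        $modules += [pscustomobject]@{
            Pid       = $proc.Id
            Module    = $mod.ModuleName
            Path      = $mod.FileName
            Signature = $sig.Status            # 'Valid' for a correctly signed binary
            Signer    = $sig.SignerCertificate.Subject
            Trusted   = Test-TrustedPath $mod.FileName
        }
    }
}

# Finding 1: unsigned modules or modules loaded from an unexpected directory.
$suspicious = $modules | Where-Object { $_.Signature -ne 'Valid' -or -not $_.Trusted }

# Finding 2: the same DLL name loaded from more than one path (name collision, as
# with the benign and malicious OWAAUTH.DLL described in the article).
$collisions = $modules | Group-Object Module |
    Where-Object { ($_.Group.Path | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object { $_.Group }

# Finding 3: registered ISAPI filters (IIS 7+ stores these in applicationHost.config).
Import-Module WebAdministration -ErrorAction SilentlyContinue
$filters = Get-WebConfiguration -Filter "system.webServer/isapiFilters/filter" -PSPath "IIS:\" |
    Select-Object name, path

"== Unsigned or untrusted-path modules =="; $suspicious | Format-Table -AutoSize
"== Duplicate module names from different paths =="; $collisions | Format-Table -AutoSize
"== Registered ISAPI filters =="; $filters | Format-Table -AutoSize
```

Review every ISAPI filter path against the signed-module list; a filter whose DLL appears under the suspicious or collision findings is the pattern described above.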

However, one of the mistakes made by the attackers was to use the weak and outdated DES encryption algorithm in order to store information in a log file. This enabled the investigators to uncover what the attackers were looking for - namely, all the organisation's email passwords.

According to Ken Westin, senior security analyst at rival security company Tripwire, the finding indicates that organisations need to step up their security monitoring.

"Organisations need to pay special attention to what is happening on these critical endpoints, as they can easily lead to an entire network being compromised. Mail servers, Active Directory servers, databases and other critical systems need to be monitored for any and all system configuration changes, as well as new binaries added to these systems," he said.

He continued: "IT and security teams should be alerted to these changes immediately and have a workflow established for quickly verifying if these changes are authorized and verified as part of a scheduled patch, or if it is a potential malicious piece of malware.

"When dealing with a sophisticated adversary, the malware they use to target infrastructure will use customised code that will not have signatures, or they may simply use tools available on the systems themselves to harvest data.

"Although threat intelligence can help tell organisations if a particular threat or indicator has been seen by others, they still need strong security intelligence within their own network to identify anomalies and potential threats that may not have been seen before."

Feeling secure? Whether you are or not, catch up with the latest threats and trends in IT security at Computing's forthcoming Enterprise Security & Risk Management Summit, in London in November.
