A targeted attack against Outlook Web Application (OWA) illustrates how far adversaries will go to establish persistent control over the organization's entire network.
As seen in recent breaches, attackers typically use stolen credentials or malware to get a foothold on the network, and then target the domain controller. Once attackers successfully compromise the domain controller, they can impersonate any user and move freely throughout the enterprise network. Since the OWA server, which provides companies with a Web interface for accessing Outlook and Microsoft Exchange, depends on the domain controller for authentication, whoever gains access to the OWA server automatically wins the domain credentials prize.
Israel-based Cybereason described in a research report how attackers uploaded backdoor malware to a company's OWA server and successfully stole 11,000 usernames and passwords over several months. Most security professionals understand that Active Directory contains sensitive data, but not many consider that OWA can be a source for the exact same sensitive data. And as this attack showed, OWA is not as securely protected as Active Directory.
Attackers were able to take advantage of the fact that organizations typically configure OWA servers with "a relatively lax set of restrictions," the researchers wrote.
In a typical organization, administrators place internal servers and critical business applications behind the firewall and use other security controls to prevent outsiders from getting access. However, organizations configure OWA to be Internet-facing, available internally and externally, to allow users to access their messages from anywhere. That dual-nature made OWA an ideal attack platform as it gave attackers complete backdoor functionality.
"OWA is unique: it is a critical internal infrastructure that also faces the Internet, making it an intermediary between the internal, allegedly protected DMZ, and the Web," Yoav Orot, a senior researcher with Cybereason Labs, and Yonatan Striem-Amit, CTO and co-founder of Cybereason, wrote in the report.
The attackers had uploaded malware with the same name as a legitimate Microsoft Dynamic Link library (DLL) file to the OWA server. Even though the malicious OWAAUTH.dll was unsigned, that itself wouldn't have raised any alarms because it was loaded from the .Net assembly cache. The cache is used to store locally compiled native binaries and the files typically are unsigned and have no reputation. This way, the attackers were able to keep the malware under the radar as if it was just another locally generated file.
"They were Obi-Wan practicing a little Jedi magic, convincing the defender to think: these are not the files you're looking for, move along," Orot and Striem-Amit wrote.
OWAAUTH is responsible for authenticating users against Active Directory. Users never realized their credentials were being stolen because their access to Outlook was not affected. The malware also installed an ISAPI filter into the IIS server to filter HTTP requests and get all the credentials being transferred in cleartext. The information was transferred to a command-and-control center, giving attackers a pool of credentials they could use to impersonate any user, move laterally throughout the network, and even write and execute code on the server.
"This treasure trove essentially gave the hackers complete access to every identity and therefore every asset in the organization," the researchers wrote.
Cybereason did not name the company targeted in the attack but described it as a "mid-sized public services company based in the U.S." Researchers believe it was a targeted campaign because the malware used very specific keywords. The report also did not explain how the attackers got the backdoored DLL file onto the company's network in the first place.
Even so, the attack illustrates how far attackers will go to get domain credentials, and they won't always take the most obvious approach. Critical assets need to be monitored for any changes to the system configuration, and all new files, especially binaries, need to be scrutinized. Attackers can also use existing tools as part of their attacks, making it even more critical that administrators be able to recognize anomalous behavior on the network.
OWA is designed to give remote users access to Outlook, but its flexible nature also made it easier for attackers. Organizations have to be hypervigilant when it comes to monitoring critical assets within the environment. Sometimes that cache file is not benign at all.