Cybereason Researchers Find an Exploit in Microsoft’s Outlook


New Outlook exploit exposed by Cybereason scientists. A large number of passwords stolen:

A new massive Outlook exploit has been uncovered. This time a mail server attack caused a large number of passwords to be stolen. At present it’s still unclear just how much damage has been done.
Researchers from a security company called Cybereason discovered the malicious Outlook Web Application (OWA) module after being contacted to provide a security check for an unnamed company with more than 19 000 endpoints. What is known is that Cybereason’s client had witnessed a number of abnormalities in its network’s behavior. During the security firm’s inspection, a suspicious DLL file named OWAAUTH.dll was found loaded into the client’s OWA server. While it had the same name as a benign DLL file, this one was loaded from a completely different directory and was unsigned.
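The two traits described above (a familiar module name loaded from an unexpected directory, and a missing signature) can be checked against image-load telemetry. The sketch below is an added example, not Cybereason's tooling: it assumes records shaped like Sysmon Event ID 7, and the baseline directory and sample paths are constructed placeholders.

```python
import ntpath
from collections import defaultdict

# Constructed baseline: module name -> directory it is expected to load from.
# The directory is a placeholder, not the real Exchange install path.
BASELINE = {"owaauth.dll": r"C:\ExampleExchange\Owa\Auth"}
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"  # IIS worker process

# Constructed image-load records using Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {"Image": W3WP, "ImageLoaded": r"C:\ExampleExchange\Owa\Auth\owaauth.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": W3WP, "ImageLoaded": r"C:\ExampleOther\bin\OWAAUTH.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": W3WP, "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

def norm(path):
    """Normalise a Windows path (case, separators) on any host OS."""
    return ntpath.normcase(ntpath.normpath(path))

def review_image_loads(events, baseline):
    """Return loads that break the baseline directory or signature checks."""
    findings = []
    dirs_seen = defaultdict(set)  # module name -> directories it loaded from
    for ev in events:
        directory, name = ntpath.split(norm(ev["ImageLoaded"]))
        dirs_seen[name].add(directory)
        reasons = []
        expected = baseline.get(name)
        if expected and directory != norm(expected):
            reasons.append("unexpected directory")
        signed = ev.get("Signed", "").lower() == "true"
        if not signed or ev.get("SignatureStatus") != "Valid":
            reasons.append("unsigned or invalid signature")
        if reasons:
            findings.append({"name": name, "module": ev["ImageLoaded"],
                             "process": ev["Image"], "reasons": reasons})
    # Second pass: the same file name seen in more than one directory.
    for finding in findings:
        if len(dirs_seen[finding["name"]]) > 1:
            finding["reasons"].append("same name loaded from multiple directories")
    return findings

if __name__ == "__main__":
    for hit in review_image_loads(SAMPLE_EVENTS, BASELINE):
        print(hit["module"], "->", "; ".join(hit["reasons"]))
```
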


A vulnerability in Microsoft Outlook’s web application.

It turned out OWAAUTH.dll contained a backdoor and, because it ran on the server, it was able to retrieve all HTTPS-protected server requests right after they had been decrypted. It is understood this has been going on for months if not years, making this an advanced persistent threat, the term used for malware campaigns that have a specific target and run for a prolonged period of time. As a result of this campaign, anyone who has at any point accessed the company’s server might have had their password stolen. Virtually all of this organization’s passwords might very well have been accessed.
What makes OWA such a valuable target for attackers is that it acts as a link between the public internet and what’s behind the company’s firewall. In the reported case, because the customer used OWA to give remote users access to Outlook, the perpetrators were able to access the domain credentials of the whole company. It is not yet clear whether this spreads beyond this one Cybereason client, but if history tells us one thing about this type of attack, it is that chances are it won’t be a one-off.
If you are using Outlook, we strongly recommend you change your account’s password. You can never be too careful with this type of threat.

