New Outlook exploit exposed by Cybereason scientists. A large number of passwords stolen:
A new, massive Outlook exploit has been uncovered. This time an attack on a mail server caused a large number of passwords to be stolen. At present it is still unclear just how much damage has been done.
Researchers from the security company Cybereason discovered the malicious Outlook Web Application (OWA) module after being contacted to perform a security check for an unnamed company with more than 19 000 endpoints. What is known is that Cybereason’s client had witnessed a number of abnormalities in its networks’ behavior. During the security firm’s inspection, a suspicious DLL named OWAAUTH.dll was found loaded into the client’s OWA server. Although it carried the same name as a benign DLL, this one was loaded from a completely different directory and was unsigned.
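A defender’s check for the indicator described above (a DLL that shares the name of a legitimate module but is loaded from another directory and carries no valid signature), as an added PowerShell example that is not from the Cybereason report. It assumes OWA is hosted in IIS w3wp.exe worker processes and that the script is run from an elevated 64-bit PowerShell on the Exchange server.

```powershell
# Added example, not from the Cybereason report. Assumption: OWA runs inside
# IIS worker processes named w3wp; run elevated from a 64-bit PowerShell.
$seen     = @{}   # module name -> set of directories it was loaded from
$unsigned = @()   # modules with no valid Authenticode signature

foreach ($proc in Get-Process -Name w3wp -ErrorAction SilentlyContinue) {
    foreach ($m in $proc.Modules) {
        $path = $m.FileName
        if (-not $path) { continue }
        $dir  = [System.IO.Path]::GetDirectoryName($path).ToLowerInvariant()
        $name = $m.ModuleName.ToLowerInvariant()
        if (-not $seen.ContainsKey($name)) { $seen[$name] = @{} }
        $seen[$name][$dir] = $true

        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        if ($null -eq $sig -or $sig.Status -ne 'Valid') {
            $unsigned += [pscustomobject]@{
                ProcessId = $proc.Id
                Module    = $name
                Path      = $path
                Status    = if ($sig) { $sig.Status } else { 'Unknown' }
            }
        }
    }
}

# A module name that resolves to more than one directory is the OWAAUTH.dll
# pattern: a look-alike file sitting beside or shadowing the legitimate one.
$collisions = $seen.GetEnumerator() |
    Where-Object { $_.Value.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{ Module = $_.Key; Directories = ($_.Value.Keys -join '; ') }
    }

"== Same module name loaded from more than one directory =="
$collisions | Format-Table -AutoSize
"== Loaded modules without a valid Authenticode signature (review each) =="
$unsigned | Sort-Object Module | Format-Table -AutoSize
```

Every hit is a triage lead rather than a verdict: compare each flagged path against the Exchange installation directory and the file’s hash against a known-good copy before acting.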
A vulnerability in Microsoft Outlook’s web application.
It turned out that OWAAUTH.dll contained a backdoor and, because it ran on the server itself, it was able to read every HTTPS-protected request immediately after decryption. This is understood to have been going on for months, if not years, which makes it an advanced persistent threat, the term used for malware campaigns that have a specific target and run for a prolonged period of time. The consequence is that anyone who has ever accessed the company’s server may have had their password stolen; virtually all of the organization’s passwords may well have been exposed.
What makes OWA such a valuable tool for attackers is that it acts as a bridge between the public internet and what sits behind the company’s firewall. In the reported case, because the customer used OWA to give remote users access to Outlook, the perpetrators were able to obtain domain credentials for the whole company. It is not yet clear whether this extends beyond this one Cybereason client, but if history tells us one thing about this type of attack, it is that it is unlikely to be a one-off.
If you are using Outlook, we strongly recommend that you change your account’s password. You can never be too careful with this type of threat.