Why spend time targeting Active Directory for domain credentials when Outlook Web Application is just as good -- and far easier to compromise? A targeted attack against Outlook Web Application (OWA) illustrates how far adversaries will go to establish persistent control over an organization's entire network.

As seen in recent breaches, attackers typically use stolen credentials or malware to get a foothold on the network, and then target the domain controller. Once attackers successfully compromise the domain controller, they can impersonate any user and move freely throughout the enterprise network. Since the OWA server, which provides companies with a Web interface for accessing Outlook and Microsoft Exchange, depends on the domain controller for authentication, whoever gains access to the OWA server automatically wins the domain credentials prize.

Israel-based Cybereason described in a research report how attackers uploaded backdoor malware to a company's OWA server and successfully stole 11,000 usernames and passwords over several months. Most security professionals understand that Active Directory contains sensitive data, but not many consider that OWA can be a source for the exact same sensitive data. And as this attack showed, OWA is not as securely protected as Active Directory. Attackers were able to take advantage of the fact that organizations typically configure OWA servers with "a relatively lax set of restrictions," the researchers wrote.

In a typical organization, administrators place internal servers and critical business applications behind the firewall and use other security controls to prevent outsiders from getting access. However, organizations configure OWA to be Internet-facing, available both internally and externally, so that users can access their messages from anywhere. That dual nature made OWA an ideal attack platform, as it gave the attackers complete backdoor functionality.
"OWA is unique: it is a critical internal infrastructure that also faces the Internet, making it an intermediary between the internal, allegedly protected DMZ, and the Web," Yoav Orot, a senior researcher with Cybereason Labs, and Yonatan Striem-Amit, CTO and co-founder of Cybereason, wrote in the report.

The attackers had uploaded malware with the same name as a legitimate Microsoft Dynamic Link Library (DLL) file to the OWA server. Even though the malicious OWAAUTH.dll was unsigned, that by itself wouldn't have raised any alarms, because it was loaded from the .NET assembly cache. The cache is used to store locally compiled native binaries, and the files in it typically are unsigned and have no reputation. This way, the attackers were able to keep the malware under the radar, as if it were just another locally generated file.

"They were Obi-Wan practicing a little Jedi magic, convincing the defender to think: these are not the files you're looking for, move along," Orot and Striem-Amit wrote.

OWAAUTH is responsible for authenticating users against Active Directory. Users never realized their credentials were being stolen because their access to Outlook was not affected. The malware also installed an ISAPI filter into the IIS server to filter HTTP requests and capture all the credentials being transferred in cleartext. The information was sent to a command-and-control server, giving attackers a pool of credentials they could use to impersonate any user, move laterally throughout the network, and even write and execute code on the server. "This treasure trove essentially gave the hackers complete access to every identity and therefore every asset in the organization," the researchers wrote.

Cybereason did not name the company targeted in the attack but described it as a "mid-sized public services company based in the U.S." Researchers believe it was a targeted campaign because the malware used very specific keywords.
The report also did not explain how the attackers got the backdoored DLL file onto the company's network in the first place.

Even so, the attack illustrates how far attackers will go to get domain credentials, and they won't always take the most obvious approach. Critical assets need to be monitored for any changes to the system configuration, and all new files, especially binaries, need to be scrutinized. Attackers can also use existing tools as part of their attacks, making it even more critical that administrators be able to recognize anomalous behavior on the network. OWA is designed to give remote users access to Outlook, but its flexible nature also made it easier for attackers. Organizations have to be hypervigilant when it comes to monitoring critical assets within the environment. Sometimes that cache file is not benign at all.
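The two footholds described above, an unsigned DLL dropped into the .NET assembly cache and an ISAPI filter registered in IIS, are both visible from the server itself, and the monitoring the article calls for can be started with a simple baseline-and-diff of the binaries in those locations. The script below is an added example written for this page; it is not Cybereason's tooling or anything from the report. It assumes a 64-bit Exchange server with the default .NET and IIS paths, keeps its baseline in a JSON file under ProgramData (an arbitrary choice), and reads the ISAPI filter list straight from applicationHost.config so it does not depend on the WebAdministration module. Run it as Administrator; on the first run it only records the baseline.

```powershell
<#
  Added example (not from the article or Cybereason): inventory DLLs in the
  .NET assembly/compilation caches, diff them against a stored baseline, and
  list the ISAPI filters IIS will load. Paths are assumed defaults.
#>
param(
    [string[]]$Roots = @(
        "$env:windir\assembly",                                                  # GAC and NativeImages cache
        "$env:windir\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files", # ASP.NET compilation cache
        "$env:windir\System32\inetsrv"                                             # IIS binaries and ISAPI filters
    ),
    [string]$AppHostConfig = "$env:windir\System32\inetsrv\config\applicationHost.config",
    [string]$BaselineFile  = (Join-Path $env:ProgramData 'owa-binary-baseline.json'),  # assumed location
    [switch]$UpdateBaseline
)

# One record per DLL: path, hash, Authenticode status and signer, mtime.
function Get-BinaryInventory {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.dll' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    SigStatus = [string]$sig.Status
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    Modified  = $_.LastWriteTimeUtc.ToString('o')
                }
            }
    }
}

# Report entries that are new or whose hash changed since the baseline.
function Compare-Inventory {
    param([object[]]$Baseline, [object[]]$Current)
    $known = @{}
    foreach ($b in $Baseline) { $known[$b.Path] = $b.Sha256 }
    foreach ($c in $Current) {
        if (-not $known.ContainsKey($c.Path)) {
            $c | Add-Member -NotePropertyName Change -NotePropertyValue 'new' -PassThru
        } elseif ($known[$c.Path] -ne $c.Sha256) {
            $c | Add-Member -NotePropertyName Change -NotePropertyValue 'modified' -PassThru
        }
    }
}

# ISAPI filters can be declared globally or per site; the XPath catches both.
function Get-IsapiFilters {
    param([string]$ConfigPath)
    if (-not (Test-Path -LiteralPath $ConfigPath)) { return }
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    foreach ($f in $cfg.SelectNodes('//isapiFilters/filter')) {
        $path = [Environment]::ExpandEnvironmentVariables($f.path)
        $sig  = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Name      = $f.name
            Path      = $path
            SigStatus = if ($sig) { [string]$sig.Status } else { 'missing' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

$current = @(Get-BinaryInventory -Paths $Roots)

if (Test-Path -LiteralPath $BaselineFile) {
    $baseline = @(Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json)
    $changes  = @(Compare-Inventory -Baseline $baseline -Current $current)
    Write-Host "$($changes.Count) new/modified DLL(s) since baseline; unsigned ones listed first:"
    # Unsigned plus new/modified is the combination that deserves a human look first.
    $changes | Sort-Object { $_.SigStatus -eq 'Valid' }, Modified |
        Format-Table Change, SigStatus, Signer, Modified, Path -AutoSize
} else {
    Write-Host "No baseline at $BaselineFile; recording one now."
    $UpdateBaseline = $true
}

if ($UpdateBaseline) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselineFile -Encoding UTF8
}

Write-Host "ISAPI filters registered in $AppHostConfig :"
Get-IsapiFilters -ConfigPath $AppHostConfig | Format-Table Name, SigStatus, Signer, Path -AutoSize
```

Because the caches legitimately hold unsigned, locally generated files, the script does not treat "unsigned" alone as an alert; it is the combination of a new or changed binary, an unsigned status, and a name or location that belongs to the authentication path that should trigger review. Re-run with `-UpdateBaseline` only after the reported changes have been accounted for (a patch, an Exchange cumulative update), otherwise the baseline silently absorbs whatever was found.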