Hackers Breach Microsoft OWA Server, Steal 11,000 User Passwords

A malicious DLL was able to read & log passwords in clear text

An attack exploiting the Microsoft Outlook Web Application (OWA) allowed hackers to record authentication credentials via a malicious DLL file placed on the server itself.

owa-header-664x374The attack was uncovered by security vendor Cybereason, when a company asked for its services after their IT personnel detected suspicious behaviour on the OWA server.

The Microsoft Outlook Web Application (OWA) is an Internet-facing webmail server, a component of Microsoft Exchange Server, which can be deployed in private companies to provide internal emailing capabilities.

Hackers replaced a DLL on the OWA server

As Cybereason explains, the attackers replaced the OWAAUTH.dll with one that contained a backdoor, and collected information about authentication procedures against the local Active Directory server (a server for managing shared authentication procedures).

Even if all authentication procedures were handled correctly by the OWA server using SSL/TLS encryption, the DLL file allowed hackers to get all login information in clear text, the DLL working after the SSL/TLS decryption stage.

All user login credentials were then logged and sent to the attackers. Every user that ever authenticated against the hacked server had his user & password logged by the attackers.

Attackers stole 11,000 usernames and passwords

All logged data was stored in a log.txt file in the server’s “C:\” partition. Cybereason researchers found more than 11,000 user – passwords pairs in this file. The company that owned the OWA server had around 19,000 employees.

The hackers that perpetrated the attack also took steps to prevent their backdoor from being removed, creating an IIS (Microsoft’s Web server) filter through which they loaded the malicious version of the OWAAUTH.dll file every time the server was restarted.

Additionally, they’ve also added special capabilities to the DLL, which watched over HTTP connections and executed commands on the server whenever specific instructions were sent disguised as regular Internet traffic.