Hackers Abusing Server Module To Steal Microsoft Exchange Credentials

You are currently viewing Hackers Abusing Server Module To Steal Microsoft Exchange Credentials

Hackers are using an Internet Information Services (IIS) webserver module dubbed “Owowa,” on Exchange Outlook servers with the aim of stealing credentials and enabling remote code execution.

“Owowa is a C#-developed .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange’s Outlook Web Access (OWA),” Kaspersky researchers Paul Rascagneres and Pierre Delcher said. “When loaded this way, Owowa will steal credentials that are entered by any user in the OWA login page, and will allow a remote operator to run commands on the underlying server.”

The idea that a rogue IIS module can be fashioned as a backdoor is not new. In August 2021, Slovak cybersecurity company ESET’s study of the IIS landscape revealed as many as 14 malware families that were developed as native IIS modules in an attempt to intercept HTTP traffic and remotely commandeer the compromised computers.

As a persistent component on the compromised system, Owawa is engineered to capture the credentials of users who are successfully authenticated on the OWA authentication web page. Exploitation can then be achieved by sending “seemingly innocuous requests” to the exposed web services by entering specifically crafted commands within the username and password fields in the OWA authentication page of a compromised server.

Specifically, if the OWA username is “jFuLIXpzRdateYHoVwMlfc,” Owawa responds back with the encrypted credentials. If the username, on the other hand, is “dEUM3jZXaDiob8BrqSy2PQO1”, the PowerShell command typed in the OWA password field is executed, the results of which are sent back to the attacker.

The Russian security firm said it detected a cluster of targets with compromised servers located in Malaysia, Mongolia, Indonesia, and the Philippines that primarily belong to government organizations, with the exception of one server that’s attached to a government-owned transportation company. That said, additional organizations in Europe are believed to have been victimized by the actor as well.

Although no links have been unearthed between the Owowa operators and other publicly documented hacking groups, a username “S3crt” (read “secret”) that was found embedded in the source code of the identified samples has yielded additional malware executables that are likely the work of the same developer. Chief among them are a number of binaries designed to execute an embedded shellcode, load next-stage malware retrieved from a remote server, and trigger the execution of Cobalt Strike payloads.

Kaspersky’s Global Research and Analysis Team (GReAT) also said it identified an account with the same username on Keybase, where the individual has shared offensive tools such as Cobalt Strike and Core Impact, in addition to demonstrating an interest in the latter on RAIDForums.

“IIS modules are not a common format for backdoors, especially when compared to typical web application threats like web shells and can therefore easily be missed during standard file monitoring efforts,” Rascagneres and Delcher said. “The malicious module […] represents an effective option for attackers to gain a strong foothold in targeted networks by persisting inside an Exchange server.”

Protection Against Hackers

There are several tools internet users should use to increase their online protection. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply