December 16, 2021: Kaspersky discovered a previously unknown IIS module (software intended to provide additional functionality to Microsoft web servers) that they have since dubbed Owowa that steals credentials entered by a user when logging into Outlook Web Access. (OWA); it also allows attackers to gain remote control access to the underlying server. Compiled between late 2020 and April 2021, this module is a stealth theft method that is difficult to detect with network surveillance. It’s also resistant to Exchange software updates, which means it can remain hidden on a device for a long time.
In 2021, advanced threat actors increasingly exploited vulnerabilities in Microsoft Exchange Server. In March, four critical vulnerabilities in servers allowed attackers to access all registered email accounts and execute arbitrary code. While searching for other potentially malicious implants in Exchange, Kaspersky experts discovered a malicious module that allows attackers to steal login credentials for Outlook Web Access and gain remote access control to the underlying server . Kaspersky has dubbed this malicious module Owowa, and its malicious capabilities can easily be initiated by sending seemingly harmless requests – in this case, OWA authentication requests.
Kaspersky experts believe the mod was compiled between late 2020 and April 2021, and it has been seen targeting victims in Malaysia, Mongolia, Indonesia and the Philippines. Most of the victims were linked to government organizations and one to a state transport company. It is likely that there are other victims located in Europe.
Cyber criminals only need to go to the OWA login page of a compromised server to enter specially crafted commands in the username and password fields. This is an effective option allowing attackers to gain a solid foothold in targeted networks by persisting inside an Exchange server.
Kaspersky researchers were unable to link Owowa with any known threat actor. Yet, they discovered that it was associated with the username “S3crt”, a developer who could be behind several other malicious binary loaders. However, “S3crt” is a simple derivation of the English word “secret” and could very well be used by more than one person. Therefore, it is also possible that these malicious binaries and Owowa are not connected.
“The particular danger with Owowa is that an attacker can use the module to passively steal the credentials of users who legitimately access web services. This is a much more stealthy way to gain remote access than sending phishing emails. In addition, although IIS configuration tools can be exploited to detect such threats, they are not part of standard file and network monitoring activities, so Owowa can be easily ignored by security tools ” , comments Pierre Delcher, Senior Security Researcher at Kaspersky’s Global Research and Analysis Team (GReAT).
“Since Owowa is an IIS module, that also means it persists even though Microsoft Exchange is updated. The good news is that attackers don’t seem very sophisticated. Businesses should keep a close eye on Exchange servers as they are very sensitive and contain all corporate email. We also recommend that you consider all running modules as critical and check them regularly, ”comments Paul Rascagneres, Senior Security Researcher at GReAT, Kaspersky.
Read the full report on Owowa at Safe List.
To protect yourself from such threats, Kaspersky recommends:
- Regularly check the IIS modules loaded on exposed IIS servers (especially Exchange servers), taking advantage of existing tools in the IIS server suite. In any case, check for such modules as part of threat hunting activities whenever a major vulnerability is announced in Microsoft server products.
- Focus your defense strategy on detecting lateral movement and data exfiltration to the Internet. Pay close attention to outgoing traffic to detect cybercriminal connections. Regularly back up data. Make sure you can access it quickly in an emergency.
- Use solutions like Kaspersky Endpoint detection and response and the Detection and response managed by Kaspersky service that helps identify and stop the attack in the early stages, before the attackers achieve their objectives.
- Use a reliable endpoint security solution such as Kaspersky Endpoint Security for Business which is powered by exploit prevention, behavior detection and a remediation engine capable of reversing malicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.