New Microsoft Exchange credential stealing malware could be worse than phishing

While looking for additional Exchange vulnerabilities in the wake of this year's zero-days, Kaspersky found an IIS add-on that harvests credentials from OWA whenever, and wherever, someone logs in.

malware.jpg

stevanovicigor, Getty Images/iStockphoto

Kaspersky has discovered a malicious add-on for Microsoft's Internet Information Service (IIS) web server software that it said is designed to harvest credentials from Outlook Web Access (OWA), the webmail client for Exchange and Office 365. 

Appropriately dubbed, but debatably pronounced, Owowa, Kaspersky researchers discovered the addon in the wake of the March 2021 Exchange server hack. "While looking for potentially malicious implants that targeted Microsoft Exchange servers, we identified a suspicious binary that had been submitted to a multiscanner service in late 2020," Kaspersky said in its announcement of the discovery.

SEE: Google Chrome: Security and UI tips you need to know  (TechRepublic Premium)

Owowa is an add-on for IIS, which is itself software built to manage web server services that Microsoft describes as being made up of more than 30 independent modules. Owowa is designed to get installed in IIS, and once installed looks for evidence that the IIS server it's on is responsible for exposing a business's Exchange server's OWA portal. 

When Owowa sees OWA operating on its host machine it logs every single successful login to Exchange through OWA by detecting authentication tokens. If it spots one, Owowa stores the username, password, user IP address and timestamp in a temp file that's RSA encrypted.

Here's where Owowa gets really interesting: All that an attacker needs to harvest data is enter one of three gibberish usernames into OWA that are actually commands. One returns the credentials log encoded in base64, the second deletes the credentials log, and the third executes whatever PowerShell command is typed into the password field. Yikes. 

The what, where, when, who and how of Owowa

To be clear about one thing, Owowa has the potential to be incredibly dangerous, said Kaspersky Global Research and Analysis Team senior security researcher Pierre Delcher. 

"This is a far stealthier way to gain remote access than sending phishing emails. In addition, while IIS configuration tools can be leveraged to detect such threats, they are not part of standard file and network monitoring activities, so Owowa might be easily overlooked by security tools," Delcher said

This isn't a hypothetical, either: Owowa has been seen targeting government organizations and state agencies in Malaysia, Mongolia, Indonesia and The Philippines, and Kaspersky said that there are likely additional victims in Europe as well. One more reason to be nervous: Kaspersky doesn't know how exactly Owowa is initially infecting its victims. 

"The malicious module described in this post represents an effective option for attackers to gain a strong foothold in targeted networks by persisting inside an Exchange server," Kaspersky said. It cited reasons including persistence when Exchange servers are updated, ability to submit malicious code in innocuous requests and entirely passive nature that removes relying on user confusion to succeed. 

Kaspersky said that it was unable to retrieve enough data to indicate that Owowa infections were used to launch an additional infection chain or post-infection activities. Kaspersky also said that it's not sure how Owowa was initially deployed, outside of the possibility that its owners jumped on the Exchange server compromises earlier in 2021. 

SEE: Password breach: Why pop culture and passwords don't mix (free PDF) (TechRepublic)

The code that Kaspersky was able to analyze from Owowa indicates creativity, it said, but also an amateur's touch. "The practices exhibited by what is likely an inexperienced developer don't appear to correspond with such strategic targeting," Kaspersky said. 

One such instance of sloppy code was the creator's act of "ignoring explicit warnings from Microsoft" about risky development practices in HTTP modules (of which Owowa is one) that can crash servers. So, it's basically doubly as dangerous for an infected server: Either data gets stolen, or the whole thing falls apart. 

How to detect and fight Owowa

If its raw potential for undetected data theft isn't enough of a reason to watch out for Owowa, consider its raw potential to crash your Exchange or IIS servers as another reason to take the right precautions. 

Kaspersky makes the following four recommendations for protecting yourself from Owowa and similar threats:

  • Check all IIS modules on exposed IIS servers regularly — especially if that IIS server deals with Exchange. 
  • Focus on detecting lateral movements and data exfiltration to the internet. Pay attention to outgoing traffic in particular, and create regular backups that are easily accessible.
  • Use trusted endpoint detection and response software to identify and stop attacks early on.
  • Use trusted endpoint security software powered by exploit prevention, behavior detection and remediation engines that can roll back malicious actions. 

If you're curious about detecting Owowa infections, Kaspersky's full report contains steps on using appcmd.exe or the ISS configuration tool to seek out and identify Owowa and other malicious modules.

Also see