Hackers Breach Microsoft OWA Server, Steal 11,000 User Passwords


Karamjit

A malicious DLL was able to read and log passwords in clear text

An attack exploiting the Microsoft Outlook Web Application (OWA) allowed hackers to record authentication credentials via a malicious DLL file placed on the server itself.

The attack was uncovered by security vendor Cybereason, when a company asked for its services after their IT personnel detected suspicious behavior on the OWA server.

The Microsoft Outlook Web Application (OWA) is an Internet-facing webmail server, a component of Microsoft Exchange Server, which can be deployed in private companies to provide internal emailing capabilities.

Hackers replaced a DLL on the OWA server

As Cybereason explains, the attackers replaced the OWAAUTH.dll with one that contained a backdoor, and collected information about authentication procedures against the local Active Directory server (a server for managing shared authentication procedures).

Even though all authentication procedures were handled correctly by the OWA server using SSL/TLS encryption, the DLL file allowed hackers to get all login information in clear text, since the DLL worked after the SSL/TLS decryption stage.

All user login credentials were then logged and sent to the attackers. Every user that ever authenticated against the hacked server had their username and password logged by the attackers.

Hackers stole 11,000 usernames and passwords

All logged data was stored in a log.txt file in the server's "C:\" partition. Cybereason researchers found more than 11,000 username-password pairs in this file. The company that owned the OWA server had around 19,000 employees.

The hackers that perpetrated the attack also took steps to prevent their backdoor from being removed, creating an IIS (Microsoft's Web server) filter through which they loaded the malicious version of the OWAAUTH.dll file every time the server was restarted.

Additionally, they also added special capabilities to the DLL, which watched over HTTP connections and executed commands on the server whenever specific instructions were sent disguised as regular Internet traffic.

From
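The two things a defender would want to check on an OWA host after reading the post above are the persistence hook (an IIS filter or module pointing at a DLL outside the normal install trees) and the integrity of the Exchange DLLs themselves. The script below is an added example, not code from the article, Cybereason or Microsoft: it parses a constructed applicationHost.config fragment and flags ISAPI filters and global modules whose DLL lives outside the IIS, .NET or Exchange directories, and it compares SHA-256 hashes of DLLs against a known-good baseline. The trusted directory list assumes a default `C:\Windows` and the default Exchange install path; every file name, path and hash in it is constructed for the demo.

```python
"""Added defensive example (not from the article or Cybereason):
1. find_untrusted_loaders(): report IIS ISAPI filters / global modules whose
   DLL is not under a trusted install directory (the persistence trick above).
2. compare_to_baseline(): SHA-256 integrity check of DLLs against a baseline
   captured from a clean install (catches a swapped OWAAUTH.dll).
All paths, names and hashes below are constructed for the demo.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment. The "OwaLoader" filter is the
# kind of entry an attacker adds so IIS reloads a rogue DLL on every restart.
SAMPLE_APPLICATION_HOST_CONFIG = """<configuration>
  <system.webServer>
    <isapiFilters>
      <filter name="ASP.Net_4.0_64bit" path="%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_filter.dll" enabled="true" />
      <filter name="OwaLoader" path="C:\\Windows\\Temp\\owaauth_loader.dll" enabled="true" />
    </isapiFilters>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="kerbauth" image="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\kerbauth.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Assumption: default Windows directory and default Exchange install path.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\inetsrv\\",
    "c:\\windows\\microsoft.net\\",
    "c:\\program files\\microsoft\\exchange server\\",
)


def _normalize(path: str) -> str:
    """Lower-case, unify slashes and expand %windir% so prefixes compare cleanly."""
    p = path.strip().lower().replace("/", "\\")
    return p.replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")


def find_untrusted_loaders(config_xml: str):
    """Return (section, name, dll_path) for every ISAPI filter or global
    module whose DLL is outside TRUSTED_DIRS."""
    root = ET.fromstring(config_xml)
    findings = []
    # (container element, child element, attribute that holds the DLL path)
    for section, tag, attr in (("isapiFilters", "filter", "path"),
                               ("globalModules", "add", "image")):
        for container in root.iter(section):
            for entry in container.findall(tag):
                dll = entry.get(attr, "")
                if not _normalize(dll).startswith(TRUSTED_DIRS):
                    findings.append((section, entry.get("name", "?"), dll))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_to_baseline(observed: dict, baseline: dict) -> dict:
    """observed: {filename: bytes read from disk}; baseline: {filename: sha256 hex}.
    Returns {filename: 'ok' | 'modified' | 'unexpected' | 'missing'}."""
    result = {}
    for name, data in observed.items():
        if name not in baseline:
            result[name] = "unexpected"   # DLL the baseline never had
        elif sha256_hex(data) != baseline[name]:
            result[name] = "modified"     # same name, different content
        else:
            result[name] = "ok"
    for name in baseline:
        if name not in observed:
            result[name] = "missing"
    return result


# Constructed DLL contents: in real use, read the Exchange bin directory and
# a baseline recorded from a clean install or the vendor's file hashes.
GOOD_OWAAUTH = b"MZ constructed clean owaauth.dll bytes"
GOOD_KERBAUTH = b"MZ constructed clean kerbauth.dll bytes"
BASELINE = {"owaauth.dll": sha256_hex(GOOD_OWAAUTH),
            "kerbauth.dll": sha256_hex(GOOD_KERBAUTH)}
OBSERVED = {"owaauth.dll": b"MZ constructed backdoored replacement",
            "kerbauth.dll": GOOD_KERBAUTH,
            "owaauth_loader.dll": b"MZ constructed loader"}

if __name__ == "__main__":
    for section, name, dll in find_untrusted_loaders(SAMPLE_APPLICATION_HOST_CONFIG):
        print(f"UNTRUSTED {section}: {name} -> {dll}")
    for name, status in sorted(compare_to_baseline(OBSERVED, BASELINE).items()):
        print(f"{status:10} {name}")
```

On a live host the same functions take `open(r"C:\Windows\System32\inetsrv\config\applicationHost.config").read()` and a dictionary built by reading each file in the Exchange bin directory; the baseline should come from a clean install or vendor hashes, not from the suspect machine.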

I am wondering how they replaced the DLL file... Sounds like it could have been from within the IT Department itself or a result of installing or using circumvented software. Access to it had to be obtained... Wondering if it was through the IIS server or from behind the desk...

I am wondering how they replaced the DLL file... Sounds like it could have been from within the IT Department itself or a result of installing or using circumvented software. Access to it had to be obtained... Wondering if it was through the IIS server or from behind the desk...

Possibly a server exploit that allowed overwriting files, but not executing new ones.
