
[Arstechnica] New Outlook mail server attack steals massive number of passwords

post #1 of 33
Thread Starter 
SOURCE

New Outlook mailserver attack steals massive number of passwords
Backdoor in Outlook Web Application operates inside target's firewall.
Quote:
Researchers have uncovered advanced malware that can steal virtually all of a large organization's e-mail passwords by infecting its Outlook Web Application (OWA) mail server over an extended period of time.

Researchers from security firm Cybereason discovered the malicious OWA module after receiving a call from an unnamed company that had more than 19,000 endpoints. The customer had witnessed several behavioral abnormalities in its network and asked Cybereason to look for signs of an infection. Within a few hours, the security firm found a suspicious DLL file loaded into the company's OWA server. While it contained the same name as a benign DLL file, this one was unsigned and was loaded from a different directory.

The OWAAUTH.dll file contained a backdoor. Because it ran on the server, it was able to retrieve all HTTPS-protected server requests after they had been decrypted. As a result, the attackers behind this advanced persistent threat—the term given to malware campaigns that target a specific organization for months or years—were able to steal the passwords of just about anyone accessing the server.

"The hackers in this case managed to gain a foothold into a highly strategic asset: the OWA server," Cybereason researchers wrote in a blog post published Monday. "Almost by definition, OWA requires organizations to define a relatively lax set of restrictions; and in this case, OWA was configured in a way that allowed Internet-facing access to the server. This enabled the hackers to establish persistent control over the entire organization's environment without being detected for a period of several months."

OWA is a particularly valuable resource for attackers because it acts as an intermediary between the public Internet and an internal resource that's inside a company's firewall. Because the customer was using OWA to enable remote user access to Outlook, the configuration allowed attackers access to the entire organization's domain credentials. Cybereason didn't say how widespread the attack is beyond it targeting the one customer. Chances are, malware as detailed as this isn't a one-off thing, so it wouldn't be surprising to see it hitting other large organizations.

Full report details here: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Labs-Analysis-Webmail-Sever-APT.pdf
Edited by kaistledine - 10/8/15 at 1:49am
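The indicator the quoted article describes (a DLL carrying a known-good name that is unsigned and loaded from a different directory) can be checked mechanically against a loaded-module inventory. This is an added example, not code from the thread or from the Cybereason report; the module records are constructed sample data, and the expected install directory for the legitimate module is an assumption.

```python
# Detection sketch for the indicator in the article: a module with a known-good
# name that is unsigned or loaded from an unexpected directory. Sample data only.
from dataclasses import dataclass
from pathlib import PureWindowsPath

EXCH = r"C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa"
# Assumption: the directory the legitimate OWA auth module is expected to load from.
EXPECTED_DIRS = {"owaauth.dll": PureWindowsPath(EXCH) / "Auth"}

@dataclass(frozen=True)
class LoadedModule:
    process: str  # hosting process (the IIS worker for OWA)
    name: str     # file name as reported by the loader
    path: str     # full on-disk path the module was loaded from
    signed: bool  # Authenticode signature present and valid

def check_module(mod: LoadedModule) -> list:
    """Return the reasons a module looks suspicious (empty list if clean)."""
    reasons = []
    expected = EXPECTED_DIRS.get(mod.name.lower())
    # PureWindowsPath equality is case-insensitive, so casing alone never alerts.
    if expected is not None and PureWindowsPath(mod.path).parent != expected:
        reasons.append("loaded from unexpected directory")
    if not mod.signed:
        reasons.append("unsigned")
    return reasons

def find_suspicious(modules) -> dict:
    """Map (process, path) -> reasons for each module failing a check; also flag a
    second copy of a name already loaded from another path in the same process."""
    findings, first_path = {}, {}
    for mod in modules:
        reasons = check_module(mod)
        key = (mod.process, mod.name.lower())
        if first_path.setdefault(key, mod.path.lower()) != mod.path.lower():
            reasons.append("duplicate name at a second path")
        if reasons:
            findings[(mod.process, mod.path)] = reasons
    return findings

# Constructed inventory: the benign copy, a look-alike from a rogue path, an unrelated module.
SAMPLE = [
    LoadedModule("w3wp.exe", "OWAAUTH.dll", EXCH + r"\Auth\OWAAUTH.dll", True),
    LoadedModule("w3wp.exe", "OWAAUTH.dll", r"C:\Windows\Temp\OWAAUTH.dll", False),
    LoadedModule("w3wp.exe", "Microsoft.Exchange.Clients.Owa.dll",
                 EXCH + r"\bin\Microsoft.Exchange.Clients.Owa.dll", True),
]
```

Running `find_suspicious(SAMPLE)` returns only the rogue copy, with all three reasons attached, while the signed module in the expected directory and the unrelated signed module pass.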
post #2 of 33
Wow, just wow.
post #3 of 33
And just to think of how many State and Gov't agencies use Outlook's mail server, let alone all the private businesses.

I'll have to say this could be interesting.
post #4 of 33
Quote:
Originally Posted by rx7racer View Post

And just to think of how many State and Gov't agencies use Outlook's mail server, let alone all the private businesses.

I'll have to say this could be interesting.

This seems to only be for Outlook Web App, so it may not affect businesses that have only an internal Outlook server. None of my previous employers have used the OWA, requiring VPN to access the internal mail server. However, both universities I have attended use it.

The article title seems a bit misleading though - as per the text, there isn't a backdoor in OWA; the backdoor to which they refer is included in the malicious DLL.

Smart hack though. I suppose that the webmail is the next best target after the domain controller.
Edited by PsycoCarrot - 10/7/15 at 9:18am
post #5 of 33
Thread Starter 
Yeah, it requires the DLL. Interesting all the same!
post #6 of 33
Government needs to step in and set minimum security regulations and enforce them with an iron fist. This is getting silly.
post #7 of 33
Quote:
Originally Posted by DIYDeath View Post

Government needs to step in and set minimum security regulations and enforce them with an iron fist. This is getting silly.

So that they can mandate standards that have backdoors for the alphabets like DUAL_EC_DRBG? No thanks.
post #8 of 33
Quote:
Originally Posted by PiOfPie View Post

So that they can mandate standards that have backdoors for the alphabets like DUAL_EC_DRBG? No thanks.

The other option is to not have any intervention and have the very real possibility that your passwords and potentially your identity are stolen, because corporations seem to magically get away with horrifically lax security on a consistent basis.

Pick your poison. I'd rather have government crack down hard with complete transparency of the issue.
post #9 of 33
Quote:
Originally Posted by DIYDeath View Post

Government needs to step in and set minimum security regulations and enforce them with an iron fist. This is getting silly.

No thanks. Corporations that do not defend themselves will get dropped in favor of corporations that provide better security. The government will put backdoors and do much more sinister things than any hacker.
post #10 of 33
Problem is, even if a company follows the "minimum security regulations", there are still 0-days and hacks will still happen. What happens if a company follows the minimum security guidelines to the letter, or even goes above and beyond, but an enterprising hacker with a fresh 0-day comes and cracks their network wide open? How would the government respond to that?

Even with minimum security regulations, the weakest part of any security system is meatspace. People get socially engineered in stupid ways all the time. Some employee will pick up a flash drive in the parking lot and plug it in, or has an easily-guessable password or something.

IMO, you can't effectively stop major hacks. 2-factor auth EVERYWHERE and employee training will help, but someone's password is going to be Hunter2.