Overclock.net › Forums › Industry News › Software News › [Arstechnica] New Outlook mail server attack steals massive number of passwords

[Arstechnica] New Outlook mail server attack steals massive number of passwords - Page 3

post #21 of 33
Probably an inside job to get the domain credentials to install the DLL; could also just be a stupidly guessable password. It's likely the passwords were not retrieved from AD, but merely copied in flight before hashing to compare against the AD records. Sit in the middle long enough and you can get essentially every user's credentials, and then let the data trickle out to reduce the chances of being spotted.
post #22 of 33
Quote:
Originally Posted by Avonosac View Post

Probably an inside job to get the domain credentials to install the DLL; could also just be a stupidly guessable password. It's likely the passwords were not retrieved from AD, but merely copied in flight before hashing to compare against the AD records. Sit in the middle long enough and you can get essentially every user's credentials, and then let the data trickle out to reduce the chances of being spotted.
The company supposedly bought a very sophisticated monitoring tool, which implies they are not completely brain dead and would lead me to assume they wouldn't store passwords in a decryptable manner or in plain text to allow copying them.
It would have sounded more plausible if the article were talking about hashes and ntds.dit, but it goes on telling us it was on the level of Cain & Abel "hacking" POP3 passwords.
Quote:
If the function found the username and password, it recorded them together with a timestamp
It actually doesn't mention domain controllers at all.
It mentions 11k users/passwords (not entries, mind you) in one txt file on one server, which also implies that the attack was done against a single CAS, which in turn implies that 19k users are sitting on a single-CAS environment.
post #23 of 33
Quote:
Originally Posted by DiNet View Post

The company supposedly bought a very sophisticated monitoring tool, which implies they are not completely brain dead and would lead me to assume they wouldn't store passwords in a decryptable manner or in plain text to allow copying them.
It would have sounded more plausible if the article were talking about hashes and ntds.dit, but it goes on telling us it was on the level of Cain & Abel "hacking" POP3 passwords.
It actually doesn't mention domain controllers at all.
It mentions 11k users/passwords (not entries, mind you) in one txt file on one server, which also implies that the attack was done against a single CAS, which in turn implies that 19k users are sitting on a single-CAS environment.

I don't know why you're jumping to conclusions. To process authentication while on the server, the credentials will have to be in plain text at some point, or essentially in plain text, because the attacker would have access to the salt, the salting algorithm and the key for whatever encryption scheme they were running. The attack placed a DLL on the server; it would be super easy to do some AOP pointcuts around the normal functionality and just decode the creds.
post #24 of 33
Quote:
Originally Posted by Avonosac View Post

I don't know why you're jumping to conclusions. To process authentication while on the server, the credentials will have to be in plain text at some point, or essentially in plain text, because the attacker would have access to the salt, the salting algorithm and the key for whatever encryption scheme they were running. The attack placed a DLL on the server; it would be super easy to do some AOP pointcuts around the normal functionality and just decode the creds.

I'm not doubting you, just curious because I don't know anything about Windows server auth - does OWA seriously decode the user's password versus comparing the hash to a stored value a la /etc/shadow? If this person was in a position to middle-man the auth requests, couldn't they just capture hashes for a pass-the-hash attack? Or am I completely off base here?

Edit: I suppose the user still has to enter credentials, but the hashing is done client-side after the webpage is loaded right? Meaning it's already encrypted before it goes over-the-wire?
Edited by PsycoCarrot - 10/8/15 at 3:10pm
post #25 of 33
I ran this by the security guys at work and they say this thing smells of a kind of advertising for the company. Read the PDF, and a few pages in they extol their solution and how it found the issue quickly.

Also, what they fail to mention is how the payload was delivered to the server in the first place. It all came from a malware DLL file, but was this a former employee who had access to their ADM credentials, or an admin who got their information compromised? This is urgent information. They offered no conclusion other than to say that OWA was on the DMZ and had access to the internet.

As you can see, many people in this thread think that it was a problem with MS rather than a compromise of an admin's credentials, which is the most likely catalyst.
post #26 of 33
Quote:
Originally Posted by DIYDeath View Post

The other option is to not have any intervention and have the very real possibility that your passwords and potentially your identity are stolen, because corporations seem to magically get away with horrifically lax security on a consistent basis.

Pick your poison. I'd rather have government crack down hard with complete transparency of the issue.

The US government has proven to be incredibly inept at understanding anything about technology (see arcane copyright laws). Any regulation passed would be burdensome, lacking in specificity, and largely irrelevant. The industry will have to continue to self regulate.
post #27 of 33
Quote:
Originally Posted by Avonosac View Post

I don't know why you're jumping to conclusions. To process authentication while on the server, the credentials will have to be in plain text at some point, or essentially in plain text, because the attacker would have access to the salt, the salting algorithm and the key for whatever encryption scheme they were running. The attack placed a DLL on the server; it would be super easy to do some AOP pointcuts around the normal functionality and just decode the creds.
Exchange servers use NTLM.
https://www.owasp.org/index.php/Authentication_In_IIS#NTLM
Quote:
The client then uses the password hash and the nonce to build the digest response. Thus the server side of the transaction does not need access to the client's original (clear text) password in order to recompute the digest and verify that the client has knowledge of the password.
It does not at any given point use plain text.
Quote:
In addition, the malicious OWAAUTH.DLL also installed an ISAPI filter into the IIS server, and was filtering HTTP requests. This enabled the hackers to get all requests in cleartext after SSL/TLS decryption.
First they say the server gets HTTP traffic (which it doesn't, actually). To decrypt that traffic they would need access to the certificate with the private key, not ISAPI filters in IIS. And even then, decrypting that traffic would not give them any plain text credentials.
This is bogus information.
They could have used an ISAPI filter to force everything to HTTP traffic; that would break IIS, however.
Also, a public-facing CAS is still port filtered on firewalls and uses only 443 for access.
An internal CAS would need to undergo more changes/configuration to accept HTTP for OWA access.
And both of these require the backend Exchange configuration to accept basic authentication in the first place to actually not be exposed within half an hour.

Edit: Apparently there is something that can be done with an ISAPI filter. However, the exact paragraph was copy-pasted from a Dell SecureWorks report from two months ago.
http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/#appc
Quote:
The following tools appear to be exclusive to TG-3390:

OwaAuth web shell — A web shell and credential stealer deployed to Microsoft Exchange servers. It is installed as an ISAPI filter. Captured credentials are DES-encrypted using the password "12345678" and are written to the log.txt file in the root directory. Like the ChinaChopper web shell, the OwaAuth web shell requires a password. However, the OwaAuth web shell password contains the victim organization's name. More information about the OwaAuth web shell is available in Appendix C.
ASPXTool — A modified version of the ASPXSpy web shell (see Figure 6). It is deployed to internally accessible servers running Internet Information Services (IIS).

Also, some other posts calling out their BS and them changing "facts" in their report.
http://windowsitpro.com/blog/doubtful-security-report-about-owa-flaw-gains-headlines-offers-little-real-value
http://exchangeserverpro.com/misleading-reports-of-outlook-web-app-vulnerability-in-exchange-server/
http://eightwone.com/2015/10/08/owa-hack/
Edited by DiNet - 10/9/15 at 5:21am
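The SecureWorks excerpt DiNet quotes describes OwaAuth as an ISAPI filter that writes captured credentials to a log.txt file. The defensive check that follows from that is to compare the ISAPI filters IIS actually has registered against a baseline. The Python below is an added example, not code from the thread, the report or any vendor: it parses the isapiFilters sections of an IIS applicationHost.config (global and per-site `<location>` scopes) and flags any enabled filter that loads from outside the stock ASP.NET/inetsrv directories or is absent from a recorded baseline. The sample config, the OWAAUTH.DLL path, and the trusted-directory and baseline lists are constructed assumptions for the demo; the real file on a server is %windir%\System32\inetsrv\config\applicationHost.config.

```python
"""Baseline audit of IIS ISAPI filters (added example; not from the thread or the report)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: two stock ASP.NET filters plus a site-scoped filter dropped into /owa.
# The OWAAUTH.DLL path is an assumption for the demo, not a documented location.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <isapiFilters>
      <filter name="ASP.Net_4.0_64bit" path="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_filter.dll" enabled="true" />
      <filter name="ASP.Net_4.0_32bit" path="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_filter.dll" enabled="true" />
    </isapiFilters>
  </system.webServer>
  <location path="Default Web Site/owa">
    <system.webServer>
      <isapiFilters>
        <filter name="OwaAuth" path="C:\inetpub\wwwroot\owa\bin\OWAAUTH.DLL" enabled="true" />
      </isapiFilters>
    </system.webServer>
  </location>
</configuration>
"""

# Assumed baseline: directories stock filters load from, and filter names recorded from a
# known-good server of the same role. Record your own rather than trusting these values.
TRUSTED_PREFIXES = ("c:\\windows\\microsoft.net\\", "c:\\windows\\system32\\inetsrv\\")
BASELINE_NAMES = {"ASP.Net_4.0_64bit", "ASP.Net_4.0_32bit"}


def _norm(path: str) -> str:
    """Case-insensitive, backslash-only form for prefix comparison."""
    return path.replace("/", "\\").lower()


def parse_isapi_filters(xml_text: str) -> list:
    """Return every <filter> under <isapiFilters>, tagged with the scope that declares it."""
    root = ET.fromstring(xml_text)
    scopes = [(root, "<global>")]
    scopes += [(loc, loc.get("path", "")) for loc in root.iter("location")]
    filters = []
    for element, scope in scopes:
        # findall with a relative path only matches filters declared directly in this scope,
        # so site-scoped filters are not counted twice under the global scope.
        for flt in element.findall("system.webServer/isapiFilters/filter"):
            filters.append({
                "scope": scope,
                "name": flt.get("name", ""),
                "path": flt.get("path", ""),
                "enabled": flt.get("enabled", "true").lower() == "true",
            })
    return filters


def audit_filters(filters, trusted_prefixes=TRUSTED_PREFIXES, baseline_names=BASELINE_NAMES):
    """Flag enabled filters that load from outside trusted directories or are missing from the baseline."""
    trusted = tuple(_norm(p) for p in trusted_prefixes)
    findings = []
    for f in filters:
        if not f["enabled"]:
            continue
        reasons = []
        if not _norm(f["path"]).startswith(trusted):
            reasons.append("loads from a non-standard directory")
        if f["name"] not in baseline_names:
            reasons.append("not in baseline")
        if reasons:
            findings.append((f["scope"], f["name"], f["path"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Pass the path of a copied applicationHost.config, or run without arguments for the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for scope, name, path, why in audit_filters(parse_isapi_filters(text)):
        print(f"[{scope}] {name} -> {path}: {why}")
```

Run it against a copy of the config taken from the CAS; on the sample it reports only the OwaAuth entry. Pair it with a search of each site root for the log.txt named in the excerpt, and treat any site-scoped ISAPI filter on an Exchange front end as something that needs an owner and a change record.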
post #28 of 33
Quote:
Originally Posted by PsycoCarrot View Post

I'm not doubting you, just curious because I don't know anything about Windows server auth - does OWA seriously decode the user's password versus comparing the hash to a stored value a la /etc/shadow? If this person was in a position to middle-man the auth requests, couldn't they just capture hashes for a pass-the-hash attack? Or am I completely off base here?

Edit: I suppose the user still has to enter credentials, but the hashing is done client-side after the webpage is loaded right? Meaning it's already encrypted before it goes over-the-wire?

I can't believe it would be decrypting in normal operation, but the encrypted value is present along with all of the information required to decrypt the password in the context of the server request; if you AOP around the method in the bad DLL, you could decrypt it yourself on the fly. Seems this is irrelevant, as apparently it uses a secure enough process; I can't imagine the server is looking up the NTLM hash to store a clear text password. But they could definitely get the hash + nonce combo and use that to get passwords via rainbow tables.

Quote:
Originally Posted by DiNet View Post

Exchange servers use NTLM.
https://www.owasp.org/index.php/Authentication_In_IIS#NTLM
It does not at any given point use plain text.
First they say the server gets HTTP traffic (which it doesn't, actually). To decrypt that traffic they would need access to the certificate with the private key, not ISAPI filters in IIS. And even then, decrypting that traffic would not give them any plain text credentials.
This is bogus information.
They could have used an ISAPI filter to force everything to HTTP traffic; that would break IIS, however.
Also, a public-facing CAS is still port filtered on firewalls and uses only 443 for access.
An internal CAS would need to undergo more changes/configuration to accept HTTP for OWA access.
And both of these require the backend Exchange configuration to accept basic authentication in the first place to actually not be exposed within half an hour.

Edit: Apparently there is something that can be done with an ISAPI filter. However, the exact paragraph was copy-pasted from a Dell SecureWorks report from two months ago.
http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/#appc
Also, some other posts calling out their BS and them changing "facts" in their report.
http://windowsitpro.com/blog/doubtful-security-report-about-owa-flaw-gains-headlines-offers-little-real-value
http://exchangeserverpro.com/misleading-reports-of-outlook-web-app-vulnerability-in-exchange-server/
http://eightwone.com/2015/10/08/owa-hack/

Sounds like it's mostly BS if they are claiming the passwords on the server were stored in plain text... unless they looked up the NTLM hash in a rainbow table or something to store it...
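The OWASP passage DiNet quotes and the hash-plus-nonce point Avonosac raises are easiest to see side by side in code. The Python below is an added example, not code from the thread, OWASP or Microsoft: a toy challenge-response login in which the server stores only a password hash and checks an HMAC over a one-time nonce, so the clear-text password is never handed to the server process and a captured response cannot be replayed; beside it, a Basic-auth request, where whatever sits in the server process after TLS termination (an ISAPI filter included) can read the password directly. HMAC-SHA256 stands in for the NTLM and Digest computations the thread mentions; the user names, passwords, nonces, host name and request text are constructed.

```python
"""Toy challenge-response login vs. Basic auth (added example; not from the thread, OWASP or Microsoft)."""
import base64
import hashlib
import hmac
import secrets


def password_verifier(password: str) -> bytes:
    """The only per-user secret the server stores: a hash of the password (stands in for the NT hash)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


class Server:
    def __init__(self):
        self.verifiers = {}       # user -> stored hash; the clear-text password is never kept
        self.outstanding = set()  # nonces issued but not yet consumed
        self.seen = []            # every auth message the server process (and any in-process filter) received

    def enroll(self, user: str, password: str) -> None:
        self.verifiers[user] = password_verifier(password)

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        self.seen.append((user, nonce, response))
        if nonce not in self.outstanding:  # unknown or already-consumed nonce: a replay
            return False
        self.outstanding.discard(nonce)
        stored = self.verifiers.get(user)
        if stored is None:
            return False
        expected = hmac.new(stored, nonce, hashlib.sha256).digest()  # recomputed from the stored hash only
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, user: str, password: str):
        self.user = user
        self.hash = password_verifier(password)  # derived on the client; the password itself stays there

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.hash, nonce, hashlib.sha256).digest()


def challenge_response_login(server: Server, client: Client) -> bool:
    """One full exchange: the server issues a nonce, the client answers, the server checks."""
    nonce = server.challenge()
    return server.verify(client.user, nonce, client.respond(nonce))


def replay_last_message(server: Server) -> bool:
    """Re-submit the last message the server saw; the consumed nonce makes it fail."""
    user, nonce, response = server.seen[-1]
    return server.verify(user, nonce, response)


def basic_auth_request(user: str, password: str) -> bytes:
    """Constructed Basic-auth request as it looks inside the server after TLS termination."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return (f"GET /owa/ HTTP/1.1\r\nHost: mail.example.test\r\n"
            f"Authorization: Basic {token}\r\n\r\n").encode("utf-8")


def exposed_credential(request: bytes):
    """Return (user, password) if the request carries a reusable clear-text credential, else None."""
    for line in request.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            decoded = base64.b64decode(line.split(b" ", 2)[2]).decode("utf-8")
            user, _, password = decoded.partition(":")
            return user, password
    return None


if __name__ == "__main__":
    srv = Server()
    srv.enroll("alice", "correct horse battery")
    print("login:", challenge_response_login(srv, Client("alice", "correct horse battery")))  # True
    print("replay:", replay_last_message(srv))  # False
    print("basic exposes:", exposed_credential(basic_auth_request("alice", "correct horse battery")))
```

The protocol property is bounded by the caveat Avonosac notes: a logged (nonce, response) pair still permits offline guessing against weak passwords, so challenge-response limits what an in-process filter sees but does not make a guessable password safe. A forms login that posts the password in the request body is in the same position as the Basic case.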
post #29 of 33
Quote:
Originally Posted by Avonosac View Post


Sounds like it's mostly BS if they are claiming the passwords on the server were stored in plain text... unless they looked up the NTLM hash in a rainbow table or something to store it...

It's not mostly BS; the company that put out this PDF is BS. Paraphrased a 2-month-old Dell SecureWorks report. Even the backdoor function map is copy-pasted...
Need to read it in full some time later, just skipped through it out of interest.
No, there are no Jedi powers or mystical zero-days in IIS or OWA; the attack comes from phishing emails, if you're wondering.
Edited by DiNet - 10/9/15 at 8:59am
post #30 of 33
Does OWA run on the Exchange server or not? Because if it doesn't, then you can still do an AOP man-in-the-middle attack with a rainbow table, because you'll have the nonce and NTLM hash from the OWA request.