Hidden Exchange Server Attack Steals Passwords

Security researchers have uncovered a tailored attack that infected a large company’s Exchange email server for months, harvesting more than 11,000 user passwords.

Researchers at Cybereason, an Israeli security start-up founded by former military IT security experts, said the attack demonstrates the growing danger posed by targeted attacks, known in industry language as advanced persistent threats (APT), which may remain undetected for months or years.

An unnamed customer called Cybereason in after noticing irregular server behaviour, and the company used software installed across all 19,000 of the customer’s endpoints to isolate the source of the problem – a suspicious DLL file loaded into the Outlook Web App (OWA) server, a component of Microsoft Exchange Server that enables access to webmail.

“Although it had the same name as another benign DLL, the suspicious DLL went unsigned and was loaded from a different directory,” Cybereason said in an advisory published on Monday. “Since OWA servers typically load only legitimately signed DLLs, the Cybereason behavioural engine immediately elevated this event to a suspicion.”

The attack was aimed at stealing the passwords of the users logging into OWA, and Cybereason discovered a cache of more than 11,000 username/password pairs.

“This treasure trove essentially gave the hackers complete access to every identity and therefore every asset in the organisation,” the company wrote.

Tailored attack

The malware included backdoor capabilities that allowed the attackers to access the password data remotely. It used search terms that included the customer’s name, proving it was tailored for that particular target, Cybereason said.

The OWA component was configured in such a way as to be directly accessible via the Internet, and this is likely to be the means by which the breach occurred, according to the firm. “This enabled the hackers to establish persistent control over the entire organisation’s environment without being detected for a period of several months,” Cybereason wrote.

While Active Directory Server is known for handling sensitive data, and as such is well-protected, the attack demonstrates that a lesser-known component such as OWA can prove to be just as dangerous a weak spot, according to Cybereason.

“While most security professionals understand the sensitivity of data in the (Active Directory Server), the OWA server serves as a focal point for the exact same sensitive data,” the firm wrote.

The incident demonstrates the growing prevalence of tailored attacks, which are difficult to defend against because they are unique, according to a security expert.

“Although threat intelligence can help tell organisations if a particular threat or indicator has been seen by others, they still need strong security intelligence within their own network to identify anomalies and potential threats that may not have been seen before,” said Ken Westin, senior security analyst at Tripwire.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
