In 2021, advanced threat actors increasingly exploited vulnerabilities in Microsoft Exchange Server. In March, four critical vulnerabilities in the servers allowed attackers to gain access to all registered email accounts and execute arbitrary code. While searching for additional potentially malicious implants in Exchange, Kaspersky experts uncovered a malicious module that allows the attackers to steal login credentials for Outlook Web Access and gain remote control of the underlying server. Kaspersky has dubbed this module Owowa. Its capabilities are triggered by requests that look entirely ordinary to the server - in this case, OWA authentication requests.
Kaspersky experts believe the module was compiled between late 2020 and April 2021, and it has been seen targeting victims in Malaysia, Mongolia, Indonesia, and the Philippines. Most of the victims were linked to government organisations; one was a state transportation company. It is likely there are additional victims located in Europe.
Detected Owowa targets are located in several regions in Asia
Because the module inspects every OWA authentication request, the attackers need nothing more than access to the OWA log-in page of a compromised server: specially crafted values entered into the username and password fields are interpreted by Owowa as commands rather than forwarded as credentials. This is an efficient way for attackers to gain a strong foothold in targeted networks by persisting inside an Exchange server.
Kaspersky researchers could not associate Owowa to any known threat actor. Yet, they did find that it was associated with the username “S3crt”, a developer that may be behind several other malicious binary loaders. However, “S3crt” is a simple derivation of the English word “secret” and could very well be used by multiple individuals. Therefore, it’s also possible that these malicious binary files and Owowa are not connected.
“The particular danger with Owowa is that an attacker can use the module to passively steal credentials from users who are legitimately accessing web services. This is a far stealthier way to gain remote access than sending phishing emails. In addition, while IIS configuration tools can be leveraged to detect such threats, they are not part of standard file and network monitoring activities, so Owowa might be easily overlooked by security tools,” comments Pierre Delcher, Senior Security Researcher with Kaspersky’s Global Research and Analysis Team (GReAT).
“Since Owowa is an IIS module, this also means it persists even if Microsoft Exchange is updated. The good news is, the attackers don’t appear highly sophisticated. Companies should closely monitor Exchange servers since they are highly sensitive and contain all corporate emails. We also recommend considering all running modules as critical and checking them regularly,” comments Paul Rascagneres, Senior Security Researcher with Kaspersky’s GReAT.
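The check both researchers describe, enumerating the IIS modules an Exchange front end actually loads and treating every one of them as critical, can be scripted with the WebAdministration cmdlets that ship with IIS. The script below is an added example and is not code from the Kaspersky report; the trusted-namespace and trusted-signer lists and the baseline file path are assumptions to adjust for your environment. It lists native modules (checking the Authenticode signature of each DLL), lists managed .NET modules at the server, site and application level (the level at which a web.config can quietly add one), and diffs the result against the previous run so that a newly registered module stands out even if it was given a plausible name.

```powershell
# Added example, not from the Kaspersky report: inventory the IIS modules an
# Exchange front end is loading and flag anything outside the expected
# Microsoft baseline. An Owowa-style implant has to be registered as a module
# to see OWA logins, so this is the list an attacker cannot avoid appearing in.
# Run in an elevated PowerShell session on the Exchange/IIS host.
Import-Module WebAdministration -ErrorAction Stop

# Environment assumptions (adjust): class namespaces and Authenticode signers
# expected on a stock Exchange server. Everything else is reported for review.
$trustedNamespaces = @('System.', 'Microsoft.')
$trustedSigners    = @('O=Microsoft Corporation')
$baselineFile      = 'C:\SecOps\iis-modules-baseline.json'   # hypothetical path

$inventory = New-Object System.Collections.Generic.List[object]

# 1. Native modules (<globalModules> in applicationHost.config): each entry is
#    a DLL path, so verify the signature of the image itself.
foreach ($m in Get-WebGlobalModule) {
    $path = [Environment]::ExpandEnvironmentVariables($m.Image)
    $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    $subject = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned or file missing>' }
    $ok = ($sig -and $sig.Status -eq 'Valid') -and
          [bool]($trustedSigners | Where-Object { $subject -like "*$_*" })
    $inventory.Add([pscustomobject]@{
        Scope = 'MACHINE/WEBROOT/APPHOST'; Kind = 'native'; Name = $m.Name
        Detail = "$path [$subject; $($sig.Status)]"; Suspicious = -not $ok
    })
}

# 2. Managed (.NET) modules, which is how a C# assembly like Owowa is loaded.
#    They can be registered server-wide or in any site/application web.config,
#    so walk every scope instead of only the server level.
$scopes = @('MACHINE/WEBROOT/APPHOST')
foreach ($site in Get-Website) {
    $scopes += "IIS:\Sites\$($site.Name)"
    foreach ($app in Get-WebApplication -Site $site.Name) {
        $scopes += "IIS:\Sites\$($site.Name)\$($app.Path.TrimStart('/'))"
    }
}
foreach ($scope in $scopes) {
    foreach ($m in Get-WebManagedModule -PSPath $scope -ErrorAction SilentlyContinue) {
        # Type is "Namespace.Class, Assembly, Version=..., PublicKeyToken=..."
        $class = ($m.Type -split ',')[0].Trim()
        $ok = [bool]($trustedNamespaces | Where-Object { $class.StartsWith($_) })
        $inventory.Add([pscustomobject]@{
            Scope = $scope; Kind = 'managed'; Name = $m.Name
            Detail = $m.Type; Suspicious = -not $ok
        })
    }
}

# 3. Report: modules outside the baseline, and modules that were not present
#    in the previous saved inventory (site scopes repeat inherited entries, so
#    de-duplicate first).
$current = $inventory | Sort-Object Scope, Kind, Name, Detail -Unique
$new = @()
if (Test-Path $baselineFile) {
    $known = @{}
    foreach ($b in (Get-Content $baselineFile -Raw | ConvertFrom-Json)) {
        $known["$($b.Scope)|$($b.Name)|$($b.Detail)"] = $true
    }
    $new = $current | Where-Object { -not $known.ContainsKey("$($_.Scope)|$($_.Name)|$($_.Detail)") }
}

Write-Host '== Modules outside the Microsoft baseline =='
$current | Where-Object Suspicious | Format-Table Scope, Kind, Name, Detail -AutoSize
Write-Host '== Modules not present in the previous inventory =='
$new | Format-Table Scope, Kind, Name, Detail -AutoSize

# Save this run as the new baseline only after every finding has been reviewed.
# $current | ConvertTo-Json -Depth 3 | Set-Content $baselineFile
```

A stock Exchange server registers many managed modules under Microsoft.Exchange.*, so expect the baseline list to be long on the first run; the value is in the diff on every later run. `%windir%\system32\inetsrv\appcmd.exe list modules` gives the same raw listing from a command prompt. Since an attacker who has already installed a module has administrative access to the host, do not rely solely on output produced on that host: copy applicationHost.config and the relevant web.config files off the box and compare them against a known-good copy as well.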
Read the full report about Owowa on Securelist.
To protect yourself from such threats, Kaspersky recommends: