The Microsoft Outlook Web Application (OWA) is an Internet-facing webmail server that private companies and organisations deploy to provide internal emailing capabilities.
Researchers from security vendor Cybereason discovered a suspicious DLL file loaded into a company's OWA server that siphoned decrypted HTTPS server requests.
Although the file had the same name as another benign DLL file, the suspicious DLL file was unsigned and loaded from another directory.
Hackers Placed Malicious DLL on OWA Server
According to the security firm, the attacker replaced the OWAAUTH.dll file (used by OWA as part of the authentication mechanism) with one that contained a dangerous backdoor.
Since it ran on the OWA server, the backdoored DLL file allowed hackers to collect all HTTPS-protected server requests, including login information after they had been decrypted, i.e., in clear text.
"OWA was configured in [such] a way that [it] allowed Internet-facing access to the server," Cybereason wrote in a post published Monday. "This enabled the hackers to establish persistent control over the entire organization's environment without being detected for several months."
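The tell described above (a DLL with a trusted name, but unsigned and loaded from a different directory) is a check defenders can run over module-load inventory. The following is an added example, not Cybereason's tooling or code from the report; the baseline directory, record format and sample records are constructed placeholders.

```python
"""Flag loaded modules that reuse a trusted DLL name but fail the baseline."""
import ntpath  # Windows path rules, usable on any analysis host

# Assumed baseline: trusted DLL name -> directory it should load from.
# The directory is a constructed placeholder, not the real install path.
BASELINE = {"owaauth.dll": r"c:\example\owa\auth"}


def check_module(record, baseline=BASELINE):
    """Return findings for one module-load record.

    record: dict with 'process', 'path' and 'signed' (bool: the result of
    a signature check performed by whatever collected the inventory).
    """
    path = record["path"]
    name = ntpath.basename(path).lower()
    if name not in baseline:
        return []  # no baseline for this name, nothing to compare
    findings = []
    # Normalise so case differences and "..\" segments cannot hide a match.
    directory = ntpath.normpath(ntpath.dirname(path)).lower()
    if directory != baseline[name]:
        findings.append("unexpected-directory")
    if not record["signed"]:
        findings.append("unsigned")
    return findings


def triage(records, baseline=BASELINE):
    """Map each suspicious module path to its findings; clean loads are skipped."""
    report = {}
    for rec in records:
        findings = check_module(rec, baseline)
        if findings:
            report[rec["path"]] = findings
    return report


# Constructed sample records, as an inventory script or EDR export might emit.
SAMPLE = [
    {"process": "w3wp.exe", "path": r"C:\Example\OWA\Auth\owaauth.dll", "signed": True},
    {"process": "w3wp.exe", "path": r"C:\Example\Cache\Temp\OWAAUTH.dll", "signed": False},
    {"process": "w3wp.exe", "path": r"C:\Example\OWA\Auth\..\Auth\owaauth.dll", "signed": True},
    {"process": "w3wp.exe", "path": r"C:\Example\Other\unrelated.dll", "signed": False},
]

if __name__ == "__main__":
    for path, findings in triage(SAMPLE).items():
        print(path, "->", ", ".join(findings))
```

Only the second sample record is reported: it carries the trusted name but fails both the directory and the signature check, while the unrelated unsigned DLL is ignored because it has no baseline entry.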
Hackers Stole 11,000 Credentials
Every user accessing the hacked server had their username and password compromised and stored by the attackers.
Researchers discovered more than 11,000 username and password combinations in a log.txt file in the server's "C:\" partition. The log.txt file is believed to have been used by the attackers to store all logged data.
The unnamed company, which detected "behavioural abnormalities" across its network before reaching out to security firm Cybereason, had more than 19,000 endpoints.
To prevent their backdoor from being removed, the attackers also created an IIS (Microsoft's Web server) filter through which they loaded the malicious OWAAUTH.dll file every time the server was restarted.
To add icing to the cake, the advanced persistent attackers utilized a .NET assembly cache in order to avoid auditing and security inspection.
The security firm did not say how widespread this attack is beyond its targeting of one organisation, but it is possible that the attack is hitting, or could hit, other large organizations as well.