The malware on a company’s Exchange server remained undetected for months
Security researchers have uncovered a tailored attack that infected a large company’s Exchange email server for months, harvesting more than 11,000 user passwords.
Researchers at Cybereason, an Israeli security start-up founded by former military IT security experts, said the attack demonstrates the growing danger posed by targeted attacks, known in industry language as advanced persistent threats (APT), which may remain undetected for months or years.
An unnamed customer called Cybereason in after noticing irregular server behaviour, and the company used software installed across all 19,000 of the customer’s endpoints to isolate the source of the problem – a suspicious DLL file loaded into the Outlook Web App (OWA) server, a component of Microsoft Exchange Server that enables access to webmail.
“Although it had the same name as another benign DLL, the suspicious DLL went unsigned and was loaded from a different directory,” Cybereason said in an advisory published on Monday. “Since OWA servers typically load only legitimately signed DLLs, the Cybereason behavioural engine immediately elevated this event to a suspicion.”
The attack was aimed at stealing the passwords of the users logging into OWA, and Cybereason discovered a cache of more than 11,000 username/password pairs.
“This treasure trove essentially gave the hackers complete access to every identity and therefore every asset in the organisation,” the company wrote.
The malware included backdoor capabilities that allowed the attackers to access the password data remotely. It used search terms that included the customer’s name, proving it was tailored for that particular target, Cybereason said.
The OWA component was configured in such a way as to be directly accessible via the Internet, and this is likely to be the means by which the breach occurred, according to the firm. “This enabled the hackers to establish persistent control over the entire organisation’s environment without being detected for a period of several months,” Cybereason wrote.
While Active Directory Server is known for handling sensitive data, and as such is well-protected, the attack demonstrates that a lesser-known component such as OWA can prove to be just as dangerous a weak spot, according to Cybereason.
“While most security professionals understand the sensitivity of data in the (Active Directory Server), the OWA server serves as a focal point for the exact same sensitive data,” the firm wrote.
The incident demonstrates the growing prevalence of tailored attacks, which are difficult to defend against because they are unique, according to a security expert.
“Although threat intelligence can help tell organisations if a particular threat or indicator has been seen by others, they still need strong security intelligence within their own network to identify anomalies and potential threats that may not have been seen before,” said Ken Westin, senior security analyst at Tripwire.
Are you a security pro? Try our quiz!