Categories: Security

Hidden Exchange Server Attack Steals Passwords

Security researchers have uncovered a tailored attack that infected a large company’s Exchange email server for months, harvesting more than 11,000 user passwords.

Researchers at Cybereason, an Israeli security start-up founded by former military IT security experts, said the attack demonstrates the growing danger posed by targeted attacks, known in industry language as advanced persistent threats (APT), which may remain undetected for months or years.

An unnamed customer called Cybereason in after noticing irregular server behaviour, and the company used software installed across all 19,000 of the customer’s endpoints to isolate the source of the problem – a suspicious DLL file loaded into the Outlook Web App (OWA) server, a component of Microsoft Exchange Server that enables access to webmail.

“Although it had the same name as another benign DLL, the suspicious DLL went unsigned and was loaded from a different directory,” Cybereason said in an advisory published on Monday. “Since OWA servers typically load only legitimately signed DLLs, the Cybereason behavioural engine immediately elevated this event to a suspicion.”
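One way to automate the check Cybereason describes, as an added example rather than the firm's own tooling: triage a loaded-module inventory from the OWA worker process for DLLs that are unsigned, or that share a known module's file name but were loaded from a different directory. The baseline, module names, paths and inventory records below are constructed placeholders, not values from the advisory.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed baseline of known-good OWA modules and the directory each should
# load from. Names and paths are constructed placeholders, not values from
# the advisory or from a real Exchange install.
BASELINE = {
    "example_auth_module.dll": r"C:\Exchange\ClientAccess\Owa\bin",
    "example_proxy_module.dll": r"C:\Exchange\ClientAccess\Owa\bin",
}


@dataclass(frozen=True)
class Module:
    """One loaded-module record, e.g. exported from the OWA worker process."""
    path: str      # full path the module was loaded from
    signed: bool   # True only if its Authenticode signature verified


def triage(modules):
    """Return {path: [reasons]} for modules matching the sideloading pattern."""
    findings = {}
    for m in modules:
        p = PureWindowsPath(m.path)
        reasons = []
        # An OWA server should load only signed code, so unsigned is suspicious on its own.
        if not m.signed:
            reasons.append("unsigned")
        # Same file name as a known-good module, but loaded from somewhere else.
        expected = BASELINE.get(p.name.lower())
        if expected and str(p.parent).lower() != expected.lower():
            reasons.append("path differs from baseline")
        if reasons:
            findings[m.path] = reasons
    return findings


# Constructed inventory: one benign copy of each baseline module, a rogue
# unsigned look-alike loaded from a different directory, and an unsigned extra.
SAMPLE_MODULES = [
    Module(r"C:\Exchange\ClientAccess\Owa\bin\example_auth_module.dll", True),
    Module(r"C:\Exchange\ClientAccess\Owa\bin\example_proxy_module.dll", True),
    Module(r"C:\Exchange\ClientAccess\Owa\auth\example_auth_module.dll", False),
    Module(r"C:\Exchange\ClientAccess\Owa\bin\example_helper.dll", False),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_MODULES).items():
        print(f"SUSPICIOUS {path}: {', '.join(reasons)}")
```

On a real server the inventory would come from the module list of the OWA worker process and the signature status from an Authenticode check; the triage logic stays the same.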

The attack was aimed at stealing the passwords of the users logging into OWA, and Cybereason discovered a cache of more than 11,000 username/password pairs.

“This treasure trove essentially gave the hackers complete access to every identity and therefore every asset in the organisation,” the company wrote.

Tailored attack

The malware included backdoor capabilities that allowed the attackers to access the password data remotely. It used search terms that included the customer’s name, proving it was tailored for that particular target, Cybereason said.

The OWA component was configured in such a way as to be directly accessible via the Internet, and this is likely to be the means by which the breach occurred, according to the firm. “This enabled the hackers to establish persistent control over the entire organisation’s environment without being detected for a period of several months,” Cybereason wrote.

While Active Directory Server is known for handling sensitive data, and as such is well-protected, the attack demonstrates that a lesser-known component such as OWA can prove to be just as dangerous a weak spot, according to Cybereason.

“While most security professionals understand the sensitivity of data in the (Active Directory Server), the OWA server serves as a focal point for the exact same sensitive data,” the firm wrote.

The incident demonstrates the growing prevalence of tailored attacks, which are difficult to defend against because they are unique, according to a security expert.

“Although threat intelligence can help tell organisations if a particular threat or indicator has been seen by others, they still need strong security intelligence within their own network to identify anomalies and potential threats that may not have been seen before,” said Ken Westin, senior security analyst at Tripwire.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDnet and other leading publications.
