How do you cook a backdoor?
It won't fit in the oven
Security researchers Yonatan Striem-Amit and Yoav Orot say attackers have cooked a dangerous backdoor capable of hosing organisations using Microsoft Outlook Web Access (OWA). The pair from Boston outfit Cybereason detected the attack in a malicious .dll file that siphoned decrypted HTTPS server requests. Chief technology …
"The pair point out that OWA server admins are owners of an organisation's domain credentials, making it a juicy attack vector."
No, they are not. Email admins would not normally have domain admin rights in a properly set up environment. Also, no admin should be using admin credentials to access their normal account / email via OWA.
That they got remote access to an OWA server - which are pretty secure by default - smells of a larger problem in the environment.
There's a separation between Exchange and domain admins only in the larger enterprises. I've worked for many SMEs, public and private, and in all, I was both a domain and Exchange admin. I personally think it's the most common scenario.
However, SMEs are probably not the most broad attack surface in terms of number of potentially-compromised accounts per environment. Then again, there are more of them than large enterprises.
Larger problems? More like problems one can sail a supertanker through.
First, separate the admin account from the user account and ensure the passwords are different. Personally, for that, I prefer two-factor authentication, for user and admin accounts.
One also has the OWA front-end servers *not* running Exchange, and pinholes made in the firewall. I've personally seen both on a box in the DMZ at a Fortune 200 company.
It's an interesting bit of reading, but I must have missed the part about how all these bits & bobs got on to the server in the first place, given that if you have sufficient access to plant these things in those places, then it's probably not far from game over already.
I'm also a little unclear on how capturing OWA user credentials gives control over the entire domain, unless a domain administrator is using OWA? I will confess Windows is not my primary environment, perhaps that's obvious...
I don't often read these fully, so I might have misunderstood but it looks more like a proposed spec than anything else!
@Doctor_Wibble - it isn't all that clear actually, so I am with you on this.
I think this was something a pentest firm "cooked" up as part of a scheduled and funded penetration test.
Without knowing the scope of the test and what access levels they were given, it's hard to tell how they deployed the malware, but one example would be testing what can happen if an insider (without privileged accounts) decides to get all malicious.
The more interesting bit is that now this attack is known to be possible, lots and lots of malware producers will be trying to develop their own version.
Usually Exchange users - including those accessing it via OWA - use their domain credentials (SSO...) to access it. If someone is so foolish as to use his or her domain admin account as an "everyday" account (unluckily, I've seen people doing that; it's sooooo easy to access everything without the hassle of using a different login that way...), and you can get the credentials, you're thoroughly p0wned...
Moreover, there are some administrative tasks that can be performed by the Exchange web interface - and there's a good chance in some networks mail administrators are domain admins as well (bad practice too).
Yet it's still interesting to know how they planted the malicious DLL - did they have access to the server, or did they exploit an IIS/OWA vulnerability?
That would be the bit that misfired in your brain.
Order of events is:
1. Company is hacked.
2. Company admins belatedly discover serious anomalies in the log files.
3. Company hires security boffins to find the problem.
4. Security boffins find malicious dll file on the OWA server.
So no, the security company was not granted prior access.
Were I to speculate, I'd guess an admin account that was used for mail. If you grab the credentials from the login in a wireless cafe (think StarBucks, back in the day it was the only reason I went there) and realize they are admin credentials when you log into the OWA system, p@wnage is sure to follow.
It's obviously true that yes, this requires a precursor hack to get the DLL in place - and in any environment where the admins have any training at all, installing a DLL onto the front-end MX should already require domain admin creds.
But this might still be relevant for 'after the breach' hacks - everyone changes their password, the CISO is fired, the firewall is swapped for one that costs six times as much, etc., but the Exchange server remains compromised, so the attackers can easily re-acquire credentials.
I'm no fan of OWA or Exchange for that matter, but this is not news. The attack requires additional access in the first instance to stuff that you just can't get to via a web portal.
The only threat here is disgruntled ex-employees with server access...which is a threat regardless.
Yes it is. However, as others have commented, the real issue here is not that the OWA service was used to gain access to domain credentials, but how the offending DLL was installed on the server in the first place, and how the server config was manipulated to load the malicious DLL in place of the legitimate one. That was the cause of the breach; everything else was the effect.
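The last comment puts the finger on the server configuration that was altered to load a planted DLL. As an added example (not code from the thread's commenters, from The Register or from Cybereason), the PowerShell below inventories the DLLs that IIS loads as global modules on an OWA front-end, records their SHA-256 hashes and Authenticode status, and diffs the result against a baseline taken from a known-good server. The baseline path and the `-WriteBaseline` switch are this example's own conventions; `Get-WebGlobalModule`, `Get-FileHash` and `Get-AuthenticodeSignature` are standard cmdlets on a server with the IIS management tools installed.

```powershell
# Added example: baseline-and-diff of IIS global modules on an OWA front-end.
# Not from the thread or from Cybereason. Assumes the WebAdministration module
# (IIS management tools) is present and that the baseline JSON was produced by an
# earlier run of this same script with -WriteBaseline on a known-good server.

param(
    [string]$BaselinePath = 'C:\Baselines\iis-global-modules.json',  # placeholder path
    [switch]$WriteBaseline
)

Import-Module WebAdministration

function Get-IisModuleInventory {
    # One record per global module: name, resolved image path, SHA-256 of the file on
    # disk, and the Authenticode signature status plus signer subject (if any).
    foreach ($m in Get-WebGlobalModule) {
        # Image paths in applicationHost.config usually contain %windir% etc.
        $path = [Environment]::ExpandEnvironmentVariables($m.Image)
        $hash = $null; $sigStatus = 'FileMissing'; $signer = $null
        if (Test-Path -LiteralPath $path) {
            $hash      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig       = Get-AuthenticodeSignature -LiteralPath $path
            $sigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Name      = $m.Name
            Image     = $path
            Sha256    = $hash
            Signature = $sigStatus
            Signer    = $signer
        }
    }
}

function Compare-IisModuleInventory {
    # Emits one finding per deviation: new module, removed module, image path or hash
    # change, and any module whose signature is not 'Valid'.
    param([object[]]$Current, [object[]]$Baseline)
    $base = @{}
    foreach ($b in $Baseline) { $base[$b.Name] = $b }
    $seen = @{}
    foreach ($c in $Current) {
        $seen[$c.Name] = $true
        if (-not $base.ContainsKey($c.Name)) {
            [pscustomobject]@{ Finding = 'NewModule'; Name = $c.Name; Detail = $c.Image }
            continue
        }
        $b = $base[$c.Name]
        if ($c.Image -ne $b.Image) {
            [pscustomobject]@{ Finding = 'ImagePathChanged'; Name = $c.Name; Detail = "$($b.Image) -> $($c.Image)" }
        }
        if ($c.Sha256 -ne $b.Sha256) {
            [pscustomobject]@{ Finding = 'HashChanged'; Name = $c.Name; Detail = "$($b.Sha256) -> $($c.Sha256)" }
        }
        if ($c.Signature -ne 'Valid') {
            [pscustomobject]@{ Finding = 'UnsignedOrInvalid'; Name = $c.Name; Detail = "$($c.Signature) $($c.Signer)" }
        }
    }
    foreach ($name in $base.Keys) {
        if (-not $seen.ContainsKey($name)) {
            [pscustomobject]@{ Finding = 'ModuleRemoved'; Name = $name; Detail = $base[$name].Image }
        }
    }
}

$current = @(Get-IisModuleInventory)
if ($WriteBaseline) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) modules)"
} else {
    $baseline = @(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)
    $findings = @(Compare-IisModuleInventory -Current $current -Baseline $baseline)
    if ($findings.Count -eq 0) { Write-Host 'No differences from baseline.' }
    else { $findings | Format-Table -AutoSize }
}
```

Run it once with `-WriteBaseline` on a freshly patched, trusted server, then on a schedule (or from an incident-response jump box) without the switch. A hash change is expected after every Exchange or Windows update, so re-baseline as part of patching; a new module, an image path pointing outside the Exchange and `inetsrv` directories, or a non-`Valid` signature on a module that used to be Microsoft-signed is the kind of deviation worth an immediate look. The check covers global modules only; site- and application-level `<modules>` entries in web.config would need a similar pass with `Get-WebConfiguration`.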