A recent, very short blog post appeared on the Exchange Team public blog. It was so short I almost missed it in my feed, but it was rather interesting. The title: "No new security vulnerability in Outlook Web Access (OWA)." The gist? A security research company called Cybereason published a blog post about an APT targeting OWA. Arstechnica, normally a very reliable source of information on all things technology, ran a story called "New Outlook mailserver attack steals massive number of passwords." Microsoft then published a blog post that says, in essence, nothing to see here folks, move along.

Here’s a little more information, gleaned from various sources online including the original report. You can read the report yourself (it is a PDF), but I will summarize it for you below. If the Arstechnica author had read the report too, perhaps the sensationalism would not have been there in the article.

From Cybereason’s blog post, they say…

“Read the research report to find out:

  • how the hackers backdoored OWA, enabling them to collect and retain ownership over a large set of credentials
  • how the hackers maintained persistent control over the organization’s environment through the OWA control
  • how Cybereason detected and helped contain the attack.”

According to the actual report, the hackers backdoored OWA by installing a malicious DLL to replace OWAAUTH.DLL. Okay, first flag on the play. How did they get system/admin level access to start installing stuff on the server? According to Cybereason, in a comment on Graham Cluley’s blog reporting on this same issue, the “hackers managed to obtain access to this server using stolen credentials.” Okay, that right there is GAME OVER.

Did the hackers, sitting in the dark and viewed up close, so that only a reflection of the code they were typing showed in their dark glasses, execute some amazing hacker legerdemain that rooted the server? No, they had stolen admin creds! Now don’t get me wrong, the DLL they coded to grab creds was pretty sweet, and how they hid it was brilliant, but this did not start with some back door in OWA. It started with stolen admin creds! Those may very well have been stolen through an APT, but there are an awful lot of steps between an APT compromising admin creds and reporting that OWA has a vulnerability exposing usernames and passwords.

The hackers also installed a remote access tool while they were on the OWA server. That’s how they maintained persistent control. Well, okay, since they already owned the server because they owned an admin’s creds, they could have installed anything on that box. A RAT is pretty simple in that case. With the RAT, the attackers had a foothold on the network. With the compromised DLL able to grab the creds of everyone who logged onto OWA, they could move laterally to anything they could reach. After all, they had credentials!
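The replaced OWAAUTH.DLL described above is the kind of thing a routine integrity check on the Exchange server catches. As an added example (not code from this post, Microsoft, or Cybereason), the PowerShell below audits the OWA auth directory for binaries that are unsigned, not signed by Microsoft, or whose SHA256 differs from a known-good baseline; the relative directory path, the `$env:ExchangeInstallPath` variable being set on the server, and the baseline CSV layout (`Path,SHA256`) are all assumptions.

```powershell
# Added example: audit OWA authentication binaries for tampering (defender check).
# Assumption: Exchange 2013+ directory layout under $env:ExchangeInstallPath.
$AuthDir     = Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\owa\auth'
$BaselineCsv = $null   # optional: CSV with Path,SHA256 columns taken from a known-good server

function Test-OwaAuthBinaries {
    param([string]$Dir, [string]$Baseline)

    # Load known-good hashes, if a baseline was supplied (assumed CSV format).
    $baselineHashes = @{}
    if ($Baseline -and (Test-Path $Baseline)) {
        Import-Csv $Baseline | ForEach-Object { $baselineHashes[$_.Path.ToLower()] = $_.SHA256 }
    }

    Get-ChildItem -Path $Dir -Recurse -Include *.dll,*.exe -File | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        $findings = @()
        # A swapped-in DLL is typically unsigned or carries a non-Microsoft signer.
        if ($sig.Status -ne 'Valid')         { $findings += "signature $($sig.Status)" }
        if ($signer -notmatch 'O=Microsoft') { $findings += "signer '$signer'" }

        # With a baseline, also flag new files and hash mismatches.
        $key = $_.FullName.ToLower()
        if ($baselineHashes.Count -gt 0) {
            if (-not $baselineHashes.ContainsKey($key)) { $findings += 'not in baseline' }
            elseif ($baselineHashes[$key] -ne $hash)    { $findings += 'hash differs from baseline' }
        }

        [pscustomobject]@{
            Path    = $_.FullName
            SHA256  = $hash
            Signer  = $signer
            Suspect = ($findings.Count -gt 0)
            Reason  = ($findings -join '; ')
        }
    }
}

# Print only the suspicious entries; a replaced OWAAUTH.DLL would appear here.
Test-OwaAuthBinaries -Dir $AuthDir -Baseline $BaselineCsv |
    Where-Object Suspect |
    Format-Table Path, Signer, Reason -AutoSize
```

Running this from a scheduled task and shipping the output to a SIEM turns a quiet DLL swap into an alert rather than a months-long credential leak.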

The takeaways here are simple.

  • Don’t believe everything you read online. Do the research.
  • If you are going to expose resources in the DMZ, use a secure reverse web proxy to publish them.
  • Multifactor authentication is critical. If you’re not using it, you’re going to be a victim. Maybe not today, maybe not next month, but sooner or later, someone is going to pwn you. For what it’s worth, OWA can use MFA.

I applaud Microsoft’s self-control in how they responded to the reports. Saying that there’s a backdoor in OWA without sharing all the details is in the same ballpark as shouting fire at a movie theatre. Sure, you get everyone’s attention, but it’s not doing anyone any good unless there’s an actual fire. Here, there wasn’t even the smell of smoke.