You may have seen press coverage this week relating to a Microsoft Outlook Web Access
(OWA) attack. The originating report was published by Cybereason, which can
be found here: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Labs-Analysis-Webmail-Sever-APT.pdf
In short, attackers of a Cybereason client installed a malicious .dll file which
was used by OWA as part of the authentication mechanism…. Authenticating users
against the Active Directory server. It also installed an ISAPI filter
into the IIS server and was filtering HTTP requests. Once installed, the
malware wrote all usernames and passwords to an encrypted .txt file on the C
Drive. Then it passively waited for instructions from the attackers via
HTTPS.
Microsoft responded to the report and has claimed that a properly deployed and secured
Exchange Server is NOT susceptible to the referenced attacks. http://blogs.technet.com/b/exchange/archive/2015/10/07/no-new-security-vulnerability-in-outlook-web-access-owa.aspx,
Unfortunately, Cybereason has not shared the malware for creation of signatures or hashes.
They have explained that the malware is custom to the victim, so traditional
endpoint signatures would likely not work anyway. Further, there is no
known C2 domains or IP addresses, as the malware was apparently discovered
prior to responding to additional commands.
Cybereason did reveal, however, the name of the malicious file: OWAAUTH.DLL
An RSA ECAT customer can use the Global Module List to CTRL-F search for that
file name: OWAAUTH.DLL
If the file(s) appear without a valid Microsoft signature, you may have been
compromised by this attack and should begin response procedures. If the
attacker followed the same protocol as the Cybereason report outlined, there is
also an encrypted file named log.txt, stored in C:\. It may contain lots
of domain credentials, so should be treated accordingly.
