Hackers are using an IIS server module to target Microsoft Exchange credentials. The hackers use a binary to steal the credentials, and the credential theft sets the stage for remote command execution.
How is the Hack Performed?
The hackers rely on a malicious binary that was only discovered recently. It runs as an IIS web server module; IIS is short for Internet Information Services. The module is referred to as Owowa and is placed on Microsoft Exchange Outlook Web Access servers. The purpose of the hack is to steal user credentials so that malicious actors can execute commands remotely.
What, Exactly, is Owowa?
Owowa is an assembly designed to be loaded as a module in IIS web servers. This C#-developed assembly targets .NET v4.0. Owowa is problematic because it exposes Microsoft Exchange's Outlook Web Access, also referred to by the acronym OWA. When loaded in this manner, Owowa steals the user credentials entered on the OWA page at login. The hackers then remotely execute commands through the server. This approach centers on a rogue IIS module used as a backdoor.
Owowa is considered a persistent component within the system, as it is designed to steal user credentials after successful authentication on the OWA authentication page. The hackers then transmit what appear to be legitimate requests, and these requests perform the exploit: the attackers type specific commands into the OWA login fields of the affected server, and these commands trigger the backdoor.
As an example, typing "jFuLIXpzRdateYHoVwMlfc" into the OWA login field results in an Owowa response containing the stolen credentials. The hackers trigger execution of the PowerShell command placed in the OWA password field by typing in the username dEUM3jZXaDiob8BrqSy2PQO1.
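Because Owowa is registered like any managed IIS module, one defensive check is to enumerate the managed modules an OWA site's configuration loads and flag any whose .NET type falls outside the namespaces Exchange and IIS normally ship. The script below is an added example, not code from the article or from Kaspersky; the web.config sample, the rogue module name and type, and the trusted-namespace list are all constructed assumptions.

```python
"""Flag unexpected managed modules registered in an IIS site's web.config."""
import xml.etree.ElementTree as ET

# Constructed sample web.config: two stock Microsoft modules plus one
# extra managed module whose name and type are made up for this example.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <modules>
      <add name="Session" type="System.Web.SessionState.SessionStateModule" />
      <add name="OwaAuth" type="Microsoft.Exchange.Clients.Owa.Core.OwaModule, Microsoft.Exchange.Clients.Owa" />
      <add name="ExampleRogueModule" type="Rogue.Owa.Collector, RogueCollector" />
    </modules>
  </system.webServer>
</configuration>
"""

# Assumption: namespaces an OWA site is expected to load managed modules from.
TRUSTED_PREFIXES = ("System.", "Microsoft.")


def managed_modules(config_xml):
    """Return (name, type) for every managed <add> entry under <modules>."""
    root = ET.fromstring(config_xml)
    found = []
    for add in root.iterfind("./system.webServer/modules/add"):
        mod_type = add.get("type")
        if mod_type:  # native modules are registered without a type attribute
            found.append((add.get("name"), mod_type))
    return found


def suspicious_modules(config_xml, trusted=TRUSTED_PREFIXES):
    """Return (name, type) for managed modules outside the trusted namespaces."""
    flagged = []
    for name, mod_type in managed_modules(config_xml):
        type_name = mod_type.split(",")[0].strip()  # drop the assembly qualifier
        if not type_name.startswith(trusted):
            flagged.append((name, type_name))
    return flagged


if __name__ == "__main__":
    for name, type_name in suspicious_modules(SAMPLE_WEB_CONFIG):
        print(f"unexpected managed module: {name} -> {type_name}")
```

On a real server the same check would be run over the site's web.config and the global applicationHost.config, and any flagged assembly then inspected or hashed for further analysis.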
Is the Owowa Attack Novel?
The use of an IIS module as a backdoor is not a breakthrough in the context of hacking. In the summer of 2021, the security company ESET determined that more than a dozen malware families had been developed as native IIS modules. Those modules were built to redirect HTTP traffic and to control affected computers remotely.
Which Servers are Targeted?
ESET representatives state this attack is zeroing in on servers in the Philippines, Indonesia, Mongolia, and Malaysia. The targeted servers are primarily owned and operated by governments; however, one of the servers is owned by a transportation business.
Who is Responsible for the Attack?
Digital forensics teams have not determined which hacking group is behind the attack. However, the username S3crt was found within the source code of samples analyzed by investigators.
The Kaspersky Global Research and Analysis Team states it has pinpointed an account with the S3crt username on the tool-sharing platform Keybase. Kaspersky representatives also state the hacker might have indicated an interest in sharing tools for digital attacks on RAIDForums.