This week we’ve seen reports spreading of an attack on Exchange Server that leverages Outlook Web App (OWA) to steal network logon credentials.

Before I get into the details here’s a quick summary of the main points:

  • A company named Cybereason published a report titled “Webmail Server APT: A New Persistent Attack Methodology Targeting Microsoft Outlook Web Application (OWA)”
  • Arstechnica ran with the story, using a title of “New Outlook mailserver attack steals massive number of passwords”
  • Microsoft has subsequently published a blog post titled “No new security vulnerability in Outlook Web Access (OWA)”

If you’re in a rush and you just want something to go and tell your boss or infosec team, the takeaway based on everything currently available is that there’s no new OWA vulnerability at play here.

Listen to Mike Crowley and I discuss this topic on the Exchange Server Pro Podcast.

Now for a little more detail. Cybereason’s report is interesting enough, if a little clumsily worded, and these stories can be educational for us IT professionals.

Basically a customer noticed some abnormal behaviour, and Cybereason used their “platform” to detect a suspicious DLL loaded on the Exchange Server that is used for external access to Outlook Web App (OWA). There is no detail as to which version of Exchange Server their customer was running, which version of Windows Server it was running on, whether both products were fully patched, whether that server was the initial point of compromise or whether another host on the network was compromised first, and so on. The report is primarily written to be a marketing tool for Cybereason, and in that respect they’ve been successful.

Cybereason has later clarified in a comment on Graham Cluley’s blog:

The hackers managed to obtain access to this server using stolen credentials.

Ok, so clearly not a vulnerability in Exchange or Windows used to compromise the host in the first place. As Microsoft noted themselves in their own blog post:

One of the reports in question skips over the important details of how an attacker might ‘gain a foothold into a highly strategic asset’ if a system is properly managed, secured, and up-to-date. The “attack” in question could only be initiated by an individual who had administrative access to a server’s file system and services, or who had permission to logon to an Exchange Server console with the rights to replace Exchange system files, and perform an Internet Information Server (IIS) reset.

Someone with credentials to access the server and replace code was able to sniff network credentials used against an application running on that server. Not exactly breaking news, but it’s a good reminder to all of us to consider the security of our environments in depth.

Unfortunately Cybereason does not appear to have consulted with anyone familiar with the workings of Exchange Server when writing their report, as evidenced by phrases such as:

Almost by definition, OWA requires organizations to define a relatively lax set of restrictions; and in this case, OWA was configured in a way that allowed internet-facing access to the server.

The first part of that statement is not true, and the second part is basically how OWA is used in most organizations (for external access to Exchange mailboxes). Even if in this case OWA was only used internally, the outcome would have been the same. And if the attackers had chosen to compromise a domain controller, or VPN server, or web server, or any application server on the network that uses domain credentials to authenticate, then the outcome would also have been the same.

As Tony Redmond concludes:

The customer they were working with badly needs some help and advice to manage Exchange servers properly or they will continue to shoot themselves in the foot.

Cybereason has helped a customer, and published a report about it, but other than that there is not much to see here.

References:

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Gareth

    Great write-up Paul!

  2. Dinet

    They actually copy-pasted parts of dell secureworks report from 2 month ago. The report about TG-3390
    Specifically about log.txt

  3. Robert

    This is greatness. I appreciate this article. Shocked (not really) that someone would try to promote their product at the expense of another while at the same time trying to create a panic.

    1. Avatar photo
      Paul Cunningham

      Yes, shocking. Although I don’t think they were out to create panic, just to create enough interest to get some attention.

Leave a Reply