Kaspersky security researchers discovered a malicious Microsoft Internet Information Services (IIS) add-on that harvests credentials from Outlook Web Access (OWA) whenever someone logs in.
Dubbed ‘Owowa’, the add-on was likely created sometime between late 2020 and April 2021and is resistant to software updates. This means it can stay hidden on a compromised Microsoft web server for quite some time.
Boasting a market share of 12.4%, Microsoft IIS is the third-most-popular suite of web server software, used to power at least 51.6 million websites and web applications worldwide. According to Kaspersky, threat actors designed the malicious IIS add-on to harvest credentials from Microsoft’s webmail client for Exchange and Office 365. Not only that, but the module also allows attackers to “gain remote control access to the underlying server.”
“While looking for potentially malicious implants that targeted Microsoft Exchange servers, we identified a suspicious binary that had been submitted to a multiscanner service in late 2020.”-reads the announcement by Kaspersky.
The researchers observed Owowa targeting systems located in Malaysia, Mongolia, Indonesia, and the Philippines. Kaspersky notes that most of the targeted servers were associated with critical infrastructure, including government organizations, as well as a transportation company.
“The cybercriminals only need to access the OWA log-in page of a compromised server to enter specially crafted commands into the username and password fields,” states the Kaspersky report. “This is an efficient option for attackers to gain a strong foothold in targeted networks by persisting inside an Exchange server.”
Getting rid of Owowa
To protect yourself from Owowa and similar cyber threats, Kaspersky provides the following security recommendations:
- Regularly check loaded IIS modules on exposed IIS servers, especially when a major vulnerability is announced on Microsoft server products.
- Focus on detecting lateral movements on your network and data exfiltration to the internet. Pay special attention to outgoing traffic.
- Regularly back up your data and make sure your backups are easily accessible in an emergency.
- Use reliable endpoint security, detection, and response software to identify and stop attacks in their early stages.
“Since Owowa is an IIS module, this also means it persists even if Microsoft Exchange is updated. The good news is, the attackers don’t appear highly sophisticated. Companies should closely monitor Exchange servers since they are highly sensitive and contain all corporate emails. We also recommend considering all running modules as critical and checking them regularly,” concludes Kaspersky’s Senior Security Researcher Paul Rascagneres.
More from CyberNews
Subscribe to our newsletter