
Outlook attack steals massive number of passwords

Oct 19, 2015

Large organisations could be at risk as researchers have uncovered advanced malware that can steal almost all of their email passwords by infecting their Outlook Web Application (OWA) mail server over an extended period of time.


Security firm Cybereason’s researchers discovered the malicious OWA module after receiving a call from an unnamed company that had more than 19,000 endpoints (Internet-capable computer hardware devices). The company had witnessed several behavioural abnormalities in its network and asked Cybereason to look for suspicious activity. Within hours, the researchers found a suspicious file loaded into the company’s OWA server that was unsigned (not proven to be safe).

This file contained a backdoor. Because it ran on the company's server, it was able to circumvent the security protocols, and as a result the attackers behind this threat were able to steal the passwords of anyone who accessed the server.

Cybereason also detailed how the hackers managed to gain a foothold in such a highly strategic asset:
"Almost by definition, OWA requires organizations to define a relatively lax set of restrictions; and in this case, OWA was configured in a way that allowed Internet-facing access to the server. This enabled the hackers to establish persistent control over the entire organization's environment without being detected for a period of several months."

An OWA server is a particularly valuable resource for attackers because it acts as an intermediary between the public Internet and a resource that’s inside a company’s firewall. Because the company was using OWA to enable remote user access to Outlook, the attackers were able to access the company’s domain credentials. Although Cybereason didn’t say how widespread the attack is beyond this one company, malware as detailed as this is unlikely to be a one-off, so it wouldn’t be surprising to see it resurface.

Are you worried about such an event happening to your company? Our Managed Services Solutions can help you defend against such an attack. Talk to our sales team for more info.
