Backdoor in MS Outlook webmail raises security doubts

Former Israeli army security specialists have discovered a backdoor planted on a company's Microsoft Outlook Web Access (OWA) server that was used in a targeted APT attack to infiltrate the firm for several months and steal the usernames and passwords of 11,000 employees.

The hack, spotted by US and Israel-based Cybereason, raises questions over the security of the Microsoft Outlook Web Access (OWA) server which Cybereason says “uniquely” connects supposedly protected internal systems to the internet and “almost by definition requires organisations to define a relatively lax set of restrictions”.

The attack is detailed in a blog by Cybereason co-founder Yonatan Striem-Amit, a former security analyst with the Israeli Defence Forces, and senior researcher Yoav Orot.

The victim company – described by Cybereason simply as “a mid-size public services company based in the US” – was using OWA to give users remote access to Outlook. But the backdoor let in the attackers as well.

In the blog, Cybereason says the malware was hidden in a Dynamic Link Library (DLL) file loaded by the OWA server, but gives no further details about how the file was tampered with or how it got onto the network. The network comprised around 19,000 endpoints.

It explains: “The attack involved a malicious module loaded onto Microsoft OWA which provided the attackers with complete backdoor capabilities. The hacker's first goal was to steal the passwords of users logging into OWA – namely everyone.

“We found more than 11,000 user/password pairs. This treasure trove essentially gave the hackers complete access to every identity and therefore every asset in the organisation.”

The researchers have issued this warning to Outlook webmail users: “Contrary to other web servers that typically have only a web interface, OWA is unique: it is a critical internal infrastructure that also faces the internet, making it an intermediary between the internal, allegedly protected DMZ, and the web.

“Almost by definition, OWA requires organisations to define a relatively lax set of restrictions; and in this case, OWA was configured in a way that allowed internet-facing access to the server. This enabled the hackers to establish persistent control over the entire organisation's environment without being detected for a period of several months.”

Analysing the report, UK cyber-security expert Sarb Sembhi, director of STORM Guidance, agreed that it exposes weaknesses in Microsoft OWA.

He told SC Media via email: “On the surface, it seems like Microsoft engineers didn't model the threats to OWA very well – when any technology plays such a strategic and critical role, it is obvious that it will become the target of many attackers.

“Any technology that is created to play a key role in the corporate infrastructure must be more robust than other less-critical technologies; this is more so with technologies which facilitate the use of web-based apps utilising cloud services like OWA does.”

Sembhi, a leading member of the ISACA security professionals organisation, added that it will not be easy for Microsoft to fix the problem.

“The challenge with writing a fix for such backdoors is that the cause of the problem is quite often not just a single point; it is likely spread across many scripts in the way that the product was architected. Very advanced malware will usually exploit the architecture in such a way that a fix would have to be overly complex and thoroughly tested so as not to have any unforeseen consequences. OWA is a flagship product, so this will be fixed, it is just a question of how soon it can happen.”

In its blog, Cybereason says it was called in after the client company's security team spotted “several behavioural abnormalities”, leading them to suspect they had an infected server.

It says the hackers placed their binary in the .NET assembly cache, which holds native images compiled locally on the host, so that a new file there would pass human-driven inspection as routine machine-generated output in what was a tailored, targeted attack.

“They attempted to fool the hunters into thinking that it was simply another locally generated file, as if they were Obi-Wan practicing a little Jedi magic, convincing the defender to think: these are not the files you're looking for, move along.”

Commenting on the research, Ken Westin, senior security analyst at Tripwire, told journalists via email: “This attack shows the importance of being hyper-vigilant when it comes to monitoring critical assets within an organisation's environment. Mail servers, Active Directory servers, databases and other critical systems need to be monitored for any and all system configuration changes, as well as new binaries added to these systems.

“When dealing with a sophisticated adversary, the malware they use to target infrastructure will use customised code that will not have signatures, or they may simply use tools available on the systems themselves to harvest data. Although threat intelligence can help tell organisations if a particular threat or indicator has been seen by others, they still need strong security intelligence within their own network to identify anomalies and potential threats that may not have been seen before.”
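The check Westin describes, applied to the two places this incident abused (a module loaded into OWA, and a binary parked in the .NET native image cache), can be scripted on the Exchange server itself. The script below is an added example written for this article; it is not Cybereason's tooling, Microsoft's code, or anything from the original report. It baselines every DLL under the OWA web application directories and the .NET native image cache, then reports files that are new, changed, removed, unsigned or signed by someone other than Microsoft, and any module the IIS worker process (w3wp.exe) has loaded from those directories that the baseline has never seen. The directory paths, the baseline file location and the 64-bit cache folder name are assumptions for a default Exchange install and should be adjusted per host.

```powershell
# Added example (not Cybereason's, Microsoft's or SC Media's code): baseline the DLLs an
# OWA server hosts and the .NET native image cache it compiles into, then report new,
# changed, unsigned or non-Microsoft binaries and anything w3wp.exe has loaded from those
# directories that is not in the baseline. Run from an elevated 64-bit PowerShell so the
# worker process modules can be enumerated.
# All paths below are assumptions for a default Exchange install; adjust per host.
param(
    [string]$BaselinePath = "$env:ProgramData\owa-dll-baseline.json",
    [switch]$UpdateBaseline
)

$exchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15'   # assumed install root
$cacheRoot    = "$env:windir\assembly"                               # GAC and NGEN native images
$watchDirs = @(
    "$exchangeRoot\FrontEnd\HttpProxy\owa",
    "$exchangeRoot\ClientAccess\Owa",
    "$cacheRoot\NativeImages_v4.0.30319_64"
)

function Get-DllInventory {
    param([string[]]$Dirs)
    foreach ($dir in $Dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                [pscustomobject]@{
                    Path    = $_.FullName
                    Sha256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    Written = $_.LastWriteTimeUtc.ToString('o')
                    Status  = $sig.Status.ToString()
                    Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
    }
}

$current = @(Get-DllInventory -Dirs $watchDirs)

if ($UpdateBaseline -or -not (Test-Path -LiteralPath $BaselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath
    Write-Host "Baseline written: $BaselinePath ($($current.Count) DLLs)"
    return
}

# PowerShell hashtables compare string keys case-insensitively, which matters because
# module paths reported by w3wp.exe can differ in case from Get-ChildItem output.
$baseline = @{}
foreach ($entry in @(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)) {
    $baseline[$entry.Path] = $entry
}

$newOrChanged = $current | Where-Object {
    -not $baseline.ContainsKey($_.Path) -or $baseline[$_.Path].Sha256 -ne $_.Sha256
}
$removed = @($baseline.Keys | Where-Object { $_ -notin $current.Path })

# Native images that ngen compiles on the host carry no Authenticode signature of their
# own, so the cache is judged by hash drift only; everything else must be validly signed
# by Microsoft.
$badSignature = $current | Where-Object {
    $_.Path -notlike "$cacheRoot\*" -and
    ($_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation')
}

# Modules actually mapped into the IIS worker processes. A DLL loaded from a watched
# directory that the baseline has never seen is the finding to chase first.
$loaded = Get-Process -Name w3wp -ErrorAction SilentlyContinue |
    ForEach-Object { try { $_.Modules | ForEach-Object { $_.FileName } } catch { } } |
    Sort-Object -Unique
$loadedUnknown = @($loaded | Where-Object {
    $p = $_
    ($watchDirs | Where-Object { $p -like "$_\*" }) -and -not $baseline.ContainsKey($p)
})

[pscustomobject]@{
    NewOrChanged       = @($newOrChanged | Select-Object Path, Sha256, Written, Status, Signer)
    Removed            = $removed
    UnsignedOrNonMS    = @($badSignature | Select-Object Path, Status, Signer)
    LoadedNotBaselined = $loadedUnknown
} | ConvertTo-Json -Depth 4
```

Take the baseline from a freshly built server, or from hashes of a known-clean install, rather than from a host that has been in production for a while: in the case above the backdoor had been resident for several months, so a baseline captured late would simply enshrine it. The signature check deliberately skips the native image cache because the host-compiled images are not themselves signed; for that directory only hash drift and a newly loaded, never-baselined module count as findings, which is exactly the property the attackers here relied on to look like routine machine output.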

SC Media's daily must-read of the most current and pressing daily news