Threat actors are installing a malicious IIS web server module named ‘Owowa’ on Microsoft Exchange Outlook Web Access servers to steal credentials and execute commands on the server remotely.
The development of Owowa likely started in late 2020, based on compilation data and the date it was uploaded to the VirusTotal malware scanning service.
Based on Kaspersky’s telemetry data, the most recent sample in circulation is from April 2021, targeting servers in Malaysia, Mongolia, Indonesia, and the Philippines.
These systems belong to government organizations, public transportation companies, and other crucial entities.
Kaspersky underlines that the ‘Owowa’ targets aren’t limited to Southeast Asia, and they have also seen signs of infections in Europe.
Microsoft Exchange servers are commonly targeted with web shells that allow threat actors to remotely execute commands on a server and are usually the focus of defenders.
As such, using an IIS module as a backdoor is an excellent way to stay hidden. The actors can send seemingly innocuous authentication requests to OWA, evading standard network monitoring rules as well.
“IIS modules are not a common format for backdoors, especially when compared to typical web application threats like web shells, and can therefore easily be missed during standard file monitoring efforts,” explains the report by Kaspersky.
Additionally, the implant persists even after the Exchange software is updated, so the infection needs to take place only once.
Kaspersky comments that the actor may rely on the ProxyLogon flaws to compromise the server; these flaws remain a problem even though they were patched nine months ago.
However, the actors didn’t do a perfect job with Owowa’s development, failing to hide PDB paths in the malware executable and causing server crashes in some cases.
Owowa specifically targets OWA applications of Exchange servers and is designed to log the credentials of users that successfully authenticate on the OWA login web page.
Owowa validates that a login succeeded by monitoring whether the OWA application generates an authentication token.
If that happens, Owowa stores the username, password, user IP address, and the current timestamp and encrypts the data using RSA.
The actor can then collect the stolen data by manually sending a command to the malicious module.
Remote commands may also be used for executing PowerShell on the compromised endpoint, opening the way to a range of attack possibilities.
“The cyber criminals only need to access the OWA login page of a compromised server to enter specially crafted commands into the username and password fields,” explains Kaspersky.
“This is an efficient option for attackers to gain a strong foothold in targeted networks by persisting inside an Exchange server.”
Admins can use the command ‘appcmd.exe’ or the IIS configuration tool to get a list of all loaded modules on an IIS server.
In the cases seen by the researchers, the malicious module uses the name “ExtenderControlDesigner.”
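One way to turn that module check into a repeatable audit, as an added example that is not code from the Kaspersky report or from Microsoft: it enumerates the modules registered server-wide and for every IIS site through the WebAdministration cmdlets and reports any name not in a known-good baseline. The baseline list and the function name are constructed for this example; a real baseline should be captured from a clean Exchange server of the same version.

```powershell
# Added example (not from the Kaspersky report): list the IIS modules
# registered at the server level and for every site, and flag any whose
# name is not in a known-good baseline. Requires the WebAdministration
# module that ships with the IIS management tools.
Import-Module WebAdministration

# Hypothetical baseline, constructed for this example. Build the real one
# from a clean Exchange server of the same version and patch level.
$Baseline = @(
    'AnonymousAuthenticationModule', 'WindowsAuthenticationModule',
    'RequestFilteringModule', 'StaticFileModule', 'DefaultDocumentModule',
    'HttpLoggingModule', 'UrlAuthorizationModule', 'Session', 'FormsAuthentication'
)

function Get-UnexpectedIISModule {
    param([string[]]$KnownGood = $Baseline)

    # Each module is reported once, at the first scope where it appears.
    $seen   = New-Object 'System.Collections.Generic.HashSet[string]'
    # Server-wide configuration first, then each site, which inherits the
    # server list and may add its own managed modules via web.config.
    $scopes = @('MACHINE/WEBROOT/APPHOST') +
              (Get-Website | ForEach-Object { "IIS:\Sites\$($_.Name)" })

    foreach ($scope in $scopes) {
        Get-WebConfiguration -Filter 'system.webServer/modules/add' -PSPath $scope |
            Where-Object { ($KnownGood -notcontains $_.name) -and $seen.Add($_.name) } |
            ForEach-Object {
                [pscustomobject]@{
                    Scope = $scope
                    Name  = $_.name
                    # Managed (.NET) modules carry a type name; native modules
                    # reference a globalModules entry and leave it empty.
                    Type  = $_.type
                    Kind  = if ($_.type) { 'managed' } else { 'native' }
                }
            }
    }
}

# A module named like the one Kaspersky observed ("ExtenderControlDesigner")
# surfaces here because it is absent from the baseline.
Get-UnexpectedIISModule | Format-Table -AutoSize
```

Review every managed module the function reports by locating its assembly (the type's DLL under the application's bin folder or the GAC) and checking its signature and origin before deciding it is legitimate.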
Although the researchers were led to an account on the RaidForums hacking forum while investigating, the attribution remains weak, and there are generally no associations with known actors.
Also, the carelessness in the module’s development is a sign of an unsophisticated actor that doesn’t match the targeting scope, including government entities.
In summary, this is another reminder of the importance of checking your IIS modules regularly, looking for signs of lateral movement in your network, and keeping your endpoint security shields up.