{
	"id": "3a91622f-8e6f-4da5-a66c-839262f38297",
	"created_at": "2026-04-06T00:16:49.099288Z",
	"updated_at": "2026-04-10T03:28:02.907725Z",
	"deleted_at": null,
	"sha1_hash": "1648035d4151760f6b03cef8108080d38112df99",
	"title": "Targeted Attack Exposes OWA Weakness",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35203,
	"plain_text": "Targeted Attack Exposes OWA Weakness\r\nBy Michael Mimoso\r\nPublished: 2015-10-06 · Archived: 2026-04-05 15:39:18 UTC\r\nA targeted attack has been uncovered in which hackers were able to burrow onto the corporate network and steal thousands of username-password combinations via Outlook Web Access.\r\nAttackers aiming for lateral movement inside an enterprise network have done well in the past to target domain controller credentials.\r\nResearchers at Cybereason, however, have uncovered a targeted attack in which hackers were able to burrow onto the corporate network and steal thousands of username-password combinations via Outlook Web Access.\r\n“Security professionals are very aware of the value of their domain controllers, and consider those as the keys to the castle, without realizing that the OWA server gives essentially identical access,” said Cybereason CTO and cofounder Yonatan Striem-Amit.\r\nThe attack was carried out for months against an organization with 19,000 endpoints, and credentials for more than 11,000 user accounts were sniffed and stolen.\r\nOWA enables remote access to Outlook and Exchange Server in organizations that wish to roll it out. And because it faces both the Internet and internal infrastructure, it is a tempting target for advanced attackers who wish to spy on an organization’s activities or steal from it.\r\n“This configuration of OWA created an ideal attack platform because the server was exposed both internally and externally,” Striem-Amit said. “Moreover, because OWA authentication is based on domain credentials, whoever gains access to the OWA server becomes the owner of the entire organization’s domain credentials.”\r\nIn this case, the attackers used stolen credentials to load a malicious and unsigned dynamic library onto the OWA server. The module was used to open a backdoor to a command and control server and to record credentials for most of the accounts in the organization.\r\n“Although it had the same name as another benign DLL, the suspicious DLL went unsigned and was loaded from a different directory,” Cybereason wrote in a report.\r\nStriem-Amit added that a forensics investigation concluded there was no advanced malware used to gain initial entry in the attack.\r\n“As there was no zero-day, the only ‘vulnerability’ is OWA’s willingness to happily load unsigned DLLs, which is the default behavior in most servers and Windows-based machines,” he said.\r\nThis technique is a new twist for APT gangs, most of which rely on phishing as an initial foothold on a network. Once legitimate access is gained via stolen credentials, attackers try to pivot internally until landing on a resource they covet, which in this case was all of the organization’s OWA credentials.\r\nThe backdoored OWAAUTH.dll was used by OWA for authentication against the organization’s Active Directory server. The attackers also installed an ISAPI filter for IIS, which was used to filter HTTP requests to the server.\r\n“This enabled the hackers to get all requests in cleartext after SSL/TLS decryption,” Striem-Amit said. “The malware replaced the OWAAUTH [library] by installing an IIS filter in the registry, which enabled the malware to automatically load and persist on every subsequent server restart.”\r\nThe DLL then loaded another HTTP module that grabbed the malware logic and backdoor, Cybereason said.\r\n“The interesting part of this attack is the value the hackers got from this particular backdoor. Not only were they able to access the specific compromised server, they also got access to all the username/passwords of every user in the organization,” Striem-Amit said. “This way, they get a very robust way to get in, and leverage any other compromised asset as complete access to every other resource.”\r\nThe attackers were able to sit on the server and sniff for variables passed in request queries that looked like username-password combinations whenever users logged into OWA. The researchers said they found 11,000 such pairs, essentially one for every identity and asset in the organization. The backdoor also contained a special parameter with the particular organization’s name in it, lending more proof that the organization was specifically targeted. The backdoor gave the attackers access to the OWA server, where they could execute any code and, using the stolen credentials, impersonate any user, all without attacking the domain controller, which was a target in some other high-profile attacks.\r\n“While most security professionals understand the sensitivity of data in the A/D server, the OWA server serves as a focal point for the exact same sensitive data,” Striem-Amit said.\r\nSource: https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/"
	],
	"report_names": [
		"114925"
	],
	"threat_actors": [
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434609,
	"ts_updated_at": 1775791682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1648035d4151760f6b03cef8108080d38112df99.pdf",
		"text": "https://archive.orkl.eu/1648035d4151760f6b03cef8108080d38112df99.txt",
		"img": "https://archive.orkl.eu/1648035d4151760f6b03cef8108080d38112df99.jpg"
	}
}
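The article above gives a defender two concrete things to look for on an Exchange/OWA front end: a DLL that carries a legitimate name (the report names OWAAUTH.dll) but is unsigned and loaded from a directory other than the real one, and an ISAPI filter registered so that IIS loads it again on every restart. The PowerShell below is an added triage example, not code from the article, Threatpost or Cybereason. It assumes an elevated session on the OWA server, IIS 7 or later with the WebAdministration module, and that legitimate worker-process code lives under the Windows directory or the Exchange install directory; the `$ExpectedRoots` list and the function names are the example's own assumptions, not anything the article specifies.

```powershell
# Added example (not from the article or Cybereason): triage checks for the
# OWA backdoor pattern described above. Assumes an elevated session on the
# Exchange/OWA server with IIS 7+ and the WebAdministration module available.
Import-Module WebAdministration -ErrorAction Stop

# Directories from which IIS worker processes are expected to load native and
# managed code. Assumed values for a default install; adjust to the local layout.
$ExpectedRoots = @(
    "$env:SystemRoot\",                             # Windows system DLLs, .NET, GAC
    "$env:ProgramFiles\Microsoft\Exchange Server\"  # Exchange binaries (V14, V15, ...)
)

function Test-ExpectedPath {
    param([string]$Path)
    foreach ($root in $ExpectedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Every module loaded into any IIS worker process (w3wp.exe). Flag modules
#    that are unsigned, carry a broken signature, or live outside the expected
#    roots. A DLL with a legitimate name that fails either test is the pattern
#    the report describes ("same name ... unsigned ... different directory").
function Find-SuspiciousWorkerModules {
    $findings = @()
    foreach ($proc in Get-Process -Name w3wp -ErrorAction SilentlyContinue) {
        foreach ($m in $proc.Modules) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            $unexpectedPath = -not (Test-ExpectedPath $m.FileName)
            if ($sig.Status -ne 'Valid' -or $unexpectedPath) {
                $findings += [pscustomobject]@{
                    Pid       = $proc.Id
                    Module    = $m.ModuleName
                    Path      = $m.FileName
                    SigStatus = $sig.Status
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    OddPath   = $unexpectedPath
                }
            }
        }
    }
    return $findings
}

# 2. The same module name loaded from two different directories across the
#    worker processes: the name collision the report calls out.
function Find-DuplicateModuleNames {
    Get-Process -Name w3wp -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Modules } |
        Group-Object -Property ModuleName |
        Where-Object { @($_.Group.FileName | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ Module = $_.Name; Paths = @($_.Group.FileName | Sort-Object -Unique) }
        }
}

# 3. ISAPI filters registered at the server level (applicationHost.config on
#    IIS 7+). Each is native code IIS loads on every start, which is the
#    persistence mechanism the article describes, so every entry should be
#    signed, present on disk, and accounted for.
function Get-IsapiFilterFindings {
    Get-WebConfiguration -Filter 'system.webServer/isapiFilters/filter' -PSPath 'MACHINE/WEBROOT/APPHOST' |
        ForEach-Object {
            $path = [System.Environment]::ExpandEnvironmentVariables($_.path)
            $sig  = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            [pscustomobject]@{
                Filter    = $_.name
                Path      = $path
                Exists    = (Test-Path $path)
                SigStatus = if ($sig) { $sig.Status } else { 'FileMissing' }
                OddPath   = -not (Test-ExpectedPath $path)
            }
        }
}

Find-SuspiciousWorkerModules | Format-Table -AutoSize
Find-DuplicateModuleNames    | Format-List
Get-IsapiFilterFindings      | Format-Table -AutoSize
```

Two caveats when reading the output. Legitimate third-party IIS modules (antivirus, monitoring agents) will appear as unsigned or as living outside `$ExpectedRoots`, so the first run establishes a baseline to diff against rather than a verdict. And ISAPI filters can also be registered per site; to cover those, run `Get-IsapiFilterFindings` again with `-PSPath` pointing at each site (for example `IIS:\Sites\Default Web Site`) or inspect the site's web.config directly.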