
Hackers target Microsoft Exchange and aim to steal credentials

Researchers at the cybersecurity firm Kaspersky have revealed that cybercriminals are using a malicious IIS module to steal Microsoft Exchange credentials. The same module also gives the attackers remote command execution on the compromised servers.

Kaspersky, which named the malicious module "Owawa," said in a mid-December blog post that it had first identified the module in late 2020.

Kaspersky's researchers described Owawa as an IIS module that records the usernames and passwords entered on the Microsoft Outlook Web Access (OWA) login page. They said they had found several compromised servers across Asia and, although they had no direct evidence yet, considered it likely that businesses and other organisations in Europe had been targeted too.

What is IIS and Owawa?

IIS (Internet Information Services) is Microsoft's web server for Windows. It hosts websites and web applications, and Exchange's Outlook Web Access is itself served by IIS. IIS also supports modules: pluggable components that sit in the request-processing pipeline to add functionality such as authentication, compression or logging. That pipeline position is what Owawa abuses. Because the module sees every request to the OWA login page, it can capture the credentials submitted there, and it also lets the attackers run commands on any server where it is successfully loaded.

While Kaspersky’s researchers said they had been unable to verify which cybercriminals were responsible for these hacks, they identified compromised servers in Indonesia, Malaysia, Mongolia, and the Philippines. They also disclosed that government organisations were a common, albeit not exclusive, target.

Why are IIS modules potentially dangerous?

Malicious IIS modules are particularly effective for keeping a foothold in a network because they persist on the server even after Microsoft Exchange software updates are applied.

In addition, the module's activity blends in with legitimate traffic: harvesting credentials from ordinary authentication requests to OWA produces nothing that most network monitoring tools and processes would flag. IIS modules are also not a common form of backdoor, so they are often overlooked in everyday file monitoring. Kaspersky called the technique "a stealthier alternative to sending phishing emails."

How can businesses deal with these threats?

Kaspersky's advice is to list the loaded IIS modules with the built-in "appcmd.exe" tool (for example "%windir%\system32\inetsrv\appcmd.exe list modules") or the IIS configuration tool, check the list for Owawa or any other unexpected module, and remove any malicious entries from the affected servers.

Kaspersky says businesses should regularly check all IIS modules and ensure all endpoint security systems are up to date and active at all times.
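A worked version of that check, added here as an example (it is not code from the article or from Kaspersky): the PowerShell below enumerates both the native modules registered in applicationHost.config and the managed (.NET) modules registered server-wide and on the OWA application, then flags entries that deserve a manual look. It assumes the WebAdministration module that ships with the IIS role, that OWA is hosted under the default site name "Default Web Site", and uses a namespace heuristic of my own (anything outside System.* or Microsoft.*) to pick out managed modules for review.

```powershell
# Added example, not from the article or from Kaspersky: audit the IIS modules on an
# Exchange server and flag the ones that deserve a closer look. Assumes the
# WebAdministration module (installed with the IIS role) and that OWA lives under
# the default site name "Default Web Site"; adjust $OwaPath if yours differs.
Import-Module WebAdministration -ErrorAction Stop

$OwaPath = 'IIS:\Sites\Default Web Site\owa'
$report  = @()

# 1. Native (global) modules from applicationHost.config. Each one is a DLL loaded
#    into every w3wp.exe worker, so an unsigned or non-Microsoft image stands out.
foreach ($m in Get-WebGlobalModule) {
    $image  = [Environment]::ExpandEnvironmentVariables($m.Image)
    $sig    = if (Test-Path -LiteralPath $image) { Get-AuthenticodeSignature -FilePath $image } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    $report += [pscustomobject]@{
        Kind   = 'Native'
        Name   = $m.Name
        Detail = $image
        Status = if ($sig) { [string]$sig.Status } else { 'FileMissing' }
        Review = (-not $sig) -or ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
    }
}

# 2. Managed (.NET) modules, registered server-wide and on the OWA application.
#    A credential-logging module such as Owawa is managed code. A type outside the
#    System.* / Microsoft.* namespaces is not proof of anything (heuristic chosen for
#    this example), but it should be matched against a baseline from a clean server.
$sets = @(
    @{ Scope = 'Server'; Modules = @(Get-WebManagedModule) },
    @{ Scope = 'OWA';    Modules = @(Get-WebManagedModule -PSPath $OwaPath -ErrorAction SilentlyContinue) }
)
foreach ($set in $sets) {
    foreach ($m in $set.Modules) {
        $report += [pscustomobject]@{
            Kind   = 'Managed'
            Name   = $m.Name
            Detail = "$($set.Scope): $($m.Type)"
            Status = ''
            Review = ($m.Type -notmatch '^(System|Microsoft)\.')
        }
    }
}

$report | Sort-Object Kind, Name | Format-Table -AutoSize
''
'Modules to review by hand:'
$report | Where-Object Review | Format-Table Kind, Name, Detail -AutoSize
```

Run it in an elevated PowerShell session on the Exchange server. The Authenticode check only catches the careless cases; an attacker who registers a legitimately signed binary, or who holds a stolen signing certificate, will pass it, so the stronger check is to diff the full module list against a known-clean Exchange server of the same version, since Exchange itself registers many modules. Before removing a confirmed malicious entry with Remove-WebGlobalModule or Remove-WebManagedModule (or appcmd), copy the module's DLL off the server for forensic analysis and assume any credentials entered on that OWA page since the module appeared are compromised.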

Who is behind the attacks remains unclear. Kaspersky says the prevalence of government targets points towards high-level espionage or an intent to cause damage, but adds that the operator's practices show inexperience, which does not fit a carefully run strategic campaign.
