Kaspersky discovered a malicious IIS web server software named ‘Owowa’ on Microsoft Exchange Outlook Web Access (OWA) servers.

  • Kaspersky discovered a new malicious add-on for the IIS web server that could steal credentials and execute commands on the server remotely.
  • Pierre Delcher, Kaspersky Global Research and Analysis Team senior security researcher, says Owowa has the potential to be incredibly dangerous.

Kaspersky said in its announcement that, while looking for potentially malicious implants targeting Microsoft Exchange servers, it identified a suspicious binary that had been submitted to a multi-scanner service in late 2020.

According to Kaspersky’s telemetry data, Owowa has been targeting government organisations and state agencies across Mongolia, the Philippines, Malaysia and Indonesia.

“IIS modules are not a common format for backdoors, especially when compared to typical web application threats like web shells, and can therefore easily be missed during standard file monitoring efforts,” explains Kaspersky.

Even after the Exchange software is updated, the implant persists, so the infection needs to occur only once.

Owowa specifically targets the OWA application of the Exchange server running on its host machine. It is designed to capture the credentials of users who successfully authenticate on the OWA login web page.

Owowa identifies every successful login to Exchange through OWA by watching for the generation of an authentication token. When it detects one, it stores the username, password, user IP address and the current timestamp, and encrypts the data using RSA.

[Figure: Monitoring for the generation of an authentication token; Source: Kaspersky]

“The cybercriminals only need to access the OWA login page of a compromised server to enter specially crafted commands into the username and password fields,” explains Kaspersky.

This gives threat actors an efficient way to gain a strong foothold in targeted networks by persisting inside an Exchange server.

Admins can use the command-line tool 'appcmd.exe' or the IIS configuration tool to get a list of all loaded modules on an IIS server and check it for anything unexpected.
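The check above, written out as an added PowerShell example (this is not code from Kaspersky or from the article): it runs appcmd.exe to list the modules registered for one IIS application and marks any module whose name is not on an allow-list. The application path `Default Web Site/owa` and the allow-list are placeholders; an admin would take the allow-list from a known-clean Exchange server of the same version.

```powershell
# Added example, not from the original article. Lists the IIS modules for one application
# via appcmd.exe and flags names missing from a locally maintained allow-list.
# Assumptions: appcmd.exe at its default path; $AppName and $KnownGood are placeholders
# to be filled in from a known-clean reference server.
param(
    [string]$AppName = "Default Web Site/owa",   # placeholder: path of the OWA application
    [string[]]$KnownGood = @()                   # placeholder: module names from a clean server
)

$appcmd = Join-Path $env:windir "system32\inetsrv\appcmd.exe"
if (-not (Test-Path $appcmd)) {
    throw "appcmd.exe not found; IIS management tooling does not appear to be installed."
}

# appcmd prints one module per line. A managed (.NET) module shows its type name, e.g.
#   MODULE "SomeModule" ( type:Some.Namespace.Type, preCondition:managedHandler )
# and a native module shows native:true instead of a type.
$lines = & $appcmd list modules "/app.name:$AppName"

$findings = foreach ($line in $lines) {
    if ($line -match '^MODULE "([^"]+)"') {
        $name = $Matches[1]
        $status = if ($KnownGood.Count -gt 0 -and $name -notin $KnownGood) { "REVIEW" } else { "ok" }
        [pscustomobject]@{ Status = $status; Module = $name; Detail = $line }
    }
}

# Unexpected module names, and managed modules whose type does not belong to the Exchange
# or IIS product trees, are the entries worth examining on disk and in the config.
$findings | Sort-Object Status -Descending | Format-Table -AutoSize
```

Without an allow-list the script simply prints every module, which is still useful for a first pass: an OWA application should only carry modules that Exchange and IIS themselves install, so an unfamiliar managed module name or type is the thing to look into.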
