Security researchers have discovered a new cybercriminal approach that takes advantage of Microsoft’s webmail server to gain access to corporate systems and potentially steal information.
Webmail servers are vulnerable
Israeli company Cybereason presented details of its findings, which showed how Outlook Web Access (OWA), the webmail server associated with Microsoft’s popular email client, had been the target of at least one incident involving a public-service organization in the United States. The attackers exploited the fact that OWA acts as a sort of intermediary between the internet and internal systems: they placed a DLL file on the server that opened a backdoor whenever users authenticated to the system. Cybercriminals could then spread malware every time the server was restarted. This could allow them to gain access to passwords and other critical data, SecurityWeek reported.
As more and more employees work out of the office via mobile devices, many businesses are increasingly turning to OWA, Gmail, and similar programs to enable remote access to email. However, Microsoft’s webmail server is unique in that it sits between the publicly accessible Internet and a company’s computer systems, explained SC Magazine.
Depending on the configuration and on the number of endpoints on which the attackers’ scripts have been run, cybercriminals can obtain domain credentials that give them surprisingly deep access to user identities. In this case, Cybereason suggested that the organization it was profiling had been compromised for months.
Of course, the OWA webmail server is not the only such system prone to attack. Just a few months ago, The Register reported how researchers discovered a man-in-the-middle vulnerability in a Samsung smart refrigerator that could potentially steal Gmail logins. Since few organizations will want to go back to the days when you could only access messages at your desk, however, IT departments will need to find ways to better protect business users.
Infosecurity Magazine offered some helpful suggestions. First, businesses must ensure that all endpoints, including not only webmail servers but also databases and Active Directory servers, are regularly monitored for anomalies. Second, CISOs and their teams should have a process in place to respond to any suspicious activity and to check whether, for example, a DLL file is legitimate or not. Finally, they need to recognize that advanced persistent threats like this one will likely fall outside the norm of what they have experienced in the past. As Cybereason’s research shows, cybercriminals seem to find new ways into the network every day.
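One way to put the "is this DLL legitimate" check into practice on an OWA server is to list every DLL under the OWA web directories, and every DLL loaded into the IIS worker processes that serve OWA, that does not carry a valid Microsoft Authenticode signature. The script below is an added example, not code from the article or from Cybereason; it assumes the default Exchange 2013/2016 install path under V15 (adjust `$Paths` for your server) and an elevated PowerShell session for the process-module check.

```powershell
# Added example: report DLLs in OWA directories, and DLLs loaded into w3wp.exe,
# that are not validly signed by Microsoft. Review every hit against a known-good
# baseline; a recently modified, unsigned DLL in an OWA path is a strong lead.
param(
    # Assumed default Exchange V15 paths; change to match your installation.
    [string[]]$Paths = @(
        "$env:ProgramFiles\Microsoft\Exchange Server\V15\ClientAccess\Owa",
        "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa"
    )
)

function Test-TrustedDll {
    param([string]$File)
    $sig = Get-AuthenticodeSignature -FilePath $File
    # A legitimate OWA component has a valid signature chain and a Microsoft signer.
    # SignerCertificate is $null for unsigned files, so the -like test simply fails.
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -like 'CN=Microsoft*')
}

function New-Finding {
    param([string]$Source, [string]$Path)
    [pscustomobject]@{
        Source   = $Source
        Path     = $Path
        Modified = (Get-Item $Path).LastWriteTime
        SHA256   = (Get-FileHash $Path -Algorithm SHA256).Hash
    }
}

# 1. DLLs on disk under the OWA web directories.
$onDisk = foreach ($p in $Paths) {
    if (-not (Test-Path $p)) { continue }
    Get-ChildItem -Path $p -Recurse -Filter *.dll -File |
        Where-Object { -not (Test-TrustedDll $_.FullName) } |
        ForEach-Object { New-Finding -Source 'disk' -Path $_.FullName }
}

# 2. DLLs currently loaded into IIS worker processes (requires elevation).
$loaded = Get-Process -Name w3wp -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Modules } |
    Where-Object { $_.FileName -like '*.dll' } |
    Select-Object -ExpandProperty FileName -Unique |
    Where-Object { -not (Test-TrustedDll $_) } |
    ForEach-Object { New-Finding -Source 'w3wp' -Path $_ }

@($onDisk) + @($loaded) | Sort-Object Path -Unique | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run so that a newly appearing unsigned module, rather than a long-standing third-party one, is what triggers the response process.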