Outlook and Exchange users are not immune to computer attacks. Kaspersky warns of the appearance of Owowa, a module that steals the credentials entered when connecting to OWA (Outlook Web Access).
Kaspersky security researchers recently came across a malicious module that allows hackers to steal Outlook Web Access (OWA) credentials and gain control over the underlying server. The malware, dubbed Owowa, is easily deployed by sending seemingly harmless requests, in this case OWA authentication requests.
Discreet and formidable malware
Owowa is an IIS module, a type of component meant to provide additional functions to Microsoft web servers. It was reportedly compiled between the end of 2020 and April 2021. The confirmed targets are in South East Asia (Malaysia, Indonesia, the Philippines) as well as in Mongolia. Kaspersky does not rule out the possibility that there were victims in Europe.
Hackers go to an infected server’s OWA login page and enter specially crafted commands in the username and password fields. This way into the targeted networks is efficient enough that they can stay inside the Exchange server without raising the alarm.
Owowa is particularly difficult to detect via network monitoring, and it is also resistant to Exchange software updates. As a result, it can remain hidden on a device for a long time, biding its time before acting.
Kaspersky recommends that you regularly check modules loaded on exposed IIS servers, especially Exchange. Modules can be monitored as part of threat detection activities. You also need to monitor outgoing traffic to spot hacker connections.
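One way to carry out the module check recommended above, as an added example (not Kaspersky's tooling and not part of the original article): it parses an IIS `applicationHost.config` and reports every module registration that is missing from a known-good baseline. The config fragment, the baseline list and the `Example*` module names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed config fragment (not from a real server); Example* modules are made up.
SAMPLE_CONFIG = r"""<configuration>
 <system.webServer>
  <globalModules>
   <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
  </globalModules>
  <modules>
   <add name="StaticFileModule" />
   <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
   <add name="ExampleUnexpected" type="Example.Unknown.Module, Example.Unknown" />
  </modules>
 </system.webServer>
 <location path="Default Web Site/owa">
  <system.webServer>
   <modules>
    <add name="ExampleOwaOnly" type="Example.Owa.Hook, Example.Owa" />
   </modules>
  </system.webServer>
 </location>
</configuration>"""

# Hypothetical known-good baseline recorded from a clean build: (kind, name, binary).
BASELINE = [
    ("native", "StaticFileModule", r"%windir%\System32\inetsrv\static.dll"),
    ("managed", "FormsAuthentication", "System.Web.Security.FormsAuthenticationModule"),
]

def list_modules(config_xml):
    """Yield (scope, kind, name, binary) for each module registration."""
    root = ET.fromstring(config_xml)
    # Server-wide settings sit under <configuration>; overrides sit under <location>.
    scopes = [("server", root)] + [(loc.get("path", ""), loc) for loc in root.iter("location")]
    for scope, node in scopes:
        for add in node.findall("system.webServer/globalModules/add"):
            yield (scope, "native", add.get("name", ""), add.get("image", ""))
        for add in node.findall("system.webServer/modules/add"):
            if add.get("type"):  # a type attribute marks a managed (.NET) module
                yield (scope, "managed", add.get("name", ""), add.get("type", ""))

def unexpected_modules(config_xml, baseline):
    """Registrations whose kind, name or binary does not match the baseline."""
    known = {(k, n.lower(), b.lower()) for k, n, b in baseline}
    return [m for m in list_modules(config_xml)
            if (m[1], m[2].lower(), m[3].lower()) not in known]

if __name__ == "__main__":
    for scope, kind, name, binary in unexpected_modules(SAMPLE_CONFIG, BASELINE):
        print(f"REVIEW [{scope}] {kind} module {name!r} -> {binary}")
```

On a server the file normally lives at `%windir%\System32\inetsrv\config\applicationHost.config`. Per-application `web.config` files can also register modules and are not covered by this sketch.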