SECURITY RESEARCHERS FROM Cybereason have sounded a klaxon over a problem with the Microsoft Outlook Web Application (OWA) that could let attackers swoop in and bag and tag credentials, data and documents using APT-style techniques.
Cybereason found the attack when a customer with some 19,000 endpoints suspected that it had been infected.
"Within several hours, the Cybereason platform detected a unique attack. The attack exploited Microsoft OWA, an internet-facing webmail server, in a way that enabled the attackers to record authentication credentials and be provided with complete backdoor capabilities to the victim's environment," said the security firm in a blog post.
"By using this approach, the hackers managed to collect and retain ownership over a large set of credentials, allowing them to maintain persistent control over the organisation's environment through the OWA exploit."
A Cybereason Lab Analysis of the webmail server APT (PDF) said that the successful attack, part of which involved an unsigned and suspicious DLL file, gave the attackers access to just about everything they might need or want, at least until Cybereason cleaned things up.
"The hacker's first goal was to use the visibility they had gained into the OWA authentication process to steal the passwords of users logging into OWA - namely everyone," the firm said.
"This treasure trove essentially gave the hackers complete access to every identity and therefore every asset in the organisation."
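The detail a defender should take from the report is that the credential theft depended on a foreign, unsigned DLL sitting inside the OWA authentication path. The following PowerShell is added here as an example, not taken from Cybereason's report or from Microsoft, and shows one way to hunt for that condition on an Exchange server: it lists every module loaded into the IIS worker processes (w3wp.exe) and flags any that lacks a valid Authenticode signature or lives outside the Windows and Exchange install directories. It assumes the DLL was loaded into w3wp.exe, which the article does not state, that the script runs elevated on the server itself, and that Exchange is installed under its default path; the `$ExpectedPaths` list is an assumption to adjust for your estate.

```powershell
# Added example (not from the article or Cybereason): hunt for unsigned or
# out-of-place DLLs loaded into the IIS worker processes that serve OWA.
# Assumptions: run as local administrator on the Exchange/OWA server, from a
# 64-bit PowerShell so that 64-bit w3wp.exe module lists can be read, and
# Exchange installed under its default Program Files path.

$ExpectedPaths = @(
    "$env:SystemRoot\",                                   # Windows and .NET binaries
    "$env:ProgramFiles\Microsoft\Exchange Server\",       # assumed Exchange install root
    "${env:ProgramFiles(x86)}\Microsoft\Exchange Server\",
    "$env:ProgramFiles\Common Files\Microsoft Shared\"
)

function Test-ExpectedPath {
    param([string]$Path)
    foreach ($prefix in $ExpectedPaths) {
        if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($proc in Get-Process -Name w3wp -ErrorAction SilentlyContinue) {
    # Reading .Modules fails on bitness mismatch or access denied; skip such processes.
    $modules = try { $proc.Modules } catch { @() }
    foreach ($m in $modules) {
        if (-not $m.FileName) { continue }

        # NGEN native images are compiled locally and are never Authenticode-signed,
        # so judge them on path only to avoid drowning the output in false positives.
        $isNativeImage = $m.FileName -match '\\assembly\\NativeImages'

        $sig      = Get-AuthenticodeSignature -FilePath $m.FileName
        $unsigned = (-not $isNativeImage) -and ($sig.Status -ne 'Valid')
        $oddPath  = -not (Test-ExpectedPath $m.FileName)

        if ($unsigned -or $oddPath) {
            [pscustomobject]@{
                ProcessId = $proc.Id
                Module    = $m.ModuleName
                Path      = $m.FileName
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                OddPath   = $oddPath
            }
        }
    }
}

# One row per distinct file; an empty table means nothing unsigned or misplaced was found.
$findings | Sort-Object Path -Unique | Format-Table -AutoSize
```

Anything this lists deserves a second look: compare the file's hash against a known-good Exchange install, check who wrote it and when, and treat a valid signature from an unexpected signer as seriously as no signature at all. It is a point-in-time check, so run it on a schedule or feed the results to your SIEM rather than relying on a single pass.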
Cybereason suggested that OWA's deployment model allowed this to happen, but it does not appear to have evidence of any other affected organisations or of further cases in the wild. Its argument rests on how OWA has to be exposed rather than on a specific flaw in the software.
"Almost by definition, OWA requires organisations to define a relatively lax set of restrictions, and in this case OWA was configured in a way that allowed internet-facing access to the server," the firm said.
"This enabled the hackers to establish persistent control over the entire organisation's environment for a period of several months without being detected."
We have asked Microsoft to comment. µ