Hackers steal Microsoft Exchange credentials using IIS module (Security News, December 2021)

Threat actors are installing a malicious IIS web server module named 'Owowa' on Microsoft Exchange Outlook Web Access servers to steal credentials and execute commands on the server remotely.
Microsoft Exchange servers are commonly targeted with web shells, which allow threat actors to remotely execute commands on a server and are usually what defenders focus on.
Using an IIS module as a backdoor is an excellent way to stay hidden.
Owowa specifically targets OWA applications of Exchange servers and is designed to log the credentials of users that successfully authenticate on the OWA login web page.
"This is an efficient option for attackers to gain a strong foothold in targeted networks by persisting inside an Exchange server."
Exe' or the IIS configuration tool to get a list of all loaded modules on an IIS server.
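A module listing is most useful when compared against a known-good baseline. The following is an added example, not code from the original article: it parses saved output of `appcmd.exe list modules` and reports modules that are missing from the baseline or whose managed type has changed. The line format is an assumption about that command's output, and the sample listing, the baseline, and the `ExampleUnknownModule` entry are constructed.

```python
import re

# Assumed line shapes of `appcmd.exe list modules` output:
#   MODULE "Name" ( native, preCondition: )
#   MODULE "Name" ( type:Namespace.Class, preCondition:managedHandler )
MODULE_RE = re.compile(r'^MODULE\s+"(?P<name>[^"]+)"\s+\(\s*(?P<attrs>.*?)\s*\)\s*$')
# The type may be assembly-qualified and contain commas, so match up to preCondition.
ATTR_RE = re.compile(r'^(?:native|type:(?P<type>.*?))\s*,\s*preCondition:(?P<pre>.*)$')

def parse_modules(listing):
    """Return {module name: managed type string, or None for a native module}."""
    modules = {}
    for line in listing.splitlines():
        m = MODULE_RE.match(line.strip())
        if not m:
            continue  # ignore blank lines and anything that is not a MODULE entry
        a = ATTR_RE.match(m.group("attrs"))
        modules[m.group("name")] = a.group("type") if a else None
    return modules

def unexpected_modules(listing, baseline):
    """Flag modules absent from the baseline or whose type differs from it."""
    findings = []
    for name, mtype in sorted(parse_modules(listing).items()):
        if name not in baseline:
            findings.append((name, "not in baseline", mtype))
        elif baseline[name] != mtype:
            findings.append((name, "type changed", mtype))
    return findings

# Constructed sample listing; the last entry stands in for an unknown managed module.
SAMPLE_LISTING = '''
MODULE "HttpCacheModule" ( native, preCondition: )
MODULE "OutputCache" ( type:System.Web.Caching.OutputCacheModule, preCondition:managedHandler )
MODULE "ExampleUnknownModule" ( type:Example.Unknown.Module, ExampleAssembly, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null, preCondition: )
'''

# Constructed baseline, recorded from a server in a known-good state.
BASELINE = {
    "HttpCacheModule": None,
    "OutputCache": "System.Web.Caching.OutputCacheModule",
}

if __name__ == "__main__":
    for name, reason, mtype in unexpected_modules(SAMPLE_LISTING, BASELINE):
        print(f"{name}: {reason} (type={mtype})")
```

A flagged entry is a lead for review of the module's assembly and its installation time, not proof of compromise.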