Hackers steal Microsoft Exchange credentials using IIS module
Threat actors are installing a malicious IIS web server module named 'Owowa' on Microsoft Exchange Outlook Web Access servers to steal credentials and execute commands on the server remotely.
Microsoft Exchange servers are commonly targeted with web shells, which allow threat actors to remotely execute commands on a server and are usually what defenders focus on.
Using an IIS module as a backdoor is an excellent way to stay hidden.
Owowa specifically targets OWA applications of Exchange servers and is designed to log the credentials of users that successfully authenticate on the OWA login web page.
"This is an efficient option for attackers to gain a strong foothold in targeted networks by persisting inside an Exchange server."
Exe' or the IIS configuration tool to get a list of all loaded modules on an IIS server.
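One way to run the module review mentioned above against a collected copy of the IIS configuration, as an added example that is not from the original article. It assumes module registrations are read from applicationHost.config under `globalModules` and `modules`; the sample config, module names and baseline are constructed.

```python
import xml.etree.ElementTree as ET
# Constructed sample: trimmed applicationHost.config. Names/types are invented.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
    </globalModules>
    <modules>
      <add name="StaticFileModule" />
      <add name="ExampleAuthModule" type="Example.Auth.Module, Example.Auth" />
    </modules>
  </system.webServer>
  <location path="Default Web Site/owa">
    <system.webServer>
      <modules>
        <add name="UnreviewedModule" type="Unreviewed.Module, Unreviewed" />
      </modules>
    </system.webServer>
  </location>
</configuration>"""

# Constructed baseline of reviewed (name, image-or-type) pairs.
BASELINE = {
    ("StaticFileModule", r"%windir%\System32\inetsrv\static.dll"),
    ("StaticFileModule", ""),
    ("ExampleAuthModule", "Example.Auth.Module, Example.Auth"),
}

def list_modules(config_xml):
    """Return (scope, section, name, detail) for server and <location> scopes."""
    root = ET.fromstring(config_xml)
    scopes = [("server", ws) for ws in root.findall("system.webServer")]
    for loc in root.findall("location"):
        scopes += [(loc.get("path", ""), ws) for ws in loc.findall("system.webServer")]
    found = []
    for scope, ws in scopes:
        for section in ("globalModules", "modules"):
            for add in ws.findall(f"{section}/add"):
                detail = add.get("image") or add.get("type") or ""
                found.append((scope, section, add.get("name"), detail))
    return found

def unexpected_modules(config_xml, baseline):
    """Registrations whose (name, detail) pair is not in the reviewed baseline."""
    return [m for m in list_modules(config_xml) if (m[2], m[3]) not in baseline]

if __name__ == "__main__":
    for scope, section, name, detail in unexpected_modules(SAMPLE_CONFIG, BASELINE):
        print(f"REVIEW {scope} [{section}] {name} -> {detail}")
```

Modules can also be registered in a site's or application's web.config, so those files need the same review. Comparing on the (name, image-or-type) pair flags a familiar name that points at a different binary.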