Hackers steal Microsoft Exchange credentials using IIS module (Security News, December 2021)
Threat actors are installing a malicious IIS web server module named 'Owowa' on Microsoft Exchange Outlook Web Access servers to steal credentials and execute commands on the server remotely.
Microsoft Exchange servers are commonly targeted with web shells, which let threat actors remotely execute commands on the server; those web shells are usually what defenders look for.
Using an IIS module as a backdoor is an excellent way to stay hidden.
Owowa specifically targets OWA applications of Exchange servers and is designed to log the credentials of users that successfully authenticate on the OWA login web page.
"This is an efficient option for attackers to gain a strong foothold in targeted networks by persisting inside an Exchange server."
Exe' or the IIS configuration tool to get a list of all loaded modules on an IIS server.
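As an added illustration of the module-listing check mentioned above (not code from the article), the Python below parses the two IIS configuration files in which modules are registered, applicationHost.config for native modules and a site's web.config for managed ones, and flags entries that are absent from a baseline or whose image loads from outside the IIS binary directory. The configuration fragments, module names and baseline set are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment; not copied from any real server.
APPHOST_SAMPLE = """<configuration><system.webServer><globalModules>
  <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
  <add name="StaticCompressionModule" image="%windir%\\System32\\inetsrv\\compstat.dll" />
  <add name="ExtenderModule" image="C:\\Windows\\Temp\\ext.dll" />
</globalModules></system.webServer></configuration>"""

# Constructed OWA web.config fragment; the second entry stands in for a planted module.
WEBCONFIG_SAMPLE = """<configuration><system.webServer><modules>
  <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
  <add name="OwaHelper" type="OwaHelper.HttpModule, OwaHelper" />
</modules></system.webServer></configuration>"""

# Module names expected on this host. Constructed here; in practice export the set
# from a known-good server running the same IIS and Exchange build.
BASELINE = {"HttpLoggingModule", "StaticCompressionModule", "FormsAuthentication"}

def native_modules(apphost_xml):
    """(name, image) pairs registered under <globalModules> in applicationHost.config."""
    root = ET.fromstring(apphost_xml)
    return [(m.get("name"), m.get("image"))
            for m in root.iterfind("system.webServer/globalModules/add")]

def managed_modules(webconfig_xml):
    """(name, type) pairs registered under <system.webServer><modules> in a web.config."""
    root = ET.fromstring(webconfig_xml)
    return [(m.get("name"), m.get("type"))
            for m in root.iterfind("system.webServer/modules/add")]

def unexpected_modules(apphost_xml, webconfig_xml, baseline):
    """Flag modules absent from the baseline, and native images loaded from outside
    %windir%\\System32\\inetsrv, both of which merit a look at the file on disk."""
    findings = []
    for name, image in native_modules(apphost_xml):
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        if image and "system32\\inetsrv" not in image.lower():
            reasons.append("image outside inetsrv: " + image)
        if reasons:
            findings.append({"kind": "native", "name": name, "reasons": reasons})
    for name, typ in managed_modules(webconfig_xml):
        if name not in baseline:
            # "Type, Assembly": the assembly lives in the site's bin folder or the GAC.
            assembly = typ.split(",")[1].strip() if "," in typ else "(framework)"
            findings.append({"kind": "managed", "name": name,
                             "reasons": ["not in baseline; assembly " + assembly]})
    return findings
```

On a collected server, feed the real applicationHost.config and the OWA site's web.config into `unexpected_modules` and review every flagged entry's file on disk (path, signature, timestamps) before trusting it.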