They first identified the module in late 2020 and published their findings in a recent blog post. The researchers state that Owawa is an IIS module, which logs information from the Microsoft Outlook Web Access (OWA) login page. It also allows a remote operator to run commands on the compromised server. Kaspersky’s researchers have found several compromised servers across Asia. They also said it is likely that organizations in Europe have been targeted.
Owawa Logs Outlook Credentials
IIS is a Windows web server software package, which is used to host websites and other content on the web. It provides all the necessary services to run and manage a website. IIS also supports modules to add extra functionality or features to websites. Owawa is a malicious module that exposes Microsoft Exchange‘s web-based Outlook service. When loaded successfully, Owawa can log information from an OWA login page, and “will allow a remote operator to run commands on the underlying server.” Kaspersky’s researchers have found a cluster of compromised servers in Indonesia, Malaysia, Mongolia, and the Philippines. It added that several of the targets are government organizations. So far, they have not been able to identify the responsible actor.
Concerns About Malicious IIS Modules
Researchers believe that malicious IIS modules are an effective way for threat actors to breach networks. This is because these modules remain on a compromised system even after an Exchange software update. Furthermore, the malicious activity, such as authentication requests to OWA, can fly under the radar of standard network monitoring. Since these modules are not commonly used for backdoors, they are easily missed during standard file monitoring efforts as well. Researchers say this type of credential stealing is “a stealthier alternative to sending phishing emails.”
How to Detect Owawa
To check for Owawa and other malicious modules, network administrators can use the “appcmd.exe” command. They can also use the IIS configuration tool to access a list of “all loaded modules on a given IIS server.” It is important to regularly check IIS modules, look for signs of lateral movement in networks, and keep endpoint security shields raised. Kaspersky’s researchers have mixed views about the actor behind Owawa. On one hand, their interest in government organizations in Asia and Southeast Asia could signal an intent to gather intelligence on “ASEAN’s agenda and member states’ foreign policies.” On the other hand, the operator’s practices show many signs of inexperience, which doesn’t exactly fit the bill of a strategic campaigner. Microsoft Exchange has faced a significant number of high-profile cyberattacks this year, including the Microsoft Exchange email server attack.
