Owowa is an Microsoft web server (IIS) module currently tuned to intercept outlook web app (OWA) login requests. The exact method of how Owowa makes its way onto servers isn't yet fully known as of publishing of this post, but it is possible that it is deployed as a reconnaissance tool/sniffer during an initial attack on a network. Once it is deployed to a server it is designed to intercept login requests to the target outlook web instance and to funnel the login credentials found to whomever deployed it. This means that if your exchange server is infected, just logging into outlook to check your email can comprise your email account, give the attacker direct control of your email account, and lead to phishing campaigns by pretending to be you. Currently, Owowas targeted have reportedly been governments or government controlled entities in the asia pacific region, but that can change at any time.

Owowa currently works by monitoring HTTP requests on the infected server and responses for OWA traffic by triggering the “PreSendRequestContent” flag, this flag is suspected to be only triggered when a web application hosted by IIS is about to send content to a client application, such as an outlook client. It also verifies that the login was successful by grabbing data from authentication tokens sent as a access confirmation back to the client which contains the user login credentials, IP address and timestamp. It is suspected that the attacker can enter certain strings into the owa login pages username field on an infected server to retrieve the servers credentials log, delete said log, or use the owa login page password field to remotely execute powershell commands remotely.

The IIS "IHttpModule" is used for packet sniffing. According to Microsoft, using the string with the associated flag triggered within the IHttpModule is not recommended as it can lead to server instability/crashes. The attacker, however, is using this exploit to retrieve information despite Microsoft considering that this is not how it should be used.

Another part of the danger regarding Owowa is that without having a security regime tuned to looking for the type of traffic that Owowa sends the only real way to determine if Owowa is on your server is a manual investigation of the loaded modules in IIS. We are informed that most/all security platforms are not designed to search for vulnerabilities like Owaowa at the time of this post.

Currently talk about Owowa is just that, talk; even Kaspersky researchers, who first discovered Owowa and made its existence public, have not yet taken any protective action. In addition, there is no current discussion as to what Owaowa can be turned into, since it is a snooping tool for IIS currently tuned to steal exchange credentials, modifications to its programming likely would, and could allow it to grab any sort of data being sent to/from an IIS server. Such a vulnerability could mean that the entire IIS ecosystem is a continuous threat risk.

Part of my concern around Owowa and about how dangerous it can be, is that it has been reported that Owowa has unused empty modules within its code that could be potentially - maybe already have been - could be used to enhance its current capability.

Recommendations

Owowa may not yet be commonplace but the threat is significant enough that immediate action should be taken. Verification of the IIS backend, its configuration, on a regular basis. Checks should be done regularly to look for the module and remove it. It is thought that Owowa is currently a reconnaissance tool for an ongoing attack, post exploit, or information grabber for the dark web that will lead to additional exploits, phishing and scams. So proactive steps need to be implemented to assist in preventing the exploit.

Fivesys is a rootkit that has been recently discovered in the wild. A rootkit is a type of malware designed to install in the background on a target machine and are also designed to be hard to impossible to detect by normal malware scanning and remediation processes. Rootkits as a class of malware isn't new, but the viability of rootkits overall, has been reduced due to countermeasures developed to mitigate the vast majority of rootkits on the internet. The difference with this rootkit is its packaging that mimics a valid signed driver; it even has a Microsoft signed certificate.

The purpose of the Fivesys rootkit to date, is to redirect HTTP/HTTPS traffic to an attackers predefined IP addresses. The current package has a list of 300 different IPs through proxy designed to prevent blocking traffic. The package also contains a driver blacklist to prevent it being removed or overwritten with a legitimate package. It is it thought by Bitdefender, the company that made the discovery, that the primary target of Fivesys is online games, with the intent to steal game login credentials and hijack in-game transactions for payment credentials/data. As the prior statement cannot be fully verified at this time, we would like to note that re-programming of the package will likely occur resulting in Fivesys being weaponized for any number of similar attack vectors.

As I outline in my first paragraph, the major issue with Fivesys is that the creator has managed to pass the package through Microsoft's driver validation program, which we have confirmed is a fully automated signing process with no manual oversight or flag for review. This allows an actor to use the process to bypasses all of the inbuilt windows security features, leaving machines vulnerable until it is discovered.

Recommendations

Our recommendation to prevent Fivesys or any other rootkits from affecting your environment is to be diligent in your downloads by confirming you are on the manufacturers site. Input the url to the manufacturer manually, do not click on links, and do not use the google search to click a link to go to the download. Current exploits in AdSense and other links, advertising links to legitimate sites that are user uploaded sources, all pose a real risk to Fivesys being downloaded instead of the legitimate driver/software you are after - see our posts on the AdSense exploit. Make sure all your teams, staff and users are trained on cyber security.

Cybercriminals are targeting Linux-based servers running Microsoft’s Azure public cloud environment that are vulnerable to flaws after Microsoft didn’t automatically apply a patch on affected clients in its infrastructure.

Recorded Future reports that the attacks began the night of Sept. 16 after a exploit proof-of-concept was published on GitHub. It was noted that about 10 malicious bot servers have been searching the internet for vulnerable systems. In addition, Cado Security researchers in a blog post also noted a tweet from cybersecurity researcher German Fernandez, who found that the infamous DDoS Mirai botnet – known for taking advantage of insecure Internet of Things (IoT) devices – also is exploiting OMIGOD.

The flaws include CVE-2021-38647, which is a remote code execution bug, and three privileged escalation vulnerabilities: CVE-2021-8648, CVE-2021-38645 and CVE-2021-38649. Ohfeld wrote that the researchers offered a conservative estimate that thousands of Azure customers and millions of endpoints are impacted by the flaws.

“Supply chain cyber attacks have disrupted everyday life and dominated headlines this year,” he wrote. “One of the biggest challenges in preventing them is that our digital supply chain is not transparent. If you don’t know what’s hidden in the services and products you use every day, how can you manage the risk?”

Microsoft was quick to issue fixes to the four vulnerabilities in its September release of security updates, and the vulnerabilities put a spotlight on the risk to supply chains that Microsoft open-source code represents, particularly for organizations using cloud computing services since Microsoft let go its Beta testing teams and community Beta testers that used to volunteer their time.

With OMIGOD, the issue relates to the app called Open Management Infrastructure (OMI), which is embedded in many Azure services and is sponsored by Microsoft open-source OMI project in collaboration with The Open Group.

When users enable any of these popular services, OMI is silently installed on their Virtual Machine by Azure, running at the highest privileges possible. This happens without customers’ explicit consent or knowledge. Users simply click agree to log collection during setup and they have unknowingly opted in to the Microsoft application. Because Azure provides virtually no public documentation about OMI, most customers have never heard of it and are unaware that this attack surface exists in their environment.

The OMI agent operates as root (the highest privileges any users can have) and with it using a Unix socket or through an HTTP API has unlimited control. In Linux, and Unix based environments, the use of Root for any application is discouraged, and this should be the Microsoft default as well, especially when the app is exposed to internet access, but it is not the case as OMI shows. With OMI being so poorly implemented bad actors can easily gain control of the servers.

“This vulnerability can be also used by attackers to obtain initial access to a target Azure environment and then move laterally within it,” Ohfeld wrote in a technical blog. Thus, an exposed port with such access privilege's is a holy grail for malicious attackers, and with OMI, one simple exploit provides attackers with access to new targets, execute commands at the highest privileges, and possibly spread exponentially to new target machines.

Recorded Future noted that Microsoft addressed the bug by developing version 1.6.8.1 of the OMI client and releasing it on GitHub, but didn’t automatically install the update on OMI clients in its infrastructure, essentially leaving tens of thousands of servers vulnerable. The company also took three days to replace the OMI client version inside its available Azure Linux VM images.

The cybersecurity firm said a query on the Shodan search engine found more than 15,600 Azure Linux servers connected to the internet, all with possible exposure, and these are just the ones known.

Recommendations

1. Immediately implementing the OMI patch.
2. Remove it if it is unneeded
3. Check and confirm all applications exposed to the internet
4. Scan and check all server files, access controls, ports and privilege's as well as check your user accounts and groups.

An organization named EXPMON discovered an Office 365/2019 vulnerability on September 5th 2021. The vulnerability lies within MSHTML, which is the Microsoft Internet Explorer browser engine. The vulnerability itself is a Remote code execution (RCE) attack, allowing the attacker to remotely install malware on the target machine.

Source tweet

The exploit is performed by an attacker sending a user a modified .docx file. Said file will contain a script upon opening the document that will use the IE MSHTML engine to open the url programmed into the scripting in the .docx file.

Microsoft has recommended disabling scripts and active X execution, but we are not convinced this is enough due to the base IE11 code being left in the OS. Despite Microsoft not carrying over the IE coding from legacy Edge when they switched to the new Chromium based Edge browser, having legacy IE11 code within the OS still makes execution possible and we recommend removing the base IE11. This is, however, not a guarantee as Microsoft has not confirmed if the IE11 code exist in other parts of the OS, so the following prevention recommendations should always be followed:

Recommendation Internet Explorer 11, even if not showing on your computer, is likely still installed as a background app on your machine as Microsoft has maintained it for compatibility, it is recommended to remove it. You can do this by searching for windows features in the windows search bar. Uncheck the Internet Explorer 11 checkbox to remove "Internet Explorer" and IE11 code. Your PC should request a reboot, click reboot when prompted.

See walkthrough video here

If your business still requires use of Internet Explorer 11 for any reason, contact the developer of the program you are using to ask them to update their codebase to support modern web browsing.

It is important to remember that attachments are often insecure, and even if you have removed the above code, we continue to recommend not opening attachments unless you are absolutely sure of the source; and even then, only once you have confirmed that the source did send it.

The preferred approach is to use a sharing system such as our On The move server https://c-justice.com/odrsoftware.html available to all types of business, as one example; or other secure option instead of using attachments.