"This treasure trove essentially gave the hackers complete access to every identity and therefore every asset in the organization," the researchers wrote.
Cybereason did not name the company targeted in the attack but described it as a "mid-sized public services company based in the U.S." Researchers believe it was a targeted campaign because the malware used very specific keywords. The report also did not explain how the attackers got the backdoored DLL file onto the company's network in the first place.
Even so, the attack illustrates how far attackers will go to get domain credentials, and they won't always take the most obvious approach. Critical assets need to be monitored for any changes to the system configuration, and all new files, especially binaries, need to be scrutinized. Attackers can also use existing tools as part of their attacks, making it even more critical that administrators be able to recognize anomalous behavior on the network.
OWA is designed to give remote users access to Outlook, but its flexible nature also made it easier for attackers. Organizations have to be hypervigilant when it comes to monitoring critical assets within the environment. Sometimes that cache file is not benign at all.
Sign up for MIS Asia eNewsletters.