My guest today is Terry Cutler, head of Cyology Labs. Cutler will join me later in the show, but first I'd like to do a bit of a review of cybersecurity news this week.

This is our week in review.

Howard covered a story on Monday's edition of the program where he reported that a security company called Pondurance is warning IT teams that the Conti ransomware gang or its affiliates are still exploiting the Microsoft Exchange vulnerabilities that were revealed earlier this year. This story stuck out for me. For one thing, I'm hearing a lot about vulnerabilities in Microsoft Exchange, in the Print Spooler service and in Microsoft's web server software, IIS.

Howard also covered an Exchange hack this week that occurred even though the company had patched its Exchange software. The problem was that the Exchange server was already compromised before the patch was applied. That's a real heads-up for all of us: even if we think we are getting our patching done, are we doing the scanning we should do in case attackers got in before we applied the patch? A patch closes the door; it does not evict anyone who is already inside.

In a related story, Microsoft released security updates for 44 vulnerabilities in the August edition of Patch Tuesday, seven of which were classified as critical and 37 as important. Thirteen of the patched vulnerabilities allow remote code execution and eight are information disclosure bugs. The release also fixed three zero-day bugs, including the Windows Print Spooler remote code execution vulnerability CVE-2021-36936, part of the Print Spooler saga that has been a major topic of discussion since June.

There has been more news on Microsoft vulnerabilities over the past few weeks. It seems like the world is in attack mode on the Microsoft trinity:
- Exchange, which runs email services
- IIS, Internet Information Services, the web server that sits underneath on-premises Exchange, SharePoint and a great many line-of-business applications built on Microsoft's server stack
- and the humble Windows Print Spooler; there's a lot of noise around attacks on it
These attacks have two things in common. They go after the backbone of services, and I suspect some architectures that are, shall we say, aging. Second, the ingenuity and creativity of the attackers is something to, if not admire, at least respect.

Let's start with the web server, IIS.

Security firm ESET published what it calls an anatomy of native IIS malware over the past two weeks, with the last instalment hitting on Wednesday of this week. I'll post the links at the end. They called it putting IIS web server threats under the microscope. They documented three big threats to IIS:

- IIStealer, which steals credit card information and other data from e-commerce transactions
- IISpy, which creates a backdoor to the server
- and a curious new one, IISerpent, which hijacks your server not to steal data but to steal your reputation, your search engine status. Clever.

All of these masquerade as regular native IIS modules, the C++ DLL extensions that plug into the server's request pipeline. They use the regular IIS module interfaces, they keep serving legitimate users, and they don't interfere with normal service. But because they are, for all intents and purposes, regular modules, they have access to everything the server has: every request and every response, after TLS has been stripped off.

So IIStealer sees HTTP traffic exactly as the server sees it. Encrypting traffic in transit doesn't help, because the server decrypts it before the module gets its turn, and IIStealer reads credit card numbers and other sensitive fields out of the checkout request in the clear.

IISpy creates a backdoor that allows remote control of the server. According to ESET, this backdoor affects a relatively small number of servers in Canada, the U.S. and the Netherlands, but that may not be the total population of affected servers because, wait for it, also according to ESET, it is not uncommon for administrators to not run security software on servers.

And it does have control of the server. It responds to attacker-crafted HTTP requests carrying commands to:
- get system information
- upload and download files
- execute files or shell commands
- create a reverse shell
- list, create, move and delete folders
- map a local drive to a remote drive
- exfiltrate data
Again, it passes legitimate HTTP requests through untouched, so to users everything is hunky-dory. But this software has some other really clever ways of hiding. It doesn't pass passwords or other credentials in the open; it embeds and encrypts them, even going so far as to hide them in PDF headers. And because it is treated as a legitimate server module, it can hook the OnLogRequest event, which fires as IIS writes each log entry, and rewrite the entries so that the attacker's traffic is recorded as a normal, casual request. That makes forensics difficult, to say the least, and it means the IIS logs on a suspect server cannot be trusted on their own.

IISerpent: SEO fraud.

This is another clever approach. IISerpent doesn't steal data, it steals your reputation. Again masquerading as a legitimate server module, it only tampers with requests from search engine crawlers, which it recognises by their User-Agent, and modifies the content shipped back to them, injecting links and keywords, so that it can hijack the ranking of a site and use it to promote other websites, making them much more searchable. Regular visitors, and anyone testing the site with a browser, see the unmodified pages.

This is a relatively new type of malware, but ESET found it in 6 of the 14 families it studied, often combined with the other variants we've talked about.

To the reader: that's my prepared piece from the week in review. Please listen to the podcast if you'd like to hear the conversation between Terry and me. It was, at least to me, engaging. Here are some of the questions that I asked him:
- Is this a new trend, or are we just becoming more aware of it, from what seemed to be unsolvable Print Spooler issues to the IIS vulnerabilities to this new SEO attack?
- How much of this is a weakness in Microsoft architecture and how much of this is poor installation or maintenance?
- I will confess to one thing: we took out our in-house Exchange years ago after a prolonged attack. Our staff slept in the office for days; every time we beat it back, it came back. When we did our post-mortem, we found that although our setup was "textbook" correct, it was "built to hack". We decided to get out of the business of running our own Exchange server and use a cloud service. It was controversial at the time, but my feeling was that a small IT department can't do everything, and if someone ran mail services every day for thousands of accounts, they were probably going to be better at it than we were.
Today, people would say, duh. But this is my question, and I knew I'd get to one eventually: how much of what we are seeing is weakness in Microsoft's architecture and how much of it is setup error?
- Are we smarter to go to the cloud for all of this? Are the cloud versions any safer?
- We've seen how important patching is. Another lesson: Howard recommended that we scan before we patch.
- Any other tips with regard to patching?
- How fast should we patch? I was talking to some colleagues at our MapleSEC satellite event and some of them had a regular weekend patch routine — and one of them said that waiting even a few days was too long. How do you cope with that?
- What else can we do to protect our key infrastructure?
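Returning to the ESET research in the prepared piece above: all three threats are native IIS modules, so the first check I would run on a suspect server is simply "which native modules are registered, and where do their DLLs live?" Here is an added example of that check. It is my own illustration, not code from ESET or from the podcast. It parses the `<globalModules>` and `<modules>` sections of an IIS `applicationHost.config` (the file under `%windir%\System32\inetsrv\config\`, which can be copied off a host for offline review) and flags any native module whose DLL is outside `%windir%\System32\inetsrv\`, whose name is not in a baseline of stock modules, or which is enabled without being registered. The baseline is a deliberately short subset and the config is a constructed sample; on a real investigation, build the baseline from a known-good server of the same IIS version.

```python
r"""Flag non-stock native modules in an IIS applicationHost.config.

Native IIS modules (the kind IIStealer, IISpy and IISerpent are) are DLLs
registered under <system.webServer><globalModules> and enabled per site
under <modules>. Stock modules live in %windir%\System32\inetsrv\. Anything
registered from elsewhere, or under an unfamiliar name, deserves a look.
Added example, not ESET's tooling; baseline and sample config are assumed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumed baseline: a subset of the native modules IIS ships with. Extend it
# from a known-good server of the same version before relying on it.
STOCK_MODULES = {
    "AnonymousAuthenticationModule", "CgiModule", "CustomErrorModule",
    "DefaultDocumentModule", "DirectoryListingModule", "FastCgiModule",
    "HttpCacheModule", "HttpLoggingModule", "IsapiFilterModule",
    "IsapiModule", "ProtocolSupportModule", "RequestFilteringModule",
    "StaticCompressionModule", "StaticFileModule",
    "WindowsAuthenticationModule",
}
STOCK_DIR = "%windir%\\system32\\inetsrv\\"


@dataclass(frozen=True)
class Finding:
    name: str
    image: str
    reason: str


def normalise_path(path: str) -> str:
    r"""Lower-case, unify slashes and fold C:\Windows into %windir% so the
    two spellings IIS uses for the same directory compare equal."""
    p = path.strip().lower().replace("/", "\\")
    return p.replace("c:\\windows\\", "%windir%\\")


def triage_modules(config_xml: str) -> list:
    """Return a list of Findings for suspicious module registrations."""
    root = ET.fromstring(config_xml)
    findings = []
    registered = {}

    # Every native module the server will load comes from <globalModules>.
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            name = add.get("name", "")
            image = add.get("image", "")
            registered[name] = image
            if not normalise_path(image).startswith(STOCK_DIR):
                findings.append(Finding(name, image, "image outside inetsrv"))
            if name not in STOCK_MODULES:
                findings.append(Finding(name, image, "name not in baseline"))

    # <modules> entries with a 'type' attribute are managed (.NET) modules;
    # the rest must refer to a registered native module.
    for mods in root.iter("modules"):
        for add in mods.findall("add"):
            name = add.get("name", "")
            if add.get("type") is None and name not in registered:
                findings.append(Finding(
                    name, "",
                    "enabled in <modules> but not registered in <globalModules>"))
    return findings


# Constructed sample config: four stock registrations plus one planted DLL
# in C:\inetpub\temp and one enabled module that was never registered.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="HttpCacheModule" image="C:\Windows\System32\inetsrv\cachhttp.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="CacheModule" image="C:\inetpub\temp\cache.dll" />
    </globalModules>
    <modules>
      <add name="StaticFileModule" />
      <add name="CacheModule" />
      <add name="SessionModule" />
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
    </modules>
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    for f in triage_modules(SAMPLE_CONFIG):
        print(f"{f.reason:<60} {f.name:<20} {f.image}")
```

On a live host the same registration list comes from `Get-WebGlobalModule` in the WebAdministration PowerShell module. Follow up on each flagged DLL with `Get-AuthenticodeSignature` and a hash lookup, and, given what IISpy does to log entries, treat the server's own IIS logs as suspect rather than as the place to start.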
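IISerpent's trick, described in the prepared piece above, of answering crawlers and humans differently suggests its own check: request the same page with a browser User-Agent and with search engine crawler User-Agents and compare what comes back. The following is an added example of that comparison; it is my illustration, not ESET's code or anything from the podcast. `detect_cloaking` takes a fetch function so it can be pointed at a real URL with the `http_fetch` helper (urllib with a custom User-Agent) or, as here, at `fake_cloaked_server`, a constructed stand-in that injects a promotional link only when it sees a crawler, which is the behaviour the ESET write-up describes. The User-Agent strings and hostnames are assumptions.

```python
"""Compare what a site serves to search engine crawlers versus a browser.

IISerpent-style SEO fraud only alters responses to crawler requests, so a
normal browser test never shows it. Fetch the same URL with several
User-Agents and report links that appear only in the crawler view.
Added example, not ESET's code; User-Agent strings and hosts are assumed.
"""
import urllib.request
from html.parser import HTMLParser

# Assumed crawler identities. The module decides who is a crawler from the
# User-Agent header, so these only need to look like the real ones.
CRAWLER_UAS = {
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "bingbot": "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
}
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0"


class _LinkCollector(HTMLParser):
    """Collect href values of <a> tags; injected backlinks are what SEO fraud adds."""

    def __init__(self):
        super().__init__()
        self.hrefs = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.hrefs.add(value)


def extract_links(html: str) -> set:
    parser = _LinkCollector()
    parser.feed(html)
    return parser.hrefs


def http_fetch(url: str, user_agent: str, timeout: float = 10.0) -> str:
    """Fetch url with the given User-Agent (for use against a real host)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


def detect_cloaking(fetch, url: str) -> dict:
    """Return {crawler_name: [links only that crawler sees]}; empty if none."""
    browser_links = extract_links(fetch(url, BROWSER_UA))
    report = {}
    for name, ua in CRAWLER_UAS.items():
        injected = extract_links(fetch(url, ua)) - browser_links
        if injected:
            report[name] = sorted(injected)
    return report


# Constructed stand-in for a server with an IISerpent-like module loaded:
# the page is normal for everyone except crawlers, who get an extra backlink.
_PAGE = ('<html><head><title>Shop</title></head><body>'
         '<a href="/cart">Cart</a><a href="/about">About</a></body></html>')


def fake_cloaked_server(url: str, user_agent: str) -> str:
    ua = user_agent.lower()
    if "googlebot" in ua or "bingbot" in ua:
        return _PAGE.replace(
            "</body>",
            '<a href="https://promoted.invalid/pills">cheap pills</a></body>')
    return _PAGE


def fake_honest_server(url: str, user_agent: str) -> str:
    return _PAGE


if __name__ == "__main__":
    print(detect_cloaking(fake_cloaked_server, "https://shop.invalid/"))
    print(detect_cloaking(fake_honest_server, "https://shop.invalid/"))
```

A clean result is not proof of absence: a module could also key on crawler source IP ranges rather than the User-Agent alone, so the complementary check is to look at crawler hits in the IIS logs for response sizes that differ from what a browser gets for the same URL, bearing in mind the earlier point that those logs may themselves have been edited.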
I also promised to put some links to the ESET story. Here they are:
https://www.welivesecurity.com/2021/08/06/iistealer-server-side-threat-ecommerce-transactions/
https://www.welivesecurity.com/2021/08/09/iispy-complex-server-side-backdoor-antiforensic-features/
https://www.welivesecurity.com/2021/08/11/iiserpent-malware-driven-seo-fraud-service/

Time's up. Been fun. We'll have to send Howard on vacation again soon!

Just a reminder that you can find links to any of the stories, including the ESET report, on ITWorldCanada.com along with a text summary of today's show. Follow us on Apple or Google Podcasts, Spotify, or wherever you get your podcasts.

Our annual security event, MapleSEC, which we hold in partnership with CIRA, is coming and we have an incredible program shaping up. Check it out at www.MapleSEC.ca

You can subscribe to our Security newsletter or our Daily IT Wire to see more great articles by Howard and our team of tech journalists at ITWorldCanada.com

Howard will be back on Monday with another edition of the podcast.

Until then, I'm Jim Love, CIO and Chief Content Officer for ITWorldCanada, ITWC. Have a great weekend and stay safe.