Warnings to Exchange and Comm100 administrators, and how the CIA might have messed up.
Welcome to Cyber Security Today. It’s Monday, October 3rd, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Microsoft Exchange administrators should install a script to mitigate two unpatched zero-day vulnerabilities in their on-premises email servers. This advice comes after the discovery of the holes by researchers at a Vietnamese firm. Microsoft says the holes affect Exchange Server 2013, 2016 and 2019. The first vulnerability is a server-side request forgery. If an attacker is able to exploit that, they can remotely trigger the second vulnerability, which allows remote code execution through Exchange PowerShell. Authenticated access to the vulnerable Exchange Server is necessary to exploit either vulnerability. Microsoft has released a URL rewrite script to mitigate the server-side request forgery. The script is a blocking rule in IIS Manager. The script will be automatically added for customers who have the Exchange Server Mitigation Service enabled. So far, Microsoft says, it has only seen these attacks in 10 organizations. It suspects a nation-state is behind the exploitation.
Administrators of websites that use the Comm100 Live Chat application for customer support should reinstall the application with the latest version. This comes after researchers at CrowdStrike discovered the application’s installer was compromised late last month. This supply chain attack would allow a hacker to get into the systems of any of the customers of the Canadian company. Anyone who downloaded Comm100 between September 26th and the 29th — and possibly earlier — may have used an infected installer. The installer would have appeared to be legitimate because it had a valid authentication certificate. This is like the SolarWinds Orion attack over a year ago. The report doesn’t explain how Comm100 had its installer compromised. This being Cybersecurity Awareness Month, the report is another reminder to IT and security leaders that cybersecurity includes protecting your application development process.
Here’s another Cybersecurity Awareness Month-related item: At last week’s Virus Bulletin security conference in the Czech Republic, researchers at ESET presented a case study of a targeted phishing campaign believed to have been launched a year ago by the North Korean-based Lazarus group. The targets were an employee of an aerospace company in the Netherlands and a political reporter in Belgium. Both were sent emails with infected job offers. The aerospace worker got theirs in an attachment sent by LinkedIn Messaging; the reporter got theirs in an email message. The goal was to exploit a vulnerability in a driver on a Dell computer. The infection route was complex, but the important thing to me is that it’s another reminder to all employees that any message service can be used to deliver malicious attachments. Don’t be flattered by a job offer or a pitch by a recruiter. Don’t click on any document they send you.
Cybersecurity is apparently important to many Canadian post-secondary students. According to a recent survey, almost half said their decision to attend a university or college would be affected if the institution had experienced a data breach or had a reputation for weak cybersecurity. Forty-four per cent of respondents said their school doesn’t provide enough training and resources to help ensure students’ personal information is protected from threats. On the other hand, only 49 per cent said they follow the guidelines that their academic institutions do put out. The poll was paid for by consulting firm ISA Cybersecurity.
Finally, the U.S. Central Intelligence Agency allegedly wasn’t very intelligent when it created hundreds of websites over a decade ago that its sources could use for communications. That suggestion comes from a new report by researchers at the University of Toronto’s Citizen Lab. The websites were in local languages around the world that appeared to be real news, weather, sports and other sites. But the search box on each site was actually a password login box. For security reasons, each site could only be used by one source. However, using archived web pages Citizen Lab figured out the CIA had apparently bought sequential IP addresses to set up this communications network for its agents. Knowing one website was suspect would have logically led to the conclusion that websites with nearby IP addresses were also suspect. Not only that, the report says, certain web design similarities on each site suggested they were created by a single owner. What’s the context of this? In 2018 Yahoo News reported this network was compromised by China and Iran, apparently leading to the arrest and death of residents in those countries recruited to work for the CIA. The Reuters news agency just released a more detailed story on this.
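The adjacent-address pivot described above, as an added illustration that is not from Citizen Lab's report or this podcast: given a constructed inventory of placeholder hostnames and documentation-range IP addresses, the script groups addresses into contiguous runs and shows how one flagged address exposes its neighbours. A defender can run the same check against their own asset inventory to spot clusters that would reveal common ownership.

```python
import ipaddress

# Constructed inventory of hostname -> IPv4 address. The names are placeholders
# and the addresses come from RFC 5737 documentation ranges; none are real sites.
INVENTORY = {
    "weather-example.test": "203.0.113.10",
    "sports-example.test": "203.0.113.11",
    "news-example.test": "203.0.113.12",
    "finance-example.test": "203.0.113.13",
    "recipes-example.test": "198.51.100.77",
    "travel-example.test": "192.0.2.200",
}


def sequential_clusters(inventory, min_size=2):
    """Return lists of (host, ip) whose addresses form contiguous numeric runs.

    Addresses are sorted numerically; every run of consecutive integers
    (ip, ip+1, ip+2, ...) becomes one cluster. Runs shorter than min_size
    are discarded, so isolated addresses are not reported.
    """
    ordered = sorted((ipaddress.ip_address(ip), host) for host, ip in inventory.items())
    clusters, run = [], []
    for addr, host in ordered:
        if run and int(addr) == int(run[-1][0]) + 1:
            run.append((addr, host))  # extends the current contiguous run
        else:
            if len(run) >= min_size:
                clusters.append(run)
            run = [(addr, host)]  # start a new run
    if len(run) >= min_size:
        clusters.append(run)
    return [[(host, str(addr)) for addr, host in run] for run in clusters]


def pivot_from(inventory, flagged_ip, min_size=2):
    """Given one address already identified, return the other hosts in its run.

    This is the inference the report describes: one suspect site implicates
    every site on the neighbouring addresses bought in the same block.
    """
    for cluster in sequential_clusters(inventory, min_size):
        if flagged_ip in [ip for _, ip in cluster]:
            return [host for host, ip in cluster if ip != flagged_ip]
    return []


if __name__ == "__main__":
    for cluster in sequential_clusters(INVENTORY):
        print("contiguous block:", cluster)
    print("implicated by 203.0.113.11:", pivot_from(INVENTORY, "203.0.113.11"))
```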
That’s it for now. You can follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.