A new attack vector against Exchange and more unprotected data found on AWS S3 buckets.
Welcome to Cyber Security Today. It’s Friday, December 23rd, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
The Play ransomware gang has apparently found a new vulnerability to exploit on Microsoft Exchange servers. According to researchers at CrowdStrike, the attackers are going through Outlook Web Access — also known as OWA — to get at Power Shell’s remote access service. This gets around Microsoft’s recent mitigations for the ProxyNotShell vulnerability. To defend against this suspected new attack CrowdStrike says Exchange administrators should install the latest patches on their servers. They should also follow Microsoft’s recommendations to disable remote PowerShell for non-administrative users. And they should monitor servers for signs of exploitation in IIS and RemotePowerShell logs.
Separately, administrators whose organizations use the cloud-based Exchange Online service were given a final warning this week that Microsoft is turning off basic authentication in January. They need to switch to Exchange Online’s modern authentication service. Any user trying to connect through basic auth in January will get an error message. The reason for killing basic authentication is it’s susceptible to password spray attacks. Microsoft has been warning about this coming change for some time. Administrators should have switched to Microsoft’s modern auth by now.
Still dealing with Exchange, a Swiss-based cybersecurity firm called Prodaft put out a background report on a financially-motivated ransomware group researchers call FIN7. It often takes advantage of Exchange vulnerabilities. Since 2021 it has been using an automated attack system to find and run exploits on Exchange servers. Other tactics include buying stolen authentication for Windows remote desktop access deployments and VPNs. This particular group goes after high-revenue organizations.
The personal information of over 100,000 students who used publisher McGraw Hill’s online education platform could have been copied by anyone over the summer. According to researchers at vpnMentor, the data was stored in two misconfigured Amazon Web Services buckets. This is just the latest in a series of discoveries of poorly-protected databases left open on the internet. Files included names, email addresses and grades of users from the University of Toronto, McGill University, UCLA, the University of Michigan and others institutions. Also on the servers was source code belonging to the publisher. The thing is, McGraw Hill took a long time to respond to the discovery. vpnMentor says it first left a message with the company on June 13th. After three more unanswered messages the researchers left warnings with the U.S. Computer Emergency Response Team and Amazon, hoping they would contact the publisher. The data on the buckets were finally removed over a month later, on July 20th. Organizations need to have communication processes to respond to complaints like this. Otherwise there will be new stories that make it look like the organization isn’t organized.
Finally, another warning has gone out for Android users to be careful of the apps the download. Researchers at Group-IB have discovered the return of a trojan malware called Godfather that steals the passwords of users who try to log into banks in the U.S., Canada, the U.K., France, Germany and other countries. It’s back after disappearing in June. Victims don’t realize they’re giving away their credentials because they’re logging into a fake screen superimposed over the bank’s real page. Crooks often distribute mobile malware through utility apps such as currency converters, and, in this case, a fake version of Google Protect.
Later today the Week in Review edition will be out. Guest commentator Terry Cutler of Cyology Labs will be here to comment on vulnerabilities in Samba, the seizure of DDoS attack sites and more.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.