Windows servers help serve denial of service attacks, and more.
Welcome to Cyber Security Today. It’s Monday, October 31st, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Poorly configured Windows servers are helping deliver distributed denial of service attacks. That’s the conclusion of researchers at Black Lotus Labs. They blame Windows administrators who leave an Active Directory service called CLDAP open to the internet. CLDAP is short for Connectionless Lightweight Directory Access Protocol. It runs over UDP on port 389 and lets a client on the local network locate a domain controller that can authenticate it. Because it is connectionless, a small request with a spoofed source address draws a much larger reply to the victim, and attackers are leveraging that to magnify their DDoS attacks. The researchers say there really isn’t a reason for network designers to allow this service to be reachable from the internet. In fact, when news broke in 2017 about attackers abusing this service, administrators clamped down on it. However, in their report last week the researchers said network administrators haven’t been as conscientious lately, and threat actors are again taking advantage of CLDAP. This service should be blocked from the internet unless there is a genuine need for it.
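The fix the researchers call for is a scoping problem on the domain controller or the perimeter. The following PowerShell is an added example, not code from the Black Lotus Labs report or from this podcast: it audits a Windows Server host for enabled inbound firewall rules that allow UDP 389 from any remote address and narrows them to internal ranges. It assumes the NetSecurity module that ships with Windows Server, and the address ranges are placeholders for your own address plan.

```powershell
# Added example (not from the report or the podcast): on a domain controller
# running Windows Defender Firewall, find inbound rules that expose UDP 389 (CLDAP)
# to any remote address and restrict them to internal networks.
# Assumptions: NetSecurity module available; the ranges below are placeholders.

$InternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')   # placeholders

# 1. Audit: enabled inbound Allow rules whose port filter includes UDP 389 and
#    whose address filter is unrestricted ('Any').
$Exposed = Get-NetFirewallPortFilter -Protocol UDP |
    Where-Object { $_.LocalPort -eq '389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }

if (-not $Exposed) {
    Write-Host 'No unrestricted inbound UDP 389 rules found.'
} else {
    $Exposed | Select-Object DisplayName, DisplayGroup, Profile | Format-Table -AutoSize

    # 2. Remediate: keep the rules (domain-joined clients on the LAN still need
    #    CLDAP to find a DC) but limit the remote address scope. Add -WhatIf to
    #    Set-NetFirewallAddressFilter to preview before changing anything.
    $Exposed | Get-NetFirewallAddressFilter |
        Set-NetFirewallAddressFilter -RemoteAddress $InternalRanges

    # 3. Verify: the remote scope should now list only the internal ranges.
    $Exposed | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
}
```

Narrowing the scope rather than disabling the listener matters because domain members use the same UDP 389 service to locate a domain controller. A host firewall rule is a backstop only; the edge router or cloud security group in front of the server should also drop inbound UDP 389, and the result should be confirmed with a UDP probe from an external vantage point, since TCP-based connectivity checks will not exercise CLDAP.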
You may recall that last May I reported a threat actor discovered how to hide malware in Windows event logs. Another hacker has picked up the idea. According to researchers at Symantec, they’re doing it by leveraging the logs created by Microsoft’s popular web server, Internet Information Services, or IIS. The threat actor first compromises a server with a Trojan that reads and executes commands from a legitimate IIS log. Commands disguised as ordinary web requests are sent to the compromised server. IIS records those requests, and the commands inside them, in its log file. The Trojan reads them from the log, saves them to a folder and runs them as backdoors to the server. Because the command channel is plain web traffic written to a log the server keeps anyway, network defenders need to identify and block the Trojan itself from executing.
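A request does not have to reach a real page to land in the IIS log, so one place to hunt for this kind of command channel is the log itself: error responses whose URL is unusually long or carries characters a normal link would not. The PowerShell below is an added example, not code from the Symantec report or from this podcast. The field layout is the IIS default W3C set; the thresholds, the character heuristic and the sample log lines are constructed for illustration and are not indicators from the actual campaign.

```powershell
# Added example (not from Symantec's report or the podcast): scan IIS W3C logs for
# requests that look like text smuggled into the log rather than page visits.
# Assumptions: default W3C fields; thresholds and sample lines are constructed.

function Get-SuspiciousIisRequests {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int] $MinLength = 64,    # stem+query longer than this is unusual for static content
        [int] $MinStatus = 404    # resources that do not exist are still logged, with an error status
    )
    $fields = @()
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = ($line.Substring(8).Trim() -split ' ')   # header names the columns
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }     # skip malformed lines
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        $stem    = $rec['cs-uri-stem']
        $query   = $rec['cs-uri-query']
        $status  = [int]$rec['sc-status']
        $payload = if ($query -eq '-') { $stem } else { "$stem?$query" }

        # Heuristic: an error response carrying a long URL with characters outside
        # the usual URL alphabet is how arbitrary text ends up in the log without
        # any real resource being served.
        $nonUrlChars = ([regex]::Matches($payload, '[^A-Za-z0-9/._?=&%-]')).Count
        $longOdd = ($payload.Length -ge $MinLength) -and ($nonUrlChars -gt 0)
        if ($status -ge $MinStatus -and ($longOdd -or $payload.Length -ge 2 * $MinLength)) {
            [pscustomobject]@{
                Time     = "$($rec['date']) $($rec['time'])"
                ClientIp = $rec['c-ip']
                Status   = $status
                Length   = $payload.Length
                Url      = $payload
            }
        }
    }
}

# Constructed sample log (not real traffic). Columns follow the IIS default layout;
# the last line carries an opaque token and shell-like punctuation against a 404.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-10-27 09:14:02 10.0.0.5 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 15
2022-10-27 09:14:05 10.0.0.5 GET /images/logo.png - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 4
2022-10-27 09:15:31 10.0.0.5 GET /a/b/c - 443 - 203.0.113.9 Mozilla/5.0 - 404 0 2 1
2022-10-27 09:16:10 10.0.0.5 GET /x/notapage cmd=ZWNobyBjb25zdHJ1Y3RlZCBzYW1wbGUgcGF5bG9hZCBmb3IgaWxsdXN0cmF0aW9uIG9ubHk=;{run} 443 - 203.0.113.9 Mozilla/5.0 - 404 0 2 0
'@ -split "`r?`n"

Get-SuspiciousIisRequests -LogLines $sample | Format-Table -AutoSize
# On a real server:
# Get-SuspiciousIisRequests -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex221027.log')
```

Only the last sample line is reported; the 200 responses and the short 404 are not. Treat hits as leads, not verdicts: scanners and broken links also produce odd 404s, so corroborate by checking which processes other than the IIS worker and logging service open the log files, and whether new executables appear in writable folders shortly after the flagged requests.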
Twilio has released its final report into a July incident in which several customer support staff were fooled into giving up their login credentials to attackers pretending to be Twilio IT staff. The attackers sent hundreds of text messages to the mobile phones of employees, urging them to click on a password reset link. That led them to fake but lookalike Twilio login pages. The hacker was then able to use the passwords to get information on 209 Twilio customers and 93 users of Twilio’s Authy multifactor authentication service. Twilio says there is no evidence customers’ credentials, authentication tokens or API keys were accessed. In a second incident, a Twilio employee was tricked by a voice message into giving up their username and password. The history and final report may provide useful information for supervisors of customer support teams. Listeners should note that the attackers had to know the mobile phone numbers of employees for the scam to work. Depending on your job, you may not want to put that number on LinkedIn or social media.
Finally, VMware administrators are urged to install patches for recent versions of the company’s Cloud Foundation platform. One fix closes a critical vulnerability in the open-source XStream library the platform uses. The patches are for versions 3.11 and 4 of Cloud Foundation.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.