Wouldn't surprise me, but that's not how they're playing this. I do hope we get some real detail out of this.

Kurt

On Wed, Oct 7, 2015 at 8:37 AM, Kennedy, Jim <[email protected]> wrote:
> This part makes me take notice:
>
> " OWA was configured in a way that allowed internet-facing
> access to the server"
>
> My gut says they left the box open at the OS level to the internet and the
> OWA injection was the killing blow, not the original point of attack.
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Michael B. Smith
> Sent: Wednesday, October 7, 2015 11:36 AM
> To: [email protected]; ntsysadm <[email protected]>
> Subject: RE: [Exchange] So, how did they plant the malware?
>
> We've been discussing this on a couple of closed lists. Long-story short -
> insufficient data at this time.
>
> The wording of the story is also of some concern. "Outlook mailserver"? Not
> Exchange?
>
> Also, how was the DLL injected? Was the server already compromised? If so,
> game over and it isn't OWA's fault.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Kurt Buff
> Sent: Wednesday, October 7, 2015 11:32 AM
> To: [email protected]; ntsysadm
> Subject: [Exchange] So, how did they plant the malware?
>
> The article is short on details, and so is the security firm's PDF.
> Very scary, but nothing in the way of actionable intelligence, AFAICT
> http://arstechnica.com/security/2015/10/new-outlook-mailserver-attack-steals-massive-number-of-passwords/
