RE: [NTSysADM] RE: [Exchange] So, how did they plant the malware?

[Michael B. Smith]

The Exchange team had more to say off-the-record. This is for public 
consumption.

But “we” had it right to start with.  The server was already compromised.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kurt Buff
Sent: Wednesday, October 7, 2015 1:59 PM
To: excha...@lists.myitforum.com
Cc: ntsysadm
Subject: Re: [NTSysADM] RE: [Exchange] So, how did they plant the malware?

How very bland. I'm still left wanting more details.

The original security report doesn't specifically call out an OWA vuln, so I'm 
wondering how the victim screwed up. Probably something really basic, but no 
way to tell at this point.
Even so, thank you Michael.
Kurt

On Wed, Oct 7, 2015 at 10:11 AM, Michael B. Smith 
<mich...@smithcons.com<mailto:mich...@smithcons.com>> wrote:
The Exchange Team’s response, hot off the presses:

http://blogs.technet.com/b/exchange/archive/2015/10/07/no-new-security-vulnerability-in-outlook-web-access-owa.aspx


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Andrew S. Baker
Sent: Wednesday, October 7, 2015 12:03 PM
To: ntsysadm
Cc: excha...@lists.myitforum.com<mailto:excha...@lists.myitforum.com>
Subject: Re: [NTSysADM] RE: [Exchange] So, how did they plant the malware?

This is absolutely a "need more info" type of scenario.

Nothing in the article begins to hint at an actual OWA weakness, in any event.






ASB
http://XeeMe.com/AndrewBaker<http://xeeme.com/AndrewBaker>
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market…


 GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A

On Wed, Oct 7, 2015 at 11:37 AM, Michael B. Smith 
<mich...@smithcons.com<mailto:mich...@smithcons.com>> wrote:
We've been discussing this on a couple of closed lists. Long-story short - 
insufficient data at this time.

The wording of the story is also of some concern. "Outlook mailserver"? Not 
Exchange?

Also, how was the DLL injected? Was the server already compromised? If so, game 
over and it isn't OWA's fault.

-----Original Message-----
From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Kurt Buff
Sent: Wednesday, October 7, 2015 11:32 AM
To: excha...@lists.myitforum.com<mailto:excha...@lists.myitforum.com>; ntsysadm
Subject: [Exchange] So, how did they plant the malware?

The article is short on details, and so is the security firm's PDF.
Very scary, but nothing in the way of actionable intelligence, AFAICT 
http://arstechnica.com/security/2015/10/new-outlook-mailserver-attack-steals-massive-number-of-passwords/