My guess:
Email phish to an admin / gained access, planted the DLL.
On 10/7/2015 11:12 AM, Michael B. Smith wrote:
The Exchange team had more to say off-the-record. This is for public
consumption.
But “we” had it right to start with. The server was already compromised.
From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
Sent: Wednesday, October 7, 2015 1:59 PM
To: [email protected]
Cc: ntsysadm
Subject: Re: [NTSysADM] RE: [Exchange] So, how did they plant the malware?
How very bland. I'm still left wanting more details.
The original security report doesn't specifically call out an OWA
vuln, so I'm wondering how the victim screwed up. Probably something
really basic, but no way to tell at this point.
Even so, thank you Michael.
Kurt
On Wed, Oct 7, 2015 at 10:11 AM, Michael B. Smith <[email protected]> wrote:
The Exchange Team’s response, hot off the presses:
http://blogs.technet.com/b/exchange/archive/2015/10/07/no-new-security-vulnerability-in-outlook-web-access-owa.aspx
From: [email protected] [mailto:[email protected]] On Behalf Of Andrew S. Baker
Sent: Wednesday, October 7, 2015 12:03 PM
To: ntsysadm
Cc: [email protected]
Subject: Re: [NTSysADM] RE: [Exchange] So, how did they plant the malware?
This is absolutely a "need more info" type of scenario.
Nothing in the article begins to hint at an actual OWA weakness, in any event.
ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market…
GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A
On Wed, Oct 7, 2015 at 11:37 AM, Michael B. Smith <[email protected]> wrote:
We've been discussing this on a couple of closed lists. Long story short: insufficient data at this time.
The wording of the story is also of some concern. "Outlook mailserver"? Not Exchange?
Also, how was the DLL injected? Was the server already compromised? If so, game over and it isn't OWA's fault.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
Sent: Wednesday, October 7, 2015 11:32 AM
To: [email protected]; ntsysadm
Subject: [Exchange] So, how did they plant the malware?
The article is short on details, and so is the security firm's PDF.
Very scary, but nothing in the way of actionable intelligence, AFAICT.
http://arstechnica.com/security/2015/10/new-outlook-mailserver-attack-steals-massive-number-of-passwords/
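The thread's open question is whether something foreign was loaded into the OWA process and how it got there. As an added example, not part of the mailing-list thread, the Ars article, the security firm's PDF or the Exchange team's post, the following PowerShell check enumerates the DLLs mapped into the IIS worker processes (w3wp.exe, which host OWA) and the native IIS global modules, and reports any whose Authenticode signature is missing or invalid. It assumes it is run elevated on the Exchange server with the WebAdministration module present (it ships with IIS); the function names are my own.

```powershell
# Added example (not code from the thread or the Exchange team). Audit what
# IIS has loaded on an Exchange server: DLLs mapped into w3wp.exe and the
# native IIS global modules, flagging anything without a valid Authenticode
# signature. Run elevated. Assumes the WebAdministration module is available.
Import-Module WebAdministration -ErrorAction Stop

function Get-W3wpModuleSignature {
    # Every DLL mapped into any running w3wp.exe worker, with its signature state.
    foreach ($proc in Get-Process -Name w3wp -ErrorAction SilentlyContinue) {
        foreach ($mod in $proc.Modules) {
            if ($mod.FileName -notlike '*.dll') { continue }
            $sig = Get-AuthenticodeSignature -FilePath $mod.FileName
            [pscustomobject]@{
                Source = "w3wp PID $($proc.Id)"
                Path   = $mod.FileName
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

function Get-IisGlobalModuleSignature {
    # Native modules registered in applicationHost.config <globalModules>.
    foreach ($gm in Get-WebGlobalModule) {
        # Image paths are stored with environment variables such as %windir%.
        $path = [Environment]::ExpandEnvironmentVariables($gm.Image)
        $sig  = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Source = "IIS global module $($gm.Name)"
            Path   = $path
            Status = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

$findings = @(Get-W3wpModuleSignature) + @(Get-IisGlobalModuleSignature) |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Path -Unique

if ($findings) {
    Write-Warning "Modules loaded by IIS without a valid Authenticode signature:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "All w3wp DLLs and IIS global modules carry valid signatures."
}
```

A valid signature only proves who published a file, not that it belongs on this server, and an attacker who already has administrative access can sign or replace what they like; treat the output as a triage list and compare file hashes against a known-good Exchange install of the same build. Managed (.NET) HTTP modules are registered in web.config rather than as global modules and are listed with Get-WebManagedModule, so review those separately.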