Quelle surprise....

Kurt
On Wed, Oct 7, 2015 at 11:12 AM, Michael B. Smith <[email protected]> wrote:
> The Exchange team had more to say off-the-record. This is for public consumption.
>
> But "we" had it right to start with. The server was already compromised.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> Sent: Wednesday, October 7, 2015 1:59 PM
> To: [email protected]
> Cc: ntsysadm
> Subject: Re: [NTSysADM] RE: [Exchange] So, how did they plant the malware?
>
> How very bland. I'm still left wanting more details.
>
> The original security report doesn't specifically call out an OWA vuln, so I'm wondering how the victim screwed up. Probably something really basic, but no way to tell at this point.
>
> Even so, thank you Michael.
>
> Kurt
>
> On Wed, Oct 7, 2015 at 10:11 AM, Michael B. Smith <[email protected]> wrote:
>
> The Exchange Team's response, hot off the presses:
>
> http://blogs.technet.com/b/exchange/archive/2015/10/07/no-new-security-vulnerability-in-outlook-web-access-owa.aspx
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Andrew S. Baker
> Sent: Wednesday, October 7, 2015 12:03 PM
> To: ntsysadm
> Cc: [email protected]
> Subject: Re: [NTSysADM] RE: [Exchange] So, how did they plant the malware?
>
> This is absolutely a "need more info" type of scenario.
>
> Nothing in the article begins to hint at an actual OWA weakness, in any event.
>
> ASB
> http://XeeMe.com/AndrewBaker
> Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market…
> GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A
>
> On Wed, Oct 7, 2015 at 11:37 AM, Michael B. Smith <[email protected]> wrote:
>
> We've been discussing this on a couple of closed lists. Long story short - insufficient data at this time.
>
> The wording of the story is also of some concern. "Outlook mailserver"? Not Exchange?
>
> Also, how was the DLL injected? Was the server already compromised? If so, game over and it isn't OWA's fault.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> Sent: Wednesday, October 7, 2015 11:32 AM
> To: [email protected]; ntsysadm
> Subject: [Exchange] So, how did they plant the malware?
>
> The article is short on details, and so is the security firm's PDF.
> Very scary, but nothing in the way of actionable intelligence, AFAICT
> http://arstechnica.com/security/2015/10/new-outlook-mailserver-attack-steals-massive-number-of-passwords/
