Gigabyte recovering from ransomware, warnings about Exchange Server exploits and tighten access to Windows’ web server
Welcome to Cyber Security Today. It’s Monday August 9th, I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
Motherboard manufacturer Gigabyte Technology has made some progress in recovering from last week’s ransomware attack. According to the Bleeping Computer news service, the company had to shut down systems in Taiwan and some websites last week. On Sunday the company’s support site was back online after being unavailable for days. The ransomware gang is threatening to release stolen data, including what it says are nondisclosure agreements with major IT manufacturers.
More on ransomware: Security company Pondurance is warning IT teams that the Conti ransomware gang or its affiliates are still exploiting the Microsoft Exchange Server vulnerabilities revealed earlier this year, the ones first used by a group Microsoft calls Hafnium. In the case Pondurance investigated, the patches had been installed on the victim's on-premises Exchange server. But in July an attacker used a remote access tool that had been planted before the patching to compromise the system. Pondurance believes the patches were applied without the victim first making sure its Exchange server was clean of the Hafnium-era implants. The lesson: installing the Exchange patches closes the hole, but it doesn't evict an attacker who is already inside. You first have to scan the server for indicators of compromise, such as web shells or remote access tools you didn't install, remove what you find, and then patch. Microsoft said as much when it released the fixes in March.
Speaking of Exchange, IT administrators are also urged to make sure they have the patches for ProxyShell, a chain of three Exchange Server vulnerabilities that was detailed publicly at last week's Black Hat conference. The fixes were released in April and May, so a server that is current on its cumulative and security updates is already covered, but one that is a few months behind is not.
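A quick pre-patch triage sweep for an on-premises Exchange server, as an added example in PowerShell (it is not code from the podcast, from Pondurance or from Microsoft). It reports the installed Exchange build from ExSetup.exe, so you can check it against Microsoft's published list of fixed builds, and lists script files in two of the directories Microsoft named as web shell drop locations during the Hafnium attacks, flagging anything under aspnet_client (which normally holds no .aspx files at all) and anything modified after a date you supply. The `-Since` parameter, its 90-day default and the exact directory list are assumptions made for the illustration; Microsoft's own Test-ProxyLogon.ps1 covers the IIS-log checks this sweep does not.

```powershell
# Added example, not from the podcast, Pondurance or Microsoft.
# Run in an elevated PowerShell on the Exchange server itself.
param(
    # Assumption: set this to the date of the last update you installed;
    # script files written after it are flagged for review.
    [datetime]$Since = (Get-Date).AddDays(-90)
)

$exchangeRoot = $env:ExchangeInstallPath   # set by Exchange setup on the server
if (-not $exchangeRoot) { throw "ExchangeInstallPath is not set; run this on the Exchange server." }

# 1. Installed build, to compare against Microsoft's table of fixed builds.
$exsetup = Join-Path $exchangeRoot 'bin\ExSetup.exe'
$build   = (Get-Item $exsetup).VersionInfo.ProductVersion
Write-Host "Exchange build (from ExSetup.exe): $build"

# 2. Web shell drop locations from Microsoft's Hafnium guidance (illustrative list).
$dropDirs = @(
    'C:\inetpub\wwwroot\aspnet_client',
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\owa\auth')
)

$findings = foreach ($dir in $dropDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -File -Include *.aspx,*.ashx,*.asmx -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inClientDir = $_.FullName -like '*\aspnet_client\*'
            $recent      = $_.LastWriteTime -gt $Since
            if ($inClientDir -or $recent) {
                [pscustomobject]@{
                    Path          = $_.FullName
                    LastWriteTime = $_.LastWriteTime
                    SizeBytes     = $_.Length
                    SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Reason        = if ($inClientDir) { 'script under aspnet_client (expect none)' }
                                    else { "modified after $($Since.ToShortDateString())" }
                }
            }
        }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap | Out-Host
    Write-Warning "Unexpected script files found. Treat the server as compromised until each one is explained, before you patch."
} else {
    Write-Host "No unexpected script files in the checked directories. Still review the IIS logs (Test-ProxyLogon.ps1) before patching."
}
```

The hash column is there so a file can be checked against a known-clean server or a threat-intelligence feed; a legitimate logon.aspx in owa\auth will show up only if its timestamp is newer than `-Since`, which is exactly the case worth a second look after a suspected compromise.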
Cyber attackers are always looking for vulnerabilities in Windows Server because it's used by so many organizations. The latest findings concern an essential component called Internet Information Services, known as IIS, the web server that ships with Windows. Researchers at security company ESET have found malware that installs itself as an IIS module, giving attackers a backdoor into the server for remote control. From there they can deploy more malware that steals login credentials and credit card data from traffic passing through the server, or turn the compromised server into one that helps distribute malware to other victims. One of the ways these servers were compromised was through unpatched Microsoft Exchange vulnerabilities, since Exchange's web front end runs on IIS. Victims of these attacks have been found in Canada, the U.S., France, India and elsewhere.
Installing a native IIS module requires administrator privileges on the server, so these attacks start with an attacker who has already gained that level of access. That's why IT managers have to make sure administrator accounts are protected with multifactor authentication; in fact, Windows Server admin accounts need that protection against many other attacks too. Administrators should also consider a web application firewall and endpoint security on IIS servers, review the list of installed IIS modules periodically, and be careful about adding third-party modules that promise feature improvements. They may contain malware, and a malicious module can be harder to spot than a web shell sitting in the web root.
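An audit of the native IIS modules registered on a server, as an added example in PowerShell (not ESET's or Microsoft's code). It reads the global module list through the WebAdministration module that ships with IIS, expands each image path, and reports where the binary lives and who signed it, since the IIS malware ESET describes registers itself as exactly such a module. The system-directory list and the verdict rules are assumptions made for the illustration.

```powershell
# Added example, not ESET's or Microsoft's code. Run elevated on the IIS server.
Import-Module WebAdministration -ErrorAction Stop

function Get-IisModuleAudit {
    # Assumption: Microsoft's own IIS and ASP.NET module binaries live under these roots.
    $systemDirs = @("$env:windir\System32\inetsrv",
                    "$env:windir\SysWOW64\inetsrv",
                    "$env:windir\Microsoft.NET")

    foreach ($m in Get-WebGlobalModule) {
        # applicationHost.config stores image paths with %windir%-style variables.
        $image       = [Environment]::ExpandEnvironmentVariables($m.Image)
        $inSystemDir = [bool]($systemDirs | Where-Object { $image -like "$_\*" })

        $sig    = Get-AuthenticodeSignature -FilePath $image -ErrorAction SilentlyContinue
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        $validMicrosoft = [bool]($sig -and $sig.Status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*')

        # Verdict rules are this example's own heuristics, not an official list.
        $verdict = if (-not (Test-Path $image)) { 'suspicious: image file missing' }
                   elseif (-not $inSystemDir) { 'suspicious: outside system directories' }
                   elseif ($sig.Status -eq 'Valid' -and -not $validMicrosoft) { 'suspicious: signed by non-Microsoft publisher' }
                   elseif (-not $validMicrosoft) { 'review: no valid embedded signature (may be catalog-signed)' }
                   else { 'ok' }

        [pscustomobject]@{
            Name    = $m.Name
            Image   = $image
            Signer  = $signer
            Verdict = $verdict
        }
    }
}

# Full table first, then only the entries that need a human.
$audit = Get-IisModuleAudit
$audit | Format-Table -AutoSize -Wrap | Out-Host
$audit | Where-Object { $_.Verdict -ne 'ok' } |
    ForEach-Object { Write-Warning "$($_.Name): $($_.Verdict) ($($_.Image))" }
```

On older Windows Server releases some Microsoft binaries carry a catalog signature rather than an embedded one and land in the 'review' bucket; compare those against the same path on a known-clean server (Get-FileHash) instead of treating them as malicious. A module outside the system directories, or signed by a publisher you don't recognise, is the strong signal. Managed modules (Get-WebManagedModule) deserve the same look.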
Finally, a database holding personal information on about 35 million people living in the United States was carelessly left open on the internet for at least a month. That's the finding of a security company called Comparitech. It found the database sitting on Amazon Web Services storage on June 26th, and it took a month before the unknown owner was tracked down and took the database offline. How long it had been exposed before Comparitech found it is unknown. It looks like the list had been assembled by a marketer or for marketing purposes: it had people's names, birth dates, email addresses, home addresses, occupations, estimated net worth, and their hobbies, shopping habits and media consumption. There's nothing wrong with a company having such a database. What's wrong is that it wasn't password-protected or encrypted. Crooks could do a lot of damage with that data, and if one security researcher could find it, there's no way to know whether crooks found it too. Assuming a company assembled this database, this is another example of management failing to train and oversee employees in cybersecurity.
That's it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That's where you'll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.