Cyber Security Today, Oct. 31, 2022 – Windows servers help serve denial of service attacks, and more

Windows servers help serve denial of service attacks, and more.

Welcome to Cyber Security Today. It’s Monday, October 31st, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.

Cyb er Security Today on Amazon Alexa Cyber Security Today on Google Podcasts Subscribe to Cyber Security Today on Apple Podcasts

 

Poorly-configured Windows servers are helping deliver distributed denial of service attacks. That’s the conclusion of researchers at Black Lotus Labs. They blame Windows administrators who leave an Active Directory service called CLDAP open to the internet. CLDAP is short for Connectionless Lightweight Directory Access Protocol. It’s a service that can allow a client to discover a local authentication service on the open internet. But hackers are leveraging it to magnify their DDoS attacks. The researchers say there really isn’t a reason for network designers to allow this service to be used. In fact when news broke in 2017 about attackers abusing this service, administrators clamped down on it. However, in their report last week researchers said network administrators haven’t been as conscientious lately, and threat actors are again taking advantage of CLDAP. This service should be blocked from being open to the internet if it isn’t necessary.

You may recall that last May I reported a threat actor discovered how to hide malware in Windows event logs. Another hacker has picked up the idea. According to researchers at Symantec, they’re doing it by leveraging the logs created in Microsoft’s popular web server called Internet Information Services, or IIS. The threat actor first compromises a server with a Trojan that can read and execute commands from a legitimate IIS log. Commands disguised as web access requests are sent to the compromised server. Those commands are picked up by the IIS log. Then they are read by the Trojan, saved to a folder and run as backdoors to the server. Network defenders need to identify and block this Trojan from executing.

Twilio has released its final report into a July incident when several customer support staff were fooled into giving up their login credentials to attackers pretending to be Twilio IT staff. The attackers sent hundreds of text messages to the mobile phones of the employees, urging them to click on a password reset link. That led them to fake but lookalike Twilio login pages. The hacker was then able to use the passwords to get information on 209 Twilio customers and 93 users of Twilio’s Authy multifactor authentication service. Twilio says there is no evidence customers’ credentials, authentication tokens or API keys were accessed. In a second incident, a Twilio employee was tricked by a voice message into giving up their username and password. The history and final report may provide useful information for supervisors of customer support teams. Listeners should note that the attackers had to know the mobile phone numbers of employees for the scam to work. Depending on your job, you may not want to put that number on LinkedIn or social media.

Finally, VMware administrators are urged to install patches to recent versions of the company’s Cloud Foundation platform. One fix closes a critical vulnerability in the open-source XStream library the platform uses. The patches are for version 3.11 and 4 of Cloud Foundation

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Sponsored By:

Cyber Security Today Podcast