[ISN] U.S. Army Web Server Attacked

From: InfoSec News (isnat_private)
Date: Tue Mar 18 2003 - 23:02:29 PST

  • Next message: InfoSec News: "[ISN] U.S. gov't blindly trusts the antivirus industry"

    Forwarded from: William Knowles <wkat_private>
    By Dennis Fisher
    March 18, 2003 
    Security experts say that the new Windows vulnerability revealed 
    Monday by Microsoft Corp. has been used by crackers to attack at least 
    one machine belonging to the U.S. Army. And, it turns out, the flaw 
    used to attack the Web server was discovered not by Microsoft or an 
    independent researcher, but by the attacker himself. 
    Experts at TruSecure Corp., based in Herndon, Va., received word of 
    the attack on the Army's Web server last week through contacts within 
    the Army. A Web server was attacked using a URL that was 4KB in 
    length, and the machine was subsequently compromised. The server then 
    immediately began mapping the network around it, looking for other 
    vulnerable machines and seeing what else of interest was within reach. 
    It then started sending the results of its mapping to a remote machine 
    through TCP port 3389 using terminal services, said Russ Cooper, 
    surgeon general at TruSecure. 
    Once the Army security staff realized the server had been compromised, 
    it took the machine off-line and rebuilt it. But as soon as it was 
    re-connected to the Internet, the server was compromised again. At 
    that point, the Army personnel realized they were dealing with 
    something new and went to Microsoft's support site and filled out a 
    Web form describing the issue. By the end of last week, Microsoft 
    officials had produced a patch for the issue, which turned out to be a 
    vulnerability in a Windows 2000 component used by IIS. 
    Microsoft on Monday released a patch for a critical vulnerability in a 
    Windows 2000 component used by the WebDAV protocol. The vulnerability 
    gives an attacker control of a vulnerable machine, officials said. 
    The vulnerability and its exploitation caught security officials at 
    Microsoft and at independent bodies such as the CERT Coordination 
    Center off guard. Attacks such as this that occur against previously 
    unknown vulnerabilities are known as zero-day exploits, as there is no 
    elapsed time between the discovery of the flaw and its exploitation. 
    Although security experts say they have not seen any other attacks 
    using this exploit, Cooper says he expects to see a worm based on it 
    within a week or so. 
    "It's absolutely vital that people get rid of WebDAV on their boxes if 
    they don't need it," Cooper said. "If they don't know whether they're 
    using it, chances are that they're not and they should disable it." 
    And, because there is just one machine known to have been compromised 
    with this attack so far, Cooper said he believes it was the work of an 
    individual cracker and not a nation or other organization. "With the 
    element of surprise like that, I'd think a nation state would go after 
    a large number of machines and not just this one," he said. 
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Mar 19 2003 - 01:31:40 PST