Microsoft IP space caught hosting spam

Well, this doesn’t reflect well on Microsoft.  Two IPs belonging to Microsoft-owned IP space were discovered hosting pharmaceutical spam, and a couple of weeks earlier had been used in a DoS attack against the website KrebsOnSecurity.  From ComputerWorld:

Microsoft blamed human error after two computers on its network were hacked and then misused by spammers to promote questionable online pharmaceutical websites.

Microsoft launched an investigation Tuesday, after the problem was first reported in the Register. "We have completed our investigation and found that two misconfigured network hardware devices in a testing lab were compromised due to human error," Microsoft said Wednesday in a statement. "Those devices have been removed."

After they were compromised, the two servers were to handle the DNS of more than 1,000 fraudulent pharmaceutical websites, according to Ronald Guilmette, the managing member of network security software vendor Infinite Monkeys. He discovered the hacked Microsoft systems late last week while researching pharmaceutical spam. "This same group has hijacked quite a lot of machines all over the world," Guilmette said in an interview.

The devices that got hacked were "network devices that run a Linux kernel," Microsoft said.

Microsoft has taken steps to improve its security in recent years, and has taken a hard-line stance against spam, so it's embarrassing to have company systems misused in this way.

The Register also comments:

Microsoft has confirmed that two devices on its corporate network were compromised to help a notorious gang of Russian criminals push Viagra, Human Growth Hormone, and other knockoff pharmaceuticals.

The admission came in response to an article The Register published on Tuesday. It reported that two internet addresses belonging to Microsoft were helping to route traffic to more than 1,000 websites that belong to a fraudulent online pharmacy known as the Canadian Health&Care Mall. Microsoft on Wednesday said an investigation of that report confirmed the hijacking was the result of an attack on machines connected to its network.

“We have completed our investigation and found that two misconfigured network hardware devices in a testing lab were compromised due to human error,” the five-sentence statement said. “Those devices have been removed and we can confirm that no customer data was compromised and no production systems were affected. We are taking steps to better ensure that testing lab hardware devices that are internet accessible are configured with proper security controls.”

We should be clear that there’s a difference between Microsoft IPs hosting malware/spam, etc., and IPs belonging to Microsoft being involved.  What I mean is that while I was at Virus Bulletin, at one of the presentations or keynotes I attended the speaker said that “one of the most common security breaches was executives going around security protocols and having DTAPs (outside Internet connections not necessarily within corporate policy) set up in their offices so they could dial in from home.”  Thus, many companies do have policies in place, but sometimes – for the sake of convenience – employees find that they get in the way.  They then work around these policies by setting up connections into their workstations (or similar), and in doing so they breach policy.  They also don’t understand the nuances of cyber security, and therefore these types of setups are vulnerable to exploitation.

This appears to be a similar situation.  I’m not familiar with what happened (Microsoft is a big place), but what appears to be the case is that a new environment was being tested, or possibly an old one that is going to migrate to a new one.  In other words, some legacy bits that run on Linux were being tested quickly.  The people in the lab decided to get things up and running as soon as they could and needed a connection to the outside world.  Servers that run in production in Microsoft data centers are subject to the same security protocols as our own personal workstations are.  However, the people in the lab probably had Operations give them an outside line to the world in order to test some bits in a private network, or they did it themselves, running something quietly without Security and Operations knowing about it.  Those bits unfortunately got compromised.  I think that what happened here is that they thought their connection was only sending test data and nobody knew about it.  Well, hackers/spammers figured it out, and before you know it, the servers got pwned.

Sometimes a little knowledge is a dangerous thing.  It’s useful in the sense that you don’t have to spend a lot of time getting someone else to set up a test environment for you, and you can test the new project you are working on.  Unfortunately, that knowledge is limited to what you are trying to do (tunnel vision), and the lack of security knowledge exposes the network or resources to people who know more about the topic than you do.
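As an added example (not from the original post, and not Microsoft's tooling), here is the kind of defender-side check this incident suggests: correlate passively observed NS records with your own address space and zone inventory, so an owned IP that quietly starts serving DNS for domains you do not own stands out. All prefixes, zones and observations below are constructed samples.

```python
import ipaddress

# Constructed sample data (placeholders, not Microsoft's real ranges or domains).
# Prefixes the organisation announces / owns:
OWNED_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]
# Zones the organisation legitimately serves authoritative DNS for:
OWNED_DOMAINS = {"example.com", "lab.example.com"}
# Passive-DNS style observations: (domain, nameserver IP) pairs seen on the wire.
OBSERVED_NS = [
    ("example.com", "198.51.100.53"),
    ("www.lab.example.com", "198.51.100.53"),
    ("cheap-pills-shop.example", "203.0.113.7"),
    ("rx-discount-mall.example", "203.0.113.7"),
    ("unrelated.example", "192.0.2.10"),
]


def in_owned_space(ip, prefixes=OWNED_PREFIXES):
    """True if the address falls inside one of our own prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def is_owned_domain(domain, owned=OWNED_DOMAINS):
    """True if the name, or any parent of it, is a zone we are supposed to serve."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in owned for i in range(len(labels)))


def find_hijacked_ns(observed, prefixes=OWNED_PREFIXES, owned=OWNED_DOMAINS):
    """Map each owned IP that serves DNS for domains we do not own to those domains.

    A non-empty result is the signature of the incident in the post: one of our
    addresses acting as nameserver for third-party sites.
    """
    flagged = {}
    for domain, ns_ip in observed:
        if in_owned_space(ns_ip, prefixes) and not is_owned_domain(domain, owned):
            flagged.setdefault(ns_ip, set()).add(domain.lower().rstrip("."))
    return {ip: sorted(domains) for ip, domains in flagged.items()}


if __name__ == "__main__":
    for ip, domains in find_hijacked_ns(OBSERVED_NS).items():
        print(f"{ip} serves DNS for {len(domains)} domains we do not own: {domains}")
```

In practice the observations would come from a passive-DNS feed or from zone-transfer logs on your own resolvers; the matching logic stays the same.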

Oh, one thing I can confirm is that this wasn’t me.