Importance of Protecting Your Organization’s Server from Malware
The recently disclosed data breach at Algonquin College highlights the importance of protecting your organization’s server from malware.
Algonquin College, in a statement released on July 16, said that on May 16 attackers illegally accessed one of the College’s servers by infecting it with malicious software (malware).
The institution did not indicate what specific type of malware the attackers installed on the server, nor how the attackers gained access to it.
The infected server, according to Algonquin College, hosted access to databases containing personal information. Sensitive information, including dates of birth and home addresses, of 4,568 individuals (students and alumni) may have been exposed, and non-sensitive information of a further 106,931 individuals (students, alumni, and current and former employees) may also have been exposed, the College said.
What Is a Server?
The term server refers to both software (a computer program) and hardware (a computer set aside to run that software). The purpose of a server is to “serve” other computers: it processes requests and delivers data to other computers over the internet or over a local network, a group of connected computers within a specific geographic area such as an office.
Server operating systems (OS), such as those produced by Microsoft, are examples of programs that run on computers set aside for use as servers.
Aside from the Algonquin College incident, there have been a number of cases in which attackers infected servers with malware.
- WannaCry Malware
WannaCry is a classic example of malware that infects servers. In May 2017, WannaCry infected hundreds of thousands of computers worldwide, including one-third of NHS hospitals in England.
This malware is categorized as ransomware because it locks users out of their files and demands a ransom payment to unlock them.
WannaCry spreads rapidly to other computers because it has worm capability: it can propagate itself to other computers connected to a server without any user interaction.
WannaCry uses EternalBlue, a spying tool believed to have been developed by the US National Security Agency (NSA), which exploited a security vulnerability in the Windows operating system, specifically in Microsoft Server Message Block 1.0 (SMBv1), a network file-sharing protocol which, according to Microsoft, “allows applications on a computer to read and write to files and to request services from server programs in a computer network”.
Once attackers have remotely accessed a Windows server via EternalBlue, they can infect it with any malware of their choosing. In this case, the attackers chose WannaCry.
According to Microsoft, the vulnerability exploited by EternalBlue was fixed in its March 14, 2017 security update, close to two months before the WannaCry attack peaked on May 12, 2017.
The computers infected by WannaCry were those running Microsoft operating systems on which the March 14, 2017 security update had not been installed, and those running Windows XP, Windows 8 and Windows Server 2003, software that Microsoft no longer supported at the height of the WannaCry attack on May 12, 2017, meaning the company was no longer issuing security updates for it. Microsoft resumed issuing security updates for that software after the WannaCry attack.
- Cryptocurrency Mining Malware
Cryptocurrency mining malware is another example of malware that infects servers.
Cryptocurrency mining software is not in itself malware. It becomes malware when it is installed on a computer without the knowledge and express permission of the computer’s owner.
The cryptocurrency mining malware called “Adylkuzz” followed in the footsteps of WannaCry. While WannaCry restricts access to a computer until a ransom is paid (although the attackers did not actually practice this), Adylkuzz illicitly installs cryptocurrency mining software on victims’ servers. Like the WannaCry attackers, the Adylkuzz attackers infected victims’ servers using the EternalBlue tool.
Another way attackers install cryptocurrency mining malware on a server is the one described by Check Point, in which attackers exploited the vulnerability CVE-2017-7269 to infect servers running Windows Server 2003.
The vulnerability described by Check Point could allow an attacker to install any malware of their choosing (in this case, cryptocurrency mining malware) on the victim’s server, because exploiting it gives the attacker the same user rights as the current user. Microsoft fixed CVE-2017-7269 in its June 13, 2017 security update.
As the above examples show, many of the infected servers were victims of unpatched software or of running an unsupported server OS.
Both the WannaCry and Adylkuzz attacks could have been prevented had the victims installed Microsoft’s March 14, 2017 security update. Likewise, the illicit cryptocurrency mining enabled by CVE-2017-7269 could have been prevented had the victims installed Microsoft’s June 13, 2017 security update.
According to Check Point, forty-six percent of the world’s organizations were targeted with cryptocurrency mining malware via the Microsoft Windows Server 2003 vulnerability (CVE-2017-7269).
“With crypto-mining malware’s consistent growth, cyber-criminals are innovating their techniques in order to find new ways to exploit victims’ machines and net more revenue,” said Maya Horowitz, Threat Intelligence Group Manager at Check Point. “Now that they’re seeking to infiltrate networks using unpatched server vulnerabilities, this is a clear reminder to organizations that security basics – such as patching – are critical to ensuring that networks remain secure.”
It is therefore important to patch your organization’s server OS by installing the latest security updates, so that attackers cannot install malware on it. It also pays to use the latest server OS, since it is still supported by the vendor, meaning the vendor still issues regular patches and security updates.
Contact us today if you need assistance updating your organization’s server OS or replacing an outdated one. You can reach us 24×7 at 416-920-3000 or email firstname.lastname@example.org
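As an added example (not code from the original article), the following PowerShell audit checks a Windows server for the conditions the article ties to the WannaCry and Adylkuzz infections: SMB 1.0 still enabled, stale security updates, and an OS past vendor support. It assumes a Windows Server 2012 or later host and an elevated session; the end-of-support dates in the table are entered for the example and should be verified against Microsoft’s lifecycle documentation.

```powershell
# Added audit example, not code from the original article. Run in an elevated
# PowerShell session on Windows Server 2012 or later (Get-SmbServerConfiguration
# and Get-CimInstance are not available on older releases such as Server 2003).

# 1. Is the SMB 1.0 server protocol, the one EternalBlue exploited, still enabled?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMB 1.0 is ENABLED; the protocol EternalBlue abused is still exposed."
    # Remediation, left commented so the audit itself stays read-only:
    # Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Host "SMB 1.0 is disabled." -ForegroundColor Green
}

# 2. When was the most recent hotfix installed? A long gap means a fix such as
#    the March 14, 2017 update could still be missing months after release.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $ageDays = ((Get-Date) - $latest.InstalledOn).Days
    Write-Host ("Most recent hotfix {0} installed {1} day(s) ago" -f $latest.HotFixID, $ageDays)
    if ($ageDays -gt 30) { Write-Warning "No updates installed in over 30 days." }
} else {
    Write-Warning "Get-HotFix returned no install dates; check update history manually."
}

# 3. Is the OS still supported? End-of-support dates are entered here for the
#    example; verify them against Microsoft's lifecycle documentation.
$endOfSupport = @{
    'Windows Server 2003'    = [datetime]'2015-07-14'
    'Windows Server 2008 R2' = [datetime]'2020-01-14'
    'Windows Server 2012 R2' = [datetime]'2023-10-10'
}
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$match = $endOfSupport.Keys | Where-Object { $os.Caption -like "*$_*" } | Select-Object -First 1
if ($match -and (Get-Date) -gt $endOfSupport[$match]) {
    Write-Warning ("{0} left vendor support on {1:yyyy-MM-dd}; it no longer receives security updates." -f $os.Caption, $endOfSupport[$match])
} elseif ($match) {
    Write-Host ("{0} is supported until {1:yyyy-MM-dd}." -f $os.Caption, $endOfSupport[$match])
} else {
    Write-Host "$($os.Caption) is not in the example table; check its lifecycle status."
}
```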