ANU hacked by phishing email through the preview pane
-
"The staff member only had to preview the email - not click a link or even open the message - for the hackers to get the information needed to access the ANU network."
Only problem with this statement... previewing and opening are the same thing. The client has to open the email in order to preview it. To access a payload, it has to follow a link. So it's a little misleading. It was obviously opened.
-
@Nic said in ANU hacked by phishing email through the preview pane:
@wrx7m I knew it was an issue back in the day, but I didn't realize it had resurfaced over the years.
If people haven't patched, it never goes away
-
@PhlipElder said in ANU hacked by phishing email through the preview pane:
@Nic said in ANU hacked by phishing email through the preview pane:
No clicking on links or downloading attachments required - they payload got executed just by being previewed. No mention of what email client they were using yet.
Highly suspect. No details, no original e-mail mentioned, no analysis.
I call bunk.
Someone clicked on something and didn't fess up.
Seems most likely. Or set the browser to follow links automatically. They already got the preview / open thing wrong claiming that they "opened and read the email" but hadn't "opened it" which clearly, makes no sense.
-
@scottalanmiller said in ANU hacked by phishing email through the preview pane:
"The staff member only had to preview the email - not click a link or even open the message - for the hackers to get the information needed to access the ANU network."
Only problem with this statement... previewing and opening are the same thing.
We know that, but to the meatware they're two different things. One of those illogical fallacies that people don't question because some how it makes sense... mostly because they have no idea how it works.
-
Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803
-
@nadnerB said in ANU hacked by phishing email through the preview pane:
@scottalanmiller said in ANU hacked by phishing email through the preview pane:
"The staff member only had to preview the email - not click a link or even open the message - for the hackers to get the information needed to access the ANU network."
Only problem with this statement... previewing and opening are the same thing.
We know that, but to the meatware they're two different things. One of those illogical fallacies that people don't question because some how it makes sense... mostly because they have no idea how it works.
While this may be true for some people I've seen way to many wilfully ignorant users to give everyone the benefit of doubt. Often they actively refuse to even use common sense because it's a computer and computer is magic, period. A lot of issues could be prevented by just thinking logically, like we do every day (I hope). This may also apply outside IT but I think not to this extent.
Of course in the real world I at least pretend to believe when a user says he tried - and while some of theyr actions make me question my world view they are also the foundation of my business and after all, a paying customer can have all he pays for.
-
@nadnerB said in ANU hacked by phishing email through the preview pane:
@scottalanmiller said in ANU hacked by phishing email through the preview pane:
"The staff member only had to preview the email - not click a link or even open the message - for the hackers to get the information needed to access the ANU network."
Only problem with this statement... previewing and opening are the same thing.
We know that, but to the meatware they're two different things. One of those illogical fallacies that people don't question because some how it makes sense... mostly because they have no idea how it works.
Right, and writing to trick fools is called... social engineering. Making the article a trick, not actual news.
The problem is, nothing is interesting about the attack other than just how incompetent the university is to not even understand what email is.
-
@nadnerB said in ANU hacked by phishing email through the preview pane:
Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803
Here's the link straight to the PDF of the report that has all the details in it:
http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf -
@Nic said in ANU hacked by phishing email through the preview pane:
@nadnerB said in ANU hacked by phishing email through the preview pane:
Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803
Here's the link straight to the PDF of the report that has all the details in it:
http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdfWow they were able to boil the entire incident to 20 pages!
-
@DustinB3403 said in ANU hacked by phishing email through the preview pane:
@Nic said in ANU hacked by phishing email through the preview pane:
@nadnerB said in ANU hacked by phishing email through the preview pane:
Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803
Here's the link straight to the PDF of the report that has all the details in it:
http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdfWow they were able to boil the entire incident to 20 pages!
It's got diagrams too!
-
@Nic said in ANU hacked by phishing email through the preview pane:
@DustinB3403 said in ANU hacked by phishing email through the preview pane:
@Nic said in ANU hacked by phishing email through the preview pane:
@nadnerB said in ANU hacked by phishing email through the preview pane:
Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803
Here's the link straight to the PDF of the report that has all the details in it:
http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdfWow they were able to boil the entire incident to 20 pages!
It's got diagrams too!
Pretty diagrams!
-
The attackers setup Virtual Machines on their network, and NO ONE noticed!
-
@DustinB3403 clearly they need a SIEM!
-
@Nic Even the spearfishing attacks had all of the trademarks of "something is going on here". With typo's, basic grammatical errors etc.
With the claim of "no one clicked on anything" and they were compromised I find highly suspect. As in the original email, it says "An explanatory note is attached for ease of reference on the contents how the was developed."
No one opened that attachment? BS. Also what the hell does that sentence even mean?
-
I'd bet dollars to donuts that the attachment was opened, and contained some malicious software that allowed the attacker in.
This claim of "they didn't even open the email" is absurd, someone absolutely opened an email, clicked a link or opened an attachment.
-
@DustinB3403 said in ANU hacked by phishing email through the preview pane:
I'd bet dollars to donuts that the attachment was opened, and contained some malicious software that allowed the attacker in.
This claim of "they didn't even open the email" is absurd, someone absolutely opened an email, clicked a link or opened an attachment.
If they are recklessly using something like Outlook, there is a reasonable possibility that they didn't click on a link. But, we simply can't believe anything because the article is clearly falsified.
-
@Nic said in ANU hacked by phishing email through the preview pane:
@nadnerB said in ANU hacked by phishing email through the preview pane:
Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803
Here's the link straight to the PDF of the report that has all the details in it:
http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdfHere is a bit that is odd from that...
"The initial means of infection was a sophisticated spearphishing email which did not require user
interaction, ie clicking on a link or downloading an attachment."Why would they bother making a "sophisticated spearphishing" attack, if the email didn't require any interaction? The spearphishing would be entirely pointless. So this is beyond fishy.
They then define spearphishing as: " Spear-phishing emails are a form of malicious email targeting an individual or organisation. They mimic legitimate mail and contain malicious attachments or links designed to steal credentials or enable the install malware."
So by claiming that it was spearphishing, and defining spearphishing, they now have conflicting claims. In one case they claimed that it contained malicious attachments or links, in the other they claim that it did not.
-
This quote: "The actorβs activity was contained to a handful of systems, although they had gained broader access."
Clearly written by someone who doesn't speak English. The first half of the system, it was contained. But in the second half, it was not contained. Um....
-
What I find even more weird is that the school is some how monitoring the PII details of all of the people who's information was compromised, and they are able to determine that the information hasn't been used by the attacker.
How?! It was 6 weeks before they even knew anything was up!
-
@DustinB3403 said in ANU hacked by phishing email through the preview pane:
I'd bet dollars to donuts that the attachment was opened, and contained some malicious software that allowed the attacker in.
This claim of "they didn't even open the email" is absurd, someone absolutely opened an email, clicked a link or opened an attachment.
why do you claim this? do you not believe there are zero-click exploits in anything?
Chrome and IE both recently had zero click exploits - simply visiting a webpage would exploit them and give full control to a hacker.
Assuming Outlook was the culprit for this attack, and Outlook uses IE and Word to display stuff - it's very conceivable that a zero-click exploit was used against these people.The claim that the email wasn't opened is a false claim - as almost everyone these days uses preview mode - which is the same as opening the email.
