ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    ANU hacked by phishing email through the preview pane

    Scheduled Pinned Locked Moved IT Discussion
    68 Posts 8 Posters 6.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • NicN
      Nic @nadnerB
      last edited by

      @nadnerB said in ANU hacked by phishing email through the preview pane:

      Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803

      Here's the link straight to the PDF of the report that has all the details in it:
      http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf

      DustinB3403D scottalanmillerS 2 Replies Last reply Reply Quote 0
      • DustinB3403D
        DustinB3403 @Nic
        last edited by

        @Nic said in ANU hacked by phishing email through the preview pane:

        @nadnerB said in ANU hacked by phishing email through the preview pane:

        Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803

        Here's the link straight to the PDF of the report that has all the details in it:
        http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf

        Wow they were able to boil the entire incident to 20 pages!

        NicN 1 Reply Last reply Reply Quote 0
        • NicN
          Nic @DustinB3403
          last edited by

          @DustinB3403 said in ANU hacked by phishing email through the preview pane:

          @Nic said in ANU hacked by phishing email through the preview pane:

          @nadnerB said in ANU hacked by phishing email through the preview pane:

          Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803

          Here's the link straight to the PDF of the report that has all the details in it:
          http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf

          Wow they were able to boil the entire incident to 20 pages!

          It's got diagrams too! πŸ™‚

          DustinB3403D 1 Reply Last reply Reply Quote 1
          • DustinB3403D
            DustinB3403 @Nic
            last edited by

            @Nic said in ANU hacked by phishing email through the preview pane:

            @DustinB3403 said in ANU hacked by phishing email through the preview pane:

            @Nic said in ANU hacked by phishing email through the preview pane:

            @nadnerB said in ANU hacked by phishing email through the preview pane:

            Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803

            Here's the link straight to the PDF of the report that has all the details in it:
            http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf

            Wow they were able to boil the entire incident to 20 pages!

            It's got diagrams too! πŸ™‚

            Pretty diagrams!

            1 Reply Last reply Reply Quote 0
            • DustinB3403D
              DustinB3403
              last edited by

              The attackers setup Virtual Machines on their network, and NO ONE noticed!

              NicN 1 Reply Last reply Reply Quote 0
              • NicN
                Nic @DustinB3403
                last edited by

                @DustinB3403 clearly they need a SIEM!

                DustinB3403D 1 Reply Last reply Reply Quote 1
                • DustinB3403D
                  DustinB3403 @Nic
                  last edited by

                  @Nic Even the spearfishing attacks had all of the trademarks of "something is going on here". With typo's, basic grammatical errors etc.

                  With the claim of "no one clicked on anything" and they were compromised I find highly suspect. As in the original email, it says "An explanatory note is attached for ease of reference on the contents how the was developed."

                  No one opened that attachment? BS. Also what the hell does that sentence even mean?

                  1 Reply Last reply Reply Quote 1
                  • DustinB3403D
                    DustinB3403
                    last edited by

                    I'd bet dollars to donuts that the attachment was opened, and contained some malicious software that allowed the attacker in.

                    This claim of "they didn't even open the email" is absurd, someone absolutely opened an email, clicked a link or opened an attachment.

                    scottalanmillerS DashrenderD 2 Replies Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @DustinB3403
                      last edited by

                      @DustinB3403 said in ANU hacked by phishing email through the preview pane:

                      I'd bet dollars to donuts that the attachment was opened, and contained some malicious software that allowed the attacker in.

                      This claim of "they didn't even open the email" is absurd, someone absolutely opened an email, clicked a link or opened an attachment.

                      If they are recklessly using something like Outlook, there is a reasonable possibility that they didn't click on a link. But, we simply can't believe anything because the article is clearly falsified.

                      1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @Nic
                        last edited by

                        @Nic said in ANU hacked by phishing email through the preview pane:

                        @nadnerB said in ANU hacked by phishing email through the preview pane:

                        Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803

                        Here's the link straight to the PDF of the report that has all the details in it:
                        http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf

                        Here is a bit that is odd from that...

                        "The initial means of infection was a sophisticated spearphishing email which did not require user
                        interaction, ie clicking on a link or downloading an attachment."

                        Why would they bother making a "sophisticated spearphishing" attack, if the email didn't require any interaction? The spearphishing would be entirely pointless. So this is beyond fishy.

                        They then define spearphishing as: " Spear-phishing emails are a form of malicious email targeting an individual or organisation. They mimic legitimate mail and contain malicious attachments or links designed to steal credentials or enable the install malware."

                        So by claiming that it was spearphishing, and defining spearphishing, they now have conflicting claims. In one case they claimed that it contained malicious attachments or links, in the other they claim that it did not.

                        DashrenderD 1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller
                          last edited by

                          This quote: "The actor’s activity was contained to a handful of systems, although they had gained broader access."

                          Clearly written by someone who doesn't speak English. The first half of the system, it was contained. But in the second half, it was not contained. Um....

                          1 Reply Last reply Reply Quote 1
                          • DustinB3403D
                            DustinB3403
                            last edited by

                            What I find even more weird is that the school is some how monitoring the PII details of all of the people who's information was compromised, and they are able to determine that the information hasn't been used by the attacker.

                            How?! It was 6 weeks before they even knew anything was up!

                            scottalanmillerS 1 Reply Last reply Reply Quote 2
                            • DashrenderD
                              Dashrender @DustinB3403
                              last edited by

                              @DustinB3403 said in ANU hacked by phishing email through the preview pane:

                              I'd bet dollars to donuts that the attachment was opened, and contained some malicious software that allowed the attacker in.

                              This claim of "they didn't even open the email" is absurd, someone absolutely opened an email, clicked a link or opened an attachment.

                              why do you claim this? do you not believe there are zero-click exploits in anything?

                              Chrome and IE both recently had zero click exploits - simply visiting a webpage would exploit them and give full control to a hacker.
                              Assuming Outlook was the culprit for this attack, and Outlook uses IE and Word to display stuff - it's very conceivable that a zero-click exploit was used against these people.

                              The claim that the email wasn't opened is a false claim - as almost everyone these days uses preview mode - which is the same as opening the email.

                              scottalanmillerS DustinB3403D 5 Replies Last reply Reply Quote 0
                              • scottalanmillerS
                                scottalanmiller @DustinB3403
                                last edited by

                                @DustinB3403 said in ANU hacked by phishing email through the preview pane:

                                What I find even more weird is that the school is some how monitoring the PII details of all of the people who's information was compromised, and they are able to determine that the information hasn't been used by the attacker.

                                How?! It was 6 weeks before they even knew anything was up!

                                LOL, the blind protecting the blind.

                                1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @Dashrender
                                  last edited by

                                  @Dashrender said in ANU hacked by phishing email through the preview pane:

                                  why do you claim this? do you not believe there are zero-click exploits in anything?

                                  I think it is more "there is no reason to believe a known liar when they claim that the obvious did not happen."

                                  If you had this conversation with a cop, they'd point out that the known thief, already caught lying about his alibi, who was caught with the goods on him, is very unlikely to be telling the truth when he said that he didn't do it. Is it possible he didn't do it? Yes, of course. But there is no reason to believe him as it's already established that there is evidence against him and that he's already lying about the event in question.

                                  1 Reply Last reply Reply Quote 0
                                  • DustinB3403D
                                    DustinB3403 @Dashrender
                                    last edited by

                                    @Dashrender said in ANU hacked by phishing email through the preview pane:

                                    @DustinB3403 said in ANU hacked by phishing email through the preview pane:

                                    I'd bet dollars to donuts that the attachment was opened, and contained some malicious software that allowed the attacker in.

                                    This claim of "they didn't even open the email" is absurd, someone absolutely opened an email, clicked a link or opened an attachment.

                                    why do you claim this? do you not believe there are zero-click exploits in anything?

                                    Chrome and IE both recently had zero click exploits - simply visiting a webpage would exploit them and give full control to a hacker.
                                    Assuming Outlook was the culprit for this attack, and Outlook uses IE and Word to display stuff - it's very conceivable that a zero-click exploit was used against these people.

                                    The claim that the email wasn't opened is a false claim - as almost everyone these days uses preview mode - which is the same as opening the email.

                                    I find it weird because the 20 page summary of the issues shows the spearfishing attempts! They clearly opened the emails to get those screenshots they provided.

                                    If their security team opened it, then certainly the end user did.

                                    I did not once say that zero-clicks don't exist, I just find it highly unlikely with the low quality of the spearfishing attempts made.

                                    DashrenderD 1 Reply Last reply Reply Quote 0
                                    • DashrenderD
                                      Dashrender @scottalanmiller
                                      last edited by

                                      @scottalanmiller said in ANU hacked by phishing email through the preview pane:

                                      @Nic said in ANU hacked by phishing email through the preview pane:

                                      @nadnerB said in ANU hacked by phishing email through the preview pane:

                                      Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803

                                      Here's the link straight to the PDF of the report that has all the details in it:
                                      http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf

                                      Here is a bit that is odd from that...

                                      "The initial means of infection was a sophisticated spearphishing email which did not require user
                                      interaction, ie clicking on a link or downloading an attachment."

                                      Why would they bother making a "sophisticated spearphishing" attack, if the email didn't require any interaction? The spearphishing would be entirely pointless. So this is beyond fishy.

                                      They then define spearphishing as: " Spear-phishing emails are a form of malicious email targeting an individual or organisation. They mimic legitimate mail and contain malicious attachments or links designed to steal credentials or enable the install malware."

                                      So by claiming that it was spearphishing, and defining spearphishing, they now have conflicting claims. In one case they claimed that it contained malicious attachments or links, in the other they claim that it did not.

                                      yeah - it's bad writing for sure... but it could easily be both... If there was an unpatched vulnerability, that would be exploited.. but they could also include a link to an infected page in case there was no zero-click vulnerability.

                                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                                      • scottalanmillerS
                                        scottalanmiller @Dashrender
                                        last edited by

                                        @Dashrender said in ANU hacked by phishing email through the preview pane:

                                        Chrome and IE both recently had zero click exploits - simply visiting a webpage would exploit them and give full control to a hacker.

                                        That's not really relevant here, thought. That "something" has a zero day flaw, is not the same as what is being said.

                                        1 Reply Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller @Dashrender
                                          last edited by

                                          @Dashrender said in ANU hacked by phishing email through the preview pane:

                                          Assuming Outlook was the culprit for this attack, and Outlook uses IE and Word to display stuff - it's very conceivable that a zero-click exploit was used against these people.

                                          Assuming Outlook is the culprit, then the wording of the result is untrue. We assume this to be true, but to do so means you have already assumed them to be lying.

                                          And Outlook is simply automating clicks. Under normal circumstances, we don't call that zero interaction. It's a predetermined, automated interaction.

                                          The email layer itself is safe from this. It required an additional, unique application to be told to run code where code isn't supposed to exist. In no other situation do we call that a zero touch situation. If you automated an attack with a script anywhere else, you'd never accept that wording.

                                          1 Reply Last reply Reply Quote 0
                                          • DashrenderD
                                            Dashrender @DustinB3403
                                            last edited by

                                            @DustinB3403 said in ANU hacked by phishing email through the preview pane:

                                            @Dashrender said in ANU hacked by phishing email through the preview pane:

                                            @DustinB3403 said in ANU hacked by phishing email through the preview pane:

                                            I'd bet dollars to donuts that the attachment was opened, and contained some malicious software that allowed the attacker in.

                                            This claim of "they didn't even open the email" is absurd, someone absolutely opened an email, clicked a link or opened an attachment.

                                            why do you claim this? do you not believe there are zero-click exploits in anything?

                                            Chrome and IE both recently had zero click exploits - simply visiting a webpage would exploit them and give full control to a hacker.
                                            Assuming Outlook was the culprit for this attack, and Outlook uses IE and Word to display stuff - it's very conceivable that a zero-click exploit was used against these people.

                                            The claim that the email wasn't opened is a false claim - as almost everyone these days uses preview mode - which is the same as opening the email.

                                            I find it weird because the 20 page summary of the issues shows the spearfishing attempts! They clearly opened the emails to get those screenshots they provided.

                                            If their security team opened it, then certainly the end user did.

                                            I did not once say that zero-clicks don't exist, I just find it highly unlikely with the low quality of the spearfishing attempts made.

                                            I haven't looked at the 20 page paper yet - Thought I thought they only said (through quotes here) that yes, the email was opened - but no - no links/attachments were opened.

                                            are you saying that they did in fact claim the emails themselves were never opened?

                                            scottalanmillerS 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 3 / 4
                                            • First post
                                              Last post