    ANU hacked by phishing email through the preview pane
    • Nic @Dashrender

      @Dashrender one interesting tidbit from the Brian Krebs talk at SpiceWorld 2019 was him talking about how hackers typically take a couple weeks to surveil the landscape before executing their payload. Them getting in and then taking time to reinforce their toehold into the environment sounds like it's the norm now.

      • scottalanmiller @DustinB3403

        @DustinB3403 said in ANU hacked by phishing email through the preview pane:

        Does that really count as no-click? I'd think this is more a scripted execution of their email client being allowed to execute scripts.

        Has to be scripted execution for some environment. Email itself is plain text and cannot be a threat until a scripted execution decides to treat it as an executable.

        • scottalanmiller @Dashrender

          @Dashrender said in ANU hacked by phishing email through the preview pane:

          Why do you assume nested virtualization? Isn't station one a user's laptop/desktop? Assuming Windows 10, the attacker could have enabled Hyper-V then run two VMs there. Or they could have installed VirtualBox and built VMs there... I see no reason to consider nested virtualization.

          Because they got a platform first. Then they created VMs on it. Where was this machine hiding if it was a physical machine? Anything like Hyper-V, VirtualBox, etc. would be incredibly noticeable. Especially given that we know how old the equipment that they were running there is. How you could hide building an attack platform on someone's desktop is beyond me. How the hell would no one notice?

          • scottalanmiller @Nic

            @Nic said in ANU hacked by phishing email through the preview pane:

            @Dashrender one interesting tidbit from the Brian Krebs talk at SpiceWorld 2019 was him talking about how hackers typically take a couple weeks to surveil the landscape before executing their payload. Them getting in and then taking time to reinforce their toehold into the environment sounds like it's the norm now.

            They've had time to figure out that even big shops like a huge university have nothing looking for breaches, and nothing being secured. So why try to be fast?

            • Dashrender @scottalanmiller

              @scottalanmiller said in ANU hacked by phishing email through the preview pane:

              @Dashrender said in ANU hacked by phishing email through the preview pane:

              Why do you assume nested virtualization? Isn't station one a user's laptop/desktop? Assuming Windows 10, the attacker could have enabled Hyper-V then run two VMs there. Or they could have installed VirtualBox and built VMs there... I see no reason to consider nested virtualization.

              Because they got a platform first. Then they created VMs on it. Where was this machine hiding if it was a physical machine? Anything like Hyper-V, VirtualBox, etc. would be incredibly noticeable. Especially given that we know how old the equipment that they were running there is. How you could hide building an attack platform on someone's desktop is beyond me. How the hell would no one notice?

              I still haven't read the 20 page doc... but I'm completely assuming the attack station is a person's desktop, something that was commandeered via the phishing attack. It seemed likely that that machine is where they installed a hypervisor.
              I could easily see this being an executive machine that has more power than he ever needs, so having those VMs running there could be barely noticeable, and if the attacker was using the machine mainly while the user wasn't, then it would be even less noticeable to the end user.

              • DustinB3403

                @Dashrender we know that station one was out of date, presumably running a much older OS as these systems were fully decommissioned once this was all discovered.

                I would be highly suspect if Hyper-V was able to be set up on these systems; more likely some version of VirtualBox was installed and used to run the operation from.

                • scottalanmiller @Dashrender

                  @Dashrender said in ANU hacked by phishing email through the preview pane:

                  I still haven't read the 20 page doc... but I'm completely assuming the attack station is a person's desktop, something that was commandeered via the phishing attack. It seemed likely that that machine is where they installed a hypervisor.

                  That's reasonable, but how the heck did they commandeer a desktop, install a hypervisor, run multiple VMs, and no one notice!!

                  • DustinB3403 @scottalanmiller

                    @scottalanmiller said in ANU hacked by phishing email through the preview pane:

                    @Dashrender said in ANU hacked by phishing email through the preview pane:

                    I still haven't read the 20 page doc... but I'm completely assuming the attack station is a person's desktop, something that was commandeered via the phishing attack. It seemed likely that that machine is where they installed a hypervisor.

                    That's reasonable, but how the heck did they commandeer a desktop, install a hypervisor, run multiple VMs, and no one notice!!

                    That I would guess is the million dollar question. Like did they have workstations set up randomly throughout the school, like tucked in a closet, and people just forgot to remove them?

                    • Dashrender @scottalanmiller

                      @scottalanmiller said in ANU hacked by phishing email through the preview pane:

                      @Dashrender said in ANU hacked by phishing email through the preview pane:

                      I still haven't read the 20 page doc... but I'm completely assuming the attack station is a person's desktop, something that was commandeered via the phishing attack. It seemed likely that that machine is where they installed a hypervisor.

                      That's reasonable, but how the heck did they commandeer a desktop, install a hypervisor, run multiple VMs, and no one notice!!

                      I really don't understand your lack of understanding? Do you expect that something would show up to the user, something other than the performance hit? As I said, if the hacker only used the computer when the normal user was off, then it's very easy to see that that normal user would not see the performance drop.

                      • scottalanmiller @Dashrender

                        @Dashrender said in ANU hacked by phishing email through the preview pane:

                        @scottalanmiller said in ANU hacked by phishing email through the preview pane:

                        @Dashrender said in ANU hacked by phishing email through the preview pane:

                        I still haven't read the 20 page doc... but I'm completely assuming the attack station is a person's desktop, something that was commandeered via the phishing attack. It seemed likely that that machine is where they installed a hypervisor.

                        That's reasonable, but how the heck did they commandeer a desktop, install a hypervisor, run multiple VMs, and no one notice!!

                        I really don't understand your lack of understanding? Do you expect that something would show up to the user, something other than the performance hit? As I said, if the hacker only used the computer when the normal user was off, then it's very easy to see that that normal user would not see the performance drop.

                        I suppose. But do you have a machine in your environment that could handle even the storage requirements of multiple VMs without causing issues? We are talking about a school running old machines here. Taking old equipment and "hiding" a ton of resources is harder than it sounds.

                        • Dashrender @scottalanmiller

                          @scottalanmiller said in ANU hacked by phishing email through the preview pane:

                          @Dashrender said in ANU hacked by phishing email through the preview pane:

                          @scottalanmiller said in ANU hacked by phishing email through the preview pane:

                          @Dashrender said in ANU hacked by phishing email through the preview pane:

                          I still haven't read the 20 page doc... but I'm completely assuming the attack station is a person's desktop, something that was commandeered via the phishing attack. It seemed likely that that machine is where they installed a hypervisor.

                          That's reasonable, but how the heck did they commandeer a desktop, install a hypervisor, run multiple VMs, and no one notice!!

                          I really don't understand your lack of understanding? Do you expect that something would show up to the user, something other than the performance hit? As I said, if the hacker only used the computer when the normal user was off, then it's very easy to see that that normal user would not see the performance drop.

                          I suppose. But do you have a machine in your environment that could handle even the storage requirements of multiple VMs without causing issues? We are talking about a school running old machines here. Taking old equipment and "hiding" a ton of resources is harder than it sounds.

                          They said XP and something else - XP, depending on the tools used by the attacker is 20 GB base, call it another 20 GB for tools - yes, every machine in my environment could give up 40 GB of storage.
                          And if the machines are really that old - then I would fully expect them to have 500 GB HDD, making this even less of an issue than my machines that only have 128 GB SSDs.

                          Most corporate machines barely require any local storage at all. My normal install uses around 30 GB today with Windows 10. The desktop is really the only place anyone stores anything; the rest is in the folder-redirected Documents folder, which really lives on the network (may or may not have a local copy).

                          • DustinB3403 @Dashrender
                            last edited by DustinB3403

                            @Dashrender Except that we know that this environment isn't run like a corporation, since they have machines that were completely unaccounted for; for some duration of time people forgot about them, and those machines were targeted and used.

                            The summation of this is that; this university is absolutely a joke, run by people who don't take their responsibilities seriously and were hoping to never have any issue occur ever.

                            Edit: Typo corrected in bold.

                            • Dashrender @DustinB3403
                              last edited by Dashrender

                              @DustinB3403 said in ANU hacked by phishing email through the preview pane:

                              since they have machines that were completely unaccounted for; for some duration of time people forgot about them, and those machines were targeted and used.

                              Was that specifically stated in the 20 page paper? Machines completely unaccounted for? And if they were, they wouldn't be machines that get phished on; that would have to be a user's machine being phished. Which, remember, is where this whole thing started.

                              • DustinB3403 @Dashrender

                                @Dashrender said in ANU hacked by phishing email through the preview pane:

                                @DustinB3403 said in ANU hacked by phishing email through the preview pane:

                                since they have machines that were completely unaccounted for; for some duration of time people forgot about them, and those machines were targeted and used.

                                Was that specifically stated in the 20 page paper? Machines completely unaccounted for? And if they were, they wouldn't be machines that get phished on; that would have to be a user's machine being phished. Which, remember, is where this whole thing started.

                                What? Are you being dense on purpose?

                                You phish for credentials, not for a computer. Credentials can be used on any number of systems that are set up in a domain. Which specifically: "the attacker was phishing for administrative credentials". Read the damn paper, because you're starting to sound absolutely flipping insane.

                                Any number of workstations in a DOMAIN can have administrative credentials used on them, which is what you phish for. FFS!

                                • scottalanmiller @Dashrender

                                  @Dashrender said in ANU hacked by phishing email through the preview pane:

                                  @DustinB3403 said in ANU hacked by phishing email through the preview pane:

                                  since they have machines that were completely unaccounted for; for some duration of time people forgot about them, and those machines were targeted and used.

                                  Was that specifically stated in the 20 page paper? Machines completely unaccounted for? And if they were, they wouldn't be machines that get phished on; that would have to be a user's machine being phished. Which, remember, is where this whole thing started.

                                  They made a big point of showing that the machines being phished weren't used for any access.

                                  • scottalanmiller @DustinB3403

                                    @DustinB3403 said in ANU hacked by phishing email through the preview pane:

                                    @Dashrender said in ANU hacked by phishing email through the preview pane:

                                    @DustinB3403 said in ANU hacked by phishing email through the preview pane:

                                    since they have machines that were completely unaccounted for; for some duration of time people forgot about them, and those machines were targeted and used.

                                    Was that specifically stated in the 20 page paper? Machines completely unaccounted for? And if they were, they wouldn't be machines that get phished on; that would have to be a user's machine being phished. Which, remember, is where this whole thing started.

                                    What? Are you being dense on purpose?

                                    You phish for credentials, not for a computer. Credentials can be used on any number of systems that are set up in a domain. Which specifically: "the attacker was phishing for administrative credentials". Read the damn paper, because you're starting to sound absolutely flipping insane.

                                    Any number of workstations in a DOMAIN can have administrative credentials used on them, which is what you phish for. FFS!

                                    Once again... AD being a risk 😉

                                    • DustinB3403 @scottalanmiller

                                      @scottalanmiller said in ANU hacked by phishing email through the preview pane:

                                      Once again... AD being a risk

                                      Yeah, it absolutely was in this case, but so would Samba. So half one, half another. If the school was LAN-less I can't imagine how they'd operate, since they clearly had no idea what was on their LAN in the first place.

                                      • scottalanmiller @DustinB3403

                                        @DustinB3403 said in ANU hacked by phishing email through the preview pane:

                                        @scottalanmiller said in ANU hacked by phishing email through the preview pane:

                                        Once again... AD being a risk

                                        Yeah, it absolutely was in this case, but so would Samba. So half one, half another. If the school was LAN-less I can't imagine how they'd operate, since they clearly had no idea what was on their LAN in the first place.

                                        Basically what you are stating is that generally incompetence or cluelessness is really the underlying problem. Since they were doing "everything" badly, fixing any one or two things wouldn't actually make a difference.

                                        That said, SMB without AD does have benefits. Getting one password doesn't get access to the next thing. It's not "get it once, get the keys to the kingdom" like AD tends to create (only tends; you CAN work around it).

                                        • DustinB3403 @scottalanmiller

                                          @scottalanmiller From the 20-page summation of the issue, there was literally nothing they could've not done to have fixed this issue ahead of it ever occurring.

                                          Basic documentation of what they had deployed and decommissioning of equipment, to an employee being phished, credentials compromised, and then phished again a week or so later and no one noticing a pattern.

                                          Leaving legacy systems unaccounted for and running without ever being updated

                                          A lack of user training

                                          A lack of password policy and access control.

                                          It was all done in a wholly incompetent fashion, having fixed any one of them would've at least limited the damage, from having separate administrative accounts for their admins, to just decom'ing old crap on a regular basis (or at least updating it).

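Two of the failures listed in the post above (administrative credentials usable on any domain workstation, and the same employee phished twice within about a week with nobody noticing the pattern) are exactly the kind of thing a simple log rule catches. The following is an added example, not code from this thread or from the ANU report; the CSV-style log format, the `da_` naming convention for privileged accounts, the host names and the dates are all constructed assumptions.

```python
"""Detections for the two failure modes discussed in the thread.
Constructed sample log, shape: timestamp,event,user,host,host_role.
Not a real SIEM export; the events and names are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events. 'admin_interactive_logon' stands in for an interactive
# logon by a privileged account; 'phish_cred_reset' stands in for a helpdesk
# password reset after a user is confirmed phished.
SAMPLE_LOG = """\
2019-10-01T08:02:00,phish_cred_reset,jdoe,HELPDESK,server
2019-10-04T14:10:00,admin_interactive_logon,da_admin,WS-OLD-XP-17,workstation
2019-10-05T09:30:00,admin_interactive_logon,da_admin,DC01,domain_controller
2019-10-08T11:45:00,phish_cred_reset,jdoe,HELPDESK,server
2019-10-12T16:00:00,admin_interactive_logon,da_admin,WS-EXEC-01,workstation
2019-10-13T10:00:00,phish_cred_reset,asmith,HELPDESK,server
"""

PRIVILEGED_PREFIX = "da_"  # assumption: separate, prefixed admin accounts


def parse(log_text):
    """Parse the constructed CSV lines into dicts with a datetime timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, host, role = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "host": host, "role": role})
    return events


def admin_on_workstations(events):
    """Tier violation: a privileged account logging on interactively to a
    workstation. Workstations are where phished users sit, so a domain admin
    logon there exposes that credential to whatever runs on the box."""
    return [(e["ts"].date().isoformat(), e["user"], e["host"]) for e in events
            if e["event"] == "admin_interactive_logon"
            and e["user"].startswith(PRIVILEGED_PREFIX)
            and e["role"] == "workstation"]


def repeat_phish_victims(events, window=timedelta(days=14)):
    """Same user compromised twice inside `window`: the pattern the thread
    says nobody noticed. Returns {user: [(first_date, second_date), ...]}."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "phish_cred_reset":
            by_user[e["user"]].append(e["ts"])
    hits = {}
    for user, times in by_user.items():
        times.sort()
        pairs = [(a.date().isoformat(), b.date().isoformat())
                 for a, b in zip(times, times[1:]) if b - a <= window]
        if pairs:
            hits[user] = pairs
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for hit in admin_on_workstations(evs):
        print("ALERT privileged logon on workstation:", hit)
    for user, pairs in repeat_phish_victims(evs).items():
        print("ALERT repeat phish victim:", user, pairs)
```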
                                          • DustinB3403

                                            I'd be willing to bet that this university had the students set up their network without any oversight or understanding of how it was set up.

                                            "For today's class we'll be setting up AD 2003 and getting the entire school to use it - You get an A!" and they just let it run and run and run.

                                            I'm just taking a guess at the AD version; it wasn't listed.
