ANU hacked by phishing email through the preview pane
-
No clicking on links or downloading attachments required - they payload got executed just by being previewed. No mention of what email client they were using yet.
-
@Nic said in ANU hacked by phishing email through the preview pane:
No clicking on links or downloading attachments required - they payload got executed just by being previewed. No mention of what email client they were using yet.
Probably Outlook. I am pretty sure that vulnerabilities like this have surfaced and been patched several times over in various versions of Outlook.
-
@wrx7m I knew it was an issue back in the day, but I didn't realize it had resurfaced over the years.
-
Both IE and Chrome had had zero click vulnerabilities is the past 2-3 weeks. I know this attack was back in 2018, so likely wasn't these vulnerabilities - but who knows.. could have been a zero day when it happened.
-
@Nic said in ANU hacked by phishing email through the preview pane:
No clicking on links or downloading attachments required - they payload got executed just by being previewed. No mention of what email client they were using yet.
Highly suspect. No details, no original e-mail mentioned, no analysis.
I call bunk.
Someone clicked on something and didn't fess up.
-
"The staff member only had to preview the email - not click a link or even open the message - for the hackers to get the information needed to access the ANU network."
Only problem with this statement... previewing and opening are the same thing. The client has to open the email in order to preview it. To access a payload, it has to follow a link. So it's a little misleading. It was obviously opened.
-
@Nic said in ANU hacked by phishing email through the preview pane:
@wrx7m I knew it was an issue back in the day, but I didn't realize it had resurfaced over the years.
If people haven't patched, it never goes away
-
@PhlipElder said in ANU hacked by phishing email through the preview pane:
@Nic said in ANU hacked by phishing email through the preview pane:
No clicking on links or downloading attachments required - they payload got executed just by being previewed. No mention of what email client they were using yet.
Highly suspect. No details, no original e-mail mentioned, no analysis.
I call bunk.
Someone clicked on something and didn't fess up.
Seems most likely. Or set the browser to follow links automatically. They already got the preview / open thing wrong claiming that they "opened and read the email" but hadn't "opened it" which clearly, makes no sense.
-
@scottalanmiller said in ANU hacked by phishing email through the preview pane:
"The staff member only had to preview the email - not click a link or even open the message - for the hackers to get the information needed to access the ANU network."
Only problem with this statement... previewing and opening are the same thing.
We know that, but to the meatware they're two different things. One of those illogical fallacies that people don't question because some how it makes sense... mostly because they have no idea how it works.
-
Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803
-
@nadnerB said in ANU hacked by phishing email through the preview pane:
@scottalanmiller said in ANU hacked by phishing email through the preview pane:
"The staff member only had to preview the email - not click a link or even open the message - for the hackers to get the information needed to access the ANU network."
Only problem with this statement... previewing and opening are the same thing.
We know that, but to the meatware they're two different things. One of those illogical fallacies that people don't question because some how it makes sense... mostly because they have no idea how it works.
While this may be true for some people I've seen way to many wilfully ignorant users to give everyone the benefit of doubt. Often they actively refuse to even use common sense because it's a computer and computer is magic, period. A lot of issues could be prevented by just thinking logically, like we do every day (I hope). This may also apply outside IT but I think not to this extent.
Of course in the real world I at least pretend to believe when a user says he tried - and while some of theyr actions make me question my world view they are also the foundation of my business and after all, a paying customer can have all he pays for.
-
@nadnerB said in ANU hacked by phishing email through the preview pane:
@scottalanmiller said in ANU hacked by phishing email through the preview pane:
"The staff member only had to preview the email - not click a link or even open the message - for the hackers to get the information needed to access the ANU network."
Only problem with this statement... previewing and opening are the same thing.
We know that, but to the meatware they're two different things. One of those illogical fallacies that people don't question because some how it makes sense... mostly because they have no idea how it works.
Right, and writing to trick fools is called... social engineering. Making the article a trick, not actual news.
The problem is, nothing is interesting about the attack other than just how incompetent the university is to not even understand what email is.
-
@nadnerB said in ANU hacked by phishing email through the preview pane:
Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803
Here's the link straight to the PDF of the report that has all the details in it:
http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf -
@Nic said in ANU hacked by phishing email through the preview pane:
@nadnerB said in ANU hacked by phishing email through the preview pane:
Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803
Here's the link straight to the PDF of the report that has all the details in it:
http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdfWow they were able to boil the entire incident to 20 pages!
-
@DustinB3403 said in ANU hacked by phishing email through the preview pane:
@Nic said in ANU hacked by phishing email through the preview pane:
@nadnerB said in ANU hacked by phishing email through the preview pane:
Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803
Here's the link straight to the PDF of the report that has all the details in it:
http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdfWow they were able to boil the entire incident to 20 pages!
It's got diagrams too!
-
@Nic said in ANU hacked by phishing email through the preview pane:
@DustinB3403 said in ANU hacked by phishing email through the preview pane:
@Nic said in ANU hacked by phishing email through the preview pane:
@nadnerB said in ANU hacked by phishing email through the preview pane:
Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803
Here's the link straight to the PDF of the report that has all the details in it:
http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdfWow they were able to boil the entire incident to 20 pages!
It's got diagrams too!
Pretty diagrams!
-
The attackers setup Virtual Machines on their network, and NO ONE noticed!
-
@DustinB3403 clearly they need a SIEM!
-
@Nic Even the spearfishing attacks had all of the trademarks of "something is going on here". With typo's, basic grammatical errors etc.
With the claim of "no one clicked on anything" and they were compromised I find highly suspect. As in the original email, it says "An explanatory note is attached for ease of reference on the contents how the was developed."
No one opened that attachment? BS. Also what the hell does that sentence even mean?
-
I'd bet dollars to donuts that the attachment was opened, and contained some malicious software that allowed the attacker in.
This claim of "they didn't even open the email" is absurd, someone absolutely opened an email, clicked a link or opened an attachment.
