ANU hacked by phishing email through the preview pane
-
@nadnerB said in ANU hacked by phishing email through the preview pane:
@scottalanmiller said in ANU hacked by phishing email through the preview pane:
"The staff member only had to preview the email - not click a link or even open the message - for the hackers to get the information needed to access the ANU network."
Only problem with this statement... previewing and opening are the same thing.
We know that, but to the meatware they're two different things. One of those illogical fallacies that people don't question because somehow it makes sense... mostly because they have no idea how it works.
While this may be true for some people, I've seen way too many wilfully ignorant users to give everyone the benefit of the doubt. Often they actively refuse to even use common sense because it's a computer, and computer is magic, period. A lot of issues could be prevented by just thinking logically, like we do every day (I hope). This may also apply outside IT, but I think not to this extent.
Of course in the real world I at least pretend to believe when a user says he tried - and while some of their actions make me question my world view, they are also the foundation of my business, and after all, a paying customer can have all he pays for.
-
@nadnerB said in ANU hacked by phishing email through the preview pane:
@scottalanmiller said in ANU hacked by phishing email through the preview pane:
"The staff member only had to preview the email - not click a link or even open the message - for the hackers to get the information needed to access the ANU network."
Only problem with this statement... previewing and opening are the same thing.
We know that, but to the meatware they're two different things. One of those illogical fallacies that people don't question because somehow it makes sense... mostly because they have no idea how it works.
Right, and writing to trick fools is called... social engineering. Making the article a trick, not actual news.
The problem is, nothing is interesting about the attack other than just how incompetent the university is to not even understand what email is.
-
@nadnerB said in ANU hacked by phishing email through the preview pane:
Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803
Here's the link straight to the PDF of the report that has all the details in it:
http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf
-
@Nic said in ANU hacked by phishing email through the preview pane:
@nadnerB said in ANU hacked by phishing email through the preview pane:
Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803
Here's the link straight to the PDF of the report that has all the details in it:
http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf
Wow they were able to boil the entire incident to 20 pages!
-
@DustinB3403 said in ANU hacked by phishing email through the preview pane:
@Nic said in ANU hacked by phishing email through the preview pane:
@nadnerB said in ANU hacked by phishing email through the preview pane:
Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803
Here's the link straight to the PDF of the report that has all the details in it:
http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf
Wow they were able to boil the entire incident to 20 pages!
It's got diagrams too!
-
@Nic said in ANU hacked by phishing email through the preview pane:
@DustinB3403 said in ANU hacked by phishing email through the preview pane:
@Nic said in ANU hacked by phishing email through the preview pane:
@nadnerB said in ANU hacked by phishing email through the preview pane:
Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803
Here's the link straight to the PDF of the report that has all the details in it:
http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf
Wow they were able to boil the entire incident to 20 pages!
It's got diagrams too!
Pretty diagrams!
-
The attackers set up Virtual Machines on their network, and NO ONE noticed!
-
@DustinB3403 clearly they need a SIEM!
-
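The two posts above (unnoticed VMs, "they need a SIEM") describe a gap rather than a technique, so here is one concrete check of the kind a SIEM rule would run. This is an added example, not code from the thread or from the ANU report: it scans DHCP server log lines for leases handed to MAC addresses whose OUI belongs to a hypervisor's virtual NIC and flags any that are not in a known-VM inventory. The log lines, the inventory set and the host names are constructed for illustration; the OUI-to-vendor table lists well-known hypervisor OUIs, which are facts, but is not exhaustive.

```python
"""Flag virtual machines appearing on the network without an inventory record.

Added example (not from the forum thread or the ANU report). The DHCP log
lines and the INVENTORY set below are constructed for illustration.
"""
import re

# OUIs (first three octets) used by common hypervisors for virtual NICs.
# Well-known values; the table is illustrative, not exhaustive.
VM_OUIS = {
    "00:50:56": "VMware", "00:0c:29": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V", "52:54:00": "QEMU/KVM",
}

# Constructed ISC dhcpd-style syslog lines. Only 00:15:5d:aa:00:07 is a
# sanctioned VM; two VMware-OUI hosts show up that nobody inventoried.
LOG = """\
Jun  3 02:11:07 dhcp1 dhcpd: DHCPACK on 10.20.30.41 to 00:15:5d:aa:00:07 (fs-vm01) via eth0
Jun  3 02:13:52 dhcp1 dhcpd: DHCPACK on 10.20.30.88 to 00:0c:29:4f:12:9a via eth0
Jun  3 02:14:10 dhcp1 dhcpd: DHCPACK on 10.20.30.89 to 00:0c:29:7b:33:e1 (ubuntu) via eth0
Jun  3 02:20:44 dhcp1 dhcpd: DHCPACK on 10.20.30.120 to 3c:52:82:1d:55:90 (lab-pc-12) via eth0
Jun  3 03:01:19 dhcp1 dhcpd: DHCPACK on 10.20.30.88 to 00:0c:29:4f:12:9a via eth0
"""

# Constructed inventory of VMs that are supposed to exist (keyed by MAC).
INVENTORY = {"00:15:5d:aa:00:07"}

# "DHCPACK on <ip> to <mac> [(<hostname>)] via <iface>"
LEASE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17})(?: \((\S+)\))? via")


def flag_unknown_vms(log: str, inventory: set) -> list:
    """Return one alert per distinct MAC that (a) carries a hypervisor OUI
    and (b) is absent from the inventory. Repeated leases of the same MAC
    produce a single alert."""
    seen = set()
    alerts = []
    for line in log.splitlines():
        m = LEASE.search(line)
        if not m:
            continue
        ip, mac, hostname = m.groups()
        mac = mac.lower()
        vendor = VM_OUIS.get(mac[:8])
        if vendor is None or mac in inventory or mac in seen:
            continue
        seen.add(mac)
        alerts.append({
            "mac": mac,
            "ip": ip,
            "hostname": hostname or "(none)",
            "hypervisor": vendor,
        })
    return alerts


if __name__ == "__main__":
    for a in flag_unknown_vms(LOG, INVENTORY):
        print(f"uninventoried {a['hypervisor']} VM: {a['mac']} {a['ip']} {a['hostname']}")
```

The point is not the OUI trick itself (an attacker can change a VM's MAC) but that a new host appearing on the network and not matching any inventory record is an event worth raising; the same rule works on ARP tables, switch MAC tables or hypervisor audit logs once they are shipped somewhere that correlates them. A missing hostname, as in the second lease above, is a useful secondary signal on its own.
-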
@Nic Even the spearphishing attacks had all of the trademarks of "something is going on here". With typos, basic grammatical errors etc.
The claim of "no one clicked on anything" and yet they were compromised I find highly suspect. As the original email says: "An explanatory note is attached for ease of reference on the contents how the was developed."
No one opened that attachment? BS. Also what the hell does that sentence even mean?
-
I'd bet dollars to donuts that the attachment was opened, and contained some malicious software that allowed the attacker in.
This claim of "they didn't even open the email" is absurd, someone absolutely opened an email, clicked a link or opened an attachment.
-
@DustinB3403 said in ANU hacked by phishing email through the preview pane:
I'd bet dollars to donuts that the attachment was opened, and contained some malicious software that allowed the attacker in.
This claim of "they didn't even open the email" is absurd, someone absolutely opened an email, clicked a link or opened an attachment.
If they are recklessly using something like Outlook, there is a reasonable possibility that they didn't click on a link. But, we simply can't believe anything because the article is clearly falsified.
-
@Nic said in ANU hacked by phishing email through the preview pane:
@nadnerB said in ANU hacked by phishing email through the preview pane:
Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803
Here's the link straight to the PDF of the report that has all the details in it:
http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf
Here is a bit that is odd from that...
"The initial means of infection was a sophisticated spearphishing email which did not require user interaction, ie clicking on a link or downloading an attachment."
Why would they bother making a "sophisticated spearphishing" attack, if the email didn't require any interaction? The spearphishing would be entirely pointless. So this is beyond fishy.
They then define spearphishing as: " Spear-phishing emails are a form of malicious email targeting an individual or organisation. They mimic legitimate mail and contain malicious attachments or links designed to steal credentials or enable the install malware."
So by claiming that it was spearphishing, and defining spearphishing, they now have conflicting claims. In one case they claimed that it contained malicious attachments or links, in the other they claim that it did not.
-
This quote: "The actor's activity was contained to a handful of systems, although they had gained broader access."
Clearly written by someone who doesn't speak English. In the first half of the sentence, it was contained. But in the second half, it was not contained. Um....
-
What I find even more weird is that the school is somehow monitoring the PII details of all of the people whose information was compromised, and they are able to determine that the information hasn't been used by the attacker.
How?! It was 6 weeks before they even knew anything was up!
-
@DustinB3403 said in ANU hacked by phishing email through the preview pane:
I'd bet dollars to donuts that the attachment was opened, and contained some malicious software that allowed the attacker in.
This claim of "they didn't even open the email" is absurd, someone absolutely opened an email, clicked a link or opened an attachment.
why do you claim this? do you not believe there are zero-click exploits in anything?
Chrome and IE both recently had zero-click exploits - simply visiting a webpage would exploit them and give full control to a hacker.
Assuming Outlook was the culprit for this attack, and Outlook uses IE and Word to display stuff - it's very conceivable that a zero-click exploit was used against these people.
The claim that the email wasn't opened is a false claim - as almost everyone these days uses preview mode - which is the same as opening the email.
-
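The argument made twice in this thread (that previewing is opening, because the preview pane hands the message to the same HTML renderer) can be made concrete by listing what a client would do with a message the instant it renders it, before anyone clicks. The script below is an added example, not code from the thread or from the ANU report; the sample message, its sender, URLs and attachment name are all constructed, and the analysis is a static inventory of the rendered surface rather than an exploit of any client. It separates three things a triage analyst would want to know: resources a renderer fetches automatically (images, stylesheets, frames), active-content tags, and attachments.

```python
"""Inventory what an HTML email exposes the moment a client renders it.

Added example (not from the forum thread or the ANU report). SAMPLE_EML is a
constructed message; every address, URL and filename in it is made up.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

SAMPLE_EML = b"""\
From: "Payroll" <payroll@example.invalid>
To: staff@example.invalid
Subject: Updated salary scale (explanatory note attached)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>An explanatory note is attached for ease of reference.</p>
<img src="http://tracker.example.invalid/open.gif?id=staff42" width="1" height="1">
<link rel="stylesheet" href="https://cdn.example.invalid/mail.css">
<iframe src="https://landing.example.invalid/doc"></iframe>
<script>document.location="https://landing.example.invalid/x"</script>
</body></html>
--b1
Content-Type: application/msword; name="note.doc"
Content-Disposition: attachment; filename="note.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEA
--b1--
"""

# Tags whose referenced resource a renderer fetches on its own, and the
# attribute that carries the URL. No click is involved in any of these.
AUTO_FETCH = {
    "img": "src", "link": "href", "iframe": "src", "object": "data",
    "embed": "src", "source": "src", "video": "src", "audio": "src",
}
# Tags that carry or load active content. Most mail clients strip these,
# but the code that decides to strip them runs on the attacker's bytes.
ACTIVE = {"script", "iframe", "object", "embed", "form"}
# Remote URLs hidden in CSS, which image-blocking does not always cover.
CSS_URL = re.compile(r"""url\(\s*['"]?(https?://[^'")\s]+)""", re.I)


class RenderInventory(HTMLParser):
    """Collect auto-fetched URLs and active tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.remote = []   # URLs fetched purely by rendering
        self.active = []   # active-content tags present

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ACTIVE:
            self.active.append(tag)
        key = AUTO_FETCH.get(tag)
        url = (a.get(key) or "") if key else ""
        if url.lower().startswith(("http://", "https://")):
            self.remote.append(url)


def analyze(raw: bytes) -> dict:
    """Walk every MIME part and report what rendering the message exposes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"remote": [], "active": [], "attachments": []}
    for part in msg.walk():
        if part.is_attachment():
            report["attachments"].append((part.get_filename(), part.get_content_type()))
        elif part.get_content_type() == "text/html":
            html = part.get_content()
            inv = RenderInventory()
            inv.feed(html)
            report["remote"] += inv.remote + CSS_URL.findall(html)
            report["active"] += inv.active
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_EML)
    print("fetched on render:", *r["remote"], sep="\n  ")
    print("active content:", r["active"])
    print("attachments:", r["attachments"])
```

Two things follow from the output. The tracking image and stylesheet are requested as soon as the preview pane draws the message, which is why "previewed, not opened" is not a meaningful distinction for an HTML client that loads remote content. And the attachment is listed even though nothing here opens it; whether it was opened is exactly the question the thread raises, and a report that wants to be believed on that point needs to say what the client logged, not just what the user remembers.
-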
@DustinB3403 said in ANU hacked by phishing email through the preview pane:
What I find even more weird is that the school is some how monitoring the PII details of all of the people who's information was compromised, and they are able to determine that the information hasn't been used by the attacker.
How?! It was 6 weeks before they even knew anything was up!
LOL, the blind protecting the blind.
-
@Dashrender said in ANU hacked by phishing email through the preview pane:
why do you claim this? do you not believe there are zero-click exploits in anything?
I think it is more "there is no reason to believe a known liar when they claim that the obvious did not happen."
If you had this conversation with a cop, they'd point out that the known thief, already caught lying about his alibi, who was caught with the goods on him, is very unlikely to be telling the truth when he said that he didn't do it. Is it possible he didn't do it? Yes, of course. But there is no reason to believe him as it's already established that there is evidence against him and that he's already lying about the event in question.
-
@Dashrender said in ANU hacked by phishing email through the preview pane:
@DustinB3403 said in ANU hacked by phishing email through the preview pane:
I'd bet dollars to donuts that the attachment was opened, and contained some malicious software that allowed the attacker in.
This claim of "they didn't even open the email" is absurd, someone absolutely opened an email, clicked a link or opened an attachment.
why do you claim this? do you not believe there are zero-click exploits in anything?
Chrome and IE both recently had zero-click exploits - simply visiting a webpage would exploit them and give full control to a hacker.
Assuming Outlook was the culprit for this attack, and Outlook uses IE and Word to display stuff - it's very conceivable that a zero-click exploit was used against these people.
The claim that the email wasn't opened is a false claim - as almost everyone these days uses preview mode - which is the same as opening the email.
I find it weird because the 20 page summary of the issues shows the spearphishing attempts! They clearly opened the emails to get those screenshots they provided.
If their security team opened it, then certainly the end user did.
I did not once say that zero-clicks don't exist, I just find it highly unlikely with the low quality of the spearphishing attempts made.
-
@scottalanmiller said in ANU hacked by phishing email through the preview pane:
@Nic said in ANU hacked by phishing email through the preview pane:
@nadnerB said in ANU hacked by phishing email through the preview pane:
Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803
Here's the link straight to the PDF of the report that has all the details in it:
http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf
Here is a bit that is odd from that...
"The initial means of infection was a sophisticated spearphishing email which did not require user interaction, ie clicking on a link or downloading an attachment."
Why would they bother making a "sophisticated spearphishing" attack, if the email didn't require any interaction? The spearphishing would be entirely pointless. So this is beyond fishy.
They then define spearphishing as: " Spear-phishing emails are a form of malicious email targeting an individual or organisation. They mimic legitimate mail and contain malicious attachments or links designed to steal credentials or enable the install malware."
So by claiming that it was spearphishing, and defining spearphishing, they now have conflicting claims. In one case they claimed that it contained malicious attachments or links, in the other they claim that it did not.
yeah - it's bad writing for sure... but it could easily be both... If there was an unpatched vulnerability, that would be exploited.. but they could also include a link to an infected page in case there was no zero-click vulnerability.