ANU hacked by phishing email through the preview pane
-
If there was some 0-day no-click that was to be exploited, the attacker could've sent a blank email to any number of targets at the university and been on the network.
There would be no reason to draft something up like with the multiple spearfishing examples that were prominently displayed.
And their 2 big takeaways from this attack was User training for spearfishing and PII privacy protections.
Not some factor of severely outdated software needing better maintenance.
-
"20−21 November 2018: the creation of attack station one.
Over the course of two days the actor downloaded tools and scripts to build attack station one. To
download these tools the actor also compromised a second Internet facing webserver using a webshell
and used this server to download software tools to attack station one. These tools were used to run
scripts and perform remote management tasks including scheduled deletion of logs to hide their
activities. The actor started to map the ANU network on 21 November. "They built an attack station remotely? This sounds fine until you hear the second part...
"22 November 2018: the creation of virtual machines on attack station one.
The following day the actor set up two virtual machines on attack station one, one using Windows XP
and the second Kali Linux. Both operating systems were download using BitTorrent. "
So this was nested virtualization? Or somehow they managed to gain access to a physical box that they totally took over? They never mention the hypervisor at play here, but this is some crazy stuff that they are glossing over.
-
Other software used by the actor included network session capture and mapping tools, bespoke clean-up, JavaScript and PowerShell scripts as well as a proxy tool. The actor downloaded several types of virtualisation software before selecting one and downloaded disk images for Windows XP and Kali Linux. There is little evidence to suggest much use of Kali Linux.
Ha. . . so the hacker setup VM's on your network and used WINDOWS XP to own this school's systems for 6 weeks. . .
-
" The actor also gained access (through remote desktop) to a machine in a school which had a publicly routable IP address. Age and permissiveness of the machine and its operating system are the likely reasons the actor compromised this machine"
OMG... they exposed RDP on an outdated OS to the Internet and gave it a routable IP address!
-
@scottalanmiller Probably windows xp!
-
Okay, so @scottalanmiller this is from the analysis portion
The first phishing email was designed to be interaction-less and likely used some form of scripting. It is assumed the actor anticipated a high degree of security awareness on the part of the intended recipient. Unfortunately, a copy of this email was not recoverable, so further analysis is not possible. Subsequent phishing attachments were designed to harvest credentials and used similar scripts. The user opened the attached Word document and the credentials were sent to the remote server. All the attachments in the second, third and fourth spear-phishing cycles used the same technique with the credentials sent to the active attack station instead of the internet.
Does that really count as no-click? I'd think this is more a scripted execution of their email client being allowed to execute scripts.
-
The article even got the year estimation wrong.
19 years, not 20.
Due to the operational security and clean-up operations of the actor, it has not been possible to retrieve copies of the files exfiltrated from the network. In some cases, there was enough forensic and log data to ascertain file sizes. However, because these files were compressed and likely to have been encrypted, it is difficult to infer what specific data sets was taken from the affected systems. However, based on log analysis and known data volumes it is highly likely that the actor took much less than the 19 years’ worth of data first noted at the time of the breach announcement.
From the article
The university confirmed the attack months after it occurred, and is now thought to have netted "considerably less" than 20 years worth of data as originally expected.
-
This bit is disconcerting.
The purpose of this code remains unknown, and no forensic traces of it or the executable file which was compiled from the code have been found at the time of this report.
Meaning, you have the executable and can't tell what it's supposed to do?
Because and this is key, the above is led with;
There is also evidence of bespoke malware in the form of source code (compiled within the network) used to gain access to ESD.
-
Repeatedly throughout this summary, are "Outdated systems" targeted by the attacker. Meaning that this school routinely sets up systems for some purpose and runs it until it's dead, never updating them.
Only having been caught with their pants down did they take these out of date systems offline.
-
@DustinB3403 said in ANU hacked by phishing email through the preview pane:
If there was some 0-day no-click that was to be exploited, the attacker could've sent a blank email to any number of targets at the university and been on the network.
There would be no reason to draft something up like with the multiple spearfishing examples that were prominently displayed.
And their 2 big takeaways from this attack was User training for spearfishing and PII privacy protections.
Not some factor of severely outdated software needing better maintenance.
you missed the whole point where I said perhaps the zero-day was patched, or otherwise prevented from being exploited.. so making the email with multiple attack vectors would be good.
Also, a blank email might trip their spam filter and get killed, etc.
-
@scottalanmiller said in ANU hacked by phishing email through the preview pane:
" The actor also gained access (through remote desktop) to a machine in a school which had a publicly routable IP address. Age and permissiveness of the machine and its operating system are the likely reasons the actor compromised this machine"
OMG... they exposed RDP on an outdated OS to the Internet and gave it a routable IP address!
nothing unsurprising here, really.
-
@scottalanmiller said in ANU hacked by phishing email through the preview pane:
"20−21 November 2018: the creation of attack station one.
Over the course of two days the actor downloaded tools and scripts to build attack station one. To
download these tools the actor also compromised a second Internet facing webserver using a webshell
and used this server to download software tools to attack station one. These tools were used to run
scripts and perform remote management tasks including scheduled deletion of logs to hide their
activities. The actor started to map the ANU network on 21 November. "They built an attack station remotely? This sounds fine until you hear the second part...
I don't understand the need to compromise a second machine, was the first compromised machine unable to get the desired tools because of a web filter?
"22 November 2018: the creation of virtual machines on attack station one.
The following day the actor set up two virtual machines on attack station one, one using Windows XP
and the second Kali Linux. Both operating systems were download using BitTorrent. "
So this was nested virtualization? Or somehow they managed to gain access to a physical box that they totally took over? They never mention the hypervisor at play here, but this is some crazy stuff that they are glossing over.
Why do you assume nested virtualization? Isn't station one a user's laptop/desktop? Assuming Windows 10, the attacker could have enabled Hyper-V then ran two VMs there. Or they could have installed virtualbox and built VMs there... I see no reason to consider nested virtualization.
-
@Dashrender one interesting tidbit from the Brian Krebs talk at SpiceWorld 2019 was him talking about how hackers typically take a couple weeks to surveil the landscape before executing their payload. Them getting in and then taking time to reinforce their toehold into the environment sounds like it's the norm now.
-
@DustinB3403 said in ANU hacked by phishing email through the preview pane:
Does that really count as no-click? I'd think this is more a scripted execution of their email client being allowed to execute scripts.
Has to be scripted execution for some environment. Email itself is plain text and cannot be a threat until a scripted execution decides to treat it as an executable.
-
@Dashrender said in ANU hacked by phishing email through the preview pane:
Why do you assume nested virtualization? Isn't station one a user's laptop/desktop? Assuming Windows 10, the attacker could have enabled Hyper-V then ran two VMs there. Or they could have installed virtualbox and built VMs there... I see no reason to consider nested virtualization.
Because they got a platform first. Then they created VMs on it. Where was this machine hiding if it was a physical machine? Anything like Hyper-V, VirtualBox, etc. would be incredibly noticeable. Especially given that we know how old the equipment that they were running there is. How you could hide building an attack platform on someone's desktop is beyond me. How the hell would no one notice?
-
@Nic said in ANU hacked by phishing email through the preview pane:
@Dashrender one interesting tidbit from the Brian Krebs talk at SpiceWorld 2019 was him talking about how hackers typically take a couple weeks to surveil the landscape before executing their payload. Them getting in and then taking time to reinforce their toehold into the environment sounds like it's the norm now.
They've had time to figure out that even big shops like a huge university have nothing looking for breaches, and nothing being secured. So why try to be fast?
-
@scottalanmiller said in ANU hacked by phishing email through the preview pane:
@Dashrender said in ANU hacked by phishing email through the preview pane:
Why do you assume nested virtualization? Isn't station one a user's laptop/desktop? Assuming Windows 10, the attacker could have enabled Hyper-V then ran two VMs there. Or they could have installed virtualbox and built VMs there... I see no reason to consider nested virtualization.
Because they got a platform first. Then they created VMs on it. Where was this machine hiding if it was a physical machine? Anything like Hyper-V, VirtualBox, etc. would be incredibly noticeable. Especially given that we know how old the equipment that they were running there is. How you could hide building an attack platform on someone's desktop is beyond me. How the hell would no one notice?
I still haven't read the 20 page doc... but I'm completely assuming the the attack station is a person's desktop, something that was commandeered via the phishing attack. It seemed likely that that machine is where they installed a hyper-visor.
I could easily see this being an executive machine that's more power than he ever needs, so having those VMs running there could be barely noticeable, and if the attacker was using the machine mainly while the user wasn't, then it would be even less noticeable to the end user. -
@Dashrender we know that station one was out of date, presumably running a much older OS as these systems were fully decommissioned once this was all discovered.
I would be highly suspect if hyperv was able to be setup on these systems, more likely some version of virtual box was installed, and used to run the operation from.
-
@Dashrender said in ANU hacked by phishing email through the preview pane:
I still haven't read the 20 page doc... but I'm completely assuming the the attack station is a person's desktop, something that was commandeered via the phishing attack. It seemed likely that that machine is where they installed a hyper-visor.
That's reasonable, but how the heck did they commandeer a desktop, install a hypervisor, run multiple VMs, and no one notice!!
-
@scottalanmiller said in ANU hacked by phishing email through the preview pane:
@Dashrender said in ANU hacked by phishing email through the preview pane:
I still haven't read the 20 page doc... but I'm completely assuming the the attack station is a person's desktop, something that was commandeered via the phishing attack. It seemed likely that that machine is where they installed a hyper-visor.
That's reasonable, but how the heck did they commandeer a desktop, install a hypervisor, run multiple VMs, and no one notice!!
That I would guess is the million dollar question. Like did they have workstations setup randomly throughout the school, like tucked in a closet and people just forgot to remove them?