ANU hacked by phishing email through the preview pane





  • The attackers setup Virtual Machines on their network, and NO ONE noticed!



  • @DustinB3403 clearly they need a SIEM!



  • @Nic Even the spearfishing attacks had all of the trademarks of "something is going on here". With typo's, basic grammatical errors etc.

    With the claim of "no one clicked on anything" and they were compromised I find highly suspect. As in the original email, it says "An explanatory note is attached for ease of reference on the contents how the was developed."

    No one opened that attachment? BS. Also what the hell does that sentence even mean?



  • I'd bet dollars to donuts that the attachment was opened, and contained some malicious software that allowed the attacker in.

    This claim of "they didn't even open the email" is absurd, someone absolutely opened an email, clicked a link or opened an attachment.



  • @DustinB3403 said in ANU hacked by phishing email through the preview pane:

    I'd bet dollars to donuts that the attachment was opened, and contained some malicious software that allowed the attacker in.

    This claim of "they didn't even open the email" is absurd, someone absolutely opened an email, clicked a link or opened an attachment.

    If they are recklessly using something like Outlook, there is a reasonable possibility that they didn't click on a link. But, we simply can't believe anything because the article is clearly falsified.



  • @Nic said in ANU hacked by phishing email through the preview pane:

    @nadnerB said in ANU hacked by phishing email through the preview pane:

    Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803

    Here's the link straight to the PDF of the report that has all the details in it:
    http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf

    Here is a bit that is odd from that...

    "The initial means of infection was a sophisticated spearphishing email which did not require user
    interaction, ie clicking on a link or downloading an attachment."

    Why would they bother making a "sophisticated spearphishing" attack, if the email didn't require any interaction? The spearphishing would be entirely pointless. So this is beyond fishy.

    They then define spearphishing as: " Spear-phishing emails are a form of malicious email targeting an individual or organisation. They mimic legitimate mail and contain malicious attachments or links designed to steal credentials or enable the install malware."

    So by claiming that it was spearphishing, and defining spearphishing, they now have conflicting claims. In one case they claimed that it contained malicious attachments or links, in the other they claim that it did not.



  • This quote: "The actor’s activity was contained to a handful of systems, although they had gained broader access."

    Clearly written by someone who doesn't speak English. The first half of the system, it was contained. But in the second half, it was not contained. Um....



  • What I find even more weird is that the school is some how monitoring the PII details of all of the people who's information was compromised, and they are able to determine that the information hasn't been used by the attacker.

    How?! It was 6 weeks before they even knew anything was up!



  • @DustinB3403 said in ANU hacked by phishing email through the preview pane:

    I'd bet dollars to donuts that the attachment was opened, and contained some malicious software that allowed the attacker in.

    This claim of "they didn't even open the email" is absurd, someone absolutely opened an email, clicked a link or opened an attachment.

    why do you claim this? do you not believe there are zero-click exploits in anything?

    Chrome and IE both recently had zero click exploits - simply visiting a webpage would exploit them and give full control to a hacker.
    Assuming Outlook was the culprit for this attack, and Outlook uses IE and Word to display stuff - it's very conceivable that a zero-click exploit was used against these people.

    The claim that the email wasn't opened is a false claim - as almost everyone these days uses preview mode - which is the same as opening the email.



  • @DustinB3403 said in ANU hacked by phishing email through the preview pane:

    What I find even more weird is that the school is some how monitoring the PII details of all of the people who's information was compromised, and they are able to determine that the information hasn't been used by the attacker.

    How?! It was 6 weeks before they even knew anything was up!

    LOL, the blind protecting the blind.



  • @Dashrender said in ANU hacked by phishing email through the preview pane:

    why do you claim this? do you not believe there are zero-click exploits in anything?

    I think it is more "there is no reason to believe a known liar when they claim that the obvious did not happen."

    If you had this conversation with a cop, they'd point out that the known thief, already caught lying about his alibi, who was caught with the goods on him, is very unlikely to be telling the truth when he said that he didn't do it. Is it possible he didn't do it? Yes, of course. But there is no reason to believe him as it's already established that there is evidence against him and that he's already lying about the event in question.



  • @Dashrender said in ANU hacked by phishing email through the preview pane:

    @DustinB3403 said in ANU hacked by phishing email through the preview pane:

    I'd bet dollars to donuts that the attachment was opened, and contained some malicious software that allowed the attacker in.

    This claim of "they didn't even open the email" is absurd, someone absolutely opened an email, clicked a link or opened an attachment.

    why do you claim this? do you not believe there are zero-click exploits in anything?

    Chrome and IE both recently had zero click exploits - simply visiting a webpage would exploit them and give full control to a hacker.
    Assuming Outlook was the culprit for this attack, and Outlook uses IE and Word to display stuff - it's very conceivable that a zero-click exploit was used against these people.

    The claim that the email wasn't opened is a false claim - as almost everyone these days uses preview mode - which is the same as opening the email.

    I find it weird because the 20 page summary of the issues shows the spearfishing attempts! They clearly opened the emails to get those screenshots they provided.

    If their security team opened it, then certainly the end user did.

    I did not once say that zero-clicks don't exist, I just find it highly unlikely with the low quality of the spearfishing attempts made.



  • @scottalanmiller said in ANU hacked by phishing email through the preview pane:

    @Nic said in ANU hacked by phishing email through the preview pane:

    @nadnerB said in ANU hacked by phishing email through the preview pane:

    Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803

    Here's the link straight to the PDF of the report that has all the details in it:
    http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf

    Here is a bit that is odd from that...

    "The initial means of infection was a sophisticated spearphishing email which did not require user
    interaction, ie clicking on a link or downloading an attachment."

    Why would they bother making a "sophisticated spearphishing" attack, if the email didn't require any interaction? The spearphishing would be entirely pointless. So this is beyond fishy.

    They then define spearphishing as: " Spear-phishing emails are a form of malicious email targeting an individual or organisation. They mimic legitimate mail and contain malicious attachments or links designed to steal credentials or enable the install malware."

    So by claiming that it was spearphishing, and defining spearphishing, they now have conflicting claims. In one case they claimed that it contained malicious attachments or links, in the other they claim that it did not.

    yeah - it's bad writing for sure... but it could easily be both... If there was an unpatched vulnerability, that would be exploited.. but they could also include a link to an infected page in case there was no zero-click vulnerability.



  • @Dashrender said in ANU hacked by phishing email through the preview pane:

    Chrome and IE both recently had zero click exploits - simply visiting a webpage would exploit them and give full control to a hacker.

    That's not really relevant here, thought. That "something" has a zero day flaw, is not the same as what is being said.



  • @Dashrender said in ANU hacked by phishing email through the preview pane:

    Assuming Outlook was the culprit for this attack, and Outlook uses IE and Word to display stuff - it's very conceivable that a zero-click exploit was used against these people.

    Assuming Outlook is the culprit, then the wording of the result is untrue. We assume this to be true, but to do so means you have already assumed them to be lying.

    And Outlook is simply automating clicks. Under normal circumstances, we don't call that zero interaction. It's a predetermined, automated interaction.

    The email layer itself is safe from this. It required an additional, unique application to be told to run code where code isn't supposed to exist. In no other situation do we call that a zero touch situation. If you automated an attack with a script anywhere else, you'd never accept that wording.



  • @DustinB3403 said in ANU hacked by phishing email through the preview pane:

    @Dashrender said in ANU hacked by phishing email through the preview pane:

    @DustinB3403 said in ANU hacked by phishing email through the preview pane:

    I'd bet dollars to donuts that the attachment was opened, and contained some malicious software that allowed the attacker in.

    This claim of "they didn't even open the email" is absurd, someone absolutely opened an email, clicked a link or opened an attachment.

    why do you claim this? do you not believe there are zero-click exploits in anything?

    Chrome and IE both recently had zero click exploits - simply visiting a webpage would exploit them and give full control to a hacker.
    Assuming Outlook was the culprit for this attack, and Outlook uses IE and Word to display stuff - it's very conceivable that a zero-click exploit was used against these people.

    The claim that the email wasn't opened is a false claim - as almost everyone these days uses preview mode - which is the same as opening the email.

    I find it weird because the 20 page summary of the issues shows the spearfishing attempts! They clearly opened the emails to get those screenshots they provided.

    If their security team opened it, then certainly the end user did.

    I did not once say that zero-clicks don't exist, I just find it highly unlikely with the low quality of the spearfishing attempts made.

    I haven't looked at the 20 page paper yet - Thought I thought they only said (through quotes here) that yes, the email was opened - but no - no links/attachments were opened.

    are you saying that they did in fact claim the emails themselves were never opened?



  • Dash, the story and summation says this

    Spearfishing attempt to targeted users then an internal system was compromised.

    Not that there was some magical 0-day no-click that immediately allowed the hackers in. Is it possible, maybe, but the much more believable thing to have occurred is that from the first spearfishing attack, someone opened the attachment.



  • @Dashrender said in ANU hacked by phishing email through the preview pane:

    The claim that the email wasn't opened is a false claim - as almost everyone these days uses preview mode - which is the same as opening the email.

    Right, and this establishes that either they are just making things up because even "what email is" is something that they don't understand: in which case we must assume the entire event is false information.

    Or if they do know what email is, then they are malicious actors trying to cover something up.

    In either case, the result is "we can't trust their explanantion of events."



  • @Dashrender said in ANU hacked by phishing email through the preview pane:

    @scottalanmiller said in ANU hacked by phishing email through the preview pane:

    @Nic said in ANU hacked by phishing email through the preview pane:

    @nadnerB said in ANU hacked by phishing email through the preview pane:

    Here's a better article: https://www.itnews.com.au/news/anu-hackers-built-shadow-ecosystem-to-stay-hidden-for-six-weeks-531803

    Here's the link straight to the PDF of the report that has all the details in it:
    http://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf

    Here is a bit that is odd from that...

    "The initial means of infection was a sophisticated spearphishing email which did not require user
    interaction, ie clicking on a link or downloading an attachment."

    Why would they bother making a "sophisticated spearphishing" attack, if the email didn't require any interaction? The spearphishing would be entirely pointless. So this is beyond fishy.

    They then define spearphishing as: " Spear-phishing emails are a form of malicious email targeting an individual or organisation. They mimic legitimate mail and contain malicious attachments or links designed to steal credentials or enable the install malware."

    So by claiming that it was spearphishing, and defining spearphishing, they now have conflicting claims. In one case they claimed that it contained malicious attachments or links, in the other they claim that it did not.

    yeah - it's bad writing for sure... but it could easily be both... If there was an unpatched vulnerability, that would be exploited.. but they could also include a link to an infected page in case there was no zero-click vulnerability.

    That's possible. But if so, feels like it makes the whole thing even worse.



  • @Dashrender said in ANU hacked by phishing email through the preview pane:

    I haven't looked at the 20 page paper yet - Thought I thought they only said (through quotes here) that yes, the email was opened - but no - no links/attachments were opened.

    The official wording is that they "only previewed it", which is fine to say. And that they did not "open an attachment". Totally different than what the article said that they said.



  • If there was some 0-day no-click that was to be exploited, the attacker could've sent a blank email to any number of targets at the university and been on the network.

    There would be no reason to draft something up like with the multiple spearfishing examples that were prominently displayed.

    And their 2 big takeaways from this attack was User training for spearfishing and PII privacy protections.

    Not some factor of severely outdated software needing better maintenance.



  • "20−21 November 2018: the creation of attack station one.
    Over the course of two days the actor downloaded tools and scripts to build attack station one. To
    download these tools the actor also compromised a second Internet facing webserver using a webshell
    and used this server to download software tools to attack station one. These tools were used to run
    scripts and perform remote management tasks including scheduled deletion of logs to hide their
    activities. The actor started to map the ANU network on 21 November. "

    They built an attack station remotely? This sounds fine until you hear the second part...

    "22 November 2018: the creation of virtual machines on attack station one.
    The following day the actor set up two virtual machines on attack station one, one using Windows XP
    and the second Kali Linux.
    Both operating systems were download using BitTorrent. "


    So this was nested virtualization? Or somehow they managed to gain access to a physical box that they totally took over? They never mention the hypervisor at play here, but this is some crazy stuff that they are glossing over.



  • Other software used by the actor included network session capture and mapping tools, bespoke
    clean-up, JavaScript and PowerShell scripts as well as a proxy tool. The actor downloaded several
    types of virtualisation software before selecting one and downloaded disk images for Windows XP and
    Kali Linux. There is little evidence to suggest much use of Kali Linux.
    

    Ha. . . so the hacker setup VM's on your network and used WINDOWS XP to own this school's systems for 6 weeks. . .



  • " The actor also gained access (through remote desktop) to a machine in a school which had a publicly routable IP address. Age and permissiveness of the machine and its operating system are the likely reasons the actor compromised this machine"

    OMG... they exposed RDP on an outdated OS to the Internet and gave it a routable IP address!



  • @scottalanmiller Probably windows xp!



  • Okay, so @scottalanmiller this is from the analysis portion

        The first phishing email was designed to be interaction-less and likely used some form of scripting. It is assumed the actor anticipated a high degree of security awareness on the part of the intended recipient. Unfortunately, a copy of this email was not recoverable, so further analysis is not possible. 
         
        Subsequent phishing attachments were designed to harvest credentials and used similar scripts. The user opened the attached Word document and the credentials were sent to the remote server. All the attachments in the second, third and fourth spear-phishing cycles used the same technique with the credentials sent to the active attack station instead of the internet.
    

    Does that really count as no-click? I'd think this is more a scripted execution of their email client being allowed to execute scripts.



  • The article even got the year estimation wrong.

    19 years, not 20.

    Due to the operational security and clean-up operations of the actor, it has not been possible to retrieve copies of the files exfiltrated from the network. In some cases, there was enough forensic and log data to ascertain file sizes. However, because these files were compressed and likely to have been encrypted, it is difficult to infer what specific data sets was taken from the affected systems. However, based on log analysis and known data volumes it is highly likely that the actor took much less than the 19 years’ worth of data first noted at the time of the breach announcement.
    

    From the article

    The university confirmed the attack months after it occurred, and is now thought to have netted "considerably less" than 20 years worth of data as originally expected.


  • This bit is disconcerting.

    The purpose of this code remains unknown, and no forensic traces of it or the executable file which was compiled from the code have been found at the time of this report. 
    

    Meaning, you have the executable and can't tell what it's supposed to do?

    Because and this is key, the above is led with;

    There is also evidence of bespoke malware in the form of source code (compiled within the network) used to gain access to ESD.


  • Repeatedly throughout this summary, are "Outdated systems" targeted by the attacker. Meaning that this school routinely sets up systems for some purpose and runs it until it's dead, never updating them.

    Only having been caught with their pants down did they take these out of date systems offline.


Log in to reply