ANU hacked by phishing email through the preview pane



  • @DustinB3403 said in ANU hacked by phishing email through the preview pane:

    since they have machines that were completely unaccounted for; for some duration of time that people forgot about them and those machines were targeted and used.

    Was that specifically stated in the 20 page paper? machine completely unaccounted for? And if they were - they wouldn't be machines that get phished on - that would have to be a user's machine being phished. Which remember, is where this whole thing started.



  • @Dashrender said in ANU hacked by phishing email through the preview pane:

    @DustinB3403 said in ANU hacked by phishing email through the preview pane:

    since they have machines that were completely unaccounted for; for some duration of time that people forgot about them and those machines were targeted and used.

    Was that specifically stated in the 20 page paper? machine completely unaccounted for? And if they were - they wouldn't be machines that get phished on - that would have to be a user's machine being phished. Which remember, is where this whole thing started.

    What? Are you being dense on purpose?

    You phish for credentials, not for a computer. Credentials can be used on any number of systems that are setup in a domain. Which specifically "the attacker was phishing for administrative credentials". Read the damn paper, because you're stating to sound absolutely flipping insane.

    Any number of workstations in a DOMAIN can have administrative credentials used on them, which is what you phish for. FFS!



  • @Dashrender said in ANU hacked by phishing email through the preview pane:

    @DustinB3403 said in ANU hacked by phishing email through the preview pane:

    since they have machines that were completely unaccounted for; for some duration of time that people forgot about them and those machines were targeted and used.

    Was that specifically stated in the 20 page paper? machine completely unaccounted for? And if they were - they wouldn't be machines that get phished on - that would have to be a user's machine being phished. Which remember, is where this whole thing started.

    They made a big point of showing that the machines being phished weren't used for any access.



  • @DustinB3403 said in ANU hacked by phishing email through the preview pane:

    @Dashrender said in ANU hacked by phishing email through the preview pane:

    @DustinB3403 said in ANU hacked by phishing email through the preview pane:

    since they have machines that were completely unaccounted for; for some duration of time that people forgot about them and those machines were targeted and used.

    Was that specifically stated in the 20 page paper? machine completely unaccounted for? And if they were - they wouldn't be machines that get phished on - that would have to be a user's machine being phished. Which remember, is where this whole thing started.

    What? Are you being dense on purpose?

    You phish for credentials, not for a computer. Credentials can be used on any number of systems that are setup in a domain. Which specifically "the attacker was phishing for administrative credentials". Read the damn paper, because you're stating to sound absolutely flipping insane.

    Any number of workstations in a DOMAIN can have administrative credentials used on them, which is what you phish for. FFS!

    Once again... AD being a risk 😉



  • @scottalanmiller said in ANU hacked by phishing email through the preview pane:

    Once again... AD being a risk

    Yeah it absolutely was in this case, but so would Samba. So half one half another. If the school was LAN-less I can't imagine how'd they'd operate. Since they clearly had no idea what was on their LAN in the first place.



  • @DustinB3403 said in ANU hacked by phishing email through the preview pane:

    @scottalanmiller said in ANU hacked by phishing email through the preview pane:

    Once again... AD being a risk

    Yeah it absolutely was in this case, but so would Samba. So half one half another. If the school was LAN-less I can't imagine how'd they'd operate. Since they clearly had no idea what was on their LAN in the first place.

    Basically what you are stating is that generally incompetence or cluelessness is really the underlying problem. Since they were doing "everything" badly, fixing any one or two things wouldn't actually make a difference.

    That said, SMB without AD does have benefits. Getting one password doesn't not get access to the next thing. It's not "get it once, get the keys to the kingdom" that AD tends to create (only tends, you CAN work around it.)



  • @scottalanmiller From the 20 page summation of the issue, there was literally nothing they could've not done to have fixed this issue ahead of it ever occurring.

    Basic documentation of what they had deployed and decommissioning of equipment to an employee being phished, credentials compromised, and then fished again a week or so later and no one noticing a pattern.

    Leaving legacy systems unaccounted for and running without ever being updated

    A lack of user training

    A lack of password policy and access control.

    It was all done in a wholly incompetent fashion, having fixed any one of them would've at least limited the damage, from having separate administrative accounts for their admins, to just decom'ing old crap on a regular basis (or at least updating it).



  • I'd be willing to bet that this university had the students setup their network without any oversight or understanding of how it was setup.

    "For today's class we'll be setting up AD 2003 and getting the entire school to use it - You get an A!" and they just let it run and run and run.

    I'm just taking a guess at the AD version, wasn't listed


Log in to reply