Last week we launched the Cybersecurity Survey. Unfortunately the survey contained an error that kept students from completing it. The survey is now fixed.
If you had tried to complete the survey but were unable to, please give it another try. Your entry into the $50 gift certificate to the Table is waiting.
Thank you for your patience. We apologize for the inconvenience.
It’s that time of year again when we look back at how we have done for the last 12 months and determine how we can improve. It is cybersecurity survey time!!! Yes, you read correctly the Cybersecurity Survey is ready for your input. Whoo hoo, I can just feel your excitement!
The good news is for completing the survey, you earn a contest entry code for the Cybersecurity Challenge. The better news is we have a sponsor for this year’s survey. I know there will be those of you who were looking forward to winning a grab bag of swag. However you sick folks are going to have to settle for a gift certificate from the Table. That’s right, the terrific folks at NetApp are donating a $50.00 gift certificate. !
To get your free food, you only need to take 5 to 10 min to complete the survey. Your feedback helps shape the cybersecurity awareness program for the next year. Remember we want to know what you ARE doing not what you should be doing. The survey is completely anonymous, so you are free to be 100% honest. The contest draw is independent of the survey so you can give us your anonymous feedback and still enter. You have until November 30, 2019 to complete the survey, we will do the draw that day. We look forward to hearing from you!
Tuesday morning was an exciting one for the security team. Over 900 inboxes received the following email.
I am delighted to report that a huge number of you were superheros and forwarded the email to firstname.lastname@example.org. Thanks to you we were able to block the target page and limit any damage. Even though so many of you spotted the email as a phish right away, with the high number of recipients Marketing and Communications made the unusual decision to issue a campus wide alert.
While we were investigating the incident, we discovered that the attacker spent a lot of time viewing our Payroll webpage. There is an excellent chance that the attacker will use this information in the near future to create another phishing email.
We are asking everyone across campus to keep an eye out for payroll or HR related phishing emails in the next little while. If you receive an email that appears to come from HR or Payroll, please check the email address for accuracy. If it is correct, please call the sender to confirm that they actually sent the email.
Should you find the email to be malicious, do what your colleagues did this morning and forward the email to email@example.com. You too can be a superhero!
On December 21, 2018 the IT department of the Australian National University (ANU) detected unusual behavior on its network. Upon investigation they discovered a compromised workstation on campus was being used as a command and control (C&C) server by a cyber criminal. They immediately shut down the workstation and severed the attackers access to the network. They thought that it was an isolated incident. They were wrong.
By the time the C&C server was discovered, the attacker had already been in the network for over a month collecting login credentials, compromising servers and stealing financial and personal data. The attack which began with a successful phishing attempt, was stopped when the C&C server was discovered, however the hacker continued to attempt to infiltrate the network using the information they had collected until March 2019.
ANU has very courageously shared their story so that all of us could learn from it. Here is a step by step break down of the attack.
- Spear phishing email with an attachment is sent to a senior staff member. The email has a plausible premise for contact and looks like it is coming from within the University. The email results in the collection of the targets login credentials.
- Login credentials are used to access the senior staff members calendar. Information for future spear phishing attacks is collected.
- Login credentials are used to access a webserver. The attacker sets up remote access on this server. This allows them to access the server without having to continue to use the stolen credentials as well as gives them the ability to access other devices connected to the server.
- An old, no longer used server is accessed from the compromised webserver using the stolen credentials. The credentials do not allow administrative access to this legacy server limiting what the hacker can access.
- The hacker finds flaws in the system and uses them to elevate their privileges, giving them full administrative access and control over the legacy server.
- The attacker locates and compromises a second webserver.
- The second compromised webserver is used to download tools and scripts that are then installed on the legacy server. The legacy server becomes their command and control server. The tools downloaded are used to map the network and automatically delete logs so their presence wouldn’t be detected.
- The hacker creates a virtual machine on the second compromised webserver that scans monitored or redirected network traffic looking for additional login credentials.
- An old outdated school workstation with a publicly routable IP address located outside of the University’s firewall is compromised through a remote desktop.
- The attacker uses an old mail server to send emails from the University. These emails likely contained network mapping, user and machine data.
- An encrypted connection designed to hide traffic between the hackers computer and the University’s network is established
- The hacker begins intercepting data being transferred on the network and analyzing it. At this point, the attacker still does not have the level of network access that they are looking for as their stolen credentials don’t have the right permissions and they are only able to escalate them on an old server. Even with all of the work they have done, they are not able to move beyond a few compromised systems.
- A second spear phishing email is sent to one external and 10 internal email addresses. Only one login credential is stolen with limited privileges.
- This login is not enough to gain access to the desired servers. The hacker continues to look for additional credentials in the network traffic.
- The attacker gains access to file shares with found credentials. They focus on the ones storing finance and HR related files.
- Using the file share information the hacker tracks down the database servers but is unable to immediately gain access.
- The hacker uses password cracking tools to gain access to the database servers and then uses a commercial tool to search and extract database records from the database server.
- Database records are sent to the old compromised workstation and then outside of the university network.
- The attacker attempts to disable the email spam filters.
- The attacker sends out 50 spear phishing emails to University email addresses and 25 to emails outside of the University. They are able to steal credentials with administrator level access. It is at this point that ANU changed their firewall as part of their routine maintenance. This cut the hacker off from the legacy server and they lost access to their control and command server.
- After two weeks the hacker is able to compromise a machine running an old operating system, access the network again and set up a second control and command server. This machine is outside of the firewall and using publicly routed IP addresses.
- The attacker sends 40 spear phishing emails to ANU staff with privileged accounts. The emails contain information from the calendar breached after the first spear phishing attack. Several login credentials are obtained.
- ANU staff detect unusual activity on the network and take down the second control and command server. IT staff think this is an isolated incident.
- Repeated attempts to regain access to the ANU network and database are made and stopped.
- ANU publicly announces that they have had a breach.
- Within an hour the network was hit with a botnet attack that was stopped by ANU.
- The following night an attempted attack against the spam filter and mail gateway was unsuccessful.
- ANU continues to investigate the repeated attempts to access their database.that occurred after the detection of the breach.
What can we learn from this? A few things stand out.
- This started with one phishing email.
- The people who received the phishing emails had no idea their login credentials were stolen.
- Even though the stolen credentials did not give the attacker the access they wanted, they were able to use vulnerabilities in the systems to escalate their privileges and gain greater access.
- Old machines that were no longer updated or maintained were compromised using known vulnerabilities.
To sum it all up, that phishing email that arrives in your inbox is usually just the beginning of a planned, concentrated and persistent effort to access your data. This effort often starts by quietly stealing your login credentials. When they can’t convince you to give them their credentials, they will use password cracking tools to gain access. They can leverage known vulnerabilities in old systems to gain further access. These tactics along with others allows hackers to spend weeks collecting information off of a network without anyone noticing. This information is then used to carry out more attacks or is sold.
You can prevent this from happening just by stopping and thinking before you click, keeping your software updated, having a strong password and reporting suspicious emails to firstname.lastname@example.org. Let’s be safe out there!
This quarter our main message has been Keep your Password Secret. The reason is, sharing your password is against our Acceptable Use Policy (AUP) and puts yourself and our network at risk. The purpose of keeping your password secret is to prevent other people from having access to information and applications that they shouldn’t as well as to provide accountability.
Much to my surprise, it has been discovered that employees are logging into applications, workstations and systems with their own credentials and then letting someone else use those same applications, workstations and systems. While they are indeed keeping their passwords secret, they are still violating our AUP and exposing themselves to the same risks just as if they had just handed over their password. They risk is not just the loss of data, but also being held accountable for something that they did not do.
That is exactly what happened this week. A supervisor logged into an application using their credentials and then let their reports use the application. While one of the reports was using the system, they made changes to data they were not authorized to make. Because the supervisor’s credentials were used, they were questioned about the changes. The supervisor denies they made the changes, however there is no way to track who in fact made them.
I am also aware of similar situations occurring when guests are brought on campus. Some departments have been asking their administrative assistants to login to a workstation and then turn the workstation over to a guest speaker. This is also a violation of the AUP.
If you have a guest coming to speak on campus, they are required to bring their own laptop and then connect to the visitor WiFi, MRvisitor. If they do not have a laptop, they can borrow one from the library. At no point are visitors allowed to have access to our internal WiFi, MRsecure, our workstations or computers stored in smart cabinets.
Repeatedly sharing passwords or logging in and letting others use workstations or applications will result in your account being locked down. If you have any questions regarding the sharing of passwords or credentials, please refer to our AUP or contact the IT Service Desk at 403-440-6000.
For a while now, I have been warning about clicking on links in emails from organizations that you know. Instead, I have encouraged all of you to visit the organizations website directly using a bookmark. A report of a new phishing campaign targeting Stripe users shows why this advice is so important to take.
This campaign involves an email that tells the intended victim that there is something wrong with their account details. They are asked to login to their Stripe account to update them and given a handy button that appears to take them to the Strip login page. The page is of course a spoof and although it looks exactly like the real one, all credentials entered are collected by the thieves.
The fraudulent page is set up so that once you have entered your credentials in the fake login page, they use them to log you into your actual account. From your point of view, nothing is amiss. They now have your login credentials, you are non the wiser and they have hours if not days to withdraw funds before you even notice.
Although this campaign is targeting Stripe users at the moment, the same tactic is used to target all sorts of users. This is a gentle reminder to not click on links in emails from organizations that you know, but to use a bookmark instead. If you don’t have the site bookmarked you can use a search results, however proceed with caution as more and more fraudulent sites are appearing there.
Mount Royal employees are receiving fraudulent calls from individuals pretending to be from the Canadian government. The caller explains there is an issue with your SIN number and as a result you are subject to legal action. You are asked to contact them immediately. Upon contacting them, you are told you must pay thousands in bitcoin to avoid being charged with fraud. This scam is similar to one currently making the rounds in Regina.
What makes this scam so concerning is the fraudsters are spoofing government agencies so the call looks like it is official. As well they are often robocalls which makes them sound even more legitimate. In response, the Canadian Anti-Fraud Centre has issued an alert asking people to be vigilant.
No government of Canada agency will call you over the phone and threaten you or ask for payment. Neither will the RCMP or police. If you receive a call of this nature, hang up the phone. If you are concerned there may be an issue with your SIN you can contact the government directly by visiting their website. You can also check with Equifax and Transunion to see if your SIN has been used to obtain additional credit without your knowledge.
Those clever cybercriminals have come up with another tactic to get you to click on something you shouldn’t. Introducing the “I found an ID pass”, phishing email.
What makes this email so diabolical, is it has no sense of urgency. In fact it asks nothing of you at all. It simply lets you know that a pass was found and it is being mailed. It’s calm, indifferent manner lull’s you into thinking the email is harmless. It counts on the reader being so curious that they throw caution to the wind and click on the link to see whose ID was found. Quite ingenious really.
If you receive an email of this sort, delete it and wait for the mail to arrive.
One sure fire way to avoid becoming a victim of a cyberattack is to call the email sender to verify that they in fact sent the email. That is a message that I preach over and over again all over campus. I am happy to report that my message is being heard and acted upon…sort of.
Here is the email that one of our staff received in their inbox.
The staff member knows the sender and aside from the poor grammar, the email is spot on. The attachment was indeed a Sharepoint document, so she opened it. However when she found nothing but a greeting link to another document she paused. She knew that email addresses could be spoofed and realized she should confirm the legitimacy of the email. So she sent this email.
She correctly did not reply to the original email. But created a new one and sent it using an email address in her contact list. This is the reply that she received.
Before she could check the invoice, she received this email.
The sender’s email account had been hacked! It didn’t occur to our staff member that if someone else was using her colleague’s email address, it wouldn’t be her colleague who responded . She gets an A for verifying the legitimacy of the email. But she gets a F for talking to the hacker.
The lesson has been learned. When confirming email legitimacy, use the darn phone. A 30 second phone call can save you from a world of hurt.
The tools that cybersecurity professionals use are getting more and more sophisticated. They can now identify a known malicious link or attachment and strip it from the email so it never arrives in your inbox. To get around that limitation, hackers are hiding their malicious links and attachments in legitimate documents. This latest attack is a perfect example of that tactic.
This one is scary in it’s precision. It was sent to only two email addresses. Both recipients have higher level network and financial access. The email looks like this
It looks innocent enough. In fact, if you check the link it goes to a Microsoft site. Clicking the link takes you here.
This is a legitimate OneNote notebook. The icons however are just pictures, not clickable links and the links below them are flagged as malicious. Had the user clicked on the link, their login credentials would have been quietly harvested.
In this type of attack, the hacker often shares or pretends to share a document with you. The email usually asks for your input and is purposely vague and low key. Should you open one of these documents and find only links to another document, close the document and contact the IT Service desk. Your quick action could save your data.