On December 21, 2018 the IT department of the Australian National University (ANU) detected unusual behavior on its network. Upon investigation they discovered that a compromised workstation on campus was being used as a command and control (C&C) server by a cyber criminal. They immediately shut down the workstation and severed the attacker's access to the network. They thought that it was an isolated incident. They were wrong.
By the time the C&C server was discovered, the attacker had already been in the network for over a month collecting login credentials, compromising servers and stealing financial and personal data. The attack, which began with a successful phishing attempt, was stopped when the C&C server was discovered; however, the hacker continued to attempt to infiltrate the network using the information they had collected until March 2019.
ANU has very courageously shared their story so that all of us could learn from it. Here is a step by step breakdown of the attack.
- A spear phishing email with an attachment is sent to a senior staff member. The email has a plausible premise for contact and looks like it is coming from within the University. The email results in the collection of the target's login credentials.
- The login credentials are used to access the senior staff member's calendar. Information for future spear phishing attacks is collected.
- The login credentials are used to access a webserver. The attacker sets up remote access on this server. This allows them to access the server without having to continue to use the stolen credentials and gives them the ability to access other devices connected to the server.
- An old, no longer used server is accessed from the compromised webserver using the stolen credentials. The credentials do not allow administrative access to this legacy server, limiting what the hacker can access.
- The hacker finds flaws in the system and uses them to elevate their privileges, giving them full administrative access and control over the legacy server.
- The attacker locates and compromises a second webserver.
- The second compromised webserver is used to download tools and scripts that are then installed on the legacy server. The legacy server becomes their command and control server. The tools downloaded are used to map the network and automatically delete logs so their presence wouldn’t be detected.
- The hacker creates a virtual machine on the second compromised webserver that scans monitored or redirected network traffic looking for additional login credentials.
- An old, outdated school workstation with a publicly routable IP address, located outside of the University's firewall, is compromised through remote desktop.
- The attacker uses an old mail server to send emails from the University. These emails likely contained network mapping, user and machine data.
- An encrypted connection designed to hide traffic between the hacker's computer and the University's network is established.
- The hacker begins intercepting data being transferred on the network and analyzing it. At this point, the attacker still does not have the level of network access that they are looking for as their stolen credentials don’t have the right permissions and they are only able to escalate them on an old server. Even with all of the work they have done, they are not able to move beyond a few compromised systems.
- A second spear phishing email is sent to one external and 10 internal email addresses. Only one login credential is stolen with limited privileges.
- This login is not enough to gain access to the desired servers. The hacker continues to look for additional credentials in the network traffic.
- The attacker gains access to file shares with found credentials. They focus on the ones storing finance and HR related files.
- Using the file share information the hacker tracks down the database servers but is unable to immediately gain access.
- The hacker uses password cracking tools to gain access to the database servers and then uses a commercial tool to search and extract database records from the database server.
- Database records are sent to the old compromised workstation and then outside of the university network.
- The attacker attempts to disable the email spam filters.
- The attacker sends out 50 spear phishing emails to University email addresses and 25 to emails outside of the University. They are able to steal credentials with administrator level access. It is at this point that ANU changed their firewall as part of their routine maintenance. This cut the hacker off from the legacy server and they lost access to their command and control server.
- After two weeks the hacker is able to compromise a machine running an old operating system, access the network again and set up a second command and control server. This machine is outside of the firewall and uses a publicly routable IP address.
- The attacker sends 40 spear phishing emails to ANU staff with privileged accounts. The emails contain information from the calendar breached after the first spear phishing attack. Several login credentials are obtained.
- ANU staff detect unusual activity on the network and take down the second command and control server. IT staff think this is an isolated incident.
- Repeated attempts to regain access to the ANU network and database are made and stopped.
- ANU publicly announces that they have had a breach.
- Within an hour the network was hit with a botnet attack that was stopped by ANU.
- The following night an attempted attack against the spam filter and mail gateway was unsuccessful.
- ANU continues to investigate the repeated attempts to access their database that occurred after the detection of the breach.
What can we learn from this? A few things stand out.
- This started with one phishing email.
- The people who received the phishing emails had no idea their login credentials were stolen.
- Even though the stolen credentials did not give the attacker the access they wanted, they were able to use vulnerabilities in the systems to escalate their privileges and gain greater access.
- Old machines that were no longer updated or maintained were compromised using known vulnerabilities.
To sum it all up, that phishing email that arrives in your inbox is usually just the beginning of a planned, concentrated and persistent effort to access your data. This effort often starts by quietly stealing your login credentials. When they can't convince you to give them your credentials, they will use password cracking tools to gain access. They can leverage known vulnerabilities in old systems to gain further access. These tactics, along with others, allow hackers to spend weeks collecting information off of a network without anyone noticing. This information is then used to carry out more attacks or is sold.
You can prevent this from happening just by stopping and thinking before you click, keeping your software updated, having a strong password and reporting suspicious emails to firstname.lastname@example.org. Let’s be safe out there!
As I predicted, hackers are starting to take advantage of the huge collections of free user credentials floating on the web. This week both Dunkin’ Donuts and OkCupid have had large numbers of their user accounts hacked with credential stuffing.
Credential stuffing is where hackers take a list of usernames and passwords and use them to try to log in to a site. They use computer programs that allow them to test thousands of login credentials in minutes. If someone is reusing passwords or using common or weak passwords, the hackers will have no problem accessing those accounts.
As those Dunkin' Donuts and OkCupid users found out, it is almost impossible to prevent hackers from accessing accounts this way. Sites can block most of the login attempts, but there will always be those that get through. Although Dunkin' Donuts' users originally lost access to their Perks accounts, the company replaced them and ensured customers didn't lose any value they had accumulated. The poor folks at OkCupid not only lost their accounts, but had to worry about criminals having access to private messages. Ouch!
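The reason sites only catch most attempts is that a stuffing run looks nothing like a brute-force attack on one account: each account sees one or two tries, so per-account lockouts never trigger. What stands out instead is one source trying many *different* usernames with a high failure rate. The following Python script is an added example (not part of the original post or of any of the companies named) showing that detection logic over a few constructed auth log lines; the log format, field names and thresholds are assumptions for illustration.

```python
"""Detect credential-stuffing patterns in authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not from any real system. Assumed format:
# "<ISO timestamp> login <OK|FAIL> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2019-02-12T08:00:01 login FAIL user=alice ip=203.0.113.10
2019-02-12T08:00:02 login FAIL user=bob ip=203.0.113.10
2019-02-12T08:00:02 login FAIL user=carol ip=203.0.113.10
2019-02-12T08:00:03 login FAIL user=dave ip=203.0.113.10
2019-02-12T08:00:03 login OK user=erin ip=203.0.113.10
2019-02-12T08:00:04 login FAIL user=frank ip=203.0.113.10
2019-02-12T08:00:04 login FAIL user=grace ip=203.0.113.10
2019-02-12T08:00:05 login FAIL user=heidi ip=203.0.113.10
2019-02-12T08:00:05 login OK user=ivan ip=203.0.113.10
2019-02-12T08:00:06 login FAIL user=judy ip=203.0.113.10
2019-02-12T08:05:00 login FAIL user=alice ip=198.51.100.7
2019-02-12T08:05:20 login FAIL user=alice ip=198.51.100.7
2019-02-12T08:05:45 login OK user=alice ip=198.51.100.7
2019-02-12T09:10:00 login OK user=bob ip=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, max_success_ratio=0.5):
    """Return {ip: stats} for source IPs whose activity looks like stuffing.

    Signal: within `window`, one IP attempts many distinct usernames and most
    attempts fail. A per-account lockout misses this because each account only
    sees one or two tries; grouping by source IP makes it visible. A legitimate
    user mistyping their own password (one username, then OK) is not flagged.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window` of time.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            ok = sum(1 for e in win if e["result"] == "OK")
            if len(users) >= min_distinct_users and ok / len(win) <= max_success_ratio:
                flagged[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    # Successful logins inside a stuffing run are the accounts
                    # whose reused passwords are now known; reset and notify them.
                    "succeeded": sorted(e["user"] for e in win if e["result"] == "OK"),
                }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

Run against the constructed log, the script flags 203.0.113.10 (ten usernames in six seconds, two of which succeeded) and ignores the user at 198.51.100.7 who got their own password right on the third try. The two successes are the real output: those are the accounts with reused passwords that need a forced reset, which is exactly the cleanup the affected companies had to do.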
So how do you protect yourself against credential stuffing?
- Don’t reuse passwords. I know, I know, I say this all the time, but I am going to say it one more time. I know it is inconvenient and a pain but it really is the only way to protect yourself.
- Use a password manager. This takes the sting out of my first recommendation. Password managers not only store your passwords, but make generating them and logging in a breeze.
- Use the new Password Checkup Chrome extension from Google. This puppy has already saved my bacon once. I had come up with a nice secure password. Turns out someone else involved in a data breach had come up with the same one. Password Checkup let me know so I could change it.
- Register with haveibeenpwned.com. If you register your email with them, they will email you when your email address shows up in a data breach. If you are still reusing passwords, this gives you time to change it. Credentials stolen in data breaches often show up on the dark web for sale before the breached company even knows their user’s data has been compromised.
- Enable two factor authentication on every account where it is available. Two factor authentication requires you to enter an authentication code or respond to a prompt from an authentication app only when you log in from an unknown device.
Have you stayed at one of the following hotels in the past 4 years?
- W Hotels
- St. Regis
- Sheraton Hotels & Resorts
- Westin Hotels & Resorts
- Element Hotels
- Aloft Hotels
- The Luxury Collection
- Tribute Portfolio
- Le Meridien Hotels & Resorts
- Four Points by Sheraton
- Design Hotels
Lucky you!! There is a possibility your name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure data, reservation dates and/or credit card information were stolen in a data breach. Marriott has reported that unauthorized access to their guest reservation database occurred on or before Sept 10 of this year. However, they acknowledge that the criminals have been inside the company's network since 2014.
In response they have set up a dedicated website, established a call center to answer questions and will be emailing those affected. To make their customers feel better they are also offering a free one-year subscription to an internet monitoring service. When a subscriber's personal information is found on the web, they are notified. This service is available to customers in Canada.
Dell has announced that on November 9 they detected an intrusion into its systems. Customers' names, email addresses and passwords were involved in the breach. However, Dell did not find any evidence that any of this information was actually extracted. To be safe, all customers were forced to reset their passwords.
If you have had financial information stored in your Dell account, keep an eye on your credit card statements. There is no evidence any of this information was affected, but it's not unusual for a company to initially report everything is okay, there is nothing to see, and then a month later (after the executives have sold their shares) reveal all your personal data has been stolen. Yes Equifax, I am talking about you.
Not every hacker makes their money by breaking into accounts and stealing funds or ransoming your data. Some hackers are content to simply break into servers and steal usernames, passwords and other personal information that they then sell on the dark web. It is quite a niche business.
To combat this evil, an enterprising fellow named Troy Hunt created a tool that scans the dark web looking for stolen data that is for sale. You can access this information for free at Have I Been Pwned. Simply visit the website and enter your email address. It will tell you if any of your accounts using that email have been breached.
This gives you the opportunity to change your password and username or delete the account. This is an easy process if you don’t reuse passwords. It is a huge headache if you do. What’s even cooler, you can subscribe to an alert service so they will automatically notify you when there is a new account breach. This is so awesome, Mount Royal even subscribes.
We get notified when anyone with an @mtroyal.ca email is involved in a breach. We also get told which account was breached. We are aware that password reuse still happens. By being notified of breaches we can make sure our users change their passwords so hackers cannot use their accounts to gain access to the network.
So if you are using your @mtroyal.ca account to sign up for the adult furry website High Tail Hall, we will know about it. To make matters worse, we have to contact you to let you know about the breach. It gets awkward for everyone.
This is a friendly reminder, only use your @mtroyal.ca email account for business. IT Services thanks you.
The BBC Russian Service has found data from 81 000 Facebook profiles sitting on the web. The data is apparently just a small sample of what was taken from 120 million accounts by a hacker selling his haul. It is hard to know if 120 million profiles were indeed hacked or if the breach is limited to what is currently on display. One would think that Facebook would notice 120 million profiles being accessed, so my guess is they don’t have much more than the small sample. After all, criminals aren’t known for their honesty.
Facebook is blaming malicious browser extensions. They are reporting that the extensions were monitoring users' Facebook activity while shuttling personal information as well as private conversations to the hackers. The majority of information taken was from Ukrainian and Russian users; however, profiles from all over the world were also pilfered.
This is a reminder to be wary of browser extensions. As with apps, only download ones that:
- You really need
- Have good reviews
- Have lots of downloads
- Come from reputable sites
Malicious browser extensions can be very difficult to detect as extensions update automatically. This allows hackers to create extensions that are harmless, until their first update. After that your handy extension starts doing all sorts of nasty things.
To reduce the risk, if you really need a particular browser extension consider disabling it when you aren’t using it. Lastly once you no longer need the extension, remove it from your browser.
Today Facebook announced that they have discovered hackers have stolen 50 million access tokens. These tokens allow them to take over an account without having to login with a password. They did it by taking advantage of a vulnerability in the View As feature that allows users to see what their account looks like when viewed by others.
To solve the problem, they have logged out all the users who they believe were affected and disabled the View As feature. As often happens in these types of breaches, there is a possibility that at a later date they may find there are more people affected than originally thought.
To be on the safe side I suggest that you logout of Facebook by going to Settings and selecting Security and Login. There you can logout of all your devices at once with a single click. Alternatively, this might be a good time to get rid of Facebook all together.
If you have a Netflix, Hulu or HBO Go account, you should reset your password. Irdeto has reported finding passwords to those services for sale on the dark web. This is an easy fix if you have a unique password for every account. If however you reuse passwords, this news is going to ruin your day. Good luck even remembering all the accounts that you have, let alone which ones use the same password.
I hate to sound like a broken record, but this is just one more reason to make sure you use unique passwords on all your accounts. This might also be a good time to break down and start using a password manager to keep track of all of them as well.
Researchers have stumbled across two of TeenSafe's servers containing databases that list parent emails, their child's Apple ID email address and password, device names and unique identifiers in plain text. Because the information isn't encrypted, anyone who gains access to the server can read the information.
Once TeenSafe was notified of the leak, the servers were taken offline. However, if you are a user of TeenSafe, you should change your password and have your child change their Apple ID password. Of course, if you have reused passwords you will also have to change the password for every account that uses the same password. Just another reminder to use a unique password for every account.
A college that we communicate with regularly has had one of their email accounts compromised. As a result, several people around campus have received emails with requests to Download Attachments from Sharefile. The emails look like this:
The name of the college and the email sender have been blurred out to protect their privacy.
What makes these emails so devious is that they come from someone that Mount Royal staff have been conversing with recently. This makes it much more challenging to identify them as malicious.
This is a gentle reminder to everyone: when you receive an unexpected email with a link or attachment, contact the sender using a contact number that you have used in the past or have found through Google. Even if you have been speaking with them recently, if you aren't expecting the email, call to confirm its legitimacy. Just because an email looks like it comes from someone you know doesn't mean it does.
That is what our brave Mount Royal employee did and as a result prevented a potentially serious cyber security incident. Had they simply clicked on the Download Attachments button and followed the instructions, they would have given the hacker their Docusign credentials. Who knows what that would have led to.