Sunday, October 06, 2019

The Cyber Capabilities Of Some Cyber Criminals Are Pretty Impressive And Really Worrying.

As a really great public service the Australian National University has made public its review of a major data breach it suffered beginning about a year ago.
Here is some coverage of the findings:

ANU cyber attack began with email to senior staff member

Andrew Tillett Political Correspondent
Oct 2, 2019 — 4.15pm
The Australian National University's investigation into the hacking of students' personal data has failed to identify a culprit or exonerate suspects but the nature of the data stolen suggests fraud may have been a motive.
While some in the security community believed China was behind the cyber attack, given past form and ANU's rich trove of sensitive data and research, the university will only describe the perpetrator as a "sophisticated actor".
"It's very difficult to come up with any definitive conclusion, and speculation I think is potentially harmful," vice-chancellor Brian Schmidt said.
The hackers got away with only 700 megabytes of staff and student data – a compact disc's worth – out of the two terabytes that was stored in the compromised databases they had access to for six weeks.

The data the hackers had access to was up to 19 years old but the university cannot say which students and staff were affected or even how many.
"It's data I don't think any of us would want to be shared but it's not super private," Professor Schmidt said.
Investigators estimate a team of five to 15 hackers worked round the clock and tried repeatedly to access the university's Enterprise Systems Domain, which houses human resources, financial management and student administration data.
They first successfully breached the system on November 9 last year by sending a spearphishing email to a senior member of the university's staff. While such tactics often require the recipient to click on a link or download an attachment to be compromised, the hack only required the email to be previewed for the credentials to be stolen.
Within days, the hackers were able to take control of a webserver and then a "legacy server" that was about to be decommissioned which gave access to the entire ANU network.
However, on November 30 the attackers were kicked out of the system when a new firewall was installed, but they managed to work their way back in almost a fortnight later.
ANU staff detected a fresh spearphishing attempt on December 21, which alerted them to the breach and they regained control of the system, although they thought it had been a one-off attack.
The hackers continued to try for several months after to re-enter the system.
But it was only in April when ANU's information technology staff realised the breach had been much bigger when they conducted a routine baseline threat scan.
They kept quiet for a few weeks while they investigated and cleaned up the system before going public in June.
There is a lot more here:
Excellent coverage was also provided here:

ANU hackers built 'shadow ecosystem' to stay hidden for six weeks

By Ry Crozier on Oct 2, 2019 5:13PM

Identity and amount of data exfiltrated still unknown.

The attacker that infiltrated the Australian National University’s enterprise systems built up a “shadow ecosystem” of compromised machines - physical and virtual - that allowed them to stay undetected for six weeks.
The university released a 20-page post-incident report [pdf] on Wednesday that shone new light on the attack, which was publicly announced in June.
The intrusion was only detected in April “during a baseline threat hunting exercise”. ANU said it engaged defence contractor Northrop Grumman to lead the cleanup effort and forensics.
ANU said the attack was initiated in November 2018 via a spearphishing email that was previewed by a senior staffer.

Its report lays out a detailed chronology of the attack.
“Based on available logs this email was only previewed but the malicious code contained in the email did not require the recipient to click on any link nor download and open an attachment,” the university said.
“This ‘interaction-less’ attack resulted in the senior staff member’s credentials being sent to several external web addresses.
“It is highly likely that the credentials taken from this account were used to gain access to other systems.
“The actor also gained access to the senior staff member’s calendar - information which was used to conduct additional spearphishing attacks later in the actor’s campaign.”
The attacker is thought to have first used the stolen credentials to access a web server, and then moved internally to a “legacy server hosting trial software” that was scheduled for decommissioning in late 2019.
“Unfortunately, the server was attached to a virtual LAN with extensive access across the ANU network,” ANU said.
ANU is uncertain how the attacker managed to access the legacy server, but suspects a “privilege escalation exploit was used to gain full control”.
Vastly more here:
The ABC also provided great coverage here:
Here is the direct link to the report (.pdf):
This report is really a fabulous and very concerning read and is more than worth your time to download and read carefully.
I am no expert but the deliberate and determined nature of the attack – over many months and using all sorts of sophisticated tools – fills me with dread. This team could compromise almost any organization they set their minds to attack I believe.
I would love someone to explain to us dummies how an e-mail that has not been clicked / opened can wreak such carnage! While you are at that you can explain what we should do to protect ourselves.
The ANU deserves many plaudits for making this all public – and it is ominous that within an hour they were again under sustained attack.
I hope those at the ADHA are wide awake and absorbing lessons! While they are reviewing that they can research the problems from Victoria and Barwon Health – Not a pretty sight!
David.

3 comments:

  1. May well have been launched simply by the email preview pane.

    Won’t take much to exploit the ADHA secure messaging solution. The way it is designed and the government wanting to operate aspects. Recipe for disaster. The Cyber Security Manual is not designed to support clinical needs, just government processes where time is of no consequence.

    I agree with you David, the transparent nature and natural desire to share their lessons is impressive. Some out there don’t even publish what they are required to.

  2. The aim of the PCEHR was to make it easier to access your health data. ADHA should be careful what they wish for.

  3. The cyber risk should blame the email software & OS. It started with an email that was previewed with email client software which processes HTML, JavaScript, images et al. A pure text based email client avoids that risk.

    Quote:
    “Based on available logs this email was only previewed but the malicious code contained in the email did not require the recipient to click on any link nor download and open an attachment,” the university said.

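The report quote above and the third comment both turn on the same point: an HTML message can reference remote resources that a mail client fetches the moment the message is rendered in a preview pane, so no click is needed for the recipient's client to contact an attacker-controlled host. The check below, an added example and not code from the post, the ANU report or any named product, parses a constructed sample message and lists the external hosts its HTML part would reach on preview, so a gateway or mailbox rule can quarantine or neuter such messages before a user sees them. Host names and addresses in the sample are placeholders.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed sample message (not from the ANU incident): a 1x1 remote image,
# a remote stylesheet, and an inline (cid:) image that needs no network fetch.
SAMPLE_EML = """\
From: sender@example.invalid
To: staff@example.invalid
Subject: Agenda
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Agenda attached.</p>
<img src="http://203.0.113.10/logo.png" width="1" height="1">
<link rel="stylesheet" href="https://cdn.example.invalid/s.css">
<img src="cid:inline-logo">
</body></html>
"""

# src/href/background attributes and CSS url() references are what a
# rendering client may fetch without any user interaction.
REMOTE_REF = re.compile(
    r'''(?:src|href|background)\s*=\s*["']?([^"'\s>]+)|url\(["']?([^"')]+)''',
    re.I,
)

def remote_references(raw_message):
    """Return the sorted set of hosts the HTML parts would contact on render."""
    msg = message_from_string(raw_message, policy=default)
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for m in REMOTE_REF.finditer(part.get_content()):
            ref = m.group(1) or m.group(2)
            host = urlparse(ref).hostname  # None for cid:, data:, relative refs
            if host:
                hosts.add(host)
    return sorted(hosts)

def preview_risk(raw_message, allowed_hosts=()):
    """Hosts a preview would reach that are not on the organisation's allow-list.

    A non-empty result is the signal to quarantine the message or strip the
    remote references before delivery; an empty result means rendering the
    message makes no unexpected outbound connection."""
    return [h for h in remote_references(raw_message) if h not in allowed_hosts]
```

Defensively the same outcome is reached by configuring clients not to load remote content automatically; the check is useful at the gateway because that client setting is easy to turn off per user.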