Email based attack on University


Email based attack on University

Keith Bainbridge-2
Good evening Folks

I guess some of you have heard that a major Australian university was
attacked by an email scam.

I wonder if having /home on a 'noexec' partition would stop this attack,
please?


Details are at


https://www.abc.net.au/news/2019-10-02/anu-cyber-hack-how-personal-information-got-out/11550578

https://www.abc.net.au/news/2019-10-02/the-sophisticated-anu-hack-that-compromised-private-details/11566540





--
Keith Bainbridge

[hidden email]

+61 (0)447 667 468


Re: Email based attack on University

Jeremy Nicoll
On Wed, 2 Oct 2019, at 10:03, Keith Bainbridge wrote:

> Details are at
>
> https://www.abc.net.au/news/2019-10-02/anu-cyber-hack-how-personal-information-got-out/11550578
> https://www.abc.net.au/news/2019-10-02/the-sophisticated-anu-hack-that-compromised-private-details/11566540

It seems to me that everything follows from whatever access the initial 'unclicked email' malware
gave to the hackers.

But how can malware jump from an email that's not "clicked", into some part of the university's
systems?

Unless... the email was being viewed via a webmail system running on a server not owned by the
university?

Then... is this just malware of the sort that any website could deliver to any visitor?

Even if it was, one might expect the viewer to have been using a desktop PC of some sort, with -
surely - whatever anti-malware software the university deems appropriate for their PCs?

Or... do all their staff use a mish-mash of personal devices, and those don't have to have any
anti-malware apps on them?

--
Jeremy Nicoll - my opinions are my own.


Re: Email based attack on University

Torben Schou Jensen
Interesting story.

I am missing technical details.
I do not understand how preview of e-mail can result in hackers stealing
userid and password, what kind of mail program was used?

It says
"The attack on ANU was possible because of the university's old computer
network"

I prefer to use Debian Stable on my server, and expect the mail programs to be
safe to use - Exim, Dovecot and SquirrelMail.
I am not aware of a security case on Debian where it is possible, via
e-mail preview, to get a user's password.

/Torben


> On Wed, 2 Oct 2019, at 10:03, Keith Bainbridge wrote:
>
>> Details are at
>>
>> https://www.abc.net.au/news/2019-10-02/anu-cyber-hack-how-personal-information-got-out/11550578
>> https://www.abc.net.au/news/2019-10-02/the-sophisticated-anu-hack-that-compromised-private-details/11566540
>
> It seems to me that everything follows from whatever access the initial
> 'unclicked email' malware
> gave to the hackers.
>
> But how can malware jump from an email that's not "clicked", into some
> part of the university's
> systems?
>
> Unless... the email was being viewed via a webmail system running on a
> server not owned by the
> university?
>
> Then... is this just malware of the sort that any website could deliver to
> any visitor?
>
> Even if it was, one might expect the viewer to have been using a desktop
> PC of some sort, with -
> surely - whatever anti-malware software the university deems appropriate
> for their PCs?
>
> Or... do all their staff use a mish-mash of personal devices, and those
> don't have to have any
> anti-malware apps on them?
>
> --
> Jeremy Nicoll - my opinions are my own.
>
>


--
Torben Schou Jensen
Swamp Thing
Homepage: http://swampthing.dk/~tsj/
Skype: swampthing38



Re: Email based attack on University

Curt
On 2019-10-02, Torben Schou Jensen <[hidden email]> wrote:
> Interesting story.
>
> I am missing technical details.
> I do not understand how preview of e-mail can result in hackers stealing
> userid and password, what kind of mail program was used?
>

Yeah, it's better to go directly to the publicly available incident report:

https://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf

But the email program used by Client 0 is unspecified.

The original spearphishing email (which is assumed to have contained
some sort of self-executable code) was deleted (too late!) and proved
unrecoverable.

Subsequent spearphishing emails, however, used Word attachments as a
vector (Appendix A, B, and C of the report). I also note a zip file
attachment in the Appendix.

--
"There are no foreign lands. It is the traveler only who is foreign."
-- Robert Louis Stevenson


Re: Email based attack on University

Henning Follmann
In reply to this post by Jeremy Nicoll
On Wed, Oct 02, 2019 at 10:40:34AM +0100, Jeremy Nicoll wrote:

> On Wed, 2 Oct 2019, at 10:03, Keith Bainbridge wrote:
>
> > Details are at
> >
> > https://www.abc.net.au/news/2019-10-02/anu-cyber-hack-how-personal-information-got-out/11550578
> > https://www.abc.net.au/news/2019-10-02/the-sophisticated-anu-hack-that-compromised-private-details/11566540
>
> It seems to me that everything follows from whatever access the initial 'unclicked email' malware
> gave to the hackers.
>
> But how can malware jump from an email that's not "clicked", into some part of the university's
> systems?

Well, somebody is not telling the truth. Understandable, considering the consequences.


>
> Unless... the email was being viewed via a webmail system running on a server not owned by the
> university?
>
> Then... is this just malware of the sort that any website could deliver to any visitor?
>
> Even if it was, one might expect the viewer to have been using a desktop PC of some sort, with -
> surely - whatever anti-malware software the university deems appropriate for their PCs?
>
> Or... do all their staff use a mish-mash of personal devices, and those don't have to have any
> anti-malware apps on them?
>


And back to the original question: noexec home directories.
No, this does not help. It might in a very few cases prevent some damage, but once the
code runs on the computer (not launched from the home directory) the damage is pretty
much done.

Here is one thing which actually makes everybody safer: Do NOT (NEVER!) accept files
which might include executable code.
Office files (MS or OO )
Only PDF/A is OK; every other PDF, throw it out.
No multimedia (movies, mp3).

And I can already hear the crowds crying, "but we need this for work."
No you don't!
I do not need a PowerPoint presentation in my mail. If you want bullet points
just use "-" and indentation. You can do that in a text made from ASCII characters
only.
Excel is shit to begin with. Get rid of it, not only in e-mail.
Whatever can be written in Word can be written just in ASCII text.
And you suck at typography anyway, do not even try.


-H

--
Henning Follmann           | [hidden email]
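To put Keith's noexec question and Henning's answer on an empirical footing, here is an added example (my code, not anything posted in the thread). It shows two things: how to find out which mount really governs a path (the longest matching mount point wins, so a tmpfs under /home is not covered by /home's flags), and why noexec does not stop a script: execve() of the file is refused, but `sh file` or `python file` reads it as data and runs regardless. It assumes the Linux /proc/self/mounts format and a POSIX shell at /bin/sh, neither of which the thread states; SAMPLE_MOUNTS is a constructed mount table so the check runs offline.

```python
"""Added example, not code from the thread: is a path on a noexec mount,
and what does that actually buy you?

Assumptions not stated in the thread: Linux /proc/self/mounts format and a
POSIX shell at /bin/sh.  SAMPLE_MOUNTS is a constructed mount table.
"""
import os
import stat
import subprocess
import tempfile
from typing import List, Optional, Set, Tuple

# Constructed sample of /proc/self/mounts so the example runs offline.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /home/alice/.cache tmpfs rw,nosuid,nodev,relatime 0 0
"""

MountTable = List[Tuple[str, Set[str]]]


def parse_mount_table(text: str) -> MountTable:
    """[(mount_point, {options})] from /proc/self/mounts-style text.
    /proc escapes spaces in mount points as \\040; decode them."""
    table: MountTable = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        table.append((fields[1].replace("\\040", " "), set(fields[3].split(","))))
    return table


def read_mount_table() -> MountTable:
    """The live table of the current system (Linux only)."""
    with open("/proc/self/mounts", encoding="utf-8") as fh:
        return parse_mount_table(fh.read())


def mount_options_for(path: str, table: MountTable) -> Optional[Set[str]]:
    """Options of the mount that really contains `path`: the longest mount
    point that is a prefix of the path, not simply the first match."""
    path = os.path.normpath(path)
    best: Optional[Tuple[str, Set[str]]] = None
    for mount_point, options in table:
        mp = os.path.normpath(mount_point)
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, options)
    return best[1] if best else None


def is_noexec(path: str, table: MountTable) -> bool:
    opts = mount_options_for(path, table)
    return opts is not None and "noexec" in opts


def interpreter_bypass(directory: Optional[str] = None) -> dict:
    """Drop a shell script into a temp dir and run it two ways.
    'direct' is execve() of the file itself, which a noexec mount refuses
    with EACCES; 'via_interpreter' hands the file to /bin/sh as data, which
    no mount option prevents.  Returns what each attempt produced."""
    with tempfile.TemporaryDirectory(dir=directory) as tmp:
        script = os.path.join(tmp, "payload.sh")
        with open(script, "w", encoding="utf-8") as fh:
            fh.write("#!/bin/sh\necho ran-as-$1\n")
        os.chmod(script, stat.S_IRWXU)
        result = {}
        try:
            out = subprocess.run([script, "direct"], capture_output=True,
                                 text=True, check=True)
            result["direct"] = out.stdout.strip()
        except (OSError, subprocess.CalledProcessError) as exc:
            result["direct"] = "refused: " + type(exc).__name__
        out = subprocess.run(["/bin/sh", script, "via-interpreter"],
                             capture_output=True, text=True, check=True)
        result["via_interpreter"] = out.stdout.strip()
    return result


if __name__ == "__main__":
    table = parse_mount_table(SAMPLE_MOUNTS)
    for p in ("/home/alice/Downloads/x.sh", "/home/alice/.cache/x.sh", "/tmp/x.sh"):
        print(p, "-> noexec" if is_noexec(p, table) else "-> exec allowed")
    # Pass directory=<somewhere on a noexec mount> to see 'direct' refused
    # while 'via_interpreter' still succeeds.
    print(interpreter_bypass())
```

Run it with `interpreter_bypass(directory="/home/you")` on a box where /home really is noexec: the first attempt fails with a permission error, the second prints `ran-as-via-interpreter`. That is the whole of Henning's point in one line of output.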


Re: Email based attack on University

Carl Fink-4
On Wed, Oct 02, 2019 at 08:41:11AM -0400, Henning Follmann wrote:

> Here is one thing which actually make everybody safer: Do NOT (NEVER!) accept files
> which might include executable code.
> Office files (MS or OO )

Open MS files with LibreOffice, which won't run the VBA, or with the
Word/PowerPoint viewer apps from Microsoft, which work great under Wine and
also can't run VBA. Have LO files ever actually been vectors?

> only PDF/A is OK every other PDF, throw it out.
> No multimedia (movies, mp3).

Really? MP3? Paranoid much?
--
Carl Fink                           [hidden email]

Read John Grant's book, Corrupted Science: http://a.co/9UsUoGu 
Dedicated to ... Carl Fink!
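Carl's suggestion (open Office files in something that cannot run VBA) can be complemented by deciding, before anything opens the file, whether it can carry VBA at all. The following is an added example, my code and not anything from the thread, LibreOffice or Microsoft. Modern Word/Excel/PowerPoint files are zip containers (OOXML); macros travel as a binary part, normally word/vbaProject.bin (or under xl/ and ppt/), and the manifest [Content_Types].xml declares it with the content type application/vnd.ms-office.vbaProject. Legacy .doc/.xls/.ppt files are OLE2 compound files whose macros are not visible to a plain zip walk, so those are only flagged as "cannot rule out". The documents produced by build_docx() are constructed skeletons for the demonstration, not real Word output, and the file names are invented.

```python
"""Added example, not code from the thread: a gateway-style check that
looks inside an Office attachment for macro indicators before anyone
opens it.  Sample documents are constructed skeletons, not real files.
"""
import io
import zipfile
from typing import List

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_ENABLED_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file header (.doc/.xls/.ppt)
NESTED_EXTS = (".zip", ".docm", ".xlsm", ".pptm", ".doc", ".xls")


def office_findings(name: str, data: bytes) -> List[str]:
    """Reasons to distrust an attachment; an empty list means no macro
    indicator was found (which is not the same as 'safe')."""
    findings: List[str] = []
    lower = name.lower()
    if lower.endswith(MACRO_ENABLED_EXTS):
        findings.append("macro-enabled extension: " + lower.rsplit(".", 1)[-1])
    if data.startswith(OLE2_MAGIC):
        findings.append("legacy OLE2 container: macros cannot be ruled out from the name")
        return findings
    if not data.startswith(b"PK\x03\x04"):
        return findings                      # not a zip, so not OOXML
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                findings.append("contains vbaProject.bin (VBA macros present)")
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in manifest:
                    findings.append("manifest declares a VBA project part")
            # An archive inside the archive is the usual way past a filter
            # that only looks at the outer file name.
            findings.extend("nested archive or document: " + n
                            for n in names if n.lower().endswith(NESTED_EXTS))
    except zipfile.BadZipFile:
        findings.append("zip signature but corrupt archive")
    return findings


def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML skeleton for the demonstration."""
    main_ct = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    overrides = '<Override PartName="/word/document.xml" ContentType="%s"/>' % main_ct
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if with_macro:
            overrides += '<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE
            # The VBA storage is itself an OLE2 container inside the zip.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                    'package/2006/content-types">%s</Types>' % overrides)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for fname, blob in (("report.docx", build_docx(False)),
                        ("invoice.docm", build_docx(True)),
                        ("old.doc", OLE2_MAGIC + b"\x00" * 504),
                        ("notes.txt", b"just text")):
        print(fname, office_findings(fname, blob) or ["no macro indicators"])
```

The check is deliberately name-independent: a renamed .docm still contains vbaProject.bin and still declares it in the manifest, which is why both are tested rather than the extension alone.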


Re: Email based attack on University

Henning Follmann
On Wed, Oct 02, 2019 at 09:27:37AM -0400, Carl Fink wrote:

> On Wed, Oct 02, 2019 at 08:41:11AM -0400, Henning Follmann wrote:
>
> > Here is one thing which actually make everybody safer: Do NOT (NEVER!) accept files
> > which might include executable code.
> > Office files (MS or OO )
>
> Open MS files with LibreOffice, which won't run the VBA, or with the
> Word/PowerPoint viewer apps from Microsoft, which work great under Wine and
> also can't run VBA. Have LO files ever actually been vectors?
>
> > only PDF/A is OK every other PDF, throw it out.
> > No multimedia (movies, mp3).
>
> Really? MP3? Paranoid much?

Well, maybe.
OTOH these massive exploits these days were considered very unlikely some
time ago. And a vector in remains a vector in, and most likely becomes
a common attack vector. Your point, that because it is not widely used _now_
it is safe, is just ridiculous.

-H

--
Henning Follmann           | [hidden email]


Re: Email based attack on University

Nicholas Geovanis-2
On Wed, Oct 2, 2019 at 9:06 AM Henning Follmann <[hidden email]> wrote:
> On Wed, Oct 02, 2019 at 09:27:37AM -0400, Carl Fink wrote:
> > On Wed, Oct 02, 2019 at 08:41:11AM -0400, Henning Follmann wrote:
> > >
> > > > No multimedia (movies, mp3).
> > >
> > > Really? MP3? Paranoid much?
>
> Well, maybe.
> OTOH these massive exploits these days were considered very unlikely some
> time ago. And a vectors in remains a vector in, and most likely becomes
> a common attack vector. Your point because it is not widely used _now_,
> it is safe, is just ridiculous.

True enough but with the following difference:  By specification, to the best of my amateur knowledge,
the MP3 format does not permit executable content. Whereas Word and PDF files do.

> -H
>
> --
> Henning Follmann           | [hidden email]


Re: Email based attack on University

Lee-7
In reply to this post by Curt
On 10/2/19, Curt <[hidden email]> wrote:

> On 2019-10-02, Torben Schou Jensen <[hidden email]> wrote:
>> Interesting story.
>>
>> I am missing technical details.
>> I do not understand how preview of e-mail can result in hackers stealing
>> userid and password, what kind of mail program was used?
>>
>
> Yeah, it's better to go directly to the publicly available incident report:
>
> https://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf
>

Thanks for the link!

> But the email program used by Client 0 is unspecified.

As is the operating system - or did I miss that?

Lee

> The original spearphishing email (which is assumed to have contained
> some sort of self-executable code) was deleted (too late!) and proved
> unrecoverable.
>
> Subsequent spearphishing emails, however, used Word attachments as a
> vector (Appendix A, B, and C of the report). I also note a zip file
> attachment in the Appendix.
>
> --
> "There are no foreign lands. It is the traveler only who is foreign."
> -- Robert Louis Stevenson
>
>


Re: Email based attack on University

Lee-7
In reply to this post by Henning Follmann
On 10/2/19, Henning Follmann <[hidden email]> wrote:

> On Wed, Oct 02, 2019 at 10:40:34AM +0100, Jeremy Nicoll wrote:
>> On Wed, 2 Oct 2019, at 10:03, Keith Bainbridge wrote:
>>
>> > Details are at
>> >
>> > https://www.abc.net.au/news/2019-10-02/anu-cyber-hack-how-personal-information-got-out/11550578
>> > https://www.abc.net.au/news/2019-10-02/the-sophisticated-anu-hack-that-compromised-private-details/11566540
>>
>> It seems to me that everything follows from whatever access the initial
>> 'unclicked email' malware
>> gave to the hackers.
>>
>> But how can malware jump from an email that's not "clicked", into some
>> part of the university's
>> systems?
>
> Well, somebody is not telling the truth.

With so much left out of the public report, lying hardly seems necessary.

Take a look at
  https://portal.msrc.microsoft.com/en-us/security-guidance
select severity: critical & remote code execution, security feature
bypass & information disclosure impacts.
Which security patches seem applicable here?

>> Unless... the email was being viewed via a webmail system running on a
>> server not owned by the
>> university?

What if the email was being viewed via webmail using Windows Internet Explorer?

Regards,
Lee


Re: Email based attack on University

Paul Sutton-2
In reply to this post by Keith Bainbridge-2

On 02/10/2019 10:03, Keith Bainbridge wrote:

> Good evening Folks
>
> I guess some of you have heard that a major Australian university
> was attacked by an email scam.
>
> I wonder if having /home on a 'noexec' partition would stop this
> attack, please?
>
>
> Details are at
>
>
> https://www.abc.net.au/news/2019-10-02/anu-cyber-hack-how-personal-information-got-out/11550578
>
> https://www.abc.net.au/news/2019-10-02/the-sophisticated-anu-hack-that-compromised-private-details/11566540
>

Not seen this but the BBC seems to be reporting a malware (well,
ransomware) attack on some US hospitals

US hospitals turn away patients as ransomware strikes

https://www.bbc.co.uk/news/technology-49905226

Paul
--
Paul Sutton
http://www.zleap.net
gnupg : 7D6D B682 F351 8D08 1893  1E16 F086 5537 D066 302D
https://fediverse.party/ - [hidden email]


Re: Email based attack on University

tomas@tuxteam.de
In reply to this post by Nicholas Geovanis-2
On Wed, Oct 02, 2019 at 09:33:18AM -0500, Nicholas Geovanis wrote:

[...]

> True enough but with the following difference:  By specification, to the
> best of my amateur knowledge,
> the MP3 format does not permit executable content. Whereas Word and PDF
> files do.

Specifically for MP3 there seem to have been player vulnerabilities,
including some of the "code execution" flavour.

IOW a vulnerable renderer is just some kind of (Rube-Goldbergian)
interpreter :-)

Cheers
-- t


Re: Email based attack on University

Étienne Mollier
Nicholas Geovanis, on 2019-10-02:

> Henning Follmann, on 2019-10-02:
> > On Wed, Oct 02, 2019 at 09:27:37AM -0400, Carl Fink wrote:
> > > On Wed, Oct 02, 2019 at 08:41:11AM -0400, Henning Follmann wrote:
> > > > only PDF/A is OK every other PDF, throw it out.
> > > > No multimedia (movies, mp3).
> > >
> > > Really? MP3? Paranoid much?
> >
> > Well, maybe.
> > OTOH these massive exploits these days were considered very unlikely some
> > time ago. And a vectors in remains a vector in, and most likely becomes
> > a common attack vector. Your point because it is not widely used _now_,
> > it is safe, is just ridiculous.
>
> True enough but with the following difference:  By
> specification, to the best of my amateur knowledge, the MP3
> format does not permit executable content. Whereas Word and PDF
> files do.

I don't believe MP3 allows executable code by specification
either, nor should the PNG image format.  But think of DSA
4435 which affected libpng earlier this year.  When the OS
library for handling multimedia has flaws, if an HTML email
embeds a specifically crafted PNG image inlined in the content,
then you wouldn't even have to hit the “preview” button to be
screwed:

        https://www.debian.org/security/2019/dsa-4435

tomás, on 2019-10-02:
> Specifically for MP3 there seem to have been player vulnerabilities,
> including some of the "code execution" flavour.
>
> IOW a vulnerable renderer is just some kind of (Rube-Goldbergian)
> interpreter :-)

Yup, that's the idea.  Even if the format is clean, there might
be bugs in libraries interpreting that format.  Kids, keep your
systems up to date!


Going back to the main topic raised by Keith, setting
apparmor(7) policies /may/ be a bit more helpful than doing a
mount noexec in these situations, if I understood its
purpose properly.  The nice thing is that Debian does it for you!

MUAs like Thunderbird come with what I believe would be
appropriate Apparmor default settings; although having a look
inside /etc/apparmor.d/usr.bin.thunderbird shows a lot of work
TODO left.  It should prevent effects of such attacks by
limiting the area of action of the whole thunderbird process,
and its child processes I would expect, to only a fraction of
the resources available on the machine, in case some operation
on untrusted data goes rogue[1].

[1] although, the apparmor profile does give a lot of margin to
    the /usr/bin/thunderbird process relative to the home
    directory, primarily to not break the “Save as...” button,
    so it depends on what the attacker will target.

Kind Regards,  :)
--
Étienne Mollier <[hidden email]>
Fingerprint:  5ab1 4edf 63bb ccff 8b54  2fa9 59da 56fe fff3 882d
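The inline-PNG scenario above is worth seeing in MIME terms. The following is an added example, my code and not anything from the thread or from any MUA: it inspects a message the way a cautious client or gateway should before rendering it. The libpng advisory matters because an inline image is handed to the decoder the moment the HTML part is rendered, preview button or not. triage() reports which image parts the HTML would pull in via cid: references, counts remote (http) image references, and returns the text/plain alternative, which is the part a client can show without decoding anything. Only the standard library email package is used. The message is constructed by build_sample(); the "PNG" is a signature plus padding rather than a real image, and the addresses are invented.

```python
"""Added example, not code from the thread: what would rendering this
message decode?  Sample message is constructed; addresses are invented.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Dict, List

CID_REF = re.compile(r"""src\s*=\s*['"]?cid:([^'"\s>]+)""", re.IGNORECASE)
REMOTE_REF = re.compile(r"""src\s*=\s*['"]?https?://""", re.IGNORECASE)


def build_sample() -> bytes:
    """Constructed multipart/alternative message with one inline PNG."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find the invoice attached.")
    msg.add_alternative(
        '<html><body><p>Please find the invoice attached.</p>'
        '<img src="cid:logo@example.invalid"></body></html>',
        subtype="html")
    html_part = msg.get_payload()[1]
    # PNG signature plus padding: enough to be routed to an image decoder,
    # not a real picture.
    html_part.add_related(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
                          maintype="image", subtype="png",
                          cid="<logo@example.invalid>")
    return msg.as_bytes()


def triage(raw: bytes) -> Dict[str, object]:
    """Summarise what rendering this message would hand to decoders."""
    msg = message_from_bytes(raw, policy=policy.default)
    inline_refs: List[str] = []
    remote_refs = 0
    leaves: List[Dict[str, object]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue                          # containers carry no data
        ctype = part.get_content_type()
        if ctype == "text/html":
            html = part.get_content()
            inline_refs.extend(CID_REF.findall(html))
            remote_refs += len(REMOTE_REF.findall(html))
            continue
        cid = str(part.get("Content-ID") or "").strip().strip("<>")
        leaves.append({
            "type": ctype,
            "cid": cid,
            "disposition": part.get_content_disposition(),
            "size": len(part.get_payload(decode=True) or b""),
        })
    # Image parts the HTML references by Content-ID are decoded on render,
    # whether or not the user ever clicks anything.
    decoded_on_render = [p for p in leaves
                         if p["cid"] and p["cid"] in inline_refs
                         and str(p["type"]).startswith("image/")]
    plain = msg.get_body(preferencelist=("plain",))
    return {
        "inline_images": decoded_on_render,
        "remote_references": remote_refs,
        "other_parts": [p for p in leaves
                        if p["type"] != "text/plain" and p not in decoded_on_render],
        "plain_text": plain.get_content().strip() if plain is not None else None,
    }


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(key, "=", value)
```

A client that shows only `plain_text` never touches libpng for this message; one that renders the HTML part decodes every entry in `inline_images` immediately.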




Re: Email based attack on University

Curt
In reply to this post by Lee-7
On 2019-10-02, Lee <[hidden email]> wrote:

>>
>> https://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf
>>
>
> Thanks for the link!
>
>> But the email program used by Client 0 is unspecified.
>
> As is the operating system - or did I miss that?
>

I don't think you did miss it.  

--
"There are no foreign lands. It is the traveler only who is foreign."
-- Robert Louis Stevenson


Re: Email based attack on University

Carl Fink-4
In reply to this post by Étienne Mollier
On Wed, Oct 02, 2019 at 05:55:32PM +0200, Étienne Mollier wrote:

> I don't believe MP3 allows executable code by specifications
> either, so shouldn't the PNG image format.  But think of DSA
> 4435 which affected libpng earlier this year.  When the OS
> library for handling multimedia has flaws, if an HTML email
> embeds a specifically crafted PNG image inlined in the content,
> then you wouldn't even have to hit the “preview” button to be
> screwed:

That would logically apply to ASCII text as well.
--
Carl Fink                           [hidden email]

Read John Grant's book, Corrupted Science: http://a.co/9UsUoGu 
Dedicated to ... Carl Fink!


Re: Email based attack on University

Étienne Mollier
On 02/10/2019 18.47, Carl Fink wrote:

> On Wed, Oct 02, 2019 at 05:55:32PM +0200, Étienne Mollier wrote:
>
>> I don't believe MP3 allows executable code by specifications
>> either, so shouldn't the PNG image format.  But think of DSA
>> 4435 which affected libpng earlier this year.  When the OS
>> library for handling multimedia has flaws, if an HTML email
>> embeds a specifically crafted PNG image inlined in the content,
>> then you wouldn't even have to hit the “preview” button to be
>> screwed:
> That would logically apply to ASCII text as well.
Indeed,

Injection of control codes in a plain text email, if those are
improperly escaped along the way, may mangle the terminal of the
unsuspecting user.  ;)

That takes a lot of "if"s though...
--
Étienne Mollier <[hidden email]>
Fingerprint:  5ab1 4edf 63bb ccff 8b54  2fa9 59da 56fe fff3 882d
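For anyone who does display untrusted "plain text" on a terminal, here is the escaping step Étienne refers to, as an added example (my code, not from the thread). A terminal acts on C0 control bytes and on ESC-introduced sequences (CSI for cursor movement and erasing, OSC for retitling the window, and so on), so a plain text mail can clear the screen, overwrite an earlier line with a carriage return, or hide its real content. sanitize_for_terminal() rewrites every such byte visibly in the style of `cat -v`, keeping only newline and tab; escape_sequences() lists the sequences found, which is useful for logging or a filter rule. The sample message is constructed, and nothing is implied about how any particular MUA handles this.

```python
"""Added example, not code from the thread: make untrusted text safe to
print on a terminal, and list the escape sequences it carried.
SAMPLE is a constructed message.
"""
import re
from typing import List

# C0 controls other than \t and \n, DEL, and the C1 range (0x80-0x9f),
# which several terminals treat as single-byte CSI/OSC introducers.
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")

# Common ANSI forms: CSI (ESC [ params final), OSC (ESC ] ... BEL or ESC \),
# and a bare two-character Fe escape as a fallback.
_ESCAPE_SEQ = re.compile(
    r"\x1b(?:\[[0-?]*[ -/]*[@-~]"
    r"|\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|[@-Z\\-_])"
)

# Constructed sample: retitles the window, clears the screen, homes the
# cursor, then uses a bare carriage return to overwrite the visible line.
SAMPLE = ("Hello\x1b]0;pwned\x07\x1b[2J\x1b[HInvoice attached."
          "\rNothing to see here.\n\tRegards")


def _visible(ch: str) -> str:
    """cat -v style rendering of a single control character."""
    code = ord(ch)
    if code == 0x1B:
        return "^["
    if code < 0x20:
        return "^" + chr(code + 0x40)    # \x01 -> ^A, \r -> ^M
    if code == 0x7F:
        return "^?"
    return "\\x%02x" % code              # C1 controls


def sanitize_for_terminal(text: str) -> str:
    """Return text that a terminal will only print, never act on."""
    return _CONTROL.sub(lambda m: _visible(m.group(0)), text)


def escape_sequences(text: str) -> List[str]:
    """Every ESC-introduced sequence in the text, in order of appearance."""
    return _ESCAPE_SEQ.findall(text)


if __name__ == "__main__":
    print(repr(escape_sequences(SAMPLE)))
    print(sanitize_for_terminal(SAMPLE))
```

Newline and tab are the only controls passed through because they are the only ones a mail body legitimately needs; a bare carriage return is shown as ^M on purpose, since overwriting the start of a line is the classic log-spoofing trick.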



Re: Email based attack on University

David Wright-3
In reply to this post by Carl Fink-4
On Wed 02 Oct 2019 at 12:47:13 (-0400), Carl Fink wrote:

> On Wed, Oct 02, 2019 at 05:55:32PM +0200, Étienne Mollier wrote:
>
> > I don't believe MP3 allows executable code by specifications
> > either, so shouldn't the PNG image format.  But think of DSA
> > 4435 which affected libpng earlier this year.  When the OS
> > library for handling multimedia has flaws, if an HTML email
> > embeds a specifically crafted PNG image inlined in the content,
> > then you wouldn't even have to hit the “preview” button to be
> > screwed:
>
> That would logically apply to ASCII text as well.

I'm not sure why an ASCII email would be handed to a multimedia library.

Cheers,
David.


Re: Email based attack on University

deloptes-2
In reply to this post by Henning Follmann
Henning Follmann wrote:

> And I hear already the crowds crying, but we need this for work.
> No you don't!
> I do not need a powerpoint presentation in my mail. If you want bullet
> points just use "-" and indentation. You can do that in a text made from
> ASCII characters only.
> Excel is  shit to begin with. Get rid of it, not only in e-mail.
> Whatever can be written in Word, can be written just in ASCII text.
> And you suck at typography anyway, do not even try.

I suggest you go and talk to my boss who has specific expectations. I
understand your point but it is BS for business. I sent management today
one PP and one Excel. Everybody is happy and you want to destroy it?!

regards


Re: Email based attack on University

Brad Rogers
In reply to this post by Lee-7
On Wed, 2 Oct 2019 10:38:44 -0400
Lee <[hidden email]> wrote:

Hello Lee,

>Thanks for the link!
>
>> But the email program used by Client 0 is unspecified.  
>
>As is the operating system - or did I miss that?

As stated in the paper itself, to avoid being an instructional for
up and coming ne'er-do-wells, the paper is necessarily vague about
certain things.  Thus, such details as OS & MUA are omitted.

--
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
Life goes quick and it goes without warning
Bombsite Boy - The Adverts


Re: Email based attack on University

Andrew McGlashan

On 3/10/19 3:32 am, Brad Rogers wrote:

> On Wed, 2 Oct 2019 10:38:44 -0400 Lee <[hidden email]> wrote:
>
> Hello Lee,
>
>> Thanks for the link!
>>
>>> But the email program used by Client 0 is unspecified.
>>
>> As is the operating system - or did I miss that?
>
> As stated in the paper itself, to avoid being an instructional for
> up and coming ne'er-do-wells, the paper is necessarily vague about
> certain things.  Thus, such details as OS & MUA are omitted.

So, NOT very transparent at all then!

Cheers
A.
