Seems like the same technique we saw.

Dustin

---

From: USHE-ISO <ushe-iso-bounces@lists.dixie.edu> on behalf of Eric Bennick via USHE-ISO <ushe-iso@lists.dixie.edu>
Sent: Friday, April 28, 2023 7:57:52 PM
To: ushe-iso@lists.dixie.edu <ushe-iso@lists.dixie.edu>
Subject: Re: [USHE-ISO] Compromised account activity

 

Tuesday, actually. That's what happens when you lose a night of sleep.

On Fri, Apr 28, 2023, 7:51 PM Eric Bennick <ebennick@weber.edu> wrote:

We had a compromised account on our VPN which ran scans on port 22 and connected to any devices with SSH listening. It was also talking out to other institutions, so I've included log info from our DNS servers so you can check for activity.