
Good Evening, Thank you! Very much appreciated. Happily, all the ones they queried your DNS about for USU are either third-party hosted or not listening on standard SSH ports. I do know we had very similar behavior happen with a student account earlier this week too. I'll see what I can find out about that and pass along anything that might help as well.
Thanks!
Blake
From: USHE-ISO <ushe-iso-bounces@lists.dixie.edu> On Behalf Of Jon Barclay via USHE-ISO
Sent: Friday, April 28, 2023 8:42 PM
To: Eric Bennick <ebennick@weber.edu>; Dustin Udy <d.udy@utah.edu>
Cc: ushe-iso@lists.dixie.edu
Subject: Re: [USHE-ISO] Compromised account activity
We are seeing spikes of phishing and compromised accounts as well. Appreciate all the IOCs. It's frustrating so many users are giving away MFA codes.
Thanks,
Jon
________________________________
From: USHE-ISO <ushe-iso-bounces@lists.dixie.edu> on behalf of Eric Bennick via USHE-ISO <ushe-iso@lists.dixie.edu>
Sent: Friday, April 28, 2023 8:39:14 PM
To: Dustin Udy <d.udy@utah.edu>
Cc: ushe-iso@lists.dixie.edu
Subject: Re: [USHE-ISO] Compromised account activity
I've got a bunch of good IOCs, I'll send you a list. This account was almost certainly compromised through a phish containing a fake MS login page. The page is designed to validate the credentials through Exchange. I can spot phished accounts in our logs because an MS Exchange client authenticates to Gmail. Normal user authentications use SAML. I'll include screenshots.
On Fri, Apr 28, 2023, 8:09 PM Dustin Udy <d.udy@utah.edu> wrote:
Seems like the same technique we saw.
Dustin
________________________________
From: USHE-ISO <ushe-iso-bounces@lists.dixie.edu> on behalf of Eric Bennick via USHE-ISO <ushe-iso@lists.dixie.edu>
Sent: Friday, April 28, 2023 7:57:52 PM
To: ushe-iso@lists.dixie.edu
Subject: Re: [USHE-ISO] Compromised account activity
Tuesday, actually. That's what happens when you lose a night of sleep.
On Fri, Apr 28, 2023, 7:51 PM Eric Bennick <ebennick@weber.edu> wrote:
We had a compromised account on our VPN which ran scans on port 22 and connected to any devices with SSH listening. It was also talking out to other institutions, so I've included log info from our DNS servers so you can check for activity.
[inline image attachment not included in the archive]
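The detection heuristic Eric describes above (a normal user signs in through SAML, so a successful password-based Exchange-client login to the mail service is a strong sign the credentials were phished) is easy to turn into a log check. The script below is an added example, not code from anyone on this list. It runs over a handful of constructed login-audit records loosely modeled on a Google Workspace login audit export; the field names and the login_type labels ("saml", "exchange", "google_password") are assumptions for illustration, so map them to whatever your own export actually emits. It also generalizes the heuristic slightly: a non-SAML login is rated "high" when the same user had a SAML login from a different IP within the previous 24 hours, and source IPs that validated passwords for more than one account are listed separately, since one phishing kit backend typically checks many victims' credentials from the same address.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from any real tenant). Field names and
# login_type values are assumed; adjust them to match your audit export.
SAMPLE_EVENTS = [
    {"time": "2023-04-25T08:01:00Z", "user": "alice@example.edu",
     "event": "login_success", "login_type": "saml", "ip": "198.51.100.10"},
    {"time": "2023-04-25T09:14:30Z", "user": "alice@example.edu",
     "event": "login_success", "login_type": "exchange", "ip": "203.0.113.7"},
    {"time": "2023-04-25T09:20:00Z", "user": "bob@example.edu",
     "event": "login_success", "login_type": "saml", "ip": "198.51.100.22"},
    {"time": "2023-04-25T10:05:00Z", "user": "carol@example.edu",
     "event": "login_failure", "login_type": "google_password", "ip": "203.0.113.9"},
    {"time": "2023-04-25T11:30:00Z", "user": "dave@example.edu",
     "event": "login_success", "login_type": "exchange", "ip": "203.0.113.7"},
]

SAML_TYPES = {"saml"}                          # normal SSO sign-in
DIRECT_TYPES = {"exchange", "google_password"}  # password presented directly
WINDOW = timedelta(hours=24)


def parse_time(stamp):
    """Parse an ISO-8601 timestamp with a trailing Z as UTC."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def find_suspect_logins(events):
    """Return successful non-SAML logins, oldest first.

    severity is 'high' when the same user also had a SAML login from a
    different IP within WINDOW before the direct-auth login (the real user
    uses SSO; something else just used the password), else 'medium'.
    """
    ordered = sorted(events, key=lambda e: parse_time(e["time"]))
    saml_seen = {}   # user -> list of (time, ip) for SAML successes
    hits = []
    for e in ordered:
        if e["event"] != "login_success":
            continue  # failures are noise for this check; keep successes only
        t = parse_time(e["time"])
        if e["login_type"] in SAML_TYPES:
            saml_seen.setdefault(e["user"], []).append((t, e["ip"]))
            continue
        if e["login_type"] not in DIRECT_TYPES:
            continue
        recent_sso = [ip for (st, ip) in saml_seen.get(e["user"], [])
                      if t - st <= WINDOW and ip != e["ip"]]
        hits.append({
            "user": e["user"], "time": e["time"], "ip": e["ip"],
            "login_type": e["login_type"],
            "severity": "high" if recent_sso else "medium",
        })
    return hits


def shared_source_ips(hits):
    """Map each IP that validated passwords for more than one account to the
    sorted list of those accounts: a likely phishing-kit backend."""
    users_by_ip = {}
    for h in hits:
        users_by_ip.setdefault(h["ip"], set()).add(h["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) > 1}


if __name__ == "__main__":
    found = find_suspect_logins(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['severity']:6} {h['time']} {h['user']} "
              f"{h['login_type']} from {h['ip']}")
    print("shared backends:", shared_source_ips(found))
```

The check is only as good as the assumption that every legitimate login goes through SAML; if some accounts or mail clients are still allowed to authenticate with a password, whitelist those explicitly rather than loosening the rule, and where SSO is mandatory, disabling password-based and legacy-protocol access for those users closes the channel the phishing page relies on.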