Here's the info I have put together on IOCs. The sheet also contains a link to a gdrive share containing an archive of the file drops and a screenshot. I've got more stuff to go through, if I find anything else interesting I'll add it to the list. I bolded stuff I thought might be the most useful. Based on the files captured, it appears that hackers in both instances set up tunnels with lots of random traffic coming through, possibly for reselling bandwidth. The hacker we booted from the network on Saturday was setting up a new mail server when they got kicked, probably for perpetuating more phishing attacks. The folder called node-m in the attached archive has their mail server configuration and scripts. Nothing in the archive came back with a positive detection, still be careful! I tried to redact all the user data, but I'm not 100% sure I got all of it so please treat the information as confidential.

If you have any questions please let me know!

Eric B.


 Email IOCs


On Mon, May 1, 2023 at 12:13 PM Dustin Udy <d.udy@utah.edu> wrote:
Yikes. Best of luck. 

Sounds very similar to ours.

From: Eric Bennick <ebennick@weber.edu>
Sent: Monday, May 1, 2023, 10:44 AM
To: Dustin Udy <d.udy@utah.edu>
Cc: ushe-iso@lists.dixie.edu <ushe-iso@lists.dixie.edu>; Jesse Adams <Jesse.Adams@utah.edu>
Subject: Re: [USHE-ISO] Compromised account activity

I didn't send it yet. We actually had a second account break into the VPN on Saturday. This one somehow was able to add their own device to a faculty account and could accept their own pushes. They dropped some files on a virtual machine a did some more scanning. I'm trying to compare the two to see if it's the same group. I'll send you the list of what I've got soon.

On Mon, May 1, 2023 at 10:37 AM Dustin Udy <d.udy@utah.edu> wrote:
Eric,

Did you send the list of IOC's and I missed it?

Dustin

________________________________________
From: Eric Bennick <ebennick@weber.edu>
Sent: Friday, April 28, 2023 8:39 PM
To: Dustin Udy
Cc: ushe-iso@lists.dixie.edu
Subject: Re: [USHE-ISO] Compromised account activity

I've got a bunch of good IOCs, I'll send you a list. This account was almost certaintly compromised through a phish containing a fake MS login page. The page is designed to validate the credentials through exchange. I can spot phished accounts in our logs because a MS exchange client authenticates to Gmail.  Normal user authentications use saml. I'll include screen shots.

On Fri, Apr 28, 2023, 8:09 PM Dustin Udy <d.udy@utah.edu<mailto:d.udy@utah.edu>> wrote:
Seems like the same technique we saw.

Dustin
________________________________
From: USHE-ISO <ushe-iso-bounces@lists.dixie.edu<mailto:ushe-iso-bounces@lists.dixie.edu>> on behalf of Eric Bennick via USHE-ISO <ushe-iso@lists.dixie.edu<mailto:ushe-iso@lists.dixie.edu>>
Sent: Friday, April 28, 2023 7:57:52 PM
To: ushe-iso@lists.dixie.edu<mailto:ushe-iso@lists.dixie.edu> <ushe-iso@lists.dixie.edu<mailto:ushe-iso@lists.dixie.edu>>
Subject: Re: [USHE-ISO] Compromised account activity

Tuesday, actually. That's what happens when you lose a night of sleep.

On Fri, Apr 28, 2023, 7:51 PM Eric Bennick <ebennick@weber.edu<mailto:ebennick@weber.edu>> wrote:
We had a compromised account on our VPN which ran scans on port 22 and connected to any devices with SSH listening. It was also talking out to other institutions, so I've included log info from our DNS servers so you can check for activity.

[Screenshot 2023-04-28 194746.png]