Yikes. Best of luck.
Sounds very similar to ours.
________________________________ From: Eric Bennick ebennick@weber.edu Sent: Monday, May 1, 2023, 10:44 AM To: Dustin Udy d.udy@utah.edu Cc: ushe-iso@lists.dixie.edu ushe-iso@lists.dixie.edu; Jesse Adams Jesse.Adams@utah.edu Subject: Re: [USHE-ISO] Compromised account activity
I didn't send it yet. We actually had a second account break into the VPN on Saturday. This one somehow was able to add their own device to a faculty account and could accept their own pushes. They dropped some files on a virtual machine a did some more scanning. I'm trying to compare the two to see if it's the same group. I'll send you the list of what I've got soon.
On Mon, May 1, 2023 at 10:37 AM Dustin Udy <d.udy@utah.edumailto:d.udy@utah.edu> wrote: Eric,
Did you send the list of IOC's and I missed it?
Dustin
________________________________________ From: Eric Bennick <ebennick@weber.edumailto:ebennick@weber.edu> Sent: Friday, April 28, 2023 8:39 PM To: Dustin Udy Cc: ushe-iso@lists.dixie.edumailto:ushe-iso@lists.dixie.edu Subject: Re: [USHE-ISO] Compromised account activity
I've got a bunch of good IOCs, I'll send you a list. This account was almost certaintly compromised through a phish containing a fake MS login page. The page is designed to validate the credentials through exchange. I can spot phished accounts in our logs because a MS exchange client authenticates to Gmail. Normal user authentications use saml. I'll include screen shots.
On Fri, Apr 28, 2023, 8:09 PM Dustin Udy <d.udy@utah.edumailto:d.udy@utah.edu<mailto:d.udy@utah.edumailto:d.udy@utah.edu>> wrote: Seems like the same technique we saw.
Dustin ________________________________ From: USHE-ISO <ushe-iso-bounces@lists.dixie.edumailto:ushe-iso-bounces@lists.dixie.edu<mailto:ushe-iso-bounces@lists.dixie.edumailto:ushe-iso-bounces@lists.dixie.edu>> on behalf of Eric Bennick via USHE-ISO <ushe-iso@lists.dixie.edumailto:ushe-iso@lists.dixie.edu<mailto:ushe-iso@lists.dixie.edumailto:ushe-iso@lists.dixie.edu>> Sent: Friday, April 28, 2023 7:57:52 PM To: ushe-iso@lists.dixie.edumailto:ushe-iso@lists.dixie.edu<mailto:ushe-iso@lists.dixie.edumailto:ushe-iso@lists.dixie.edu> <ushe-iso@lists.dixie.edumailto:ushe-iso@lists.dixie.edu<mailto:ushe-iso@lists.dixie.edumailto:ushe-iso@lists.dixie.edu>> Subject: Re: [USHE-ISO] Compromised account activity
Tuesday, actually. That's what happens when you lose a night of sleep.
On Fri, Apr 28, 2023, 7:51 PM Eric Bennick <ebennick@weber.edumailto:ebennick@weber.edu<mailto:ebennick@weber.edumailto:ebennick@weber.edu>> wrote: We had a compromised account on our VPN which ran scans on port 22 and connected to any devices with SSH listening. It was also talking out to other institutions, so I've included log info from our DNS servers so you can check for activity.
[Screenshot 2023-04-28 194746.png]