
We had a compromised account on our VPN which ran scans on port 22 and connected to any devices with SSH listening. It was also talking out to other institutions, so I've included log info from our DNS servers so you can check for activity.
[image: Screenshot 2023-04-28 194746.png]
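
The port-22 sweep described above leaves a recognisable shape in connection or flow logs: one VPN-pool address touching many distinct hosts on port 22 inside a short window, with a handful of handshakes completing. The following Python is an added example (not code from this thread or from any institution on it) that detects that shape over constructed sample flow records; the record layout, the 10.8.0.0/24 VPN pool, the 10.20.1.0/24 server range and the threshold of eight targets in five minutes are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample flow records (not real data). The layout is an assumption:
# timestamp, source ip, destination ip, destination port, and whether the TCP
# handshake completed ("open") or was refused/timed out ("closed").
# 10.8.0.0/24 stands in for the VPN client pool, 10.20.1.0/24 for a server VLAN.
SAMPLE_FLOWS = """\
2023-04-25T12:00:01Z 10.8.0.23 10.20.1.5 22 open
2023-04-25T12:00:01Z 10.8.0.23 10.20.1.6 22 closed
2023-04-25T12:00:02Z 10.8.0.23 10.20.1.7 22 closed
2023-04-25T12:00:02Z 10.8.0.23 10.20.1.8 22 open
2023-04-25T12:00:03Z 10.8.0.23 10.20.1.9 22 closed
2023-04-25T12:00:03Z 10.8.0.23 10.20.1.10 22 closed
2023-04-25T12:00:04Z 10.8.0.23 10.20.1.11 22 closed
2023-04-25T12:00:04Z 10.8.0.23 10.20.1.12 22 closed
2023-04-25T12:00:05Z 10.8.0.23 10.20.1.13 22 closed
2023-04-25T12:00:05Z 10.8.0.23 10.20.1.14 22 open
2023-04-25T12:00:06Z 10.8.0.23 10.20.1.14 443 open
2023-04-25T12:00:20Z 10.8.0.50 10.20.1.5 22 open
2023-04-25T12:30:00Z 10.8.0.50 10.20.1.8 22 open
"""


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_flows(text):
    """Turn the whitespace-separated sample lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, state = line.split()
        flows.append({"ts": parse_ts(ts), "src": src, "dst": dst,
                      "dport": int(dport), "state": state})
    return flows


def detect_ssh_sweeps(flows, window_seconds=300, threshold=8, port=22):
    """Flag sources that touched >= threshold distinct hosts on `port` within the window.

    Returns {src: {"peak_targets_in_window": n, "connected": [dst, ...]}} where
    `connected` lists the hosts on which the handshake completed, i.e. the
    devices the account actually reached and that need a closer look.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] == port:
            by_src[f["src"]].append(f)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda f: f["ts"])
        peak = 0
        for i, start in enumerate(evs):
            # Distinct targets inside the window that opens at this event.
            targets = {f["dst"] for f in evs[i:]
                       if (f["ts"] - start["ts"]).total_seconds() <= window_seconds}
            peak = max(peak, len(targets))
        if peak >= threshold:
            findings[src] = {
                "peak_targets_in_window": peak,
                "connected": sorted({f["dst"] for f in evs if f["state"] == "open"}),
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_ssh_sweeps(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: swept {info['peak_targets_in_window']} hosts on port 22; "
              f"reached {', '.join(info['connected'])}")
```

The second source, 10.8.0.50, opens two SSH sessions half an hour apart and is not flagged at the default window; widening the window or lowering the threshold trades that quiet for false positives from legitimate administrators, so tune both against a baseline of normal VPN-to-server traffic.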

Tuesday, actually. That's what happens when you lose a night of sleep.
On Fri, Apr 28, 2023, 7:51 PM Eric Bennick ebennick@weber.edu wrote:

Seems like the same technique we saw.
Dustin
From: USHE-ISO ushe-iso-bounces@lists.dixie.edu on behalf of Eric Bennick via USHE-ISO ushe-iso@lists.dixie.edu Sent: Friday, April 28, 2023 7:57:52 PM To: ushe-iso@lists.dixie.edu Subject: Re: [USHE-ISO] Compromised account activity

Shoot, I forgot one important IOC. Look for troll comments dropped in cmd.exe. The hacker left us this lovely "lol" statement.
On Fri, Apr 28, 2023, 8:09 PM Dustin Udy d.udy@utah.edu wrote:

I've got a bunch of good IOCs, I'll send you a list. This account was almost certainly compromised through a phish containing a fake MS login page. The page is designed to validate the credentials through Exchange. I can spot phished accounts in our logs because an MS Exchange client authenticates to Gmail. Normal user authentications use SAML. I'll include screenshots.
On Fri, Apr 28, 2023, 8:09 PM Dustin Udy d.udy@utah.edu wrote:
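
The tell described in the message above (an Exchange-style client presenting a raw password to Gmail, in an environment where every legitimate sign-in arrives via SAML) is straightforward to turn into a log check. The following Python is an added example, not code from this thread or from any institution on it; the log line layout, the field names `login_type` and `client`, and the sample lines are all constructed for illustration.

```python
import shlex
from collections import defaultdict

# Constructed sample login-audit lines (not real data). The layout is an
# assumption: ISO timestamp, outcome, then key=value pairs. `login_type` says
# how the credential was presented (saml vs. a raw google_password) and
# `client` names the application that presented it.
SAMPLE_LOGIN_LINES = """\
2023-04-25T08:02:11Z login_success user=alice@example.edu login_type=saml client="Google Chrome" ip=203.0.113.10
2023-04-25T11:46:40Z login_failure user=bob@example.edu login_type=google_password client="Microsoft Exchange" ip=198.51.100.77
2023-04-25T11:47:03Z login_success user=bob@example.edu login_type=google_password client="Microsoft Exchange" ip=198.51.100.77
2023-04-25T11:47:30Z login_success user=bob@example.edu login_type=saml client="Google Chrome" ip=203.0.113.42
2023-04-26T03:12:59Z login_success user=carol@example.edu login_type=google_password client="Microsoft Exchange" ip=198.51.100.77
2023-04-26T09:00:00Z login_success user=dave@example.edu login_type=saml client="Microsoft Outlook" ip=203.0.113.55
"""

# In this environment every human sign-in is expected to come through SAML.
SSO_LOGIN_TYPES = {"saml"}


def parse_line(line):
    """Parse one line into a dict; shlex keeps quoted client names intact."""
    ts, outcome, *pairs = shlex.split(line)
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"], event["outcome"] = ts, outcome
    return event


def parse_lines(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_non_sso_logins(events, sso_types=SSO_LOGIN_TYPES):
    """Successful logins that bypassed SSO, grouped by user.

    A password accepted outside the SAML path means something other than the
    user's browser holds the real credential: the phishing page (or the kit
    behind it) validating what the victim typed.
    """
    hits = defaultdict(list)
    for e in events:
        if e["outcome"] == "login_success" and e["login_type"] not in sso_types:
            hits[e["user"]].append(e)
    return dict(hits)


def shared_source_ips(hits):
    """Source IPs seen across more than one flagged account: one kit, many victims."""
    by_ip = defaultdict(set)
    for user, evs in hits.items():
        for e in evs:
            by_ip[e["ip"]].add(user)
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    hits = find_non_sso_logins(parse_lines(SAMPLE_LOGIN_LINES))
    for user, evs in sorted(hits.items()):
        for e in evs:
            print(f"{e['ts']} {user}: {e['login_type']} via {e['client']} from {e['ip']}")
    print("shared source IPs:", shared_source_ips(hits))
```

Note that the discriminator is the credential path, not the client name: the SAML sign-in from an Outlook client is not flagged, while the password sign-ins from the Exchange client are. The failed attempt is deliberately ignored here; a second query over failures from the same source IPs is a cheap way to find victims whose typed password happened to be wrong.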

We are seeing spikes of phishing and compromised accounts as well. Appreciate all the IOCs. It's frustrating so many users are giving away MFA codes.
Thanks, Jon
From: USHE-ISO ushe-iso-bounces@lists.dixie.edu on behalf of Eric Bennick via USHE-ISO ushe-iso@lists.dixie.edu Sent: Friday, April 28, 2023 8:39:14 PM To: Dustin Udy d.udy@utah.edu Cc: ushe-iso@lists.dixie.edu Subject: Re: [USHE-ISO] Compromised account activity

Good Evening,
Thank you! Very much appreciated. Happily, all the ones they queried your DNS about for USU are either 3rd party hosted or not listening on standard SSH ports. I do know we had very similar behavior happen with a student account earlier this week too. I'll see what I can find out about that and pass along anything that might help as well.
Thanks!
Blake
From: USHE-ISO ushe-iso-bounces@lists.dixie.edu On Behalf Of Jon Barclay via USHE-ISO Sent: Friday, April 28, 2023 8:42 PM To: Eric Bennick ebennick@weber.edu; Dustin Udy d.udy@utah.edu Cc: ushe-iso@lists.dixie.edu Subject: Re: [USHE-ISO] Compromised account activity

Eric,
Did you send the list of IOC's and I missed it?
Dustin

I didn't send it yet. We actually had a second account break into the VPN on Saturday. This one somehow was able to add their own device to a faculty account and could accept their own pushes. They dropped some files on a virtual machine and did some more scanning. I'm trying to compare the two to see if it's the same group. I'll send you the list of what I've got soon.
On Mon, May 1, 2023 at 10:37 AM Dustin Udy d.udy@utah.edu wrote:

Yikes. Best of luck.
Sounds very similar to ours.
From: Eric Bennick ebennick@weber.edu Sent: Monday, May 1, 2023, 10:44 AM To: Dustin Udy d.udy@utah.edu Cc: ushe-iso@lists.dixie.edu; Jesse Adams Jesse.Adams@utah.edu Subject: Re: [USHE-ISO] Compromised account activity

Here's the info I have put together on IOCs. The sheet also contains a link to a gdrive share containing an archive of the file drops and a screenshot. I've got more stuff to go through; if I find anything else interesting I'll add it to the list. I bolded stuff I thought might be the most useful. Based on the files captured, it appears that hackers in both instances set up tunnels with lots of random traffic coming through, possibly for reselling bandwidth. The hacker we booted from the network on Saturday was setting up a new mail server when they got kicked, probably for perpetuating more phishing attacks. The folder called node-m in the attached archive has their mail server configuration and scripts. Nothing in the archive came back with a positive detection, but still be careful! I tried to redact all the user data, but I'm not 100% sure I got all of it so please treat the information as confidential.
If you have any questions please let me know!
Eric B.
On Mon, May 1, 2023 at 12:13 PM Dustin Udy d.udy@utah.edu wrote:

I wanted to follow up with one last important IOC I've discovered after digging into the logs of compromised accounts. In our cases, the hackers have been enabling the "allow less secure apps" feature in Gmail. If they manage to stand up an internal mail server, they use the password for insecure apps to connect their mail server to the Gmail SMTP relay. This allows them to maintain the connection even if all sessions are revoked and the primary password is changed, due to the less secure app passwords never expiring and not updating even if the primary account password is changed.
On Tue, May 2, 2023, 6:53 PM Eric Bennick ebennick@weber.edu wrote:
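
The persistence described in the last message, an app password tied to the "allow less secure apps" setting that survives both a primary-password reset and a session revoke, is worth checking for explicitly during containment rather than assuming the reset covered it. The following Python is an added example (not code from this thread or from any institution on it) that does that over constructed data: a per-user export of the less-secure-apps setting and an audit trail of app-password, toggle and password-reset events. The record shapes, event names and sample accounts are assumptions; a real tenant exports these in its own format.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample inputs (not real data); both shapes are assumptions.
# 1. Current value of the "allow less secure apps" setting per user.
SAMPLE_LSA_SETTINGS = {
    "alice@example.edu": False,
    "bob@example.edu": True,
    "carol@example.edu": True,
    "dave@example.edu": True,
}

# 2. Audit events covering app passwords, the LSA toggle and primary-password
#    resets. bob is the compromised account: LSA switched on, an app password
#    minted, then the usual containment (reset + revoke) three days later.
SAMPLE_AUDIT_EVENTS = [
    {"ts": "2023-02-01T09:00:00Z", "user": "alice@example.edu", "event": "app_password_created", "name": "phone"},
    {"ts": "2023-02-15T09:00:00Z", "user": "alice@example.edu", "event": "app_password_revoked", "name": "phone"},
    {"ts": "2023-01-10T09:00:00Z", "user": "carol@example.edu", "event": "app_password_created", "name": "old printer"},
    {"ts": "2023-04-25T11:50:00Z", "user": "bob@example.edu", "event": "lsa_enabled"},
    {"ts": "2023-04-25T11:52:00Z", "user": "bob@example.edu", "event": "app_password_created", "name": "mailserver"},
    {"ts": "2023-04-26T03:20:00Z", "user": "dave@example.edu", "event": "lsa_enabled"},
    {"ts": "2023-04-28T19:30:00Z", "user": "bob@example.edu", "event": "primary_password_changed"},
    {"ts": "2023-04-28T19:31:00Z", "user": "bob@example.edu", "event": "sessions_revoked"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def outstanding_app_passwords(events):
    """user -> set of app-password names that were created and never revoked."""
    live = defaultdict(set)
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if e["event"] == "app_password_created":
            live[e["user"]].add(e["name"])
        elif e["event"] == "app_password_revoked":
            live[e["user"]].discard(e["name"])
    return {u: names for u, names in live.items() if names}


def lsa_enabled_since(events, since):
    """Users whose less-secure-apps setting was switched on at or after `since`."""
    cutoff = parse_ts(since)
    return sorted({e["user"] for e in events
                   if e["event"] == "lsa_enabled" and parse_ts(e["ts"]) >= cutoff})


def residual_access(lsa_settings, events):
    """Per account, what still grants mailbox access after the usual containment.

    A primary-password change and a session revoke leave every app password
    valid, so the remaining actions are listed regardless of whether the
    primary password was already rotated.
    """
    live = outstanding_app_passwords(events)
    rotated = {e["user"] for e in events if e["event"] == "primary_password_changed"}
    candidates = set(live) | {u for u, on in lsa_settings.items() if on}
    findings = []
    for user in sorted(candidates):
        names = sorted(live.get(user, ()))
        actions = []
        if names:
            actions.append("revoke app passwords: " + ", ".join(names))
        if lsa_settings.get(user, False):
            actions.append("disable less secure apps")
        findings.append({"user": user, "app_passwords": names,
                         "lsa_enabled": lsa_settings.get(user, False),
                         "primary_rotated": user in rotated, "actions": actions})
    return findings


if __name__ == "__main__":
    print("LSA switched on since 24 Apr:",
          lsa_enabled_since(SAMPLE_AUDIT_EVENTS, "2023-04-24T00:00:00Z"))
    for f in residual_access(SAMPLE_LSA_SETTINGS, SAMPLE_AUDIT_EVENTS):
        print(f"{f['user']} (primary rotated: {f['primary_rotated']}): "
              + "; ".join(f["actions"]))
```

In the sample, bob still shows an outstanding app password after the reset and revoke, which is exactly the gap the message describes; carol's old printer password is a legitimate-looking leftover that the same sweep surfaces, and dave is a second account where the toggle was flipped inside the incident window without an app password being minted yet.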
Participants (4): Blake Rich, Dustin Udy, Eric Bennick, Jon Barclay