Wow. If SANS can’t keep their systems secure, what hope do the rest of us have? Looks like somebody sent a malicious Office 365 add-in to a SANS emplo
[See the full post at: SANS Institute security breach]
SANS Institute security breach
This topic has 7 replies, 6 voices, and was last updated 4 years, 10 months ago.
Tags: SANS Institute breach
Nibbled To Death By Ducks
AskWoody Plus, August 11, 2020 at 7:05 pm, #2288037

Wow. If SANS can’t keep their systems secure, what hope do the rest of us have?
Truly, it lends another meaning to the maxim, “Quis custodiet ipsos custodes?” (Who will guard the guardians?)
I think I just heard another pillar of civilization hit the ground…
What a way to start the week…
- Security issues and CVE’s galore
- Our state just reported Covid under counts due to a “system glitch”
- The State Public Health Officer just resigned
- In our county, all servers dealing with Social Services seem to be down.
Helmets and armor on, all, it’s gonna be a bumpy week.
Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty-

Paul T
AskWoody MVP, August 12, 2020 at 3:32 am, #2288090

We had a discussion about this recently.
https://www.askwoody.com/forums/topic/forwarding-exchange-emails-to-a-private-email-account/

cheers, Paul

dmt_3904
AskWoody Lounger, August 12, 2020 at 7:56 am, #2288127

> If SANS can’t keep their systems secure, what hope do the rest of us have?

I am thinking just this thought! It’s so scary. I consider myself better than average when it comes to security and I think I am very careful. But I make mistakes, of course, and big ones! It is hard to remain constantly, consistently vigilant!! E.g. I might, could fall for something like this, as described in Bleeping Computer, where it appears that MS is asking for permission; see the graphic below this sentence in the article:

> SANS has not provided much information about this add-on, but it is likely an Office 365 OAuth app used to gain persistence to the email account.

Sometimes I am quick to click, without thinking. How are we to best protect ourselves? Just don’t click, ever? Never ever click a link in an email? Guard against malicious websites. Run antivirus. What else can we/should we be doing? I run Windows Defender & Malwarebytes Premium on Windows. I only go to known websites. I try to do all web browsing on iOS and I check links on VirusTotal before clicking. But, really, how can we protect ourselves? What other advice do you all have?
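The Bleeping Computer line quoted above says the add-on was most likely an Office 365 OAuth app. The consent dialog such an app produces is the genuine Microsoft sign-in page; what the attacker controls is the app name and publisher shown in it, while the permissions it will receive are fixed by the `scope` parameter of the link that opened the dialog. The script below is an added example (not code from this thread, from SANS or from Bleeping Computer) that reads that link before anyone clicks "Accept" and says which scopes would give the app lasting access to the mailbox. Both sample links, the client_id and the `example.invalid` redirect host are constructed for the example.

```python
"""Read a Microsoft consent link before clicking "Accept".

Added example; not from the forum thread. Parses a Microsoft identity
platform (v2) authorize URL and reports the app id, the requested Graph
scopes, and whether the combination amounts to standing mailbox access.
"""
from urllib.parse import urlparse, parse_qs

# Real Microsoft Graph delegated permission names and what granting them means.
# offline_access is the one that turns a single sign-in into persistence: it
# issues a refresh token that outlives the browser session.
PERSISTENCE_SCOPES = {
    "offline_access": "refresh token: the app keeps access after the browser is closed",
    "Mail.Read": "read every message in the mailbox",
    "Mail.ReadWrite": "read, create and delete messages",
    "Mail.Send": "send mail as the user",
    "MailboxSettings.ReadWrite": "change mailbox settings, including inbox rules",
    "Contacts.Read": "read the address book",
    "Files.Read.All": "read all files the user can reach",
    "Files.ReadWrite.All": "read and write all files the user can reach",
}
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}


def describe_consent_link(url: str) -> dict:
    """Break a consent link into the facts the dialog does not make obvious."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    host = (parts.hostname or "").lower()

    # `scope` is space-separated; entries may carry the resource URI as a prefix
    # (https://graph.microsoft.com/Mail.Read), so keep only the last segment.
    scopes = []
    for raw in query.get("scope", []):
        scopes.extend(s.rsplit("/", 1)[-1] for s in raw.split())

    redirect = query.get("redirect_uri", [""])[0]
    flagged = {s: PERSISTENCE_SCOPES[s] for s in scopes if s in PERSISTENCE_SCOPES}
    standing_mail = "offline_access" in scopes and bool(MAIL_SCOPES & set(scopes))

    return {
        "is_microsoft_login": host in MS_LOGIN_HOSTS,
        "client_id": query.get("client_id", [""])[0],
        "redirect_host": (urlparse(redirect).hostname or "").lower(),
        "scopes": scopes,
        "persistence_scopes": flagged,
        "grants_standing_mail_access": standing_mail,
    }


def consent_advice(url: str) -> str:
    """One-line verdict; the default answer, as in the thread, is no."""
    r = describe_consent_link(url)
    if not r["is_microsoft_login"]:
        return "DECLINE: not a Microsoft sign-in host, so this is not even a real consent prompt"
    if r["grants_standing_mail_access"]:
        return ("DECLINE unless you started this: app %s would keep reading mail after the "
                "browser is closed (%s); tokens are delivered to %s"
                % (r["client_id"], ", ".join(r["persistence_scopes"]), r["redirect_host"]))
    if r["persistence_scopes"]:
        return "CAUTION: asks for %s" % ", ".join(r["persistence_scopes"])
    return "Low-risk scopes only (%s); still decline if you did not initiate it" % ", ".join(r["scopes"])


# Constructed samples (made-up client_id, reserved .invalid redirect host), not real apps.
PHISHING_STYLE_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&scope=openid+profile+offline_access"
    "+https%3A%2F%2Fgraph.microsoft.com%2FMail.Read"
    "+https%3A%2F%2Fgraph.microsoft.com%2FMailboxSettings.ReadWrite"
)
ORDINARY_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&scope=openid+profile+User.Read"
)

if __name__ == "__main__":
    for link in (PHISHING_STYLE_LINK, ORDINARY_LINK):
        print(consent_advice(link))
```

The app name in the dialog is whatever the registrant typed; the scope list is what the app will actually be able to do. `offline_access` together with any Mail scope is the combination that keeps working after the password is changed, until the grant is revoked, which is the "persistence" the quote refers to. The same check applies on the tenant side: an administrator can list existing grants and restrict user consent to verified publishers rather than relying on each user to read the dialog.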

Ascaris
AskWoody MVP, August 12, 2020 at 6:01 pm, #2288239

> Sometimes I am quick to click, without thinking. How are we to best protect ourselves? Just don’t click, ever?
It can be hard, but you have to try to not click without thinking. If you see a permission dialog or warning message, stop to think what it is that is asking for permission, what it is asking for permission to do, and if that is reasonable given what you are doing. I haven’t seen this particular thing, as I’ve never used Office 365, but I have seen web pages that claim to have a “great” Firefox addon, and they exhorted me to accept the installation when the permission dialog came up.
I hadn’t asked to download an addon, and the site had not redirected me to the Mozilla addon site to serve up the addon, so there’s no way I would find that reasonable. If in doubt, don’t allow it.
The sample authorization dialog on Bleeping Computer would trigger the same kind of questions. Did I initiate some kind of action that would trigger this? Who is the party listed, and why do they want access to my files? If you have not initiated some kind of connection to your Office account, meaning that a dialog like this was expected, decline it. It’s similar to receiving a file from an unknown source… if you receive an authentication dialog from an unknown source, treat it the same way. If you were not expecting it, don’t accept it.
I don’t know what others use for email, but I use Thunderbird, and when I mouse over a link in an email, I can see in the status bar where the link is actually pointing. It’s a trick of scammers and other miscreants to put a link whose text is something like http://www.google.com, but the link itself actually points to something like 85.fdfrgr.net, or something equally not google.com-ish. I always look at a link’s target before clicking.
Unfortunately, not even seeing a recognized sender in the From: field means that everything contained in the email is safe, even if the person listed is trusted. I’ve received emails from previously trusted individuals that seemed suspicious… links to sites I had never heard of just suddenly arriving, without any context, or file attachments in the same way. The last one I received was an office document with a macro in it, which immediately made me highly suspicious. I don’t have Office, but I suspected strongly that the person whose computer sent that attachment does, and that they had themselves run the Office macro and become infected. It must have read the person’s address book and sent more copies of itself to everyone in there.
I sent them an email advising them that they were likely infected with an Office macro malware, and that they should take action accordingly to remove it and prevent it from trying to spread itself further. I never got a reply, but I also did not get any more malware from them.
Just think of NO as your default answer for anything asking for permission to do anything on your PC. If it has to ask, it should be either something you were expecting to ask for permission, or else the answer is NO. It can be easy to develop a habit of saying YES, and I fell victim to that once myself, despite my efforts to maintain the right mindset. I had a host intrusion prevention system (HIPS) installed as part of my firewall and antimalware suite, and I had it set to alert on every little thing that could be malware. Anything that was normal given what I was doing could be remembered in that context so that it would not ask next time, but each program had its own permissions, so that a slight change would result in the same alerts as last time. I made an effort to diligently read each alert and think about it rather than just accepting without thinking, and for years the only alerts were normal things.
One day, though, I went to what should have been an innocuous web site, but it had some strange cryptic text about drug use, and immediately my HIPS alerted. The force of habit engaged, and I automatically hit “accept,” even though part of my mind was yelling, “Stop! Stop!”
As soon as I accepted it, I knew I’d messed up. I’d actually known before that, but I was powerless to stop the habit, rolling on its way like a boulder rolling down a mountain.
I immediately hit the tray icon to stop all traffic, then unplugged the ethernet cable from the back of the PC (no wireless on that one). The malware had not gotten far after my first “accept,” as even the simplest thing often triggered a series of prompts for each thing it was doing in succession. The second prompt was already there before I even managed to turn off the net traffic, and that one was triggered by the malware trying to set a registry entry, presumably to autorun itself at boot time. I hit “block and terminate,” and it terminated the malware process.
I found the malware by looking in the HIPS logs, and I zipped it with a password and emailed it to several security companies according to their procedures. One emailed back a day or two later and said it was a previously unknown malware and that it was added to their detection database. It had managed to get into my system via the Java plugin (not JavaScript), a plugin known today for being a security risk (at least as bad as Flash, maybe more). It’s also largely obsolete now, but back then, most people used Java, and most people who ran XP did it with admin privileges, as I did. Fortunately my HIPS did its job, even though I could have performed better. At least it alerted me that something was going on.
I would have thought that I would have answered correctly when the time came, but I didn’t. Still, the habit of inspecting things and thinking about what I was doing did stick… even as I acted by force of habit, the conscious part of my mind was analyzing and came to the correct conclusion that this was probably actual malware and not a false alarm. I’d probably been robotically hitting Accept and concluding (rationally) that whatever it was that I’d accepted was okay after the fact for some time, but not really been aware the timing was off. This just happened to be the first time the habit and the analysis that happened afterward disagreed.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
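The status-bar check described in the post above (compare the text a link shows with the host its href really points to) can be done for every link in a message at once. The script below is an added example, not code from the post; it uses only the Python standard library. The HTML message it scans is constructed for the example: the `85.fdfrgr.net` host is the one the post uses as its illustration, `203.0.113.7` is a reserved documentation address, and the `.test` hosts are reserved names.

```python
"""Flag e-mail links whose visible text points somewhere other than the href.

Added example; not from the forum thread. Collects every <a> in an HTML
message body and reports links where the text claims one site but the href
targets another, plus raw-IP and javascript:/data: targets.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a host name inside the link text, e.g. "www.google.com".
HOST_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable(host: str) -> str:
    """Crude 'site' of a host: its last two labels. Good enough for example.com,
    wrong for co.uk-style suffixes; a real tool would use the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Gather (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body: str) -> list:
    """Return (href, text, reason) for links a reader should not click blindly."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if not href:
            continue  # named anchor, nothing to click through to
        target = urlparse(href)
        target_host = (target.hostname or "").lower()
        if target.scheme in ("javascript", "data"):
            findings.append((href, text, "script or data URL used as a mail link"))
            continue
        # The post's case: text says google.com, href goes to 85.fdfrgr.net.
        # Comparing registrable parts also catches google.com.evil.test tricks.
        m = HOST_RE.search(text)
        if m and registrable(m.group(1)) != registrable(target_host):
            findings.append((href, text, "text says %s, link goes to %s"
                             % (registrable(m.group(1)), target_host)))
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", target_host):
            findings.append((href, text, "link goes to a raw IP address"))
    return findings


# Constructed sample message; hosts are the post's example, reserved ranges or .test names.
SAMPLE_MAIL = """<html><body>
<p>Your mailbox is almost full. Review it at
<a href="http://85.fdfrgr.net/owa/">http://www.google.com</a>.</p>
<p><a href="https://accounts.example.com/login">accounts.example.com</a></p>
<p>Or use the <a href="https://example.com.mail-check.test/x">example.com portal</a>.</p>
<p><a href="http://203.0.113.7/dl">Download the invoice</a></p>
<p>Read our <a href="https://example.com/policy">privacy policy</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_MAIL):
        print("%-45s %-25s %s" % (href, text, reason))
```

Links whose text is a plain phrase ("privacy policy") carry no claim to compare against, so they are left alone; the point of the check is the contradiction between what the link says and where it goes, which is exactly what the hover-in-the-status-bar habit reveals one link at a time.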