Dutch university hit by cyber attack on its Windows systems
maastrichtuniversity.nl
It's interesting how the language around these incidents has shifted to give the impression that cybercommandos have stormed into cyberspace with their cyber assault rifles, when in reality the chances are very high that some university administrator probably downloaded a shady program from a porn site.
> chances are very high that some university administrator probably downloaded a shady program from a porn site.
Nah, in reality someone probably clicked a link in a malicious email that launched a backdoor on their computer. The likelihood of that approaches 100% on untrained users. And, as this is a university environment, that user likely had local admin.
You only need 1 successful click to breach the good ol' "secure internal network" after which all bets are off - few companies sufficiently secure their networks from "internal" attackers.
On a traditional Windows network, credential hygiene practices are woeful and Domain Admin (admin access to every single domain-joined device on the network) level credentials are lying around everywhere and once those are compromised, every single domain-joined device on the network can be compromised.
I've seen this all happen in the span of 10 minutes - a remote user with VPN gets compromised, the attacker connects to the corporate network through them, gets Domain Admin and spreads malware through Active Directory to every single device on the network - X thousand workstations, Y hundred servers etc.
There's no actual vulnerability to remediate - you just have to "administrate properly" to prevent this. (https://aka.ms/spa)
>Nah, in reality someone probably clicked a link in a malicious email that launched a backdoor on their computer. The likelihood of that approaches 100% on untrained users.
In 2019 this is actually very unlikely. Driveby exploits have been pretty rare for years now.
It's still one of the top methods.
See for example Symantec's report [1] with lots of data.
[1] https://www.symantec.com/content/dam/symantec/docs/reports/i...
I'm sorry, I can't seem to find any references to driveby exploits in that report. I see many mentions of malicious office documents with downloader macros and similar attacks that certainly happen regularly today.
I do not see any mentions of attacks fitting the driveby pattern you described earlier. I am aware such targeted attacks do exist, but they're extremely rare these days compared to a few years back.
Almost all attacks today rely on social engineering to trick the victim into handing out their credentials or opening a malicious file, not a link.
I literally just got a call about someone being hit. The avenues used to penetrate are email spam and RDP.
When was the last time you saw email spam linking to a browser driveby exploit?
Exploit Office docs are less rare.
They're less rare because they've almost completely replaced the attacks I described as "very unlikely".
In 2019 it's extremely rare that anyone gets owned just by clicking a link, we've moved very far from that.
All of this shit comes through phishing emails with Office docs containing malicious macros or links. Literally 99% of it. All of these stories should say "Sysadmins ignored best practices of disabling unapproved macros, allowing malware to gain a foothold, dump privileged credentials on the system, and move laterally through the environment with ease"
It's a university, so more likely "Sysadmins implemented best practices of disabling unapproved macros, but due to an extreme number of complaints from academic staff that all their research would be ruined, had to disable it again."
So you allow it for those folks and block it for the rest, there will always be edge cases but you need to reduce risk and attack surface. So hopefully they have those academic staff members on record as accepting the risk.
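A login-script sketch of the "block macros for everyone except the recorded exceptions" approach in the comment above. This is an added example, not code from the thread; it assumes Office 2016/2019/365 (registry version 16.0), and the exempt account names are constructed placeholders.

```powershell
# Added example: enforce Office macro policy per user, lifting only the blanket ban
# for accounts the security team has on record as having accepted the risk.
# Account names below are constructed placeholders, not real users.
$ExemptUsers = @('CONTOSO\researcher01', 'CONTOSO\researcher02')
$OfficeApps  = @('Word', 'Excel', 'PowerPoint', 'Access', 'Visio', 'Publisher')

function Get-MacroPolicyState {
    # Audit: report the effective policy values per application so gaps are visible.
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App               = $app
            VbaWarnings       = $p.vbawarnings                        # 4 = disable all, no notification
            BlockFromInternet = $p.blockcontentexecutionfrominternet  # 1 = block Mark-of-the-Web content
        }
    }
}

function Set-MacroPolicy {
    param([switch]$Exempt)
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        if ($Exempt) {
            # Exempted staff may still run macros, but only digitally signed ones (3).
            Set-ItemProperty -Path $key -Name vbawarnings -Value 3 -Type DWord
        } else {
            # Everyone else: all macros disabled without the option to enable them (4).
            Set-ItemProperty -Path $key -Name vbawarnings -Value 4 -Type DWord
        }
        # Documents downloaded from the Internet carry a Mark-of-the-Web; block their macros for all users.
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Set-MacroPolicy -Exempt:($ExemptUsers -contains $me)
Get-MacroPolicyState | Format-Table -AutoSize
```

Because these keys live under HKCU, a user with local admin (as the thread notes is common at universities) can undo them, so this only mirrors what a Group Policy Object with security filtering on the exempt group enforces; the GPO is the actual control.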
>So hopefully they have those academic staff members on record as accepting the risk.
Then what? Use them as the scapegoat when the network does get compromised? Feels like the exact opposite of blameless postmortems.
Jason from Defcon had an interesting quote about it...
"It's not an Advanced Persistent Threat, it's Basic Ass Threat, but you just want your cyberinsurance policy to pay out. Fuck off"
Why would you blow your zero days on something when you can just download stuff off GitHub that works?
Russia initially compromised the 2018 Olympics with publicly available malware off GitHub.
See: https://www.wired.com/story/untold-story-2018-olympics-destr...
Allegedly it's the CLOP ransomware.
"All DHCP servers, Exchange servers, domain controllers and network drives have been encrypted."
Source in Dutch: https://tweakers.net/nieuws/161538/deel-diensten-universitei...
Clop: https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee...
Uh so they don’t have up-to-date AV definitions? Sounds like McAfee was on it in August and Windows Defender has it no later than the 9th of December [1].
[1] I’d expect it to be earlier than that, but this article date is the only thing I’ve found: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclo...
Central point of control (domain), central point of infection.
As someone else said, many networks are crunchy on the outside, chewy on the inside.
We need a new model, that makes lateral movement much harder. There's no reason to allow an infected domain controller to infect the whole network, but I don't know what the solution looks like which still allows centralized control.
Are there any documented reports of Linux/Unix systems ever being hit by ransomware? Or files on NAS appliances (NetApp, Isilon, etc) being encrypted in a way that is unrecoverable (especially since snapshots can be scheduled regularly)?
Certainly you can steal data from non-Windows systems, so exfiltration attacks are similar on both, but AFAICT, these "we've got your data" style attacks are unique to Windows. If an IT (desktop/laptop) environment was more Mac-heavy, would these be an issue either?
I had a linux system hit with a virus early 2000s. I had more confidence than linux skills back then and made some colossal blunders to make it happen. But whatever you use as your daily machine, it isn't immune. It's a smaller target, but there is still malware out there for Linux. One of the first widespread computer worms was Unix based[1].
[1] https://en.wikipedia.org/wiki/Morris_worm
PS Edit: Many routers are linux/unix based so it is a much bigger target than a lot of people on this thread are making out. If you have control of a company's routers you are in position to do a lot of damage.
Basically 99.99% of companies and governments use Windows, so it's unlikely to see this happening.
What orifice did you pull that stat from?
There was (recently) some ransomware for (unpatched, IIRC) Synology devices.
Ten years ago or so, our NMR spectrometer was held ransom. OK, it was a completely out-of-date Solaris, not Linux, but if you don't use Windows you are not immune.
Linux systems are less targeted because they're less commonly used, their userbase on average knows more about technology and they're inherently more secure.
Ha! This got a good chuckle out of me. Check again; this happens more often than you would think in the web hosting business, especially the small to medium business segment. "It's just a website how hard could it be?"
If I had a nickel for every RHEL 5 (yes, 5!) box still running after we begged customers to please, please move to something actually receiving patches...
In theory ransomware shouldn't have as large of an impact, but in practice backups are not a magical wand of "restore website and lose 0 transactions" either. That's assuming the backups are actually configured to grab the correct data, and haven't been silently failing for months...
I meant for people using it as their daily driver operating system (not servers).
Most linux enthusiasts know a bit more/are interested in technology so they would be likely to engage in better security practices than a typical "home user" using Windows. In addition features like package managers and actually functioning permissions systems help as well (how long has Windows had public UAC bypasses?)
Of course you're correct and most servers run linux and get hacked every millisecond otherwise though because they don't keep them updated.
>inherently more secure
What now?
Big list of ransomware or possible ransomware attacks in 2019 at:
https://techtalk.pcmatic.com/2019/01/09/ransomware-attacks-2...
I think the date should be December 2019 (not January), judging from the list of incidents by month.
One I know of, against Regis University in Colorado, occurred in late August (first reports from August 22).
https://www.regisupdates.com/regis-quick-updates/test-post
It's mainly a Windows shop. Lots of disruptions for weeks (I teach there part-time, but was not teaching that term). By November(!) things were pretty much back to normal:
https://www.regisupdates.com/regis-quick-updates/its-updates...
According to an insider, Tweakers [0] is reporting that it is a ransomware attack and many devices have been encrypted.
[0] https://tweakers.net/nieuws/161538/deel-diensten-universitei...
Interesting to read: the University in Gießen (Germany) has been down for weeks with similar issues. https://www.uni-giessen.de/index.html (English version below). They use Instagram and Facebook to organize 38.000 people and distribute passwords offline: https://www.instagram.com/jlu.giessen/?hl=en
- https://www.denbi.de/news/763-shut-down-of-de-nbi-services-h...
- https://www.instagram.com/jlu.giessen/?hl=en
There really isn't more information about this than the above so we don't know.
Here are a few Dutch sources at the bottom you can throw through a translation service: "nearly all Windows computers were hacked", "we don't know if this was criminal and if the perpetrator(s) demand money".
Noteworthy quote on the storage of scientific data: "We are researching if the attackers could access that. Our expectation is that this is very difficult."
https://nos.nl/artikel/2316120-cyberaanval-op-computers-van-...
https://www.1limburg.nl/groot-cyberhack-bij-um-criminele-aan...
Is this similar to what happened this month in Germany? https://www.zdnet.com/article/more-than-38000-people-will-st...
Huh that note reads like something generated by this: https://whythefuckwasibreached.com/
Remote browser isolation protects against this sort of thing.