It's interesting how the language around these incidents has shifted to give the impression that cybercommandos have stormed into cyberspace with their cyber assault rifles, when in reality the chances are very high that some university administrator probably downloaded a shady program from a porn site.
> chances are very high that some university administrator probably downloaded a shady program from a porn site.
Nah, in reality someone probably clicked a link in a malicious email that launched a backdoor on their computer. The likelihood of that approaches 100% on untrained users. And, as this is a university environment, that user likely had local admin.
You only need 1 successful click to breach the good ol' "secure internal network" after which all bets are off - few companies sufficiently secure their networks from "internal" attackers.
On a traditional Windows network, credential hygiene practices are woeful and Domain Admin (admin access to every single domain-joined device on the network) level credentials are lying around everywhere, and once those are compromised, every single domain-joined device on the network can be compromised.
I've seen this all happen in the span of 10 minutes - a remote user with VPN gets compromised, the attacker connects to the corporate network through them, gets Domain Admin and spreads malware through Active Directory to every single device on the network - X thousand workstations, Y hundred servers etc.
There's no actual vulnerability to remediate - you just have to "administrate properly" to prevent this. (https://aka.ms/spa)
All of this shit comes through phishing emails with Office docs containing malicious macros or links. Literally 99% of it. All of these stories should say "Sysadmins ignored best practices of disabling unapproved macros, allowing malware to gain a foothold, dump privileged credentials on the system, and move laterally through the environment with ease"
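A small audit script for the macro lockdown that comment is talking about, written as an added example (it is not from the thread or any project it mentions). It assumes an Office 2016/2019/365 install (policy hive 16.0) and reads the per-user policy values that the Group Policy settings "VBA Macro Notification Settings" and "Block macros from running in Office files from the Internet" write, then reports whether each app still lets a phished document run its macros:

```powershell
# Added example: audit Office macro policy for the current user.
# Assumes the 16.0 policy hive and HKCU policy keys (run as the user being checked).
$apps = 'Word', 'Excel', 'PowerPoint'
$officeVersion = '16.0'

# VBAWarnings DWORD values written by "VBA Macro Notification Settings":
#   1 = enable all macros (weak)
#   2 = disable with notification (user can still click "Enable Content")
#   3 = disable all except digitally signed
#   4 = disable all without notification
$vbaMeaning = @{
    1 = 'Enable all macros (WEAK)'
    2 = 'Disable with notification (user can still enable)'
    3 = 'Disable all except digitally signed'
    4 = 'Disable all without notification'
}

function Get-MacroPosture {
    param([string]$App)
    $key  = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security"
    $vba  = $null
    $motw = $null
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $vba   = $props.VBAWarnings
        # blockcontentexecutionfrominternet = 1 is what "Block macros from running
        # in Office files from the Internet" sets; it blocks Mark-of-the-Web files outright.
        $motw  = $props.blockcontentexecutionfrominternet
    }
    $vbaText  = if ($null -eq $vba)  { 'not set (no policy, user default applies)' } else { $vbaMeaning[[int]$vba] }
    $motwText = if ($null -eq $motw) { 'not set (no policy)' } else { [bool]$motw }
    # "Unapproved macros disabled" here means: signed-only or fully disabled,
    # AND documents that arrived from the Internet are blocked regardless.
    $compliant = ($vba -in 3, 4) -and ($motw -eq 1)
    [pscustomobject]@{
        App         = $App
        VBAWarnings = $vbaText
        BlockMotW   = $motwText
        Compliant   = $compliant
    }
}

$apps | ForEach-Object { Get-MacroPosture $_ } | Format-Table -AutoSize
```

Any row with Compliant = False is a machine where one click on "Enable Content" gives the attachment code execution; the fix is the GPO pair named above, not an AV signature.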
Uh so they don’t have up-to-date AV definitions? Sounds like McAfee was on it in August and Windows Defender has it no later than the 9th of December [1].
Central point of control (domain), central point of infection.
As someone else said, many networks are crunchy on the outside, chewy on the inside.
We need a new model that makes lateral movement much harder. There's no reason to allow an infected domain controller to infect the whole network, but I don't know what the solution looks like which still allows centralized control.
Are there any documented reports of Linux/Unix systems ever being hit by ransomware? Or files on NAS appliances (NetApp, Isilon, etc.) being encrypted in a way that is unrecoverable (especially since snapshots can be scheduled regularly)?
Certainly you can steal data from non-Windows systems, so exfiltration attacks are similar on both, but AFAICT, these "we've got your data" style attacks are unique to Windows. If an IT (desktop/laptop) environment was more Mac-heavy, would these be an issue either?
I had a Linux system hit with a virus in the early 2000s. I had more confidence than Linux skills back then and made some colossal blunders to make it happen. But whatever you use as your daily machine, it isn't immune. It's a smaller target, but there is still malware out there for Linux. One of the first widespread computer worms was Unix-based [1].
PS Edit: Many routers are Linux/Unix-based, so it is a much bigger target than a lot of people on this thread are making out. If you have control of a company's routers you are in a position to do a lot of damage.
Ten years ago or so, our NMR spectrometer was held ransom. OK, it was a completely out-of-date Solaris, not Linux, but if you don't use Windows you are not immune.
Linux systems are less targeted because they're less commonly used, their userbase on average knows more about technology and they're inherently more secure.
It's mainly a Windows shop. Lots of disruptions for weeks (I teach there part-time, but was not teaching that term). By November(!) things were pretty much back to normal:
There really isn't more information about this than the above so we don't know.
Here are a few Dutch sources at the bottom you can throw through a translation service: "nearly all Windows computers were hacked", "we don't know if this was criminal and if the perpetrator(s) demand money".
Noteworthy quote "We are researching if the attackers could access that. Our expectation is that this is very difficult." on the storage of scientific data.
chroem- | 6 years ago
noinsight | 6 years ago
iwantagrinder | 6 years ago
WrtCdEvrydy | 6 years ago
"It's not an Advanced Persistent Threat, it's Basic Ass Threat, but you just want your cyberinsurance policy to pay out. Fuck off"
DavideNL | 6 years ago
"All DHCP servers, Exchange servers, domain controllers and network drives have been encrypted."
Source in Dutch: https://tweakers.net/nieuws/161538/deel-diensten-universitei...
Clop: https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee...
taspeotis | 6 years ago
[1] I’d expect it to be earlier than that, but this article date is the only thing I’ve found: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclo...
kjhioyiurewr | 6 years ago
throw0101a | 6 years ago
daveguy | 6 years ago
[1] https://en.wikipedia.org/wiki/Morris_worm
rb808 | 6 years ago
jlgaddis | 6 years ago
HarryHirsch | 6 years ago
mmilgauss | 6 years ago
gshubert17 | 6 years ago
https://techtalk.pcmatic.com/2019/01/09/ransomware-attacks-2...
I think the date should be December 2019 (not January), judging from the list of incidents by month.
One I know of, against Regis University in Colorado, occurred in late August (first reports from August 22).
https://www.regisupdates.com/regis-quick-updates/test-post
https://www.regisupdates.com/regis-quick-updates/its-updates...
bathory | 6 years ago
[0] https://tweakers.net/nieuws/161538/deel-diensten-universitei...
neverhigh | 6 years ago
- https://www.denbi.de/news/763-shut-down-of-de-nbi-services-h...
- https://www.instagram.com/jlu.giessen/?hl=en
supakeen | 6 years ago
https://nos.nl/artikel/2316120-cyberaanval-op-computers-van-...
https://www.1limburg.nl/groot-cyberhack-bij-um-criminele-aan...
Twiebie | 6 years ago
ozim | 6 years ago
samsquire | 6 years ago
https://en.wikipedia.org/wiki/Browser_isolation
raverbashing | 6 years ago