
Re: Email based attack on University




On Thu, Oct 3, 2019, 1:00 AM Lee <ler762@gmail.com> wrote:
On 10/2/19, Henning Follmann <hfollmann@itcfollmann.com> wrote:
> On Wed, Oct 02, 2019 at 10:40:34AM +0100, Jeremy Nicoll wrote:
>> On Wed, 2 Oct 2019, at 10:03, Keith Bainbridge wrote:
>>
>> > Details are at
>> >
>> > https://www.abc.net.au/news/2019-10-02/anu-cyber-hack-how-personal-information-got-out/11550578
>> > https://www.abc.net.au/news/2019-10-02/the-sophisticated-anu-hack-that-compromised-private-details/11566540
>>
>> It seems to me that everything follows from whatever access the initial
>> 'unclicked email' malware gave to the hackers.
>>
>> But how can malware jump from an email that's not "clicked", into some
>> part of the university's systems?
>
> Well, somebody is not telling the truth.

With so much left out of the public report, lying hardly seems necessary.

Take a look at
  https://portal.msrc.microsoft.com/en-us/security-guidance
select severity: critical & remote code execution, security feature
bypass & information disclosure impacts.
Which security patches seem applicable here?

>> Unless... the email was being viewed via a webmail system running on a
>> server not owned by the university?

What if the email was being viewed via webmail using Windows Internet Explorer?

Regards,
Lee

+1 for this, as it makes lots of sense in this case: the code was executed in the browser, where it could easily reach the saved passwords. From there on it is just a matter of using those credentials to gain system access; nothing ever reached a disk to get executed there.
