by chroem- 2364 days ago
It's interesting how the language around these incidents has shifted to give the impression that cybercommandos have stormed into cyberspace with their cyber assault rifles, when in reality the chances are very high that some university administrator probably downloaded a shady program from a porn site.
3 comments

> chances are very high that some university administrator probably downloaded a shady program from a porn site.

Nah, in reality someone probably clicked a link in a malicious email that launched a backdoor on their computer. The likelihood of that approaches 100% on untrained users. And, as this is a university environment, that user likely had local admin.

You only need 1 successful click to breach the good ol' "secure internal network" after which all bets are off - few companies sufficiently secure their networks from "internal" attackers.

On a traditional Windows network, credential hygiene practices are woeful and Domain Admin (admin access to every single domain-joined device on the network) level credentials are lying around everywhere and once those are compromised, every single domain-joined device on the network can be compromised.

I've seen this all happen in the span of 10 minutes - a remote user with VPN gets compromised, the attacker connects to the corporate network through them, gets Domain Admin and spreads malware through Active Directory to every single device on the network - X thousand workstations, Y hundred servers etc.

There's no actual vulnerability to remediate - you just have to "administrate properly" to prevent this. (https://aka.ms/spa)
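The comment above describes standing Domain Admin credentials that get cached on every machine they log into. As an added example (not from this thread or from the Microsoft guidance it links), the following PowerShell audit enumerates the Tier-0 groups and flags members that are not in the "Protected Users" group, which blocks NTLM and cached credentials for its members, or that carry old passwords. It assumes the RSAT ActiveDirectory module is installed, the English default group names, and read access to the domain.

```powershell
# Added example, not from the thread: audit Tier-0 group membership for the
# credential-hygiene gaps described above. Assumes the ActiveDirectory
# module (RSAT) and English default group names.
Import-Module ActiveDirectory

$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Administrators'

# Members of "Protected Users" cannot authenticate with NTLM and do not get
# cached credentials, so a Domain Admin outside it is a standing risk.
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
             Select-Object -ExpandProperty SamAccountName

$report = foreach ($g in $tier0Groups) {
    Get-ADGroupMember -Identity $g -Recursive |
      Where-Object objectClass -eq 'user' |
      ForEach-Object {
        $u = Get-ADUser -Identity $_.DistinguishedName -Properties PasswordLastSet, LastLogonDate, Enabled
        [pscustomobject]@{
            Group            = $g
            Account          = $u.SamAccountName
            Enabled          = $u.Enabled
            InProtectedUsers = $protected -contains $u.SamAccountName
            PasswordAgeDays  = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
            LastLogon        = $u.LastLogonDate
        }
      }
}

# Accounts that are enabled, outside Protected Users, or with a password older
# than a year are the ones whose cached credentials give an attacker the
# "one click to Domain Admin" path described in the comment.
$report | Sort-Object Group, Account | Format-Table -AutoSize
```

Run it from a workstation with RSAT as a domain user; it only reads directory attributes. The point of the report is to shrink the list: every row should be a dedicated admin account that is in Protected Users and never used for day-to-day work on workstations.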

> Nah, in reality someone probably clicked a link in a malicious email that launched a backdoor on their computer. The likelihood of that approaches 100% on untrained users.

In 2019 this is actually very unlikely. Driveby exploits have been pretty rare for years now.

It's still one of the top methods.

See for example Symantec's report [1] with lots of data.

[1] https://www.symantec.com/content/dam/symantec/docs/reports/i...

I'm sorry, I can't seem to find any references to driveby exploits in that report. I see many mentions of malicious office documents with downloader macros and similar attacks that certainly happen regularly today.

I do not see any mentions of attacks fitting the driveby pattern you described earlier. I am aware such targeted attacks do exist, but they're extremely rare these days compared to a few years back.

Almost all attacks today rely on social engineering to trick the victim into handing out their credentials or opening a malicious file, not a link.

I literally just got a call about someone being hit. The avenues used to penetrate are email spam and RDP.

When was the last time you saw email spam linking to a browser driveby exploit?

Exploit Office docs are less rare.

They're less rare because they've almost completely replaced the attacks I described as "very unlikely".

In 2019 it's extremely rare that anyone gets owned just by clicking a link, we've moved very far from that.

All of this shit comes through phishing emails with Office docs containing malicious macros or links. Literally 99% of it. All of these stories should say "Sysadmins ignored best practices of disabling unapproved macros, allowing malware to gain a foothold, dump privileged credentials on the system, and move laterally through the environment with ease"

It's a university, so more likely "Sysadmins implemented best practices of disabling unapproved macros, but due to an extreme number of complaints from academic staff that all their research would be ruined, had to disable it again."

So you allow it for those folks and block it for the rest, there will always be edge cases but you need to reduce risk and attack surface. So hopefully they have those academic staff members on record as accepting the risk.
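The exchange above is about whether unapproved macros are actually blocked, and for whom. As an added example (not from the thread), this PowerShell snippet audits the Office macro policy that Group Policy writes under the current user's hive and reports whether it meets a baseline of "block unsigned macros and block macros in files downloaded from the Internet". It assumes Office 2016 or later (registry version 16.0) and the standard policy keys `VBAWarnings` and `blockcontentexecutionfrominternet`; run it as the user whose exception status you want to verify.

```powershell
# Added example, not from the thread: report the Office VBA macro policy in
# effect for the current user. Assumes Office 2016/2019/365 (version key 16.0)
# and GPO-delivered policy values under HKCU\Software\Policies.

$OfficeVersion = '16.0'   # assumed; Office 2013 uses 15.0
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings values from the Office ADMX "VBA Macro Notification Settings":
#   1 = enable all macros (never acceptable)
#   2 = disable with notification (the default; one click re-enables them)
#   3 = disable all except digitally signed macros
#   4 = disable all without notification
$VbaWarningsMeaning = @{
    1 = 'Enable all'
    2 = 'Disable with notification'
    3 = 'Disable except signed'
    4 = 'Disable all'
}

function Get-MacroPolicy {
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $vba = $null
    $blockInternet = $null
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $vba = $props.VBAWarnings
        $blockInternet = $props.blockcontentexecutionfrominternet
    }
    # Baseline: unsigned macros blocked (3 or 4) AND Mark-of-the-Web files blocked.
    $compliant = ($vba -in 3, 4) -and ($blockInternet -eq 1)

    [pscustomobject]@{
        App               = $App
        VBAWarnings       = if ($null -eq $vba) { 'not set (user-controlled)' }
                            elseif ($VbaWarningsMeaning.ContainsKey([int]$vba)) { $VbaWarningsMeaning[[int]$vba] }
                            else { "unknown ($vba)" }
        BlockFromInternet = if ($null -eq $blockInternet) { 'not set' } else { [bool]$blockInternet }
        Compliant         = $compliant
    }
}

$Apps | ForEach-Object { Get-MacroPolicy -App $_ } | Format-Table -AutoSize
```

A row reading "not set (user-controlled)" means no policy applies to that user, which is exactly the state the second comment describes: the control was rolled back rather than scoped. The exception for academic staff belongs in GPO security filtering on a dedicated group, so this audit shows the signed-macros setting for them and "Disable all" for everyone else, and the "accepting the risk" record is the membership of that group.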
> So hopefully they have those academic staff members on record as accepting the risk.

Then what? Use them as the scapegoat when the network does get compromised? Feels like the exact opposite of blameless postmortems.

Jason from Defcon had an interesting quote about it...

"It's not an Advanced Persistent Threat, it's Basic Ass Threat, but you just want your cyberinsurance policy to pay out. Fuck off"

Why would you blow your zero days on something when you can just download stuff off GitHub that works?

Russia initially compromised the 2018 Olympics with publicly available malware off GitHub.

See: https://www.wired.com/story/untold-story-2018-olympics-destr...