[CoIT-Security] Threat Advisory: Higher Education Alert ( OK-ISAC )

Goode, April april at onenet.net
Fri Sep 24 08:37:16 CDT 2021


CoIT Members,

We are sharing this threat advisory with you.
April Goode, MBA, SPP
Director of OneNet Strategic Planning and Communications
Oklahoma State Regents for Higher Education
405.225.9251
april at onenet.net

>>>>

Subject: Threat Advisory: Higher Education Alert ( OK-ISAC )

Good Morning,

Passing along a threat advisory from Texas A&M and provided by the OK-ISAC on a phishing campaign targeting Higher Education. Please see the summary below along with additional details such as IOCs in the attached file.

Summary

On September 17, 2021, the Texas A&M Engineering Cyber Response Team (CRT) became aware of a widespread targeted phishing campaign by a persistent threat actor. This campaign is targeting higher education institutions with the goal of gaining access to those institutions' mail servers to engage in further phishing attacks internally and externally. CRT analysts assess that the primary goal of this campaign is to leverage trusted mail infrastructure to conduct phishing attacks against financial sector customers; however, the group may additionally make use of gathered credentials for other operations. This actor has engaged in this activity since early 2017 and has engaged with nearly identical tradecraft over the past four years. They have recently proven their capability to bypass 2FA by prompting users to provide OTPs or approve requests.

Details

In this phishing campaign, the actor was successful in phishing and bypassing Two-Factor Authentication (2FA) against UNIVERSITY with upwards of 15 compromised user accounts. The actor used a consistent method to access these 2FA-protected accounts. The actor harvested credentials and the DUO Mobile Passcode from USER. The actor immediately used USER's credentials and DUO Mobile Passcode to authenticate to UNIVERSITY's account management service. This allowed the actor to add a new device to USER's DUO profile for 2FA. With an actor-controlled device added for 2FA, the actor authenticates to Microsoft Office 365 using USER's credentials and a 2FA DUO push responded to on the actor-controlled phone. The actor authenticates to the Exchange Outlook Web Application from the actor-controlled phone. The actor then authenticates to UNIVERSITY's Virtual Open Access Lab environment using the DUO Mobile Passcode from the actor-controlled phone. With this access, the actor downloaded mass mailing applications and began sending internal and external phishing emails.

Thanks,
Chris Kosciuk
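As an added illustration (not part of the advisory or of either message above), the following detection check targets the pivotal step in the Details section: a new 2FA device enrolled from an IP the user has never used, followed shortly by an authentication from that new device. The event records and the baseline of known IPs are constructed for this example, and the field names are assumptions, not the real Duo or Microsoft 365 log schema.

```python
from datetime import datetime

# Constructed sample events mirroring the advisory's chain: harvested passcode used
# from an unfamiliar IP, a new device added, then a push approved on that device.
EVENTS = [
    {"ts": "2021-09-17T09:01:10", "user": "jdoe", "type": "auth",
     "factor": "passcode", "device": "phone-A", "ip": "198.51.100.7"},
    {"ts": "2021-09-17T09:02:40", "user": "jdoe", "type": "device_added",
     "device": "phone-B", "ip": "198.51.100.7"},
    {"ts": "2021-09-17T09:05:03", "user": "jdoe", "type": "auth",
     "factor": "push", "device": "phone-B", "ip": "198.51.100.7"},
    # Benign: enrollment from a known IP, first use two days later.
    {"ts": "2021-09-17T10:30:00", "user": "asmith", "type": "device_added",
     "device": "phone-C", "ip": "203.0.113.9"},
    {"ts": "2021-09-19T08:00:00", "user": "asmith", "type": "auth",
     "factor": "push", "device": "phone-C", "ip": "203.0.113.9"},
]

# Constructed baseline: IPs each user has previously authenticated from.
KNOWN_IPS = {"jdoe": {"192.0.2.10"}, "asmith": {"203.0.113.9"}}


def find_suspicious_enrollments(events, known_ips, window_seconds=3600):
    """Return one alert per device_added event that matches the advisory's pattern.

    Reasons recorded: enrollment from an IP absent from the user's baseline, and/or
    a successful auth from the newly added device within window_seconds."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != "device_added":
            continue
        reasons = []
        if ev["ip"] not in known_ips.get(ev["user"], set()):
            reasons.append("enrolled from unknown IP %s" % ev["ip"])
        added_at = datetime.fromisoformat(ev["ts"])
        for later in events[i + 1:]:
            if later["user"] != ev["user"] or later["type"] != "auth":
                continue
            delta = (datetime.fromisoformat(later["ts"]) - added_at).total_seconds()
            if later["device"] == ev["device"] and delta <= window_seconds:
                reasons.append("%s auth from new device %s after %ds"
                               % (later["factor"], ev["device"], delta))
                break
        if reasons:
            alerts.append({"user": ev["user"], "device": ev["device"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_enrollments(EVENTS, KNOWN_IPS):
        print(a["user"], a["device"], "; ".join(a["reasons"]))
```

In production the baseline would come from historical sign-in data and the window from observed enrollment-to-first-use times; an alert with both reasons is a strong candidate for forced re-enrollment and session revocation.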


-------------- next part --------------
A non-text attachment was scrubbed...
Name: TEES-21-1330 Activity Advisory [1].pdf
Type: application/pdf
Size: 123022 bytes
Desc: TEES-21-1330 Activity Advisory [1].pdf
URL: <http://lists.onenet.net/pipermail/coit-security/attachments/20210924/8fd12940/attachment-0001.pdf>

