24 comments

cookiengineer, 4 months ago
After the takedown of APT28, I continued to receive spam from IP ranges that were associated with APT29's malware campaigns.

Turns out there's a lot of fake shell companies that act either as hosting companies specifically for malware campaigns from Russia and China or specifically as a company that tries to defraud people, e.g. their CEO being on the FBI most wanted list or the company being sanctioned by the UN.

I'm currently creating some sort of cyber map of these spam/phish/malware campaign overlaps, as part of my antispam [1] effort.

I got tired of LLM-based targeted spam where they have a system in place that is trained on my social media profiles, because they are very hard to identify as being spam.

Blocking specific domains is a useless effort because they keep on spawning new fake company domains that are either copies of legit ones or are generated fake profiles. They are so automated that they also create staff members and fake profiles on LinkedIn, specifically for that spam effort. Nobody at LinkedIn gives a shit about those fake avatars, I reported hundreds by now and they did absolutely nothing.

Anyways, long story short, here's the blocklist of those ASNs and companies. I'm working on the map at the moment and don't wanna publish it until I can prove its correctness:

[1] https://github.com/cookiengineer/antispam
indymike, 4 months ago
When I was in the US Navy, I learned most of the time, the weak points in security were usually people. Attackers know this and exploit it. And it usually wasn't movie-plot-style "do this or your wife gets it" exploits. Those seemed to get blown up easily. It was mundane things. Distracting a watch stander with something that was actually stupid. Making someone late for duty. Putting something really gross in the garbage hoping the inspector would skip that bag. So many little lapses in human judgement. Most completely innocent. This was with vigilant, uniformed people subject to military discipline, and those things happened.

So you have to focus on process and systems. Some easy stuff:

* Never ask customers/employees for a password. If someone does it's a scam.

* Refund money only to the payment method used to pay for the product/service.

* 2FA is your friend no matter how much the VP of Sales whines about it.

* Have a way to expire tokens and force reset of passwords.
chinathrow, 4 months ago
> People connecting through our VPN have access to an internal-only SMTP gateway machine that doesn't require SMTP authentication.

Time to clean that up while you're at it.
BLKNSLVR, 4 months ago
Seems like a lot of effort to just send spam. Almost feels like their preparation outweighs their imagination by a large margin.

I'd have thought there would be a lot more that could be done with VPN access than immediately burn it by sending spam.
voytec, 4 months ago
> People connecting through our VPN have access to an internal-only SMTP gateway machine that doesn't require SMTP authentication.

This part sounds... not great. Even a bad actor within the org could send messages as someone else: president to payroll etc.
nonrandomstring, 4 months ago
TFA describes a perfect example of unwarranted implicit trust. Any tunnel-in should terminate in an environment not unlike being outside a regular perimeter, with internal per-host access control (perhaps by RADIUS or some coordinated ACL - which would also have fixed the parallel account problem)... especially to an unsecured Internet mail server. I wish the misnomer "Zero Trust" were better crafted and understood as a broad philosophy. I think it's psychologically difficult to do the role-play and imagine "what if I couldn't trust myself?"
NVHacker, 4 months ago
I don't know where the tech ability bar for spammers is, but this doesn't strike me as unusually clever or well prepared.
altacc, 4 months ago
I see a lot of posts, articles, etc... stating that people are surprised by the complexity of a cyber attack or scam. It seems that most people haven't yet learnt that this is a full blown industry targeting countless businesses, institutions and individuals 24/7, not just some script kiddies in their bedroom. There are office blocks full of trained professionals with sophisticated tools working to compromise digital security and manipulate human nature to gain access to accounts, data and funds. Everyone needs to be adopting a form of zero trust or trust but verify to every digital interaction and every use of technology.
Scotrix, 4 months ago
No-auth SMTP server sounds like a very bad idea and the real culprit here. Security by obscurity (VPN in this case) never works.
ale42, 4 months ago
That's why we have now 2FA enabled on most external access, VPN included.
dmurray, 4 months ago
This is a university. I expect they have a higher than normal proportion of attackers who know the system and exactly how they'd escalate having gained some access, and have the free time to prepare a customized attack.

On the other hand, those attackers are probably less malicious than the average Russian ransomware group.
1970-01-01, 4 months ago
The invisible lesson here is to just use 2FA everywhere or accept the risk of this happening to you.
spogbiper, 4 months ago
In the comments, the author mentions this:

"As for information on our VPN setup (and our mail sending setups), it's on our support site (for obvious reasons) so we assume the attacker read it in advance."

That really changes the level of complexity for the attacker here
deckar01, 4 months ago
I thought our unauthenticated SMTP got shut off after switching to Office 365. I looped over the SMTP servers in the hop list in the headers of an email and one of the Microsoft domains accepted unauthenticated requests from within the network.
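The check that chinathrow, voytec, Scotrix and deckar01 are all pointing at, as an added example that is not code from the original post or from any commenter: a small probe that connects to an SMTP gateway and reports whether it accepts a `RCPT TO` without any `AUTH`. Everything in it is an assumption made for the example: the hostname `mailgw.internal`, the addresses, and the `FakeRelay` stand-in (one mode models the gateway as the post describes it, the other models a gateway that refuses relaying until the client authenticates). Point `probe_relay()` at a real host and port to test a gateway reachable from inside the VPN; it stops at `RSET`/`QUIT`, so no message is ever sent.

```python
"""Probe an SMTP gateway for relaying without authentication.

Added example, not code from the original post or thread. FakeRelay is
a constructed stand-in for an internal gateway; probe_relay() works
against any host. The probe never issues DATA, so nothing is delivered.
"""
import socket
import threading


def _read_reply(f):
    """Read one SMTP reply (possibly multi-line) and return its 3-digit code."""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        code = int(line[:3])
        if line[3:4] != "-":          # "250-..." continues, "250 ..." ends
            return code


def _command(sock, f, cmd):
    """Send one SMTP command and return the reply code."""
    sock.sendall((cmd + "\r\n").encode("ascii"))
    return _read_reply(f)


def probe_relay(host, port, mail_from, rcpt_to, timeout=5):
    """Return True if the gateway accepts RCPT TO without any AUTH.

    mail_from is deliberately a high-value internal address; rcpt_to is
    whatever you want to check (another internal mailbox for the forgery
    case, an outside address for the open-relay case).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("r", encoding="ascii", newline="\r\n")
        if _read_reply(f) != 220:
            return False
        if _command(sock, f, "EHLO probe.example") != 250:
            return False
        if _command(sock, f, f"MAIL FROM:<{mail_from}>") != 250:
            return False
        accepted = _command(sock, f, f"RCPT TO:<{rcpt_to}>") == 250
        _command(sock, f, "RSET")     # abandon the transaction: nothing is sent
        _command(sock, f, "QUIT")
        return accepted


class FakeRelay(threading.Thread):
    """Constructed stand-in for the internal gateway; serves one connection."""

    def __init__(self, require_auth):
        super().__init__(daemon=True)
        self.require_auth = require_auth
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        self.listener.close()
        with conn:
            f = conn.makefile("r", encoding="ascii", newline="\r\n")
            conn.sendall(b"220 mailgw.internal ESMTP\r\n")
            while True:
                line = f.readline()
                if not line:
                    break
                verb = line.strip().split(":")[0].split(" ")[0].upper()
                if verb == "EHLO":
                    conn.sendall(b"250-mailgw.internal\r\n250 AUTH PLAIN LOGIN\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 bye\r\n")
                    break
                elif verb in ("MAIL", "RCPT") and self.require_auth:
                    # the fixed gateway: no envelope accepted before a successful AUTH
                    conn.sendall(b"530 5.7.0 Authentication required\r\n")
                else:
                    conn.sendall(b"250 OK\r\n")


def demo():
    """Probe the open and the fixed stand-in; returns {"open": True, "fixed": False}."""
    results = {}
    for name, require_auth in (("open", False), ("fixed", True)):
        server = FakeRelay(require_auth)
        server.start()
        results[name] = probe_relay("127.0.0.1", server.port,
                                    "president@university.example",
                                    "payroll@university.example")
        server.join(timeout=5)
    return results


if __name__ == "__main__":
    print(demo())
```

Run it once with an internal recipient (the president-to-payroll forgery voytec describes) and once with an outside address (the classic open relay): a gateway that rejects the second but accepts the first still lets anyone who reaches it forge internal mail. For deckar01's case, feed it the hosts from the `Received:` chain one at a time.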
patcon, 4 months ago
> It seems extremely likely that the attacker had already researched our mail and VPN environment before they sent their initial phish spam, since they knew exactly where to go and what to do.

As someone else said, I would increasingly suspect that apparently targeted or seemingly highly-invested hacking behaviour is just a new breed of scripts that are puppeteered by phishing AI multi-agent systems (maybe backed by deepseek now).

Just like self-driving cars that will never make the same mistake twice, these things will likely keep a catalog of successful tactics, and so always be learning obscure new tricks
toobulkeh, 4 months ago
Or you can ask a GPT, that has already indexed your publicly available support docs, to prioritize potential places for a user looking to keep access as a backup.

AI is available to everyone, and we're not prepared.
hatly22, 4 months ago
Sounds like it is possibly an automated script or agent doing most of this work accessing the VPN and SMTP server. Really shouldn't have any open mail servers anywhere.
nubinetwork, 4 months ago
I feel bad for cks, but I probably would have handled it a little differently...

- shut their accounts off network-wide

- drop all related network connections

- forcibly reset their password and make them choose a new one in person. They may have changed it earlier, but do it again

- increase logging to catch any potential reoccurrences against the same user or other users

- inspect ACLs and reduce access for all users if possible

- prevent users from connecting from areas outside of their usual network sphere

- let the user back on, and ask them to be more careful in the future

- better mail filtering would be nice, but they'll always find a way to beat the spam filter

- (i hate this option the most, but...) send fake scam emails internally to see if anyone else takes the bait

This is of course ignoring 2FA, but 2FA isn't perfect either with SIM swapping... but I personally don't think changing the password is enough for an event like this.
bluGill, 4 months ago
I have concluded that I will eventually fall for a scam and pay a medical bill for some service I never received. All the bills look like scams, and for one service there are often 3 separate bills from different areas so it would be easy for someone to tack on one more and get some cash from me...
JayDustheadz, 4 months ago
> because they are very hard to identify as being spam.

Why not just use DuckDuckGo's free e-mail protection? Generating a new forwarding address for a new service/website/account takes a second.
axus, 4 months ago
I've gotten emails with links "From" my parents names, but checking the addresses it was accounts on random .edu domains. The fact that separate emails came from two different names I knew really made me feel targeted.
sim7c00, 4 months ago
ZTNA+ can help here. VPN gives access to the entire network, with all the rubbish services sysadmins have lying around like unauthenticated SMTP servers (sounds like total shit but it happens everywhere.... need to send email notifications from all sorts of shit and no one wants to manage these accounts... sad story..)

ZTNA+ will for users kind of seem like VPN, good protection, but it only gives access to services the user is allowed to access, not the entire VPN network.

It helps a lot against these types of scenarios.

Also, how fast is fast? You can scan an internal network on a single port in the blink of an eye, so if you don't have good network IDS/IPS internally, you will not really see the scan and it seems like someone 'knows the network in advance' because they scan it in like 2 seconds and based on results automatically run scripts etc. - it doesn't need to be knowledge gained in advance.

- Monitor the internal network properly, as if it's an external network.

- Use ZTNA+ if you can afford such a solution.

- Do regular audits for things like unauthenticated services and use these kinds of incidents to educate sysadmins, in a friendly manner, about the risks of such services. They will usually understand it, especially after an incident. As long as you bring it friendly with a good explanation, not some demanding attitude.

- Use a lot of mail filtering... more is better. It can be a bit tedious. At my company we have more than 4 solutions to scan all email and attachments etc., still stuff slips through, but not a lot...

- Also scan outbound or 'local' email. (BEC fraud etc.)

- Do good post-incident reviews and use learnings each time something happens (sounds obvious, but this is often omitted, the learnings are only kept within sec teams, or turned into one-off remediations rather than process etc.)

Edit: oh.. and also monitor for logon anomalies. A lot of solutions support this. E.g. a user logs in from a unique new IP - alert on it, or even block it. That action depends a bit on what's normal, so here actually ML and such solutions are great.. but basic statistical analysis etc. can also help if you can't pay for or create an ML solution. (It's not too hard to create really, basic models will suffice.)
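The "user logs in from a unique new IP, alert on it" rule from the edit above, as an added example that is not taken from the post or from sim7c00: a first-seen-prefix detector run over constructed VPN log lines. The log format, the field names, the training window and the addresses (RFC 5737 documentation ranges) are all assumptions made for this example, not the university's real setup. The rule records, per user, the /24 prefixes their successful logons came from during a training window, then flags any later logon, successful or failed, from a prefix that user has never used; users whose baseline already spans many prefixes get a lower score, so a roaming user does not drown out a stay-at-home account that suddenly appears from somewhere new.

```python
"""First-seen source prefix alerting for VPN logons (added example).

The log format, field names and RFC 5737 addresses below are constructed
for this example; they are not the setup described in the post.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: alice works from campus and home, bob only from campus.
SAMPLE_LOG = """\
2025-01-20T08:01:12Z vpn: user=alice src=192.0.2.23 result=ok
2025-01-21T08:03:40Z vpn: user=alice src=192.0.2.23 result=ok
2025-01-22T19:15:02Z vpn: user=alice src=198.51.100.7 result=ok
2025-01-23T08:00:55Z vpn: user=alice src=192.0.2.23 result=ok
2025-01-20T09:10:00Z vpn: user=bob src=192.0.2.140 result=ok
2025-01-21T11:45:13Z vpn: user=bob src=192.0.2.140 result=ok
2025-01-22T22:15:21Z vpn: user=bob src=192.0.2.140 result=ok
2025-01-27T03:12:09Z vpn: user=bob src=203.0.113.45 result=ok
2025-01-27T03:12:51Z vpn: user=bob src=203.0.113.45 result=ok
2025-01-27T09:30:00Z vpn: user=alice src=198.51.100.7 result=ok
2025-01-27T12:00:00Z vpn: user=alice src=192.0.2.99 result=ok
2025-01-28T14:20:33Z vpn: user=alice src=203.0.113.200 result=fail
"""

# Everything before this instant is the training window (assumption).
TRAINING_UNTIL = datetime(2025, 1, 25, tzinfo=timezone.utc)


def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield {
                "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
                "user": m["user"],
                "src": ipaddress.ip_address(m["src"]),
                "result": m["result"],
            }


def prefix(ip):
    """Aggregate to a /24 (IPv4 assumed) so DHCP churn inside one network is not 'new'."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def build_baseline(events, until):
    """user -> set of /24 prefixes seen in successful logons before `until`."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "ok" and e["ts"] < until:
            baseline[e["user"]].add(prefix(e["src"]))
    return baseline


def detect(log, training_until):
    """Return alerts for logons after training_until from a never-seen prefix."""
    events = sorted(parse(log), key=lambda e: e["ts"])
    baseline = build_baseline(events, training_until)
    alerts = []
    for e in events:
        if e["ts"] < training_until:
            continue
        p = prefix(e["src"])
        known = baseline[e["user"]]          # empty set for a never-seen user
        if p in known:
            continue
        alerts.append({
            "ts": e["ts"].isoformat(),
            "user": e["user"],
            "src": str(e["src"]),
            "result": e["result"],
            "known_prefixes": len(known),
            # 1.0 for a user with no history, 0.5 for one known prefix, ...
            "score": round(1 / (1 + len(known)), 2),
        })
        if e["result"] == "ok":
            # Count the prefix as seen after a successful logon so the same
            # session does not re-alert; an analyst may prefer to confirm first.
            known.add(p)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, TRAINING_UNTIL):
        print(alert)
```

Training on successful logons only is deliberate: otherwise a brute-force attempt that happened to land in the window would teach the baseline the attacker's prefix. The score is crude on purpose; its job is to rank, so bob's account, which has only ever come from campus and suddenly appears from elsewhere at 03:12, sorts above a roaming user's fourth hotel network.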
aaroninsf, 4 months ago
Maybe we just stop using email.