Hacks, Two for One

I had a stressful and hectic day of work as I was trying to juggle burning fires on multiple fronts.  The most attention-grabbing was getting a call from one of our vendors, telling us they received a phishing email from one of our employees.  After getting sent a copy of the email and investigating the employee's access record I was able to quickly verify that their email account had been compromised.  It looks like several days ago someone successfully logged into this account outside of our area, waited a few days and then sent this spear phishing email to over 100 addresses in this person's contact list.  Not only did they send them, they were camped out in the account, answering emails sent back asking if this was legitimate, and replying with confirmation that it was.

The email itself was easily identifiable as bogus with bad grammar and a premise that made little sense.  However, I know at least one recipient blindly clicked the link, which supposedly landed them on another page asking for private information.  This was the classic email compromise scenario.  Ironically, we had just started rolling out multi-factor authentication over the last couple of weeks, requiring a secondary confirmation via SMS for access to Office 365 outside of our network.  MFA was not turned on for this user yet.

The user technically didn’t directly cause the breach, if what I was told was true.  I asked if the password was used in any variation on other internet sites.  The answer was no.  The password itself was not robust at all, a common word followed by a number.  The user said they had a hard time remembering complex passwords; I basically said “too bad”.  I did assure them that they were not alone in bad password practices, despite the repeated training we give employees about the importance of hardened, complex passwords.

The first thing I did was sign the user out of all authenticated Office 365 sessions.  The user's password was then reset and MFA was turned on for that account.  Investigating this incident led me to pore over access logs that revealed there were a handful of other accounts that had been unsuccessful hack targets, with access attempts from countries all over the world, including China and Russia.  This hack is also leading us to fast track multi-factor authentication for all network users, as well as adding additional rules that will not allow access from IPs outside of the US.  This is far from foolproof but will stop some of these attempts dead in their tracks.  I will now be watching the access attempts like a hawk, so the hacker has lost their element of surprise.  However, having someone with full access to a mailbox gives them access to a lot of information about an organization.  Paranoia will be running high for quite a while.

Another step we are looking into is an office-wide password management system like LastPass, which I have used for my personal PWs for years.  It is a rather pricey option but gives users a much easier and more secure way to manage passwords while giving administrators the ability to keep an eye on password requirement compliance.

So at the same time I was working on that hack I was also dealing with continued bugs after upgrading our main file server to Windows Server 2019 last weekend.  Normally this upgrade is not a big deal; I have upgraded a number of other servers already without a hiccup.  However, because of the role this server has, some of the annoying and sort of inexcusable issues of 2019 are coming out.  The biggest issue is network performance.  Server 2019 has a bad habit of performing significantly worse than its two most recent predecessors, Server 2016 and Server 2012 R2.  Microsoft made some changes to networking that really have had a negative impact on its adopters.  If you look up “Windows Server 2019 network problems” you will be inundated with ME TOO pages of users complaining.

In our situation the problems manifested themselves in several ways: print queues hanging up, issues with AD Sync with the cloud, remote control sessions needing to be reset often, and the most troublesome, corruption of files in our accounting app that runs off of this server.  I have been trying tweak after tweak, which has resulted in some improvement but not a total disappearance of the issue.  Today I took the drastic step of moving these files to another server on the network so I can keep troubleshooting the problem without impacting the accounting department.

I finally received my FedEx package from Vroom today.  I plan to send it back to them tomorrow and see if things progress as they say.  The car should be scheduled for pickup and then 2-3 days after that the transaction should be completed with a payoff to the bank and the balance into my bank account.  I have read enough Vroom horror stories to make me nervous but I have everything documented as I need and the extra time if needed to make sure it all goes down as promised.