Monday’s here! In the second week of May, we can only hope all those April showers did their thing because we’re ready for some May flowers.
In today’s edition:
⚛ Quantum quickness
Phishing faculty
—Tom McKay, Billy Hurley, Patrick Lucas Austin
It seems to happen almost on a cycle: the Army in 2014; Tribune Publishing in 2020; GoDaddy just a few months later. Yes, we’re talking about the phishing tests that result in high-profile backlash from angry users.
This time, Oregon Health & Science University found itself in the crossfire after it sent staff a bogus email promising up to $7,500 in assistance to employees “experiencing financial hardship as a result of the coronavirus pandemic.” Given that this is academia, where armies of poorly compensated, indebted adjuncts, untenured faculty, and grad students already widely complain of exploitation, it’s not hard to see why the message struck a nerve.
One tweet from a person who appeared to be a PhD student at OHSU asked, “Is this a joke???” and got nearly 160,000 likes. The American Federation of State, County, and Municipal Employees Local 328, the union representing some OHSU employees, issued a statement that read, in part, “our members are subjected to the whims of OHSU’s worst ideas and behaviors.” OHSU, which said the email was a clone of a real phishing attack and part of regularly occurring exercises, eventually apologized.
“First and foremost, we want to sincerely apologize to the OHSU community,” OHSU spokesperson Sara Hottman told IT Brew in an email, calling the way the test was carried out a “mistake.”
Don’t do it just to play gotcha
Experts told IT Brew that phishing simulation programs shouldn’t come out of nowhere, even if the actual email does. Even when they’re preceded by comprehensive training, institutions can often fail to convey the intent and purpose behind the training, or its importance to users’ safety and security on and off the job.
Daniel Pienta, an assistant professor of information systems and business analytics at Baylor University, said that sometimes organizations can go too far in trying to trick recipients, creating scenarios that would be difficult for an attacker to pull off in the first place.
“I think what a lot of companies do and a lot of security officers do is to trick people, rather than make this an exercise that really tests [whether you] can identify a phishing email,” Pienta told IT Brew. “They have such contextualized knowledge of their employee base and so much information that they can really make these tests easily manipulated in their favor.”
Read more here.—TM
Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.
Say goodbye to “Oh! I didn’t know you were using this room!” and “Is James even *in* the office today?”—and say hello to a harmonious hybrid workplace.
Meet Robin, the workplace platform that helps you *successfully* manage hybrid work.
Robin’s software makes connection and collaboration a piece of cake. Teams can book a desk, check in, share feedback about the office, and communicate big company updates or events all in one app.
It’s quick, easy, and trusted by workplaces like Tripadvisor, Politico, and Hootsuite. Here’s to your office achieving that flex-work dream state with Robin.
Get started here.
In roughly the running time of The Batman, hackers carried out a full ransomware attack from initial access to encryption, according to in-depth details and screenshots published by The DFIR Report. The target of the intrusion was not disclosed.
DFIR analysts revealed findings on their site showing how the threat actors spread Quantum ransomware (also known as Quantum Locker) across a domain in approximately three hours and 46 minutes: “one of the fastest ransomware cases we have observed,” said the group.
(Keep in mind, the “quantum” here is more of a rebrand of speedy ransomware and not a reference to, say, the physics of supercomputers.)
How it went down:
- A user received an email that appeared to carry an “invoice” but instead contained an ISO archive, a disk image file.
- When the user opened the ISO, they saw what looked like a single document. It was actually an LNK shortcut pointing at a hidden executable: the ISO contained a DLL file (the IcedID malware) and the LNK shortcut that executed it.
- IcedID ran discovery tasks through built-in Windows utilities like ipconfig and systeminfo before any “hands-on-keyboard activity” took place, according to the DFIR report. A scheduled task gave the malware persistence.
- Then, the hands-on-keyboard activity began. The attackers performed network reconnaissance, determining the environment’s many hosts and the organization’s Active Directory structure.
- The threat actors used the command-and-control framework Cobalt Strike to achieve remote access and proceeded to make Remote Desktop Protocol (RDP) connections to other servers in the environment.
- The ransomware payload was then pushed from machine to machine across the network, encrypting their disks.
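The chain above, turned into host-based detection logic. This is an added example, not code from The DFIR Report or from IT Brew: it runs three rules over constructed Sysmon-style process-creation records (the hostnames, the E: drive letter, the DLL name and its export name are all invented). The rules look for what the write-up describes: rundll32 loading a DLL from a drive that is not the system drive with explorer.exe as parent (a user double-clicking a LNK inside a mounted ISO), a burst of distinct discovery utilities spawned by one parent in a short window, and schtasks /create launched from something other than an admin shell.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SYSTEM_DRIVE = "C:"
# Built-in utilities that loaders such as IcedID run for host and domain discovery.
DISCOVERY = {"ipconfig.exe", "systeminfo.exe", "net.exe", "net1.exe",
             "nltest.exe", "whoami.exe", "arp.exe", "nslookup.exe"}
# Parents a human administrator would normally create scheduled tasks from.
ADMIN_SHELLS = {"cmd.exe", "powershell.exe", "mmc.exe"}

# Constructed Sysmon Event ID 1 (process creation) records, not real telemetry.
# Hostnames, the E: drive letter, the DLL name and its export are all invented.
EVENTS = [
    {"ts": "2022-04-04T10:01:02", "host": "WS01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe E:\invoice\loader.dll,PluginInit"},
    {"ts": "2022-04-04T10:01:40", "host": "WS01", "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmd": "ipconfig /all"},
    {"ts": "2022-04-04T10:01:41", "host": "WS01", "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\systeminfo.exe", "cmd": "systeminfo"},
    {"ts": "2022-04-04T10:01:43", "host": "WS01", "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\net.exe", "cmd": "net config workstation"},
    {"ts": "2022-04-04T10:01:45", "host": "WS01", "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\nltest.exe", "cmd": "nltest /domain_trusts /all_trusts"},
    {"ts": "2022-04-04T10:02:10", "host": "WS01", "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn Update /tr "rundll32.exe E:\invoice\loader.dll,PluginInit" /sc hourly'},
    # Benign activity on a second host: a Control Panel applet and a one-off ipconfig.
    {"ts": "2022-04-04T10:05:00", "host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ts": "2022-04-04T10:06:00", "host": "WS02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmd": "ipconfig"},
]

# Captures the drive letter of a DLL path passed on the command line.
DLL_ARG = re.compile(r'([A-Za-z]):\\[^,\s"]+\.dll', re.IGNORECASE)


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def removable_media_dll(events):
    """rundll32/regsvr32 loading a DLL from a non-system drive, parented by explorer.exe:
    the shape of a user clicking a LNK inside a mounted ISO."""
    alerts = []
    for e in events:
        if _name(e["image"]) not in {"rundll32.exe", "regsvr32.exe"}:
            continue
        if _name(e["parent"]) != "explorer.exe":
            continue
        m = DLL_ARG.search(e["cmd"])
        if m and m.group(1).upper() + ":" != SYSTEM_DRIVE:
            alerts.append(("iso_dll_exec", e["host"], e["cmd"]))
    return alerts


def discovery_burst(events, window_s=120, threshold=3):
    """At least `threshold` distinct discovery tools from one parent within `window_s`."""
    by_parent = defaultdict(list)
    for e in events:
        if _name(e["image"]) in DISCOVERY:
            by_parent[(e["host"], e["parent"])].append(e)
    alerts = []
    for (host, parent), evs in by_parent.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            window = [x for x in evs[i:] if _ts(x) - _ts(first) <= timedelta(seconds=window_s)]
            tools = {_name(x["image"]) for x in window}
            if len(tools) >= threshold:
                alerts.append(("discovery_burst", host, f"{_name(parent)} -> {sorted(tools)}"))
                break
    return alerts


def scheduled_task_persistence(events):
    """schtasks /create whose parent is not an interactive admin shell."""
    return [("schtasks_persistence", e["host"], e["cmd"]) for e in events
            if _name(e["image"]) == "schtasks.exe" and "/create" in e["cmd"].lower()
            and _name(e["parent"]) not in ADMIN_SHELLS]


def triage(events):
    """All alerts plus, per host, the set of rules that fired; a host hitting all
    three stages of the chain is the one to isolate first."""
    alerts = removable_media_dll(events) + discovery_burst(events) + scheduled_task_persistence(events)
    hosts = defaultdict(set)
    for rule, host, _detail in alerts:
        hosts[host].add(rule)
    return alerts, dict(hosts)


if __name__ == "__main__":
    for alert in triage(EVENTS)[0]:
        print(*alert)
```

On the constructed records only WS01 trips all three rules; WS02's Control Panel rundll32 and its lone ipconfig stay quiet. The non-system-drive heuristic is an assumption of this example: it catches ISO mounts because Windows assigns them a fresh drive letter, but it would also fire on a legitimate DLL run from a USB stick, so treat it as a lead, not a verdict.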
The attack was an example of Quantum ransomware, which was first spotted in August 2021. The speed of propagation, while noteworthy to two security experts who spoke to IT Brew, was not necessarily the most distressing feature of the break-in, according to John Burke, CTO at Nemertes Research, a Lusby, Maryland-based consulting firm. “This is pretty fast, but it’s nothing groundbreaking,” he said, adding that he was more struck by where the malware was allowed to go than by how fast it got there. Burke expressed concern that the target organization had network policies in place that allowed Microsoft’s Remote Desktop Protocol to connect laterally to other PCs.
The PCs did not appear to be configured to drop RDP traffic by default, which Burke said would be the right policy if the organization had no sanctioned RDP use cases.
“Why were those policies set up? And why were those kinds of communications allowed in the first place?” said Burke.
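Burke's question, checked against telemetry. This is an added example, not code from The DFIR Report or from the organization involved: it runs over constructed Sysmon-style network-connection records, with an assumed inventory (an invented workstation subnet and a single sanctioned RDP destination, a jump host). It flags every RDP session that a default-deny RDP policy would have blocked, then walks the observed RDP sessions as a graph to show how far an operator could have travelled from the first compromised workstation.

```python
import ipaddress
from collections import defaultdict

RDP_PORT = 3389
# Assumed inventory for this example, both invented: the workstation subnet and the
# only host users are sanctioned to reach over RDP (a jump host).
WORKSTATION_NET = ipaddress.ip_network("10.10.20.0/24")
SANCTIONED_RDP_TARGETS = {"10.10.10.5"}

# Constructed Sysmon Event ID 3 (network connection) records, not real telemetry:
# (timestamp, source host, source IP, destination IP, destination port).
CONNECTIONS = [
    ("2022-04-04T11:10:00", "WS01", "10.10.20.11", "10.10.10.5", 3389),   # to the jump host
    ("2022-04-04T11:12:00", "WS01", "10.10.20.11", "10.10.20.12", 3389),  # workstation to workstation
    ("2022-04-04T11:14:00", "WS02", "10.10.20.12", "10.10.10.20", 3389),  # to an unsanctioned server
    ("2022-04-04T11:15:00", "WS02", "10.10.20.12", "10.10.10.20", 445),   # SMB, not this rule's concern
    ("2022-04-04T11:16:00", "WS02", "10.10.20.12", "10.10.20.13", 3389),  # workstation to workstation
]


def is_workstation(ip):
    return ipaddress.ip_address(ip) in WORKSTATION_NET


def rdp_policy_violations(conns):
    """RDP sessions a default-deny policy would have blocked: anything inbound to a
    workstation, and anything to a destination outside the sanctioned set."""
    violations = []
    for ts, host, src, dst, port in conns:
        if port != RDP_PORT:
            continue
        if is_workstation(dst):
            violations.append((ts, host, src, dst, "inbound RDP to a workstation"))
        elif dst not in SANCTIONED_RDP_TARGETS:
            violations.append((ts, host, src, dst, "RDP to unsanctioned destination"))
    return violations


def rdp_edges(conns):
    """Directed graph of who opened RDP to whom."""
    edges = defaultdict(set)
    for _ts, _host, src, dst, port in conns:
        if port == RDP_PORT:
            edges[src].add(dst)
    return edges


def reachable_over_rdp(conns, start):
    """Every host an operator could have walked to from `start` using only the RDP
    sessions observed: the blast radius the RDP policy left open."""
    edges = rdp_edges(conns)
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


if __name__ == "__main__":
    for violation in rdp_policy_violations(CONNECTIONS):
        print(*violation)
    print(sorted(reachable_over_rdp(CONNECTIONS, "10.10.20.11")))
```

Three of the four RDP sessions in the constructed data are violations, and from the first workstation every other host in the sample is reachable. The enforcement side of the same policy on Windows is a host firewall rule pushed by GPO, for example `netsh advfirewall firewall add rule name="Block inbound RDP" dir=in action=block protocol=TCP localport=3389` on workstations, with an allow rule only on the jump host.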
Read more here.—BH
Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.
Hit the hybrid sweet spot. With Robin, your teams can easily see who is in office when, complete health screenings, schedule meeting rooms, and report issues—all in one app. Tons of teams have used Robin for more than a decade to smoothly create a flexible workplace for everyone. Go hybrid here.
Today’s top IT reads.
Stat: $986,400, the amount in proposed civil penalties from the US Department of Transportation faced by Colonial Pipeline for “management failures,” after a May 2021 cyberattack forced its shutdown for around five days. (Reuters)
Quote: “I believe that full disconnect from the internet would still be an extreme approach, even now.”—Lukasz Olejnik, an independent cybersecurity researcher, on the topic of Russia and its potential “sovereign internet”
Read: Rapid changes and updates to projects are great, but there’s one aspect of development that has long suffered from quick iteration: project documentation. (TechRepublic)
Today’s IT leaders are on a modern-day Odyssey, sailing turbulent seas in an increasingly digital world. Sirens, cyberattacks, Trojan horses, malware… we’re no longer in the bygone days of printer jams and fax machine snafus.
With so much happening in the world of IT, we’re excited to sit down with PwC’s Cloud & Digital Managing Partner, Dan Priest, to discuss how to navigate the new era of IT and manage the department’s changing role within organizations. We look forward to seeing you at our IT Brew virtual launch, sponsored by Robin, on May 19 at 12pm ET. Register here.