An unknown hacking group has infiltrated servers used by Samsung and Oxford University. The intrusion was apparently carried out through a sophisticated attack on the Microsoft Office 365 services they use.
Microsoft Office 365 Attack Used To Hijack Oxford University and Samsung Servers
An experienced hacking group has taken control of servers used by Samsung and Oxford University. The compromised systems are the email servers and domain controllers used by these institutions. The attackers send phishing emails that impersonate senders and content the recipients are likely to interact with. The messages contain links to a supposed Office 365 voicemail that leads to malicious content. What is distinctive about them is that they may even include personalized greetings; this information can be filled in automatically by the hacking toolkit or manually by the attackers.
What makes the infections more dangerous is that the criminals managed to send them through servers operated by Oxford University. This was done by bypassing the corporate email security system; at the moment the exact mechanism is not known.
Following the link directs victims to a Samsung domain hosted by Adobe. It had apparently been set up for the Cyber Monday 2018 campaign but remained unused. Once the link is followed, users are shown a login landing page that spoofs the Office 365 service.
The core of the attack is redirecting victims to the hacker-controlled phishing page. Because this is done via a legitimate domain, it is categorized as an advanced infection strategy. The hackers were apparently able to change certain URL parameters in the provided link so that it leads to the hacker-controlled page. The Adobe server that hosts the Samsung site itself has not been penetrated. Upon learning of the incident, Adobe began working on updates to remedy the issue for any impacted clients.
A second redirect following the hijacked landing page leads to a hacked WordPress page. A code analysis of this page shows a snippet that checks whether the visitor arrived from the hacker-controlled page; if the site is accessed directly or through another link, it will not redirect properly. One of the reasons for the attack's success is the apparent lack of two-factor authentication: once the hackers gain access to the internal systems of Samsung and Oxford University, they can cause a lot of damage.
As soon as Oxford University was made aware of the threat, it mitigated all of the hacker-controlled email messages. As Adobe has patched its services, the Samsung issue should be corrected as well.
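The redirect described above works because a query parameter on a legitimate domain carries the attacker's destination. As an added example (not code from the article or from any of the organisations named), the following checks email links for such off-site redirect parameters and shows the server-side fix, an allowlist on the redirect target. All hostnames and link shapes are constructed placeholders, not the real campaign's.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample links of the shape described above (placeholder hosts, not the real ones).
SAMPLE_LINKS = [
    # a redirect parameter pointing off-site: the pattern the campaign abused
    "https://campaign.example-vendor.com/r/?id=cm2018&url=https%3A%2F%2Fblog.example-wp.net%2Fvoicemail",
    # a redirect parameter that stays on the same host: benign
    "https://campaign.example-vendor.com/r/?id=cm2018&url=https%3A%2F%2Fcampaign.example-vendor.com%2Fthanks",
    # no redirect parameter at all
    "https://mail.example-university.ac.uk/owa/",
]


def redirect_targets(link):
    """Return (parameter name, target host) for every query value that is itself a URL.
    Scheme-less values such as //evil.example are included, since browsers follow them."""
    found = []
    for name, values in parse_qs(urlsplit(link).query).items():
        for value in values:
            host = urlsplit(value).hostname  # hostname strips userinfo and port
            if host:
                found.append((name, host.lower()))
    return found


def is_offsite_redirect(link):
    """True when some parameter carries a URL whose host differs from the link's own host."""
    own_host = (urlsplit(link).hostname or "").lower()
    return any(target != own_host for _, target in redirect_targets(link))


def flag_links(links):
    """Detection pass over a batch of links extracted from email: returns the suspicious ones."""
    return [link for link in links if is_offsite_redirect(link)]


def safe_redirect(requested, allowed_hosts):
    """Server-side mitigation: honour a redirect target only if it is an http(s) URL whose host
    is on an explicit allowlist; anything else falls back to a fixed local path."""
    target = urlsplit(requested)
    if target.scheme in ("http", "https") and (target.hostname or "").lower() in allowed_hosts:
        return target.geturl()
    return "/"


if __name__ == "__main__":
    for link in flag_links(SAMPLE_LINKS):
        print("suspicious redirect:", link, redirect_targets(link))
```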