Welcome to our cybersecurity news roundup, where we highlight some major cyber-attacks and happenings. This week we're talking about the Western Sydney University data breach and the GhostEngine crypto mining attack that potentially stole invaluable data and funds respectively.
Here’s what went down this week:
Western Sydney University (WSU) has alerted students and staff to a significant data breach involving unauthorized access to its Microsoft 365 and SharePoint systems.
WSU, a prominent Australian educational institution, provides a comprehensive array of undergraduate, postgraduate, and research programs. The university serves 47,000 students and employs over 4,500 regular and seasonal staff, operating on a budget of $600 million USD.
In a recent announcement on its official website, WSU disclosed that cybercriminals had infiltrated its Microsoft Office 365 environment, compromising email accounts and SharePoint files.
"The investigation has indicated that the earliest known unauthorized access to the University's Microsoft Office 365 environment was on 17 May 2023 and included access to some email accounts and SharePoint files."
Further investigations revealed that the University's Solar Car Laboratory infrastructure might have been exploited during the incident.
The data compromised varies for each individual, depending on the email communications and documents stored within the University's SharePoint environment.
The breach, discovered in January 2024, prompted the University's IT team to terminate the unauthorized access and initiate an internal investigation. Specialists from the NSW Police, CrowdStrike, and CyberCX were also involved.
The investigation has so far confirmed that approximately 7,500 individuals were affected. These individuals will soon receive personalized notifications via email and phone. However, this number may increase as investigations continue.
WSU has not provided extensive details regarding the nature of the breach. Notably, there has been no indication of system encryption or extortion threats involving the leaked data.
"There have been no threats received by the University to disclose any of the private information which was accessed, and the University has not received any demands in exchange for maintaining privacy," WSU stated.
The University's core operations remain unaffected, ensuring no disruption to classes, exams, registrations, or research programs.
Affected students and staff can seek support through a dedicated phone line and are advised to monitor WSU's website for updates. Additionally, Australia's national identity and cyber support service, IDCARE, is available to assist those impacted.
A new malicious crypto-mining campaign, codenamed 'REF4578,' has been identified deploying a payload called GhostEngine that leverages vulnerable drivers to disable security products and install an XMRig miner.
Researchers from Elastic Security Labs and Antiy have highlighted the advanced nature of these attacks in separate reports, providing detection rules to assist defenders in identifying and mitigating the threat.
The campaign begins with the execution of a file named 'Tiworker.exe,' which mimics a legitimate Windows file. This executable serves as the initial staging payload for GhostEngine, a sophisticated PowerShell script that downloads various modules to perform malicious actions on an infected device.
Upon execution, Tiworker.exe downloads a PowerShell script named 'get.png' from the attacker's command and control (C2) server. This script is the primary loader for GhostEngine, responsible for downloading additional modules, disabling Windows Defender, enabling remote services, and clearing Windows event logs.
The PowerShell script 'get.png' checks that the system has at least 10MB of free space, crucial for further infection stages. It then creates scheduled tasks—'OneDriveCloudSync,' 'DefaultBrowserUpdate,' and 'OneDriveCloudBackup'—to ensure persistence on the infected machine.
Following this, the script downloads and launches an executable named 'smartsscreen.exe,' which acts as the primary payload of GhostEngine. This malware component terminates and deletes Endpoint Detection and Response (EDR) software and launches XMRig to mine cryptocurrency.
To disable EDR software, GhostEngine employs two vulnerable kernel drivers: aswArPots.sys (an Avast driver) to terminate EDR processes, and IObitUnlockers.sys (an IObit driver) to delete the associated executables.
A list of the targeted EDR processes is hardcoded within the malware, ensuring it can neutralize a range of security tools.
For persistence, GhostEngine uses a DLL named 'oci.dll' loaded by a Windows service called 'msdtc.' This DLL downloads a fresh copy of 'get.png,' ensuring the malware can reinstall itself if removed.
To defend against GhostEngine, Elastic researchers advise monitoring for suspicious PowerShell execution, unusual process activities, and network traffic directed to crypto-mining pools. They also recommend treating the deployment of vulnerable drivers and creation of associated kernel mode services as red flags.
A more aggressive defensive measure is to block the creation of the vulnerable driver files themselves, aswArPots.sys and IObitUnlockers.sys, on endpoints. Additionally, Elastic Security has provided YARA rules in its report to help defenders identify and stop GhostEngine infections.
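The detection advice above lends itself to a stage-by-stage correlation: the chain leaves one artifact per step (a staging binary outside its normal location, a PowerShell loader referencing get.png, the three scheduled task names, smartsscreen.exe, a vulnerable driver load, msdtc loading oci.dll, and traffic to a mining pool), and a host that shows several of them together is a much stronger signal than any one alone. The following Python is an added example, not code from Elastic Security Labs, Antiy, or either report. It maps Sysmon-style event records to the stages described above and reports what each host exhibited. The event records, field names, the mining-pool port list, and the assumption that the genuine TiWorker.exe runs from the WinSxS servicing store are constructed for the example; only the file, task, driver and service names come from the text.

```python
"""Stage-level correlation of the GhostEngine (REF4578) chain.

Added example, not code from Elastic Security Labs or Antiy. Event records,
field names and the pool-port list are constructed; indicator names come from
the write-up above.
"""
from __future__ import annotations

from collections import defaultdict

# Indicators taken from the description of the chain.
LOADER_NAME = "get.png"
PAYLOAD_IMAGE = "smartsscreen.exe"
TASK_NAMES = {"onedrivecloudsync", "defaultbrowserupdate", "onedrivecloudbackup"}
VULNERABLE_DRIVERS = {"aswarpots.sys", "iobitunlockers.sys"}
PERSISTENCE_DLL, PERSISTENCE_HOST = "oci.dll", "msdtc.exe"
# Assumption: the genuine TiWorker.exe (Windows Modules Installer Worker) runs
# from the WinSxS servicing store, so a copy elsewhere is the staging binary.
LEGIT_TIWORKER_DIR = "\\winsxs\\"
# Constructed list of ports commonly used by Monero pools; tune to your telemetry.
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of both separator styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def stage_of(ev: dict) -> str | None:
    """Return the chain stage an event indicates, or None if nothing matches."""
    kind = ev["event"]
    if kind == "process_create":
        image = ev["image"]
        cmd = ev.get("command_line", "").lower()
        if basename(image) == "tiworker.exe" and LEGIT_TIWORKER_DIR not in image.lower():
            return "staging"
        if basename(image) == "powershell.exe" and LOADER_NAME in cmd:
            return "loader"
        if basename(image) == PAYLOAD_IMAGE:
            return "payload"
    elif kind == "task_create" and ev["task_name"].lower().lstrip("\\") in TASK_NAMES:
        return "persistence_task"
    elif kind == "driver_load" and basename(ev["image_loaded"]) in VULNERABLE_DRIVERS:
        return "edr_tampering"
    elif (kind == "image_load" and basename(ev["image"]) == PERSISTENCE_HOST
          and basename(ev["image_loaded"]) == PERSISTENCE_DLL):
        return "persistence_dll"
    elif kind == "network_connect" and (ev["dest_port"] in MINING_POOL_PORTS
                                        or basename(ev["image"]) == PAYLOAD_IMAGE):
        return "mining"
    return None


def correlate(events: list[dict]) -> dict[str, set[str]]:
    """Group the stages observed on each host; hosts with no hits are omitted."""
    seen: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return dict(seen)


def verdict(stages: set[str]) -> str:
    """Two or more stages on one host is treated as a probable infection; a lone
    vulnerable-driver load is still worth a look because it is rarely legitimate."""
    if len(stages) >= 2:
        return "probable GhostEngine infection"
    if "edr_tampering" in stages:
        return "review: vulnerable driver loaded"
    return "no finding"


# Constructed sample telemetry: ws01 shows the full chain, ws02 is a clean host
# using the genuine servicing worker and an Oracle client, ws03 only loaded a driver.
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "process_create", "image": "C:\\Users\\Public\\Tiworker.exe"},
    {"host": "ws01", "event": "process_create",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -NonInteractive -w hidden C:\\Users\\Public\\get.png"},
    {"host": "ws01", "event": "task_create", "task_name": "\\OneDriveCloudSync"},
    {"host": "ws01", "event": "process_create", "image": "C:\\Users\\Public\\smartsscreen.exe"},
    {"host": "ws01", "event": "driver_load", "image_loaded": "C:\\Windows\\Temp\\aswArPots.sys"},
    {"host": "ws01", "event": "image_load", "image": "C:\\Windows\\System32\\msdtc.exe",
     "image_loaded": "C:\\Windows\\System32\\oci.dll"},
    {"host": "ws01", "event": "network_connect", "image": "C:\\Users\\Public\\smartsscreen.exe",
     "dest_port": 14444},
    {"host": "ws02", "event": "process_create",
     "image": "C:\\Windows\\WinSxS\\amd64_servicingstack\\TiWorker.exe"},
    {"host": "ws02", "event": "image_load", "image": "C:\\Oracle\\client\\sqlplus.exe",
     "image_loaded": "C:\\Oracle\\client\\oci.dll"},
    {"host": "ws02", "event": "network_connect", "image": "C:\\Program Files\\browser.exe",
     "dest_port": 443},
    {"host": "ws03", "event": "driver_load", "image_loaded": "C:\\Windows\\Temp\\IObitUnlockers.sys"},
]


if __name__ == "__main__":
    for host, stages in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{host}: {verdict(stages)} ({', '.join(sorted(stages))})")
```

The per-host grouping is the point: a single scheduled task named OneDriveCloudSync or a lone powershell.exe run is noise on its own, but the same host loading aswArPots.sys, running smartsscreen.exe and connecting to a pool port within the same window is the chain the reports describe. The driver load is kept as a standalone finding because, as the advice above notes, deployment of a known-vulnerable driver is a red flag regardless of what follows it.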