[BreachExchange] SANS infosec training org suffers data breach after phishing attack

Destry Winant destry at riskbasedsecurity.com
Wed Aug 12 10:11:31 EDT 2020


https://www.bleepingcomputer.com/news/security/sans-infosec-training-org-suffers-data-breach-after-phishing-attack/

The SANS cybersecurity training organization has suffered a data
breach after one of their employees fell victim to a phishing attack.

The SANS Institute is one of the largest organizations that offer
information security training and security certification to users
worldwide.

In a notification posted to their site today, SANS states that one of
their employees fell for a phishing attack that allowed a threat actor
to gain access to their email account.

This compromise was discovered on August 6th as part of a review of
their organization's email configuration.

"We have identified a single phishing e-mail as the vector of the
attack. As a result of the e-mail, a single employee's email account
was impacted. Aside from the affected user, we currently believe that
no other accounts or systems at SANS were compromised," states the
SANS data incident notification.

The threat actor then proceeded to configure a rule that forwarded all
email received in this account to an "unknown external email address"
and installed a malicious Office 365 add-on.

SANS has not provided much information about this add-on, but it is
likely an Office 365 OAuth application that the attacker consented to
in order to retain access to the mailbox even after the phished
credentials were changed.

[Image: Example Office 365 OAuth app]
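The two persistence mechanisms described above, an inbox rule that forwards mail to an external address and an OAuth app consent, are both things an administrator can hunt for in their own tenant. The following Exchange Online PowerShell script is an added example written for this page; it is not code from the article, from BleepingComputer or from SANS. It assumes you have already run Connect-ExchangeOnline as an Exchange administrator, that the $InternalDomains list is replaced with your tenant's accepted domains (the values below are placeholders), and that unified audit logging is enabled so Search-UnifiedAuditLog returns records.

```powershell
# Added example (not from the article or from SANS): hunt an Exchange Online tenant
# for external-forwarding inbox rules, mailbox-level forwarding, and audit events
# for rule creation and OAuth app consent.
# Assumptions: Connect-ExchangeOnline already run as an admin; $InternalDomains
# holds your tenant's accepted domains (placeholder values below).

$InternalDomains = @('contoso.com', 'contoso.onmicrosoft.com')   # placeholder: use Get-AcceptedDomain

function Test-ExternalRecipient {
    # Returns $true if any recipient string points at a domain outside the tenant.
    # Inbox rule recipients render as '"Display Name" [SMTP:user@domain]' or a bare address.
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        if ($r -match '([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+)') {
            $domain = $Matches[2].ToLower()
            if ($InternalDomains -notcontains $domain) { return $true }
        }
    }
    return $false
}

# 1. Enabled inbox rules that forward or redirect mail outside the tenant
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
            if (Test-ExternalRecipient -Recipients $targets) {
                [PSCustomObject]@{
                    Mailbox       = $mbx.UserPrincipalName
                    Rule          = $_.Name
                    Targets       = ($targets -join '; ')
                    DeleteMessage = $_.DeleteMessage   # forwarding plus delete hides the theft from the user
                }
            }
        }
}

# 2. Mailbox-level forwarding, which does not show up as an inbox rule
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Audit trail: who created or changed rules, and who consented to an app, in the last 30 days.
#    Exchange records carry a Parameters array; Azure AD consent records do not, so Details is empty for them.
$ops = 'New-InboxRule', 'Set-InboxRule', 'Consent to application.', 'Add OAuth2PermissionGrant.'
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -Operations $ops -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [PSCustomObject]@{
            When    = $_.CreationDate
            Who     = $d.UserId
            Op      = $d.Operation
            Ip      = $d.ClientIP
            Details = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        }
    }
```

Any rule returned by step 1 whose target domain you do not recognise deserves the same treatment SANS describes: disable the rule, reset the account's credentials and sessions, and review the consented applications for that user. Step 3 is worth running even when steps 1 and 2 are clean, because an attacker who has already collected what they wanted may have removed the rule.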

This rule forwarded a total of 513 emails, some of which contained
approximately 28,000 records of personally identifiable information
(PII) about SANS members.

This information does not include passwords or financial information
such as credit card numbers, but it does include email addresses, full
names, phone numbers, job titles, company names, and physical
addresses.

SANS instructors are conducting the investigation

As a cybersecurity training organization, few entities are better
equipped to perform the incident response for this compromise using
their own personnel.

As such, SANS states that their digital forensics instructors are
heading up the investigation and are working both to confirm that no
other systems were compromised and to harden their existing systems
and security.

As an educational opportunity, SANS states that they will host a
webcast sharing information about this incident that would be useful
to the wider security community.

"SANS digital forensics instructors are heading up the investigation.
We are working to ensure that no other information was compromised and
to identify opportunities to harden our systems and improve our
response. When the investigation is complete, we will run a webcast to
outline our learnings if there is information that we think would be
useful to the community."

Those affected are being notified and should be on the lookout for
targeted phishing attacks utilizing the stolen information.

BleepingComputer has reached out to SANS to learn more about the
phishing attack and whether it was targeted but has not heard back.

