How Hackers Compromised Cambridge University's Security to Spread Malware via a Firefox Zero-Day Vulnerability

What exactly is the biggest problem of modern online security? Advanced hacking tools? Badly written software applications? Vendors that don't do enough to protect users' data? You could argue that technically, all these answers are correct to some extent. From a more fundamental perspective, however, we reckon that the biggest problem is that we assume too much.

We assume that hackers won't be interested in us. We assume that tech-savvy users will never fall for the scammers' tricks. We also assume that the security of a world-renowned organization such as the University of Cambridge can withstand virtually any attack. A recent blog post from software engineer Robert Heaton busts these (as well as a few other) myths wide open, and it gives us a brilliant real-world example of how wrong we could be sometimes.

A cyberattack that leaves tech-savvy users none the wiser

Although, as we'll find out in a minute, Robert Heaton was the target of an extremely sophisticated cyberattack, he managed to come out of it completely unscathed. His story is no less fascinating, however, and one of the most disconcerting things about it is that he, a person that has spent most of his conscious life around computers, had absolutely no idea what was going on throughout the whole ordeal.

It all began in early June when Heaton received an email from a certain Gregory Harris who, the message said, was from the University of Cambridge. Harris was inviting Heaton to be a part of the jury that awards this year's Adam Smith Prize. The email said that Heaton had been recommended by other specialists in the field, and it included a link with more information on the award.

Robert Heaton was a bit confused. He opened the link which confirmed his suspicion that the Adam Smith Prize is an award that Cambridge University gives to people who excel in the field of economics. His career as a software engineer didn't make him the perfect candidate for the job. Nevertheless, he admits in his blog post that he has some interest in economics which is why he replied to the initial email asking for more information on what he will be required to do if he decides to accept the invitation. Gregory Harris said that Heaton would need to assess and evaluate some projects which would be sent to him shortly.

Robert Heaton was feeling even more uneasy. He felt that he was not qualified, and he voiced his concerns in another email to Gregory Harris. The reply stated that there might indeed be a mistake. Harris promised that he'd double check and get back to Heaton which he then failed to do.

Heaton thought nothing of it, but a couple of weeks later, he learned just how close he had been to getting his computer infected with malware.

A close call

Robert Heaton wasn't reckless when he was communicating with Gregory Harris. He did what he called "some basic security hygiene checks" – the ones we should all perform every time we get an email we're not expecting. He confirmed that the sender's address was hosted at cam.ac.uk, and he also made sure that the link leads to a URL that is also a part of Cambridge University's website. Heaton even googled the name of the person he was communicating with, and even though he was unable to find too much information, he wasn't especially suspicious.

It turned out, however, that Gregory Harris is most likely a fake persona and that the link Robert Heaton had clicked on was, in fact, malicious. The cybercriminals had managed to break through Cambridge University's security, they created two new email addresses, and used the Adam Smith Prize scenario to trick victims into visiting a couple of pre-uploaded web pages that were designed to infect Mac users with malware. According to Mac security expert Patrick Wardle, the payload was a backdoor known as OSX.NetWire.A.

Other users reported the same attack and claimed that in their cases, it was successful. Like them, Robert Heaton was using a Mac at the time, and yet, he didn't get infected. Why?

His only saving grace was that his browser of choice is Google Chrome. The web page he opened contained some malicious JavaScript code which exploited a zero-day vulnerability in Mozilla Firefox. If Heaton had opened the link in Firefox, he would have been infected.

Mozilla has now patched the hole, and those of you who haven't updated their browsers should do it as soon as possible.

The hackers made some mistakes as well

As Heaton noted in his blog post, if the malicious web page had said something along the lines of "View this page in Mozilla Firefox", the attack would have been more successful. They could have done better at picking their targets as well.

The goal of the whole attack was to steal cryptocurrency. Initially, the crooks were targeting Coinbase employees, but after limited success, they widened the net and started attacking people who they thought were in possession of some digital coins. In the case of Robert Heaton, however, they were setting their sights on the wrong person. He noted in his blog post that he has never really had any significant interest in cryptocurrency.

This doesn't make the whole story any less worrying. Security specialists won't stop telling us what we need to do in order to stay safe, but it becomes blatantly clear that this is not really enough in the case of an attack that is planned well enough. And although real-world incidents rarely involve zero-day vulnerabilities, the attack above shows us that when they do, even technically competent, security conscious users can be rendered completely powerless. The really unfortunate thing is that we can do little more than hope that the properly sophisticated attacks remain as few and far between as possible.