Without getting into who really hacked, the cause behind the hack, I just wanted to dissect it as an interesting case of multi-stage attack which proves that just securing your application is not good enough.
Anatomy of the MIT Hack
Step 1: MIT Network Operations Center (NOC) person is sent an email with a malicious link containing a browser exploit.
Step 2: Victim opens the email, clicks the link and gets compromised
Step 3: Attacker steals the “Educause” credentials of the NOC person
Step 4: Attacker creates a cloudflare account with DNS entries pointing to their own servers. Attacker also adds MX records such that mails are forwarded to their own servers.
Step 5: Attacker logs into the Educause domain control panel and changed the nameserver to point to the cloudflare account created before. Also they change the password of the domain control panel
Learning from the MIT hack
• Just securing the applications is not enough
• You need to look into complex possibilities of social engineering vectors
• Have a robust Emergency Response process
How MIT website got hacked despite having any vulnerability