Educause Security Discussion mailing list archives

Re: [External Email] [SECURITY] Risks from partner/3rd party who's victim of ransomware attack


From: "Jim A. Bole" <jbole () STEVENSON EDU>
Date: Mon, 30 Nov 2020 16:17:11 +0000

Mike,

Great list!

Thankfully no AD trust.

Password change for anyone with K12 creds is something added to my list.

Jim

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Michael J Behun
Sent: Monday, November 30, 2020 10:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [External Email] [SECURITY] Risks from partner/3rd party who's victim of ransomware attack

Just a few suggestions to think about.

1.  First - verify you have offline backups -  If you can see your backups online, then they likely can be 
deleted/encrypted.
2.  Take a look at your accounts

  *   Password  - Anyone that has an account at the K12 and university may be a vector if they use the same password for 
both accounts or logged on through a compromised K12 computer.  - suggest a password reset
  *   Check/monitor any privileged accounts (Backup Admin and Windows Domain Admin) at University  -  suggest MFA be 
enabled for privileged accounts.
  *   monitor RDP access or require MFA
3.  Ensure University domain controllers are patched  - break trust to BCPS
4.  Disable PowerShell or whitelist applications

Vector seems to be more account compromise,  privilege escalation, and reconnaissance.   It is less likely email will 
contain a payload.

Mike.

Michael Behun
Director of Information Security
Chief Information Security Officer
Binghamton University
607-777-6198 Office
607-644-3427 Direct
behun () binghamton edu


On Mon, Nov 30, 2020 at 9:48 AM Jim A. Bole <jbole () stevenson edu> wrote:
Are there any good precautionary measures to help reduce risks coming from a partner who's been the victim of a ransom 
attack?

The K-12 org in our area was hit by a major ransomware attack just before Thanksgiving:

Baltimore County schools closed Monday, Tuesday due to ransomware attack (wbaltv.com) 
<https://www.wbaltv.com/article/baltimore-county-public-schools-closed-monday-tuesday-ransomware-attack/34811334>

We have some students and faculty who are also connected with the school district (BCPS). They just got their 
public-facing website back up yesterday: Baltimore County Public Schools (bcps.org) <https://www.bcps.org/>

Out of an abundance of caution, we've temporarily quarantined all inbound email from BCPS.

We are also recommending that anyone who may have used their personal computer to connect to BCPS resources not use 
the device until more information is known.

We're also doing a general review of good practices (patching, monitoring, etc).

Our VPN is limited to a handful of key staff members. Most faculty/staff/students connect remotely to resources via 
cloud apps or an RDP instance restricted to a few on-prem apps.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
