Educause Security Discussion mailing list archives
Re: [External Email] [SECURITY] Risks from partner/3rd party who's victim of ransomware attack
From: "Jim A. Bole" <jbole () STEVENSON EDU>
Date: Mon, 30 Nov 2020 16:17:11 +0000
Mike,

Great list! Thankfully no AD trust. Password change for anyone with K12 creds is something added to my list.

Jim

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Michael J Behun
Sent: Monday, November 30, 2020 10:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [External Email] [SECURITY] Risks from partner/3rd party who's victim of ransomware attack

Just a few suggestions to think about.

1. First - verify you have offline backups - If you can see your backups online, then they likely can be deleted/encrypted.
2. Take a look at your accounts
   * Password - Anyone that has an account at the K12 and university may be a vector if they use the same password for both accounts or logged on through a compromised K12 computer. - suggest a password reset
   * Check/monitor any privileged accounts (Backup Admin and Windows Domain Admin) at University - suggest MFA be enabled for privileged accounts.
   * monitor RDP access or require MFA
3. Ensure University domain controllers are patched - break trust to BCPS
4. Disable PowerShell or whitelist applications

Vector seems to be more account compromise, privilege escalation, and reconnaissance. It is less likely email will contain a payload.

Mike.

Michael Behun
Director of Information Security
Chief Information Security Officer
Binghamton University
607-777-6198 Office
607-644-3427 Direct
behun () binghamton edu

On Mon, Nov 30, 2020 at 9:48 AM Jim A. Bole <jbole () stevenson edu> wrote:

Are there any good precautionary measures to help reduce risks coming from a partner who's been the victim of a ransom attack?

The K-12 org in our area was hit by a major ransomware attack just before Thanksgiving:

Baltimore County schools closed Monday, Tuesday due to ransomware attack (wbaltv.com) <https://www.wbaltv.com/article/baltimore-county-public-schools-closed-monday-tuesday-ransomware-attack/34811334>

We have some students and faculty who are also connected with the school district (BCPS).

They just got their public-facing website back up yesterday:

Baltimore County Public Schools (bcps.org) <https://www.bcps.org/>

Out of an abundance of caution, we've temporarily quarantined all inbound email from BCPS. We are also recommending that anyone who may have used their personal computer to connect to BCPS resources not use the device until more information is known.

We're also doing a general review of good practices (patching, monitoring, etc). Our VPN is limited to a handful of key staff members. Most faculty/staff/students connect remotely to resources via cloud apps or an RDP instance restricted to a few on-prem apps.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Risks from partner/3rd party who's victim of ransomware attack Jim A. Bole (Nov 30)
- Re: [External Email] [SECURITY] Risks from partner/3rd party who's victim of ransomware attack Michael J Behun (Nov 30)
- Re: [External Email] [SECURITY] Risks from partner/3rd party who's victim of ransomware attack Jim A. Bole (Nov 30)
- Re: [External Email] [SECURITY] Risks from partner/3rd party who's victim of ransomware attack Michael J Behun (Nov 30)