Ransomware Hits Maastricht University, All Systems Taken Down

[Gandalf_The_Grey]

Update #11: cyber attack UM:

At present, we are still working hard to get all UM systems operational again. The most important education-related computer systems are up and running again, though to a limited extent. Work is currently being done to create a clean and safe working environment and to make back-up files available for computer systems that are important for regular business operations, such as email and file servers.

Update #11: cyber attack UM

www.maastrichtuniversity.nl

 

[ForgottenSeer 823865]

Did i say somewhere that universities were poor in cybersecurity?

 

[upnorth]

I can't recall ever seen or heard about anyone update and share their information as frequent after a cyber attack as this University. That specific, I have no problem give credit for.

 

[Gandalf_The_Grey]

I can't recall ever seen or heard about anyone update and share their information as frequent after a cyber attack as this University. That specific, I have no problem give credit for.

Yeah, that's indeed good (to read) and open from them.
They also shared information with other universities in The Netherlands so that they can beef up their defences.
Confirmed in the Dutch news (Trouw) for Leiden University.
In Dutch:

Universiteit Leiden neemt beveiligingsmaatregelen na cyberaanval in Maastricht

De Universiteit Leiden heeft de beveiliging van haar computersystemen opgeschaald naar aanleiding van de cyberaanval op de Universiteit Maastricht. Dat blijkt uit een e-mail aan het personeel van de universiteit die in handen is van Trouw.

www.trouw.nl

Update 12 now live:

Update #12: cyber attack UM

www.maastrichtuniversity.nl

 

[Gandalf_The_Grey]

Update 13:

Today saw the resumption of a large part of our work. Our experts have managed to make Outlook and the network drives accessible again very soon, which is very important for our research, education and our organisation as a whole.

Email
Outlook, including email and calendar, will be fully operational from Tuesday 7 January. All emails sent since 23 December will come in.

Data
For storing data, we use shared network drives, such as the J disk (note: letters can vary per unit). These drives are fully accessible again from Tuesday 7 January; files can be opened, viewed, edited, saved and overwritten as usual.

The first operational day
Despite a number of limitations, many activities could continue after the Christmas break without major problems. For example, education started according to schedule and students were able to work in the libraries as usual. In addition, most UM members have now changed their passwords and minor problems with accessing the Wi-Fi have been solved by our help desks.

People responded calmly and showed understanding for the situation at our faculties. Second-year Psychology students applauded when they were briefed at the start of their lectures about the efforts made behind the scenes. At the Faculty of Science and Engineering, scheduled projects started without significant problems. The town hall meeting for Law employees was well attended and there was a lot of understanding and goodwill. Colleagues at the School of Business and Economics were also briefed at the start of the day and a help desk was set up to answer questions. Crowds at the SSC information desk were managed very well.

New Year's reception UM
At the New Year's reception at the end of the afternoon, Martin Paul looked back on the past two hectic weeks. There was a lot of praise for the colleagues who sacrificed their holidays to restore a number of vital processes in a remarkably short time. The Executive Board has a special message for them and all other UM members.

Update #13: cyber attack UM

www.maastrichtuniversity.nl

Message from the Executive Board - 6 January 2019 - Message from the Executive Board - 6 January 2019 - Maastricht University

www.maastrichtuniversity.nl

 

[Gandalf_The_Grey]

Update #16 cyber attack UM
Lessons learnt
In a few weeks' time, UM expects to be able to publicise the lessons learnt following the attack on our computer systems. For our own sake, but also for the academic colleagues, and other stakeholders. Also towards the media. We expect this to happen on 6 February, when we also want to answer questions that we cannot address while the investigation is still ongoing, so as not to harm the interests of our students and employees as well as the university as a whole.

Update #16 cyber attack UM

www.maastrichtuniversity.nl

I'm curious what they have to say and will share with us

 

[upnorth]

I'm curious what they have to say and will share with us

Same here and the only thing I lacked in all this official information so far is, " We did Not pay the ransom ".

 

[Gandalf_The_Grey]

Same here and the only thing I lacked in all this official information so far is, " We did Not pay the ransom ".

I hope they will tell us on the 6th of February if they paid or not.

 

[Antus67]

These college students are trying hard to get a education now they have to worry about the College itself surviving cyber attacks

 

[Gandalf_The_Grey]

Update #17: cyber attack UM
We are still working very hard to gradually release more computer systems. We have now entered a phase where daily updates are not to be expected. As soon as there is news, we will report this. We expect to publish a new update on Monday 13 January.

Update #17: cyber attack UM

www.maastrichtuniversity.nl

 

[Gandalf_The_Grey]

Update #18: cyber attack UM
Symposium ‘Lessons learnt’ on 5 February
The symposium planned by UM to provide more details about the cyber attack will not take place on Thursday 6 February as previously announced, but on Wednesday 5 February. UM would like to share the lessons learned in the wake of the attack on its computer systems with the wider public. During the symposium, the university will also address questions that could not be answered while the investigation was still ongoing. There will be an opportunity for the media to ask questions.

Update #18: cyber attack UM

www.maastrichtuniversity.nl

 

[woodrowbone]

Does anyone know what security soft was used on the endpoints, or did I miss that?

/W

 

[Gandalf_The_Grey]

Update #19: cyber attack at UM
Why do cabled internet, printing/scanning/copying and VPN not work yet?
Because of cyber security, it is necessary to monitor workplaces for suspect activities. For that purpose, the monitoring software Carbon Black is currently being installed at all workplaces. As soon as this software is installed at (almost) all workplaces, the cabled network can be opened again. VDI workplaces have a special status, because these are 100% equipped with Carbon Black and therefore already have access to the internet.
For AthenaDesktop workplaces we have (amply) reached the set standard. It is therefore important that also the non-AthenaDesktop workplaces are equipped with the software. The sooner the set standard is reached, the sooner the internet connection can be opened to the entire UM. Look at the FAQ to find out how you can check if your workplace has already been equipped with the correct software. If not, then please contact your local support officer.

News | Maastricht University

www.maastrichtuniversity.nl

 

[upnorth]

symposium on 5 February, which will be available to everyone via livestream

News | Maastricht University

www.maastrichtuniversity.nl

 

[Gandalf_The_Grey]

News | Maastricht University

www.maastrichtuniversity.nl

There is also some more info on Carbon Black in that post:

What is Carbon Black?
In response to the cyber attack, UM has taken proactive security measures. One of these measures is the installation of the Carbon Black security tool. This programme runs on all Windows servers and workstations (desktops, laptops, VDI) that fall under the UM domain (for which you have to log in with your UM username and password). Carbon Black is being used in conjunction with the regular virus scanner that UM already uses, with the advantage that threats can be detected faster. The tool monitors specific activity on a computer to enable early detection if malicious parties try to gain access to that computer or to the entire UM network.
What does it mean for your privacy?
Carbon Black cannot access your personal information. Just as a virus scanner scans the files you work on or the websites you visit, so does Carbon Black. The monitoring software examines metadata, such as IP addresses. If it detects an IP address that hackers use, it will set off the alarm bells. In other words, UM is using Carbon Black to detect security incidents, and it does not monitor the behaviour of individual employees or to look into their files.

 

[upnorth]

I wonder what their "regular" virus scanner is.

Hopefully asked about and answered on the 5th. If I can, I'll watch the stream.

 

[Gandalf_The_Grey]

I wonder what their "regular" virus scanner is.

Hopefully asked about and answered on the 5th. If I can, I'll watch the stream.

I have the same question after reading that post
I will be at work on the 5th so not able to see that stream.
Hopefully, I can see it at a later time.

 

[Burrito]

Does anyone know what security soft was used on the endpoints, or did I miss that?

I wonder what their "regular" virus scanner is.

Exactly.

While one should not issue a damning indictment for whatever AV they have that missed the ransomware --- our MT minds want to know..

So assuming that they already have a full AV -- which they obliquely referenced as "the regular virus scanner that UM already uses" -- they are doubling up on AVs.

I know that's considered 'overkill' now here in MT. But I've pretty much always doubled up on detection/response capabilities on my 'computers that count.'

I used an unmanaged Carbon Black endpoint for a couple of years. It's good. And yep, I ran it with another detection capability too.. At the time, I was running Cylance, CrowdStrike, and Carbon Black on different computers -- and Carbon Black was my least liked of the three -- but it is good. And no, I don't pay for all these... my organization is a highly sought after large customer which sometimes results in free licenses for me.

 

[Dex4Sure]

These cyber criminals have sunk to a all time low when attacking a college university. These students are trying hard to get a education and than a job when they graduate and I'm sure they will have to pay a partial amount of money towards their education. These cyber bums need to be sent to college and learn how to become human beings

Hackers/malware coders are often times smarter and more knowledgeable than your average college students or IT admins for that matter. And college does not teach you how to be a human being, no idea where you got that from. Fact of the matter is there are people who are more likely to become criminals than others, its partly genetic, partly about upbringing. These people have decided to use their skills in wrong manner, yes that is correct... But it also shows how bad of a job the college's IT department has done. Maybe if these malware writers were hired for the job instead, they might be able to do a lot better job at keeping these systems safe.

Its sad to say this, but most people who come out of college have this 9 to 5 mentality and you'll never become exceptionally skilled in anything with that mentality. You just do your job, but refuse to spend any extra time in honing your skills. Well, guess what... The people who are the best programmers, hackers, businessmen whatever it is you want to do, they are the kind of people who are obsessed about their profession. They are workaholics. They spend most of their free time in honing their skills. They learn constantly through their life. This is the mindset that breeds success in real life.

I could go on a ramble just how much current education system sucks and how much improvement there is to be made, but I'll leave it for another time.

 

[Sampei Nihira]

Although outdated, the best ransomware analysis is that of McAfee:

Clop Ransomware | McAfee Blog

This new ransomware was discovered by Michael Gillespie on 8 February 2019 and it is still improving over time. This blog will explain the technical

www.mcafee.com

Beyond the use of the bat file, the subsequent variants are probably executed in the malware code, it is interesting to note the abuse of:

vssadmin, bcdedit, net.

I would like to advise MT members to monitor these commands.
Needless to say, OSA has predefined rules for controlling them.

Some MT members may want to block commands via registry with the value "Disallowrun".
On my OS XP this does not block command execution at a prompt.
It would be interesting to find out what happens in post XP OS.