Happy Friday!

Today I want to let you know about a recent incident that affected several computers at the Institute. It is very important to me to explain what happened and how it started. It is equally important to remind everyone of those things we must remain mindful of with regards to IT security. In addition, I have a couple of updates you need to be certain you have.

Recent Incident

• What was the incident?
  • On Thursday, 05/04, I received some calls from OIT’s Desktop Support informing me of Microsoft Defender alerts that were showing attempts to connect to different Institute-owned systems.
  • Desktop Support told me it didn’t appear that any systems were truly compromised, but there were many attempts to connect.
  • We discussed the appropriate thing to do was disable the systems from being on the network and OIT would send someone to rebuild these systems.
  • OIT created the trouble tickets and notified each user to let them know they were being removed from the network until their system was rebuilt.

• How did it happen?
  • OIT verified that the system involved was NOT an Institute-owned system.
  • The system involved was on the UTK campus.
  • The system involved had become vulnerable and allowed a hacker from another country to access that system.
  • Once the hacker gained access to that system, they tried to find other vulnerable systems to compromise.
  • In a situation like this one, the hacker typically uses scripts to try to gain access to as many systems as they can on that network.
  • In this case, there were plenty of systems on the UTK network and about eight on the UTIA campus that showed attempted connections.
  • Microsoft Defender started sending alerts to OIT to notify them of the suspicious behavior.
  • I have an agreement with OIT to notify me as soon as they get these kinds of alerts so I can do the required reporting to the state, if necessary, as well as to get a better idea of what changes we may need to make to Endpoint Central (formerly known as Desktop Central).
  • I could get the alerts myself, but OIT cannot differentiate UTIA versus UTK systems via the alerts settings, plus there is one of me and there are multiple people with OIT, so the agreement has been working well so far.

• Were any UTIA systems actually compromised with malware or other issues?
  • The logs indicated a lot of attempts to communicate with UTIA systems, with that communication being attempts to connect via certain Windows processes.
  • However, the logs did not show any system belonging to UTIA to be infected, breached, or otherwise compromised.
  • There were no logs showing anything other than connection attempts.

• If my system was not compromised, why did it have to be rebuilt?
  • When a hacker attempts to make a connection but they don’t actually get in, it doesn’t mean they failed completely.
  • There is no way to know if the hacker has left leave bits and pieces of malware that will be lying in wait to be activated at a later time.
  • This malware can sit dormant until you click something that causes it to install without your knowledge.
  • Even though these systems look to be uncompromised, I strongly believe in being proactive if there is any possibility something could happen.
  • Rebuilding the system completely wipes any file(s) that the hacker may be dropped on the network via the vulnerable system that caused this.

• How can we prevent this from happening again?
  • Unfortunately, there is no 100% guarantee events like this won’t happen.
  • However, I am proud of the Institute’s faculty and staff for being mindful of potential security risks.
  • By using Endpoint Central, we are getting Institute-owned systems patched in a quick manner to help keep our systems from being vulnerable.
  • By asking prior to clicking, you are helping me be aware of potential problems, but you are also keeping your system clean and secure to the best of your ability.

Browser, OS, and Software Updates

• Microsoft
  • Microsoft has released updates to address multiple vulnerabilities in Microsoft software.
  • Exploitation of these vulnerabilities could allow an attacker to obtain sensitive information.
  • Updates are being automatically pushed to Institute-owned computers.
  • If you have recently clicked to have your computer restart later to finish these updates, please make sure you reboot right away to ensure all available updates have been applied.
    
• Firefox
  • Mozilla has released security updates to address vulnerabilities in Firefox.
  • These vulnerabilities could allow an attacker to take control of an affected system.
  • Since your browsers are being managed by UTIA ITS, you should be getting the updates automatically.
  • If you do not close your browser regularly, you may not have the latest updates.
  • In your Firefox browser, go to Settings (the three lines in the upper right-hand corner) and scroll down to Help.
  • Click on Help, then click on About Firefox.
  • A window will open to show you if your browser is up to date and what version you should have.
  • If you don’t have Firefox 113, please restart the browser to get the update.

I thank you all so much for being so security conscious. I am always happy to answer questions about anything having to do with cybersecurity.

I hope you all have a wonderful and safe weekend!

Sandy

Important Note: Thank you so much for sharing these e-newsletters with family, friends, clients, students, and anyone else who may benefit from the information. I would like to stress that you should keep your students in mind, as non-employee students will not get this information without someone sharing. If anyone has an email group for students who are not employees of your department, please let me know what that address is and I can include it. I do this as a blind copy so student names and addresses will not show up!