UC a Target of Nationwide Cyber Attack
Updated May 10, 2021
On December 24, 2020, UC’s Accellion FTA was the target of an international attack, where perpetrators exploited a vulnerability in the application. Over 100 organizations were similarly attacked, including universities, government agencies and private companies. In connection with the attack, certain UC data was accessed without authorization. We identified on March 29, 2021 that some of this data was posted on the Internet.
When the University discovered the issue, we took the system offline and patched the Accellion vulnerability. We are in the process of transitioning to a more secure solution. The University is cooperating with the FBI and working with external cybersecurity experts to investigate this matter and determine what happened, what data was impacted and to whom the data belongs.
There is no evidence that other University systems were impacted.
To inform and protect the UC member community, the University notified the community via email, hosted interactive workshops at several campuses and posted information about the event and how individuals can protect themselves to its websites. The University also arranged for free credit monitoring and identity theft protection services for the entire University community through Experian IdentityWorks.
Learn more from the UCOP Substitute Notice of Data Breach here.
This video produced by UC San Diego provides information on how to to register for credit monitoring and identity theft protection and take other steps to protect yourself. The video is also available in Spanish.
This FAQ addresses what to do if you recieve an alert from Experian IDWorks that some of your information has been found on the web.
For even more information, please click the links below:
- UCOP - Data Security
- UCOP - Frequently Asked Questions about the Accellion Data Breach
- UCOP Investigating Extent of Data Breach
- UC Offers Free Protection From ID Theft
- How to Protect Your Credit
- 5 Ways to Protect Online Information
Please note: This issue has been fully resolved.
Recently, OIT and the Library learned that users running Mac OS X "Catalina" are unable to access Library resources via the UC Merced VPN because their Internet Service Provider is assigning them an IPv6. If you are a Mac user running OS X "Catalina" and have been unable to access Library resources using the UC Merced VPN, read on to understand why, what UC Merced is doing to fix this, and the steps you can take now to address the problem.
What is IPv6?
IPv6 is the next generation IP technology that governs how computers connect to the internet. IPv6 is not widely implemented across the internet, but is currently offered by a number of institutions. UC Merced does not offer IPv6 at this time.
Where is the IPv6 address coming from?
The IPv6 addresses in question are coming from your local Internet Service Provider (ISP) - Comcast, AT&T, and so on. These companies offer IPv6 as part of their packages.
When are users running into a problem?
Users experience this problem when attempting to access the Library CDL resources while running Mac OS X “Catalina” using the UC Merced VPN.
If I upgrade to Mac OS 11 "Big Sur," will that fix the problem?
The OIT Information Security team has confirmed that this problem persists with the new 'Big Sur' OS. Keep in mind that the 'Big Sur' OS also poses other compatibility issues in its current state, so OIT has advised that UC Merced users wait to update their Mac OS.
What is being done to fix this problem?
The Office of Information Technology has engaged our vendor support and is working towards finding a permanent solution for this issue. In the interim, we have created a self-service Knowledge Base article to walk you through running a simple script to disable IPv6 on your system as a temporary fix
- KB Article: How to Disable IPv6 on OS X
This workaround should help alleviate the current impact to UC Merced students, staff, and faculty who need to access Library resources to continue their work.
Will disabling IPv6 have any other effects?
The technology behind IPv6 is not widely implemented, and most sites do not use it as their only way to connect to your computer.
What if I find a site that needs IPv6?
If you do find a resource that requires IPv6 to function, we have also created a self-service Knowledge Base article to help you reactivate IPv6 on your OS X system.
- KB Article: How to Enable IPv6 on OS X
Please note that while IPv6 is activated, any IP authenticated website or resource may be affected.
Visibility for Protection
Information security in higher education faces increasing challenges, accelerated by the pandemic-driven need and expectation to access data and resources “anywhere, from any device, anytime.” Attackers are increasingly taking advantage of vulnerabilities on “endpoint” devices - desktops, laptops, tablets, and smart phones – to access institutional data for financial gain or sabotage. In environments where we bring our own devices and work from anywhere, information security teams often lack the visibility and monitoring capabilities necessary to ensure that endpoints (and therefore our institutional data) are properly protected.
You may have heard about a recent information security incident at UCSF. To avoid similar situations and to address the issue of endpoint security at UC Merced, the Information Security team has developed and implemented the Bobcat Desktop Endpoint Management environment. Bobcat Desktop allows OIT to deploy, update, and troubleshoot connected systems on an opt-in basis - ensuring they are configured correctly, updated automatically, and secured against attacks.
In this COVID-19 environment, the protection and management of devices connected to UC Merced systems and resources have become increasingly important. Remote work, learning and teaching has created an environment with increased attack surface, and Bobcat Desktop is more helpful than ever to UC Merced users. We've been expediting our efforts to get Bobcat Desktop rolled out to more endpoints.
To protect and manage endpoints regardless of where they are, we have developed a three-part solution;
1. Bobcat Desktop Endpoint Management
2. Mobile Device Management (MDM)
3. FireEye HX Endpoint Security Management
The Information Security team has been working closely with departments to deploy these endpoint tools as needed. Recently, we have successfully completed deployments to the Administrative Coordination Team (ACT) and Student Health Services. These tools are critical as part of our endpoint management effort to prevent incidents similar to the one that happened at UCSF.
The shift to remote learning, remote instruction, and remote work and the associated rise in use of personal devices to do University work has led to an increased risk to UC Merced’s information security posture. We want to remind you that the threat of social engineering, phishing and disinformation campaigns surrounding Coronavirus (COVID-19) remains high. Please be on the alert!
Across the globe, there is an increased amount of phishing and ransomware activities initiated by criminal organizations and nation state actors. These sophisticated attempts are targeting COVID-19 researchers, health providers, and anyone who might have access to institutional resources and data assets mostly in the form of COVID-19 exposure notification messages. These activities are also confirmed by FBI through public service announcements.
In general, criminals and bad actors are using the COVID-19 pandemic to raise fear and concern via phishing emails and text messages. These scams might indicate that you have been infected and/or you were near someone that is infected with COVID19, say that found out about you due to social tracking, and instruct you to download a form and proceed immediately to the nearest hospital.
Even before COVID-19 contact tracing programs have legitimately been rolled out in Merced, cyber criminals have been sending emails alleging that staff members have been infected. These malicious messages—ostensibly from institutions such as the World Health Organization (WHO), or Center for Disease Control (CDC), University of California faculty and staff, or even medical professionals—are intended to spread disinformation and disrupt economic recovery efforts. Many instances of this type of cyber crime are also very targeted, such as the Social Services Letter circulating in Merced County indicating COVID-19 testing is mandatory for all households and failure to comply will result in a suspension of benefits.
Please be aware that the United States government and medical professionals and institutions do not do any social tracking of the COVID-19 virus. Hackers will say that they traced you down via your phone or a charge card receipt for a location or someone that you might know. Typically, they try and keep everything as vague as possible so that you will click on the link included with the message. Keep these tips in mind:
- Please do not click on any suspicious links in messages. Read messages critically, even if they’re about COVID-19.
- Visit websites that you know and trust such as UC Merced’s Campus Covid-19 Updates or the Centers for Disease Control and Prevention for legitimate information.
- Do not respond to texts, emails, or calls about checks or the government stimulus package. This is another way for actors to obtain your personal information and infect your devices with malicious code.
- Ignore online offers for vaccinations and home-test kits. No such approved products exist currently.
- Hang up on robocalls.
- Visit our Phishing Email Archive: https://it.ucmerced.edu/phishing#heading-3 for regularly-updated examples of phishing attempts and stay informed to stay safe!
UC Merced Information Security has noticed a large spike in phishing scams and spam emails using a subject line containing “Coronavirus” or “COVID-19” as the lure to entice our campus community to click on links, download files, and open attachments. Many of these emails impersonate legitimate institutions and authorities.
One specific threat, reported by the Health Sector Cybersecurity Coordination Center (HC3), is an alert that cyber criminals have already begun circulating links to a “Live Coronavirus - COVID-19 map” falsely claiming to be from Johns Hopkins University, which actually contains malware. This malware can steal your browser history, cookies, cryptocurrency and other credentials including email addresses, passwords and credit card numbers.
More generally, beware of emails and sites containing information about or selling products that would allegedly cure or prevent COVID-19. These are also potential sources of phishing and spam.
As always, we urge users to:
- Exercise caution when clicking on links or opening attachments, even if they look like they’re from someone you know
- Whenever possible, go to web pages by a path you know is legitimate instead of clicking on a link in a message
- If an attachment is unexpected, contact the sender by a method you know is legitimate to confirm they sent it
If you’re unsure if an email is legitimate or if you know for certain it isn’t, please report it directly to Information Security at email@example.com. For more information, be sure to visit our How to Spot a Phish page.
In November, 2019, Americans told Pew Research Center they're feeling frustrated that companies and the government are constantly tracking them online and collecting their personal information, but they're also increasingly vulnerable to identity theft as security breaches rapidly proliferate.
According to data retrieved from Privacy Rights Clearinghouse, the number of educational institutions (EDU) records exposed in reported data breaches each year from 2004 to 2017 remained steady at less than 5 million records. In 2017, this number increased to 7.6 million records. However, there was a dramatic increase in 2018 when a single data breach exposed 40 million records, bringing the total number of exposed records for the year to almost 41 million.
During the same time period, the number of reported EDU data breaches decreased from 64 reported data breaches in 2004, climbing to a high of 107 reported data breaches in 2007, and then dropping to 17 data breaches in 2015 and 2018. This demonstrates that cyber-criminals have steadily gotten better at accessing greater amounts of data with fewer breaches—as is most evident in the case outlined above, when the single data breach yielded 40 million records.
Armor, a Cloud Security company, reports that educational institutions were hard hit by ransomware in 2019. According to Armor, there were ransomware attacks against 72 school districts (links to map) from the period of January 1 through December 31, which may have impacted as many as 1,039 schools in the U.S.
Analysis on attack methods for ransomware reveals that most attacks begin with phishing, spear-phishing, and social engineering. For this reason, it’s important that educational institutions train their users via awareness campaigns to help protect their networks. Awareness campaigns should include education about current and emerging cybersecurity risks and phishing emails. Training should focus on policies regarding how to maintain secure passwords and how to properly respond to suspected phishing scams.
LogMeIn, a subsidiary of LastPass Password Management company, published the results of a survey they conducted in the first half of 2018. According to LastPass, even though 91% of respondents said they understood the risks of password reuse across websites, a staggering 59% reported doing it anyway. There are several reasons for user apathy, but the main culprit seems to be fear of forgetting what their password is.
Compounding this risky user behavior, 53% of respondents said that although they were aware of the risks, they had not changed their passwords in the past 12 months or longer. This holds true even when they learn of a data breach that involved user passwords. Adding still more to their risk profile, nearly 60% engaged in these behaviors: password reuse and failure to change passwords despite a data breach.
LogMeIn explored whether there was a significant difference in how users create passwords for personal and work use. Almost half of users said they didn’t do anything unique between creating personal or work passwords and, even worse, 62% said they reuse the same password between personal and work accounts. Only about one in five users reported creating stronger passwords for work than for personal use.
As part of their 2019 National Cybersecurity Awareness Month reporting, TechRepublic highlighted the findings of a recent survey conducted by Google. Here are some of the key numbers on American's cybersecurity habits:
- 59% = Percentage who have incorporated a name or birthdate into their password
A further break down of this last percentage reveals:
- 33% = A pet's name
- 22% = Their own name
- 15% = Spouse or partner's name
- 14% = Child's name