Security Incident — Feb. 16, 2021

The University of Memphis is committed to protecting the integrity and security of its IT infrastructure and is providing this information to help the University community understand the nature of a cyberattack detected on Feb. 16, 2021. This document will be updated as new information is available.

What happened?
The University detected a sophisticated cyberattack against its systems and took immediate steps to identify and contain the scope of the incident. The perpetrators infiltrated some desktop computers and servers running the Microsoft Windows operating system. The University engaged with external resources to assist with the incident and to support remediation efforts. The investigation determined that the cyberattack was designed to launch a ransomware attack against University computers. Immediate steps taken by the University and external resources prevented the attacker from successfully completing the attack. 

When did it happen?
IT Security first became aware of a potential attack on Feb. 16. Immediate steps were taken to contain the incident, and access was terminated by Feb. 18. All faculty and staff were notified via email on Feb. 19. Although we ultimately detected no evidence of unauthorized access to student personally identifiable information, students were notified via email on Feb. 23. Our investigation determined the malicious actors first gained access on Feb 13.

How was the attack detected? 
Anomalous behavior was reported regarding an IT service. Further research detected anomalous behavior of a user account. The security incident was identified, and investigation, response and remediation activities were initiated.

What “external resources” has the University engaged to assist with the incident? 
The University engaged with FireEye Mandiant (“Mandiant”) on this incident. Mandiant is a global leader in cyber security solutions including incident response and remediation.

Was any personally identifiable information inappropriately accessed?
We have no evidence that any personally identifiable information was inappropriately accessed.
What specific systems were affected?
Some desktop computers and servers running the Microsoft Windows operating system were the target of the cyberattack. The University implemented FireEye client software on 6,957 computers to supplement existing antivirus software. The University took immediate steps to contain this incident; 24 computers were quarantined due to malicious activity. Quarantined computers require appropriate inspection, remediation and approval before returning to service.

If I connect to the University VPN from my Windows home computer, am I affected?
The attack was limited to University computers joined to the Active Directory UOM domain. Personal computers are not allowed to join the UOM domain and were therefore not affected based on available information.

My Windows computer is not in the UOM domain. Am I affected?
No. Only computers joined to the UOM Active Directory domain were affected. However, individuals with University-owned workstations (even if they are not part of the UOM domain) are still required to adhere to all University policies and guidelines related to IT security. For more information, visit the Security Policies and Guidelines page.

How were attackers able to gain access to systems with Duo in place? 
Duo protects University systems by providing an extra layer of security when users attempt to authenticate. This requires both systems and users to use Duo multi-factor authentication. Although all faculty, staff and students are now required to use Duo, some University systems are not yet protected by Duo. The effort to add Duo to all University systems is ongoing.

Were online class systems affected?
The University's online class system, Desire2Learn (D2L), is hosted in the cloud and was not affected by the attack. Other cloud-based services such as Zoom and Microsoft Teams were unaffected.

Was this related to the Microsoft Exchange vulnerability recently announced in the news?
No. The Microsoft Exchange vulnerability did not impact the limited number of University systems involved in this incident.

How might I be affected?
The University took immediate steps to contain the incident. These steps require adherence to additional security requirements, and additional security controls will be implemented as warranted. Our response required temporary disruptions to portions of the infrastructure, such as network connectivity, workstations and service availability. 

Individuals who need assistance with technical alternatives or who have questions about service impact may contact the ITS Service Desk at 901.678.8888 or via email at umtech@memphis.edu.

What steps are being taken to prevent this in the future?
The University has collaborated with external forensics experts to mitigate risks and strengthen our information security program. Systems will have additional restrictions applied, all faculty, staff and students will continue using multi-factor authentication, and the VPN will be required to access additional services. 

The University will continue efforts to strengthen our security posture, and additional technologies will be deployed as appropriate.

How can I protect my systems and data?
It is critically important that individuals adhere to IT Security policies and guidelines related to protection of the University IT infrastructure. As such, all computers must be running supported operating systems that are fully patched and updated, and all computers must be running antivirus software. 
It is very important that documents or data on workstations be backed up. Many individuals already use OneDrive. Review the OneDrive information page for more information on how to use this service. Contact the ITS Service Desk at 901.678.8888 for assistance or to request assistance from your LSP. 
Data stored on the University’s enterprise infrastructure storage supported by ITS is regularly backed up.

My server or desktop is shut down. Can I turn it on?
During early stages of the incident, University-owned computers exhibiting anomalies were shut down and/or removed from the network. If your University-owned server or desktop is not available, please contact your LSP for assistance. 
In general, University-owned computers should be left powered on to ensure that appropriate patching and antivirus scans can occur during low-use hours.

Why did I need to change my password? / Why did my password expire?
As part of our investigation, we determined the threat actors gained access to certain IT infrastructure components. As a result of that access and out of an abundance of caution, we required all users to change their passwords by March 31. On April 1, all unchanged passwords expired, requiring those users to manually reset their passwords before accessing their University accounts.

Who can I contact for assistance?
Individuals who need assistance may contact the ITS Service Desk online, by email or by calling 901.678.8888.