Brute Force Attack Against UBC Identity Infrastructure – April 14th, 2016 17:41 PT

UBC is experiencing a brute force attack against our identity management infrastructure. The attacks originate from outside UBC, via the Tor network. The attackers are exploiting a vulnerability that is caused by allowing direct remote access to PCs, servers, and mobile devices via Remote Desktop Protocol (RDP). We are immediately shutting down off-campus access to RDP. Please note that at this time, remote access is still available on University networks, via Virtual Desktop Interface (VDI) and Virtual Private Network (VPN).

We have identified 1300 systems on campus that have RDP enabled, but anticipate that fewer users will be affected, as not all users will be accessing RDP overnight.

We will be doing forensic analysis to determine whether any user accounts have been hacked and whether we require a broad password reset.

We are seeing this type of attack happening at other major institutions. We will provide you with a further update once we have further analysis of the situation.

Please contact the IT Network Operations Centre at 604.822.3180 if you’re experiencing issues after hours.

UPDATE: April 15th, 2016 14:00 PT

The brute force attack against UBC identity management infrastructure is still under investigation. The machines that have been identified as at risk were not meeting Information Security Standards with respect to internet-facing systems and services.

Below are the steps we are taking to mitigate the impacts:

  • With the exception of accessing Remote Desktop Protocol (RDP) via Virtual Desktop Interface (VDI) or Virtual Private Network (VPN), off-campus access to RDP will remain shut down until further notice. If you require RDP and neither VDI nor VPN is an option, please contact the IT Service Centre.
  • Determining whether a global password reset for EAD will be required
  • Reviewing EAD password security protocols
  • Reviewing our security infrastructure and policies to determine what actions we can take to prevent further impacts of the attack
  • Considering if additional resources (internal or external to UBC) will be required

More information will be provided in a later update.

UPDATE: April 16th, 2016 09:00 PT

UBC has taken action to stop the attack, and the investigation is ongoing. We are now determining whether a global password reset is necessary for Campus-Wide Login users. In order to mitigate risks and prevent future attacks, UBC is also reviewing its security infrastructure, protocols, and policies to determine what actions we can take to further strengthen the security of our network.

UPDATE: April 26, 2016 08:30 PT

After a thorough investigation, UBC has not found any evidence that accounts or information were compromised. As such, a global password reset will not be mandated, but please note that password resets are still recommended when situations like this arise, particularly if someone has any concerns about the strength of their current password/passphrase. In order to mitigate risks and prevent future attacks, UBC is also reviewing its security infrastructure, protocols, and policies to determine what actions we can take to further strengthen the security of our network.