Status

The Metropolitan State University of Denver status page provides real-time information about the status of our services.

Admin Building Malware Event
Incident Report for MSU Denver ITS
Resolved
ITS has been monitoring all impacted systems and feels confident that the immediate campus-wide risk of malware activity has been mitigated for the present time. ITS will continue to actively monitor the campus network and will take appropriate action if needed.
Posted Jun 27, 2018 - 13:24 MDT
Update
While forensic investigation of the event continues, the majority of affected systems and accounts identified have been remediated and ITS feels that the environment has stabilized. Shared network drive access has been reactivated and should remain in normal working status going forward.

Remediation efforts will continue for several days, and Helpdesk response times will remain longer than normal as team members work with impacted clients.
Posted Jun 25, 2018 - 16:49 MDT
Monitoring
Remediation efforts continue, and we expect work to continue next week.

• Computers impacted by this incident fall into two categories: ‘infected with the malware’ or ‘targeted.’
o All infected computers will need to be reformatted. If your computer was infected, ITS technicians will coordinate with you to redeploy a like, replacement computer as soon as one is available.
o All targeted computers will be scanned, updated and returned. You should receive an email from the ITS Helpdesk informing you that a service ticket was created for your computer replacement or scanning.
o ITS technicians will work over the weekend to address all computers that have been identified as being infected or targeted.

• The shared network drives will be available until 5PM, but will be down for the weekend for maintenance. They will be available again at 7AM on Monday morning. We expect them to return to their normal operating schedule beginning on Monday.

• VPN access remains restricted and will most likely remain unavailable throughout the weekend. Clients who have previously had VPN access will be required to re-enroll through the Helpdesk.

• Last night, the Office 365 Safe Links feature was enabled, providing time-of-click email protection against malicious links or email attachments. When you click on links or attachments in emails, you will receive a warning if the scan indicates it might be malicious. Do not open the link if you receive this warning.

• As noted in previous updates, ITS is evaluating additional security measures that may be enacted in the near future. You will be informed of any changes that may affect you.

• Continue to be wary of unfamiliar emails and to refrain from clicking on links or attachments. The following brief Lynda.com training may help clarify this guidance for some individuals: www.lynda.com/Business-Software-tutorials/Avoiding-phishing-scams/624136/624201-4.html. All MSU Denver faculty and staff can access Lynda.com at no cost; to access this resource, go to the Faculty & Staff Hub, click on the 'Lynda.com' link and log in with your MSU Denver NetID and password. Once logged in, you may also search for "Avoiding Phishing Scams" to find the recommended training.
• Please shut down your computer when you leave for the day as well as any time it’s not in use.
Posted Jun 22, 2018 - 13:19 MDT
Update
This is the final update for Thursday, June 21, regarding our ongoing information security response. We intend to provide at least one update tomorrow to keep you informed.

• ITS technicians will disable access to all shared drives from 5:00PM this evening until 7:00AM tomorrow. At this time, ITS also plans to disable access to these resources between 5:00PM Friday and 7:00AM Monday.

• VPN access remains restricted and will most likely remain unavailable throughout the weekend.

• As noted in previous updates, ITS is evaluating additional security measures that may be enacted in the near future. You will be informed of any changes that may affect you.

• ITS technicians are actively contacting clients whose assigned workstations have been impacted by this event to coordinate the reformatting and replacement of each device. We anticipate that this process will continue into and beyond next week.

• Continue to be cautious of suspicious emails – even if they appear to be from someone within MSU Denver – don’t click on any links or open any attachments and forward anything suspicious to spam@msudenver.edu.

• If you notice any suspicious activity with your MSU Denver accounts – email or computer – please contact the ITS Helpdesk at 303-352-7548 or support.msudenver.edu.

• For the duration of this incident, please shut down your computer when not in use.
Posted Jun 21, 2018 - 15:44 MDT
Update
This is the first update for Thursday, June 21, regarding our ongoing information security response. Overall, conditions have not changed significantly since yesterday afternoon.

• ITS technicians did disable access to all shared drives from 5:00PM yesterday until 7:00AM today, and intend to do the same this evening.

• ITS technicians are actively contacting clients whose assigned workstations have been impacted by this event to coordinate the reformatting and replacement of each device. We anticipate that this process will continue into and beyond next week.

• Consultants are on-site today assisting with the implementation of new security tools to protect critical technology infrastructure. In the meantime, ITS is examining additional configuration and procedural changes that can further mitigate the ongoing threat posed by this malware.

• We would like to remind you to be wary of unfamiliar emails and to refrain from clicking on links or attachments. The following brief Lynda.com training may help clarify this guidance for some individuals: www.lynda.com/Business-Software-tutorials/Avoiding-phishing-scams/624136/624201-4.html. All MSU Denver faculty and staff can access Lynda.com at no cost; to access this resource, go to the Faculty & Staff Hub, click on the "Lynda.com" link and log in with your MSU Denver NetID and password. Once logged in, you may also search for "Avoiding Phishing Scams" to find the recommended training.

• If you notice any suspicious activity with your MSU Denver accounts – email or computer – please contact the ITS Helpdesk at 303-352-7548 or support.msudenver.edu.

• For the duration of this incident, please shut down your computer when not in use.
Posted Jun 21, 2018 - 11:35 MDT
Update
This will be our final update for today, Wednesday, June 20. We will resume updates tomorrow morning.
• ITS technicians successfully reactivated all network services for the Administration Building at around 12:15PM MDT. We will continue to closely monitor network activity for any unexpected malicious network traffic.
• ITS is actively researching and implementing additional, global security configurations which will further safeguard the University’s network. As changes are instituted, they will be communicated with campus.
• As part of the incident response and out of an abundance of caution, University shared drives will be unavailable from 5:00PM on Wednesday, June 20 until 7:00AM on Thursday, June 21. Use of Office 365, OneDrive and SharePoint will not be affected.
• Compromised computers must be reformatted and redeployed. If your computer was impacted, you will receive a replacement computer. ITS technicians will work with you to ensure the least possible interruption in your daily tasks.
• If you notice any suspicious activity with your MSU Denver accounts – email or computer – please contact the ITS Helpdesk at 303-352-7548 or support.msudenver.edu.
• As a reminder, avoid clicking on any links in emails – even if the email appears to be sent from someone within MSU Denver. Forward any suspicious messages to spam@msudenver.edu.
• For the duration of this incident, please shut down your computer when not in use.
Posted Jun 20, 2018 - 15:48 MDT
Update
We are continuing to work on a fix for this issue.
Posted Jun 20, 2018 - 13:41 MDT
Update
ITS technicians are preparing to reactivate all network services for the Administration Building. This change will be implemented at 12:15PM MDT. We are closely monitoring network activity and will reverse course if any unexpected malicious network traffic is identified following this change.
Posted Jun 20, 2018 - 12:12 MDT
Update
Thank you for your continued patience as ITS responds to this ongoing security event. We would like to provide an update on the incident response thus far.

There were no major increases in malware activity overnight, and the team continues to respond to the vulnerabilities identified over the previous 48 hours.

We plan to communicate around 12:00PM MDT regarding reactivation of Administration Building network services.

As the investigation of this event has proceeded, it has become clear that the best course of action is to reformat and redeploy any computer impacted by this event. Work on this has already begun and will proceed as rapidly as possible.

ITS will require a password update for any account impacted by this event. Pending further analysis, a broader subset of the campus community may also be asked to reset their passwords.

As a reminder, please avoid clicking on any links in emails – even if the email appears to be sent from someone within MSU Denver. Forward any suspicious messages to spam@msudenver.edu.

If you notice any suspicious activity with your MSU Denver accounts – email or computer – please contact the ITS Helpdesk at 303-352-7548 or support.msudenver.edu.

Visit the ITS Service Status Page at its.msudenverstatus.com for up-to-date information about this incident or contact the ITS Helpdesk if you have any questions or concerns.
Posted Jun 20, 2018 - 11:05 MDT
Update
This will be our final update for today, Tuesday, June 19. We will resume updates tomorrow morning.

• All of the wireless network security enhancements mentioned in a previous update have been implemented at this time. We believe that these changes will minimize the spread of this malware over wireless networks.

• ITS retains an outside information security consultant for a range of services, such as annual assessments, regular check-ins and ongoing security awareness. In addition, this provider is prepared to assist ITS in incident response cases like this. The consultant has been working with us since yesterday afternoon, and has both validated the steps taken thus far and provided valuable guidance on the mitigation/remediation steps ahead. We anticipate that the heaviest disruption in system access and service availability is largely behind us, but some impact will persist for some individuals for the next several days.

• As a reminder, please avoid clicking on any links in emails and forward any suspicious messages to spam@msudenver.edu.

• If you notice any suspicious activity with your MSU Denver accounts – email or computer – please contact the ITS Helpdesk at 303-352-7548 or support.msudenver.edu.
Posted Jun 19, 2018 - 16:47 MDT
Update
It has been roughly two hours since our last update, so we would like to provide the latest information about this critical security incident.

Wireless network security changes have been applied to the majority of MSU Denver’s network, with the remainder scheduled for completion later today.

ITS continues to update and install security software on user workstations and critical server infrastructure. New phishing email attempts have been blocked and detected; please avoid clicking on any links in emails and forward any suspicious messages to spam@msudenver.edu.

In an earlier update, we mentioned there is a difference between managed and unmanaged computers. To determine if your computer is managed or not, follow the instructions on the Asset Management Self Service Overview webpage at msudenver.edu/technology/helpdesk/kb/assetmanagementprogram/selfservicefaq.

ITS is unable to provide the same level of support for personal devices as University-owned equipment. To avoid compromise of your computer(s) or account(s), do not plug any personal devices into the MSU Denver network and check to make sure they have the latest patches and software updates installed.
Posted Jun 19, 2018 - 14:30 MDT
Update
ITS is currently implementing new security settings on both wireless networks - MSU Denver and MSUDenver-Guest - in order to mitigate the spread of the malware. If you are connected to either of the wireless networks, you will temporarily be disconnected and will need to re-connect.

Additionally, if you receive ANY suspicious email messages, please forward them to spam@msudenver.edu. Do not click on links in unsolicited emails, as this may cause further spread of infection.
Posted Jun 19, 2018 - 11:31 MDT
Identified
While work continues, ITS wishes to share a brief update on present status and next steps.

• At this time, wired network connections within the Administration Building remain disabled – this quick response from our Security and Network teams successfully contained the scope of this incident, avoiding a spread across campus. We hope to reactivate these connections later today pending the results of further threat mitigation.

• Information Security team members are working to deploy advanced security tools to all managed and unmanaged devices within the Admin Building to further identify and clear the infection. Some devices (less than 20 at this time) will need to be erased and re-configured, but user files will be recoverable. In the meantime, all networked devices should be considered quarantined - do not connect these devices to other networks/locations.

• All impacted unmanaged devices in the Administration Building will need to be brought to ITS for evaluation and remediation before they can regain network access.

• Lastly, as this malware attempted to capture MSU Denver NetIDs and passwords, all Administration Building users will be required to change their passwords shortly. More detail on this process will be available later today.

We understand the ongoing impact of this incident, and are working to restore services as quickly and as safely as possible. Further updates on this incident will be available within 2 hours; all campus community members can also subscribe to critical system updates via its.msudenverstatus.com.

If you notice any suspicious activity with your MSU Denver accounts – email or computer – please contact the ITS Helpdesk at 303-352-7548 or support.msudenver.edu.
Posted Jun 19, 2018 - 10:38 MDT
Update
The investigation of the virus / malware infection in the Admin PCs is still ongoing. We are working with our antivirus vendors to resolve this problem.
Posted Jun 19, 2018 - 09:00 MDT
Update
4:15pm

Dear MSU Denver faculty, staff and students,

This morning, several Microsoft Windows computers in the Administration Building were infected with what appears to be a previously-unknown malicious application. Unfortunately, standard and advanced antivirus and endpoint protection software solutions are unable to detect the signature of this Trojan application.

To prevent the spread of this malicious software, the Administration Building’s primary networks have been isolated from the rest of campus while Information Technology Services (ITS) investigates and tries to resolve the issue. Additionally, VPN access for all MSU Denver accounts will be unavailable until the infection has been fully eliminated.

MSU Denver faculty, staff and students must exercise extreme caution to prevent further spreading of this malware. Please do the following until further notice:
• All computers (University-provided and personal) that have been connected to the MSU Denver network in the Administration Building should be treated as though they are quarantined. Moving these machines to another building or home will most likely spread the infection to the new location.
• Although the source of the intrusion has not yet been determined, phishing emails are suspected. Be more vigilant than normal when deciding whether or not to open or click on an email. When in doubt, just delete it.
• Any computers that are not in use should be powered-off completely.
• If you notice any suspicious activity with your MSU Denver accounts – email or computer – please contact the ITS Helpdesk at 303-352-7548 immediately.
The outbreak seems to have been contained in the Administration Building; however, ITS is monitoring all MSU Denver networks. Also, currently only Microsoft Windows computers have been infected, but we cannot guarantee that Apple OS computers are not affected.

If you have any questions or concerns, please contact the ITS Helpdesk at 303-352-7548 or support.msudenver.edu.


Information Technology Services @ MSU Denver
msudenver.edu/technology
Posted Jun 18, 2018 - 16:33 MDT
Update
We are continuing to investigate this issue.
Posted Jun 18, 2018 - 12:15 MDT
Investigating
Due to an active malware event, the ITS Security team is requesting that all clients in the Administration Building power-off any devices connected to the physical network. ITS technicians are actively canvassing the AD building to assist in removal of the malware.
Posted Jun 18, 2018 - 12:12 MDT
This incident affected: Information Security and GlobalProtect.