from Hacker News

Dutch university hit by cyber attack on its Windows systems

by stepri on 12/24/19, 3:21 PM with 36 comments

• by chroem- on 12/24/19, 4:14 PM

  It's interesting how the language around these incidents has shifted to give the impression that cybercommandos have stormed into cyberspace with their cyber assault rifles, when in reality the chances are very high that some university administrator probably downloaded a shady program from a porn site.

• by DavideNL on 12/24/19, 4:18 PM

  Allegedly it's the CLOP ransomware.

  "All dhcp-servers, Exchange-servers, domaincontrollers and networkdrives have been encrypted."

  Source in Dutch: https://tweakers.net/nieuws/161538/deel-diensten-universitei...

  Clop: https://securingtomorrow.mcafee.com/blogs/other-blogs/mcafee...

• by kjhioyiurewr on 12/24/19, 4:45 PM

  Central point of control (domain), central point of infection.

  As someone else said it, many networks are crunchy on the outside, chewy on the inside.

  We need a new model, that makes lateral movement much harder. There's no reason to allow an infected domain controller to infect the whole network, but I don't know what the solution looks like which still allows centralized control.

• by throw0101a on 12/24/19, 4:57 PM

  Are there any documented reports of Linux/Unix systems ever being hit by ransomware? Or files on NAS appliances (NetApp, Isilon, etc) being encrypted in a way that is unrecoverable (especially since snapshots can be scheduled regularly)?

  Certainly you can steal data from non-Windows systems, so exfiltration attacks are similar on both, but AFAICT, these "we've got your data" style attacks are unique to Windows. If an IT (desktop/laptop) environment was more Mac-heavy, would these be an issue either?

• by gshubert17 on 12/24/19, 6:35 PM

  Big list of ransomware or possible ransomware attacks in 2019 at:

  https://techtalk.pcmatic.com/2019/01/09/ransomware-attacks-2...

  I think the date should be December 2019 (not January), judging from the list of incidents by month.

  One I know of, against Regis University in Colorado, occurred in late August (first reports from August 22).

  https://www.regisupdates.com/regis-quick-updates/test-post

  It's mainly a Windows shop. Lots of disruptions for weeks (I teach there part-time, but was not teaching that term). By November(!) things were pretty much back to normal:

  https://www.regisupdates.com/regis-quick-updates/its-updates...

• by bathory on 12/24/19, 4:17 PM

  according to an insider, tweakers [0] is reporting that it is a ransomware attack and many device have been encrypted

  [0] https://tweakers.net/nieuws/161538/deel-diensten-universitei...

• by neverhigh on 12/25/19, 6:21 AM

  Interesting to read, the University in Gießen (Germany) is down for weeks with similar issues. https://www.uni-giessen.de/index.html (engl. Version below). They use Instagram and Facebook to organize 38.000 people and distribute passwords offline https://www.instagram.com/jlu.giessen/?hl=en

  - https://www.denbi.de/news/763-shut-down-of-de-nbi-services-h... - https://www.instagram.com/jlu.giessen/?hl=en

• by supakeen on 12/24/19, 4:13 PM

  There really isn't more information about this than the above so we don't know.

  Here's a few Dutch sources at the bottom you can throw through a translation service: "nearly all windows computers were hacked", "we dont know if this was criminal and if the perpetrator(s) demand money".

  Noteworthy quote "We are researching if the attackers could access that. Our expectation is that this is very difficult." on the storage of scientific data.

  https://nos.nl/artikel/2316120-cyberaanval-op-computers-van-... https://www.1limburg.nl/groot-cyberhack-bij-um-criminele-aan...

• by Twiebie on 12/24/19, 6:15 PM

  Is this similar to what happened this month in Germany? https://www.zdnet.com/article/more-than-38000-people-will-st...

• by ozim on 12/24/19, 9:57 PM

  Huh that note reads like something generated by this: https://whythefuckwasibreached.com/

• by samsquire on 12/24/19, 10:46 PM

  Remote browser isolation protects against this sort of thing

  https://en.wikipedia.org/wiki/Browser_isolation

• by raverbashing on 12/24/19, 3:51 PM

  on its Windows systems