INFORMATION SECURITY ALERT: RISK LOW - Universities are being targeted

By: Jeff Gardiner

September 21, 2018

In 2014, the Iranian government targeted Western and other Canadian universities to steal credentials and intellectual property in an incident known as ‘MABNA Institute’. The US State Department obtained evidence and charged several individuals in connection with this large-scale attack, and provided details to Western by way of the Canadian government.

https://www.fbi.gov/wanted/cyber/iranian-mabna-hackers

Recently, Western received information that the Iranian government was active again, this time working with a group known as ‘COBALT DICKENS’.  The goal and approach seem to be the same.  Attached is a .pdf explaining the threat.

  1. Hackers target credentials: 81% of all breaches involve stolen, default, or weak passwords and identities in some form.
  2. It is easier to breach a system with valid credentials than by other means.
  3. Normal security (meaning perimeter-based security) provides no protection against identity- and credential-based threats.

Because of this, the cybersecurity team is investigating at the institutional level. Even so, central IT may not be the only place where evidence of compromise appears.

INDICATORS OF COMPROMISE:

In logs or network streams, look for the following:

IP ADDR:

208.115.226.68

DOMAINS:

lib-service.com
ebookfafa.com
unvc.me
unts.me
untf.me
untc.me
univ.red
unisv.xyz
unir.ml
unir.gq
unir.cf
unip.gq
unip.cf
unin.icu
unie.ml
unie.ga
uncr.me
nimc.cf
jhbn.me
eduv.icu
anvc.me

ACTION:

If any of the above IPs or domains appear in logs or network streams, please contact security@uwo.ca.
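As an added example (it is not part of this alert, nor a tool from Western's security team), the following Python script checks log lines for the indicators listed above. The IP address and domain values are exactly those in this alert; the sample log lines, their field names and the function names are assumptions constructed for the illustration. Domains are matched as suffixes, so a subdomain such as the hypothetical mail.unvc.me is reported, while a hostname that merely starts with an indicator (unvc.me.library.example.edu) is not.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Indicators exactly as listed in the alert above.
IOC_IPS = {"208.115.226.68"}
IOC_DOMAINS = {
    "lib-service.com", "ebookfafa.com", "unvc.me", "unts.me", "untf.me", "untc.me",
    "univ.red", "unisv.xyz", "unir.ml", "unir.gq", "unir.cf", "unip.gq", "unip.cf",
    "unin.icu", "unie.ml", "unie.ga", "uncr.me", "nimc.cf", "jhbn.me", "eduv.icu",
    "anvc.me",
}

# Loose extractors: IPv4-looking tokens and hostname-looking tokens.
# The hostname pattern requires an alphabetic last label, so dotted IPs never match it.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Constructed sample log lines (not real Western logs) in a DNS-resolver and
# web-proxy style; the field layout is an assumption for this example.
SAMPLE_LOGS = [
    "2018-09-21T08:14:02Z dns client=10.20.30.40 query=mail.unvc.me type=A",
    "2018-09-21T08:15:11Z proxy src=10.20.30.41 dst=208.115.226.68 url=https://lib-service.com/login",
    "2018-09-21T08:16:45Z dns client=10.20.30.42 query=unvc.me.library.example.edu type=A",
    "2018-09-21T08:17:03Z proxy src=10.20.30.43 dst=93.184.216.34 url=https://www.example.edu/",
]


def domain_matches(host: str) -> Optional[str]:
    """Return the IoC domain that `host` equals or is a subdomain of, else None.

    Matching walks from the full hostname up through its parent domains, so
    'mail.unvc.me' -> 'unvc.me' is a hit, but 'unvc.me.library.example.edu' is not:
    the indicator must be a suffix, not merely a substring.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_line(line: str) -> List[Tuple[str, str, str]]:
    """Return sorted, de-duplicated (kind, indicator, observed_token) hits in one line."""
    hits = set()
    for token in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(token)  # drop things like 999.1.2.3
        except ValueError:
            continue
        if token in IOC_IPS:
            hits.add(("ip", token, token))
    for token in HOST_RE.findall(line):
        ioc = domain_matches(token)
        if ioc is not None:
            hits.add(("domain", ioc, token.lower()))
    return sorted(hits)


def scan_logs(lines: List[str]) -> dict:
    """Map 1-based line numbers to their hits, for lines with at least one indicator."""
    return {n: h for n, line in enumerate(lines, 1) if (h := scan_line(line))}


if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS).items():
        for kind, ioc, observed in hits:
            print(f"line {n}: {kind} indicator {ioc} (observed as {observed})")
```

Run against a real log, each reported line is what the ACTION section asks to be forwarded to security@uwo.ca; the suffix-based match is what keeps the check from flagging unrelated hostnames that happen to contain an indicator string.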
