ACTIVE Windows Exploits: INFORMATION SECURITY ALERT

Exploits released by the ShadowBrokers group on April 12th are actively being used to attack Windows systems on the UCLA network. IT Security has detected ~300 UCLA systems infected with the DoublePulsar backdoor (a kernel-level implant, installed through the leaked EternalBlue exploit against the SMBv1 vulnerability fixed by MS17-010, that gives an attacker covert administrative access), and the number of systems being exploited on the campus is growing rapidly.

To prevent further system compromises, IT Services will temporarily block the following network protocols at the campus border:

· Remote Desktop Protocol (RDP, TCP port 3389)

· Server Message Block (SMB) protocol (TCP port 445)

· NetBIOS over TCP/IP (TCP and UDP ports 137-139)

This action will temporarily disrupt the following services:

· Remote connection to systems on the UCLA network via RDP from outside the UCLA network

· Remote connection to mapped network drives hosted on the UCLA network from outside the UCLA network

· Active Directory domain replication from outside the UCLA network

The following actions are necessary to protect against the exploits that install the DoublePulsar backdoor. Note that patching closes the vulnerability and prevents new infections; it does not remove a backdoor that is already present on a system:

· Ensure that your Windows operating system has the MS17-010 patch (Microsoft Security Bulletin MS17-010, released March 14, 2017) or a later cumulative update that contains it. OS versions for this patch include:

§ Windows 7 or newer for workstations

§ Windows Server 2008 SP2, Windows Server 2008 R2 SP1, or newer for servers

· For older versions, you must upgrade your Microsoft OS to a current (but preferably the latest) version and install the MS17-010 patch.
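The following PowerShell script is an added example for checking a host against the guidance above; it is not part of the UCLA advisory and not an IT Security tool. It reports whether one of the MS17-010 update packages is installed (KB numbers taken from the MS17-010 bulletin), compares the Windows 10 build revision against the first revision that shipped the fix, and reports whether SMBv1 (the protocol the leaked exploit targets) is enabled. The registry paths and the per-build revision table are assumptions stated in the comments; run it in an elevated PowerShell prompt on the host being checked.

```powershell
# Added example (not from the UCLA advisory): report whether this host carries
# the MS17-010 fix and whether SMBv1 is enabled. Run elevated on the host.

# KB numbers from the MS17-010 bulletin (March 2017). Both the security-only
# and the monthly-rollup package for each OS contain the fix.
$Ms17010Kbs = @(
    'KB4012598',  # Windows Vista SP2 / Server 2008 SP2
    'KB4012212',  # Windows 7 SP1 / Server 2008 R2 SP1, security-only
    'KB4012215',  # Windows 7 SP1 / Server 2008 R2 SP1, monthly rollup
    'KB4012214',  # Windows Server 2012, security-only
    'KB4012217',  # Windows Server 2012, monthly rollup
    'KB4012213',  # Windows 8.1 / Server 2012 R2, security-only
    'KB4012216',  # Windows 8.1 / Server 2012 R2, monthly rollup
    'KB4012606',  # Windows 10 1507
    'KB4013198',  # Windows 10 1511
    'KB4013429'   # Windows 10 1607 / Server 2016
)

# Windows 10 cumulative updates supersede the March package, so a current
# Windows 10 host will not list the KB above. Check the build revision (UBR)
# instead: first revision of each build that contains the fix (assumed from
# the March 2017 cumulative update release notes).
$MinWin10Ubr = @{ '10240' = 17319; '10586' = 839; '14393' = 953 }

function Test-Ms17010Kb {
    # Positive check: any listed KB in the installed-update list means patched.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched = @($installed | Where-Object { $Ms17010Kbs -contains $_ })
    return [pscustomobject]@{ Patched = ($matched.Count -gt 0); MatchedKBs = $matched }
}

function Test-Win10Build {
    # Returns $true/$false for Windows 10 builds in the table, $null otherwise.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    if (-not $MinWin10Ubr.ContainsKey([string]$cv.CurrentBuild)) { return $null }
    return ([int]$cv.UBR -ge $MinWin10Ubr[[string]$cv.CurrentBuild])
}

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the switch through the SmbShare module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: registry value; absent means enabled (default).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $val) { return $true }
    return ($val -ne 0)
}

$os  = Get-CimInstance Win32_OperatingSystem
$kb  = Test-Ms17010Kb
$srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    OS              = $os.Caption
    Version         = $os.Version
    Ms17010KbFound  = $kb.Patched
    MatchedKBs      = ($kb.MatchedKBs -join ', ')
    Win10BuildOk    = Test-Win10Build
    Smb1Enabled     = Get-Smb1Enabled
    # The SMB server driver updated by MS17-010; compare against the file
    # version listed in the KB article when the KB check is inconclusive.
    SrvSysVersion   = if ($srv) { $srv.VersionInfo.FileVersion } else { 'not found' }
} | Format-List
```

A matched KB or a Windows 10 revision at or above the table value means the host has the fix. A miss is not proof that the host is unpatched: on Windows 7 through 8.1 the monthly rollups are cumulative, so a host that installed only a later rollup will list a different KB. In that case compare the reported srv.sys file version with the file-information table in the KB article for your OS. A host that reports SMBv1 enabled and no fix should be treated as exposed to the exploits described above until it is patched.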

IT Security is working to identify infected hosts and provide remediation instructions directly to the impacted campus units.

If you have concerns or questions, please contact Mike Story or me directly, or email the IT Security team at security@ucla.edu.

Additional information is also available on the IT Security Alerts website https://www.it.ucla.edu/security/advisories/windows-zero-days-affecting-smb-versions-123