A recent phishing attack at Augusta University was enabled by an employee likely expected to know better.
According to documents obtained by The Augusta Press, the director of the cyber range – a facility at the Georgia Cyber Center used to test and train for cyber attacks – gave a bad actor access to his OneUSG Connect account three times.
The incident prompted AU to “reevaluate and immediately tighten our cybersecurity posture,” President Brooks Keel said in a June 9 staff email, which did not identify the employee.
The episode began with a May 26 onslaught of 978 phishing emails claiming an outbreak of monkeypox on campus. Those emails tricked eight unidentified employees into giving the bad actor access to their email accounts, which sent 6,742 more bogus emails through the system.
The university uses OneUSG to maintain private employee information such as bank account numbers and health information. It grants the employee access to OneUSG and other systems using Duo, a multi-factor authentication program that sends a confirmation message to a separate device or app before allowing access.
“Our cybersecurity team was able to quickly identify and isolate the threat,” Keel said, “but not before an employee accepted three Duo multi-factor authentication push requests that they didn’t initiate.”
The approvals left the door open to “systems” for seven days, during which the bad actor changed the employee’s direct deposit account numbers, he said.
In an AU Police Department report about the incident, AU Cyber Defense Security Operations Center Manager Daniel Punches told police an unknown actor had accessed cyber range Director David Ivey’s OneUSG account on June 2.
The actor then attempted “to divert 99% of his payroll funds” to another account.
Ivey’s salary was $135,000 last year, or about $11,000 a month.
Fortunately for Ivey, IT was able to detect the changes and stop them, the report said.
The attack on Ivey’s account came from the same internet protocol address, with an assigned location of Kansas City, Kan., as a May 26 attack that was not reported to police, it said.
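The pattern the report describes (several push approvals the user did not initiate, from an IP address already seen in the May 26 campaign, followed by a direct-deposit change inside the seven-day window) is the kind of sequence a security operations team can alert on. The following is an added illustration, not code from the article or from AU; the event layout, user names, IP addresses and the per-user “known IP” baseline are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified Duo-style / payroll-audit form;
# users, IPs and times are hypothetical, not Augusta University's real logs.
# Tuple layout: (ISO timestamp, user, event, source IP)
EVENTS = [
    ("2023-05-26T09:10:00", "staff1", "mfa_push_approved", "203.0.113.7"),   # earlier campaign
    ("2023-06-02T07:55:00", "jsmith", "mfa_push_approved", "198.51.100.9"),  # normal login
    ("2023-06-02T08:01:00", "divey",  "mfa_push_approved", "203.0.113.7"),
    ("2023-06-02T08:03:30", "divey",  "mfa_push_approved", "203.0.113.7"),
    ("2023-06-02T08:05:10", "divey",  "mfa_push_approved", "203.0.113.7"),
    ("2023-06-03T14:20:00", "divey",  "direct_deposit_changed", "203.0.113.7"),
]
# Hypothetical baseline of IPs each user normally authenticates from.
KNOWN_IPS = {"staff1": {"192.0.2.11"}, "jsmith": {"198.51.100.9"}, "divey": {"192.0.2.10"}}

def detect(events, known_ips, burst=3, window=timedelta(minutes=15), trust=timedelta(days=7)):
    """Return alert tuples (kind, user, ip, detail) for three patterns:
    a burst of push approvals from an unfamiliar IP, that IP being shared with
    another user's unfamiliar approvals, and a payroll change inside the trust window."""
    unknown = defaultdict(list)   # user -> [(time, ip)] approvals from unfamiliar IPs
    ip_users = defaultdict(set)   # ip -> users whose unfamiliar-IP approvals came from it
    flagged = {}                  # user -> time of the first push-fatigue alert
    alerts = []
    for ts, user, event, ip in sorted(events):   # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        if event == "mfa_push_approved" and ip not in known_ips.get(user, set()):
            unknown[user].append((t, ip))
            ip_users[ip].add(user)
            recent = [a for a in unknown[user] if a[1] == ip and t - a[0] <= window]
            if len(recent) >= burst and user not in flagged:
                flagged[user] = t
                alerts.append(("push_fatigue", user, ip, f"{len(recent)} approvals within {window}"))
                others = sorted(ip_users[ip] - {user})
                if others:  # same source IP already tied to other users' suspicious approvals
                    alerts.append(("shared_ip", user, ip, others))
        elif event == "direct_deposit_changed" and user in flagged:
            if t - flagged[user] <= trust:  # change made while the approved session is still trusted
                alerts.append(("payroll_change_after_suspicious_mfa", user, ip, str(t - flagged[user])))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_IPS):
        print(alert)
```

The burst size, window and trust period are parameters so they can be tuned to the institution’s own Duo policy; the seven-day value mirrors the window the report describes.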
Universities, cities and other institutions continue to cope with cyberattacks such as the ransomware intrusion that continues to grip city of Augusta systems.
About a week ago, the university system announced that its file transfer software MOVEit had a vulnerability that likely gave cyber criminals unauthorized access.
The Augusta attack may have been let in by a phishing email that misled an unwitting employee. City officials have refused to discuss the incident.
At AU, staff using OneUSG or HealtheIntent must now accept a Duo authentication request at every login; no “remember me” option will be allowed.
For all other systems, Duo will remember a granted permission for just one day.