Good afternoon,

Your test EIS server has been restored from backup and placed back in service. Please test.

As what I mentioned in my previous email, your Banner SSO login page customizations got lost due to the EIS upgrade. I will work with you and Ellucian in the following weeks to resolve the issue.

If you encounter any other issues in your testing please open a ticket by messaging this email address:

dbahosting@northcarolina.edumailto:dbahosting@northcarolina.edu

Thanks,

Lizhong

From: Kimberly A Smodic kasmodic@northcarolina.edu Sent: Saturday, April 30, 2022 12:18 PM To: exc-hosted-services@lists.northcarolina.edu; banner-hosting-outage-notification@lists.northcarolina.edu Cc: Keith E Werner kewerner@northcarolina.edu; Christopher Stefanick stefanic@northcarolina.edu; Chris Kerr ckerr@northcarolina.edu; Sean M Tierney smtierney@northcarolina.edu; Lizhong Liu lliu@northcarolina.edu; Allen R. Lakomiak lakomiak@northcarolina.edu; Christy Love cplove@northcarolina.edu; Haijing Ma hma@northcarolina.edu; Ross A. Yannayon rayannayon@northcarolina.edu; Kimberly A Smodic kasmodic@northcarolina.edu Subject: IMPORTANT ALERT - Security Incident Impacting Banner Importance: High

Good day,

We are closely monitoring the situation with the WS02 vulnerability and its impact on Banner. While collaborating with the JCTF (Joint Cyber-security Task Force), they reported hundreds of different schools being infected, lateral movement within infected environments, ransomware, and so on.

The JCTF has been working with numerous schools that have been infected. They've found that just applying the update from Ellucian is not sufficient to stop the threat actors. The JCTF team is recommending that we shut down all EIS servers until we have the opportunity to rebuild them or restore from backup.

We have opted to restore from backup, since this will greatly minimize downtown (relative to rebuilding). We have snap shots of the EIS VMs going back to February 26, 2022. The JCTF has confirmed that this is far enough back to be effective at removing any artifacts left by the threat actors.

Effective immediately, we are shutting down all EIS servers, production and non-production. Your Banner databases will remain up. Banner 8 SSB will remain up. But Banner 9 SSB and Banner Admin will effectively be down, since users will not be able to authenticate with EIS down. We apologize for any inconvenience this may cause you.

Once all EIS servers have been shut down, we will then restore the VMs from backup, apply the Ellucian update, and bring back online EIS, one server at a time. Our top priority is getting production up and running. We should have that complete this weekend. Our second priority is getting non-production up and running. We should have that completed early next week. Lastly, we will bring online redundant EIS servers, restoring high availability to the environment. We should have that completed in the 2nd week of May.

In addition, we are working with the JCTF on other measures to protect our systems. We are in a cat and mouse game with the threat actors and keeping one step ahead of them is an evolving situation.

As we keep in close contact with the vendor and JCTF we ask for your understanding that the situation may be very fluid as more information is released.

Regards,

--- Kim Smodic Chief Information Security Officer Division of Information Technology UNC System Office P.O. Box 2688 I Chapel Hill, NC 27515 p:919-559-9993 I f:919-843-9350 kasmodic@northcarolina.edumailto:kasmodic@northcarolina.edu www.northcarolina.eduhttp://www.northcarolina.edu/