University of Wisconsin–Madison

Bitcoin malware removed from UW-Madison servers

UW System schools reported security concerns around activity on WebLogic web servers on December 29. UW-Madison discovered that three servers had cryptocurrency-mining malware (Bitcoin mining) installed through a vulnerability in Oracle WebLogic software. The servers were taken offline so the malware could be removed and the systems rebuilt to a more secure state.

Cybersecurity and DoIT technical teams responded to complete a forensic analysis of the malware and to restore the services hosted on these servers to normal production. Once each system was restored, applications were reinstalled and tested. Due to the size and nature of these systems, this process has taken a week to complete. All services are now restored. The status of the affected services has been regularly updated on the campus Outages page.

The coin-mining malware UW-Madison discovered is designed to look for evidence and instances of actual cryptocurrency like Bitcoin. Once those files or systems are discovered, the malware proceeds to extract the bitcoin and pass it to a person who uses the currency for other purposes. This malware is not used to extract files containing Personally Identifiable Information (PII) and is not considered a threat to personal data. The issue is in the coin-mining process itself, where the use of system CPU, memory and processor capacity affects the availability of applications and other resources.

Please check the Outages page for service status updates. That is the primary source for campus information about both planned and unplanned systems status. The last update was at 5:00 p.m. today. The next update will be tomorrow morning.

Cybersecurity also reminds department IT admins to check their own software and devices, whether servers or endpoint devices, for malware, hacks and the like. Details on how to take these steps are found under Additional Resources on the Cybersecurity home page.
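The practical symptom of coin-mining malware described above is sustained CPU consumption that degrades service availability, and the reminder to admins is to check their own servers. As an added example (not code from UW-Madison or from this notice), here is a small Python check that parses `ps` output and flags processes that have been running hot for a while but are out of profile for a WebLogic host: either not on a hypothetical allowlist of expected high-CPU process names (here only `java`), or executing from a scratch directory such as `/tmp` or `/dev/shm`. The column order it expects is `ps -eo pid,user,pcpu,etime,comm,args --no-headers`, and the sample `ps` lines embedded in the script are constructed, not data from the incident.

```python
import re
from dataclasses import dataclass

# Hypothetical allowlist: process names expected to run hot on a WebLogic host.
EXPECTED_HOT = {"java"}
# Locations from which no legitimate service binary should be executing.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Proc:
    pid: int
    user: str
    pcpu: float   # %CPU as reported by ps
    etime: str    # elapsed time, [[dd-]hh:]mm:ss
    comm: str     # executable name
    args: str     # full command line


# Columns of: ps -eo pid,user,pcpu,etime,comm,args --no-headers
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ps(text):
    """Parse ps output lines into Proc records, skipping blank or malformed lines."""
    procs = []
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            pid, user, pcpu, etime, comm, args = m.groups()
            procs.append(Proc(int(pid), user, float(pcpu), etime, comm, args.strip()))
    return procs


def etime_seconds(etime):
    """Convert a ps etime value ([[dd-]hh:]mm:ss) to seconds."""
    days = 0
    if "-" in etime:
        d, etime = etime.split("-", 1)
        days = int(d)
    parts = [int(p) for p in etime.split(":")]
    parts = [0] * (3 - len(parts)) + parts   # left-pad to h, m, s
    h, m, s = parts
    return days * 86400 + h * 3600 + m * 60 + s


def flag_cpu_hogs(procs, cpu_threshold=80.0, min_runtime=600):
    """Return (pid, comm, reasons) for sustained high-CPU processes that are out of profile.

    A process is only considered once it exceeds cpu_threshold percent CPU and has
    been alive at least min_runtime seconds, so short legitimate bursts are ignored.
    """
    findings = []
    for p in procs:
        if p.pcpu < cpu_threshold or etime_seconds(p.etime) < min_runtime:
            continue
        reasons = []
        if p.comm not in EXPECTED_HOT:
            reasons.append("not an expected high-CPU process on this host")
        exe = p.args.split()[0] if p.args else p.comm
        if exe.startswith(SCRATCH_DIRS):
            reasons.append(f"executing from scratch directory: {exe}")
        if reasons:
            findings.append((p.pid, p.comm, reasons))
    return findings


# Constructed sample ps output (not real data from the incident).
SAMPLE_PS = """\
  210 root        0.3 10-04:11:00 sshd      /usr/sbin/sshd -D
 1021 weblogic   95.3 03-14:22:01 java      /opt/jdk/bin/java -Dweblogic.Name=AdminServer
 4417 weblogic   98.7    02:15:40 svchelper /dev/shm/.cache/svchelper --cfg /dev/shm/.cache/c.json
 5102 weblogic   91.0       00:40 java      /opt/jdk/bin/java -jar /opt/app/batch.jar
"""

if __name__ == "__main__":
    for pid, comm, reasons in flag_cpu_hogs(parse_ps(SAMPLE_PS)):
        print(f"pid {pid} ({comm}): " + "; ".join(reasons))
```

On the constructed sample only pid 4417 is reported, for both reasons; the long-running `java` server process is expected to be busy, and the 40-second `java` batch job has not run long enough to matter. The allowlist and thresholds are deliberately simple: a real deployment would derive the expected-process set from the host's build and feed the output into its monitoring rather than print it.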