NYU IT Security News and Alerts

New Ransomware Alert “Petya”

NYU IT has been notified by Homeland Security about an emerging ransomware email threat (a new strain of Petya) occurring in many countries around the world, and NYU’s Office of Information Security is actively monitoring for any impact at NYU. Ransomware is a type of malicious software that infects a computer and restricts users’ access to the infected machine, including any attached storage, until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cyber security threats such as ransomware.

Phishing Alert: We advise you to treat email from unknown senders with vigilance and not to click on URLs in emails without checking the actual URL (hover over the URL and check that it leads to the correct location).

Patching Alert: Please keep all systems up to date, with the latest security and software patches.

Anti-Virus Alert: Please update your Anti-Virus software to the latest version.

The following websites provide additional information:

https://www.us-cert.gov/ncas/current-activity/2017/06/27/Multiple-Petya-Ransomware-Infections-Reported

https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global/

If you require assistance or for urgent IT issues and security escalations, contact the IT Service Desk (24×7) at 212-998-3333 or email AskIT@nyu.edu.

This information will be available on the NYU IT Security News blog at: https://wp.nyu.edu/itsecurity/

For NYU IT Security information, see: https://www.nyu.edu/it/security

Additional Information:
This ransomware has reportedly been spreading globally via a malicious email attachment. Petya spreads using the same propagation method (a hacking tool called “EternalBlue”) as the WannaCry ransomware attack last month. For more information on WannaCry, please click here and here. Petya does not encrypt individual files; rather, it targets a computer’s master boot record and is aimed at the computer’s entire file system. Data is being held hostage pending receipt of a Bitcoin payment of $300.

The following is the message that displays on the screens of Microsoft Windows devices which have been infected with Petya:

(Image courtesy of KrebsonSecurity)

Researchers report that this ransomware uses a modified version of EternalBlue to get inside the network (once the ransomware has been activated) and the PsExec command-line tool to spread the ransomware from machine to machine. It is not yet clear whether Petya mimics the worm capability of WannaCry and can spread between computers without user interaction.

For system administrators, it is recommended that the latest Microsoft patches be applied, especially patch MS17-010.

Please be reminded that if you suspect a ransomware attack:

  1. Disconnect from the network and any file shares.
  2. Contact the IT Service Desk (24×7) at 212-998-3333 or email AskIT@nyu.edu.
  3. Wipe your device.
  4. Recover files from a backup or synch performed prior to the encryption.
  5. Disconnect backups by disconnecting backup devices or disconnecting from file sharing services.

For more information, please see:
https://arstechnica.com/security/2017/06/a-new-ransomware-outbreak-similar-to-wcry-is-shutting-down-computers-worldwide/

Mobile Phishing Attacks via SMS Text Messaging

There has been a recent uptick in the delivery of phishing via SMS text messages (a/k/a “SMiShing”) in the form of “URL padding”, or front-loading the web address of a malicious site with a legitimate domain name. The goal of these attacks is credential theft, as users are prompted to enter their credentials on the phishing pages to which they are directed.

Specifically, the true site domains are concealed: the subdomain portion of the address is padded with enough hyphens to push the true link destination out of view. Another reason these attacks have been successful is that with SMS messages it is not possible to confirm the legitimacy of a site before clicking the link, and upon arrival at the site the URL padding masks the true site address.

Please see the following examples of URL padding:

(Image courtesy of Ars Technica)

The phishing pages are hosted on sites with legitimate domain names that have been compromised.

It is recommended that, whenever possible, you avoid clicking links transmitted by SMS message, and that you do not click links containing runs of hyphens (URL padding or front-loading) as shown above. If you visit a web page whose URL appears to be front-loaded, it is likely a phishing page, and we recommend that you close the browser tab containing the page or exit the browser, as it is important to avoid clicking any elements on a possibly malicious web page or pop-up.
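As an added illustration (not part of the NYU post), the following Python script shows what a padded hostname looks like to a parser rather than to a phone screen: it extracts the domain that actually serves the page, recovers the decoy brand domain glued to the front of the address, and flags long hyphen runs. The sample links, the TLD list and the hyphen-run threshold are constructed assumptions for this example.

```python
import re
from urllib.parse import urlsplit

# TLDs that commonly end the decoy brand domain glued to the front of a padded
# hostname (assumption of this example, not a list from the original post).
DECOY_TLDS = {"com", "net", "org", "edu", "gov"}

# Constructed sample links (not real phishing URLs): the first two imitate
# URL padding, the last two are ordinary links that must not be flagged.
SAMPLE_URLS = [
    "http://m.example-bank.com--------------------validate----step1.evil.example/sign_in/",
    "login.example-mail.com-secure--------------------account.bad.example/verify",
    "https://www.nyu.edu/it/security",
    "https://my-site.example.com/reset?token=abc",
]

def analyze_url(url: str, max_hyphen_run: int = 3) -> dict:
    """Report the host that really serves the page, the decoy domain shown at
    the front of the address (if any), and whether the link looks padded."""
    # urlsplit only parses a hostname when a scheme or '//' precedes it
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")

    # Naive registrable-domain guess: last two labels (assumption: no public-suffix list)
    true_domain = ".".join(labels[-2:]) if len(labels) >= 2 else host

    # Longest run of consecutive hyphens anywhere in the hostname
    longest_run = max((len(r) for r in re.findall(r"-+", host)), default=0)

    # A label that starts with a TLD followed by '-' (e.g. "com----validate")
    # means a brand-like domain was front-loaded onto a longer hostname.
    decoy_domain = None
    for i, label in enumerate(labels[:-1]):
        head = label.split("-", 1)[0]
        if head in DECOY_TLDS and "-" in label:
            decoy_domain = ".".join(labels[:i] + [head])
            break

    return {
        "host": host,
        "true_domain": true_domain,
        "decoy_domain": decoy_domain,
        "longest_hyphen_run": longest_run,
        "suspicious": longest_run >= max_hyphen_run or decoy_domain is not None,
    }

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(analyze_url(url))
```

The two-label domain guess is deliberately simple; a production check would consult the public suffix list so that hosts under two-part suffixes such as co.uk are attributed correctly.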

Update 5/16/2017 Re: WannaCry (also known as WannaCrypt, WanaCrypt0r 2.0, and Wanna Decryptor) Malware/Ransomware

  1. Most critical to combating this strain of malware is to patch your Windows machine to the most current level. Refer to: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598 or http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012212 to find the appropriate patch level for your operating system.  This is especially important if you are running a version of Windows which is no longer supported, like XP or Windows Server 2003.
  2. Regardless of the patching steps you take, it is possible to be infected by WannaCry—subsequent to patching—if you click on a malicious email link or attachment. Please review our instructions on how to handle phishing messages and messages with odd attachments: http://www.nyu.edu/servicelink/KB0014438.
  3. After an initial machine is infected, WannaCry spreads via a vulnerability in SMB, the protocol which manages Windows file sharing. This vulnerability was patched by Microsoft in March. See https://technet.microsoft.com/en-us/library/security/ms17-010.aspx for more information. So, if you have patched since March, the MS17-010 vulnerability cannot be used against your machine, and infection would require you to execute a malicious email attachment or link, so the likelihood of infection is lower.
  4. We strongly recommend that machines with out-of-date operating systems be updated or retired. If you must use them, then they should be run in Standalone Mode, unconnected to the network. If you have questions about running an unsupported OS and how to transition your business process to a modern system, please contact the IT Service Desk at AskIT@nyu.edu.

WannaCry and Generic Ransomware Advice for Shared Network Drives / NYU Box / Google Drive / DropBox

Since the WannaCry malware encrypts your data, the encrypted data can propagate to your backup or cloud-based file sharing service (Box, DropBox, Drive, and others) if you sync to those services. The sequential steps to follow if you are the victim of encryption by ransomware are:

  1. Talk to your local IT group or NYU IT Office of Information Security (security@nyu.edu)
  2. Wipe your device
  3. Patch system to an up-to-date level
  4. Recover files from a backup or a sync performed prior to the encryption.
  5. Disconnect backups by dismounting backup devices or disconnecting from file sharing services

As an example, in March an NYU user encountered ransomware on a Windows machine that encrypted files on computers, USB drives, and shared network drives. To recover from this event, they were able to restore files from Google Drive, NYU Box, and the respective system administrator’s departmental network drive backups.

For more information, see:

New Ransomware exploits MS vulnerability, spreading quickly

Update #2: May 15, 2017

A ransomware worm that takes advantage of a vulnerability in the Windows operating system remains a threat.

Please see the below PDF for a copy of an urgent security alert message from NYU CIO Len Peters. This message, relating to steps you should take to protect the data on Windows computers from the ransomware attack, was distributed to the entire NYU community via email on May 14 at 11:07pm ET. Should you have any questions or concerns about this message or the instructions it contains, please contact the NYU IT Service Desk, open 24×7: www.nyu.edu/it/servicedesk.

Download (PDF, 98KB)

Update #1: May 12, 2017

The following links will assist in determining which patch to apply, and both provide patch downloads: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598 or http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012212

Additional Resources:

https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/

https://www.nytimes.com/2017/05/12/world/europe/international-cyberattack-ransomware.html

Original post: May 12, 2017

A new ransomware worm, dubbed Wanna DecryptoR 2.0 and #WannaCry, has been spreading quickly throughout locations around the world. Particularly hard hit was the UK National Health Service (NHS). The malware spreads via a malicious link in an email phishing message and takes advantage of a vulnerability in the Windows operating system that was identified by the NSA and released by the hacking group “Shadow Brokers” several weeks ago. The good news is that Microsoft already patched this vulnerability back in March. For more information on ransomware, read this article in Connect: https://wp.nyu.edu/connect/2016/09/22/ransomware-scams/

You should take this opportunity to make sure that your Windows systems are patched and up to date, and if you have not restarted your computer recently, do so, to ensure that any applied patches take effect.

Widespread Phishing Attack on Google Docs

Beware of Emails Saying Someone Wants to Share a Google Doc with You

A phishing attack has been deployed at many universities (and possibly beyond) that use Google. You may see a message, purporting to share a Google Doc with you, that comes from someone you know and shows you a button to click. DO NOT click on this button. If you do, the email will be shared with those in your contact list.

We are blocking the originating email address and have blocked several domains involved. Google is working to mark the email as spam.

WHAT YOU SHOULD DO IF YOU CLICKED ON IT:
1. Go to https://myaccount.google.com/security#connectedapps
2. Click on Manage Apps
3. If you see “Google Docs”, click Delete
4. Change your NYU password as soon as possible via https://start.nyu.edu (this should not be necessary but as we are still gathering information about the severity of this, it will be wise)

NOTE: Step 3 does NOT delete your Google documents. If “Google Docs” shows up on this list of apps, it is not a real app.

Please call the IT Service Desk at 212-998-3333 or email AskIT@nyu.edu if you need assistance.

SANS Video of the Month – Passphrases

For tips on how to create passphrases (strong passwords), and for information on password managers, use of 2 factor authentication and more, watch this 3 minute and 43 second video from SANS. This video will be available throughout the month of May.

For information on NYU Multi-Factor Authentication, please click here.  For more information on password managers and password best practices, please see the following NYU IT Connect article.

Under Lock and Passphrase

Are your NYU Drive files correctly shared?

As a best practice, it is highly recommended that you share your NYU Drive files only as broadly as necessary to avoid the unintended disclosure of data. Please follow these quick and easy steps to ensure your files are shared correctly and securely:

  1. To confirm the share settings of existing NYU Drive files, use the Drive Eye add-on to locate any files shared within and outside the NYU community. The Drive Eye add-on will produce a report that allows you to click the links associated with listed documents and change the share settings. For instructions on how to install and use Drive Eye, see NYU Drive: Finding and securing shared files.
  2. View and confirm your share settings for individual documents as follows:
     • Click File, Share, or the Share button at the top right corner of your screen.
     • In the following dialog, click Advanced.
     • Confirm that your file settings appear as follows. (Note: the “Private” option is enabled by default.)
       • You can choose another share setting via Change.
       • Invite people or Google groups via Invite People.
     • Click Change to select from the following options:
     • Click Save to confirm your changes.
     • Click Done to return to your document.

For more information about NYU Drive support and training resources, please visit www.nyu.edu/it/drive.

Dropbox Themed Phishing Campaign

Please be advised of a widely spreading Dropbox-themed phishing campaign whose goal is to steal credentials. The subject line of these spam messages references a purchase order number or an invoice, or simply asks recipients to open an attachment.

Once the attachment is opened, users may receive the following:

Users who click on the embedded link are redirected to a compromised site which hosts a credential phishing kit.

  • Please note that the URL displayed in the browser’s address bar may be shortened via bit.ly to hide the actual URL of the compromised site. To preview the destination of a Bitly.com URL, add a plus symbol to the end of the shortened link. For example, you can preview the destination of bit.ly/1bhjUN8 with bit.ly/1bhjUN8+ and be directed to a preview page on Bit.ly with information about the shortened link.

Users are then prompted to select a verification type, and enter a username/password. In some cases, an account recovery phone number and email address are also requested.

After the requested information is entered and credentials are captured, users are redirected to the legitimate Dropbox page.

MS Word Critical Flaw to be Addressed Today Via Patch Tuesday

Please be advised that Microsoft plans to release an update for a critical Word flaw today as part of Patch Tuesday. It is recommended that this patch be applied as soon as it becomes available. This vulnerability allows the installation of malware, in this case a banking trojan dubbed Dridex, when a user opens a maliciously crafted MS Word email attachment. The vulnerability is known to affect all Windows versions of Word. The exploit has not been proven or disproven to work on Mac versions of Word.

Dridex-infused Word documents typically arrive as Rich Text Format (RTF) attachments to emails purporting to be from “device”, “copier”, “documents”, “no-reply” or “scanner”. In all known cases, the subject line of the emails reads “Scan Data”. Opening the documents attached to these emails will install a Dridex bot on your system that is known to capture banking information. It has been observed that this exploit does not execute when the document is viewed in Microsoft Word’s “Protected View”, a read-only mode in which most editing functions are disabled. However, if you opt to print the document or choose “Enable Editing” in Protected View, the exploit will run.

A sample Dridex email is shown below:

For more information, please see:

https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day

https://arstechnica.com/security/2017/04/microsoft-word-0day-used-to-push-dangerous-dridex-malware-on-millions/

VPN Scams

New legislation allowing ISPs (Internet Service Providers) to sell browsing history has contributed to a rise in VPN (Virtual Private Network) scams, as a VPN is an option that affords users the ability to retain their online privacy.

For example, current and former Plex and Boxee users may receive the following VPN scam messages:

Please be reminded that NYU offers VPN service to NYU community members as a secure way in which to access NYU-Net from many remote locations. Use of NYU VPN is required when remotely accessing certain services. For a list of services which require VPN when accessed from off campus, please see: http://www.nyu.edu/servicelink/041202319365928. For more information on NYU VPN, please click here.

For more information on VPN scams, please see: https://motherboard.vice.com/en_us/article/phony-vpn-services-are-cashing-in-on-americas-war-on-privacy.