NYU IT Security News and Alerts

Ransomware Reminder

With the return of newer strains of the Locky malware, ransomware remains a top threat for all computer users. Ransomware is malicious software that usually arrives via email with subjects such as “please print” or “document”. When the user clicks the attachment, a script runs to download additional software which encrypts the user’s hard drive, as well as any attached drives.

Even if the malware has different names or uses different attachments, the steps you take to protect the data entrusted to you are the same. Take this opportunity to review the resources we have available, starting with our Connect article on Ransomware scams here, as well as the alerts on ransomware in the NYU IT Security News & Alerts Blog below. If you have questions, please feel free to send email to security@nyu.edu.

Resources

New Ransomware Alert “Petya” https://wp.nyu.edu/itsecurity/2017/06/28/new-ransomware-alert-petya/

WannaCry (also known as WannaCrypt, WanaCrypt0r 2.0, and Wanna Decryptor) Malware/Ransomware https://wp.nyu.edu/itsecurity/2017/05/16/update-5162017-re-wannacry-also-known-as-wannacrypt-wanacrypt0r-2-0-and-wanna-decryptor-malwareransomware/

New Ransomware exploits MS vulnerability, spreading quickly https://wp.nyu.edu/itsecurity/2017/05/12/new-ransomware-exploits-ms-vulnerability-spreading-quickly/

Locky/Osiris Ransomware Alert https://wp.nyu.edu/itsecurity/2016/12/07/lockyosiris-ransomware-alert/

Locky Ransomware Spreading via JavaScript (.js) Attachments https://wp.nyu.edu/itsecurity/2016/03/29/locky-ransomware-spreading-via-javascript-js-attachments/

Locky Ransomware Alert https://wp.nyu.edu/itsecurity/2016/02/19/locky-ransomware-alert/

The Return of Locky https://www.itgovernance.co.uk/blog/the-return-of-locky-a-closer-look-at-2017s-largest-malware-campaign/

Important VMware update

VMware has issued a critical security alert for

  • VMware ESXi (ESXi)
  • VMware vCenter Server
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro, Fusion (Fusion)

regarding a number of issues. The most important is an out-of-bounds write vulnerability in VMware’s products that allows guests to break out of their isolation. This means a malicious actor who has compromised a virtual machine (the guest) could escape the constraints of that VM and execute malicious code on the machine the VM is running on. Anyone running these applications should check VMware’s site (below) and apply the appropriate patches as soon as possible.

References:

https://www.vmware.com/security/advisories/VMSA-2017-0015.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4924

WordPress 4.8.2 Security & Maintenance Release

Please be advised that WordPress 4.8.2 is now available and we strongly recommend that you update all sites as soon as possible, as this is a security release for all previous versions. The security issues addressed by the update affect version 4.8.1 and all earlier versions.

Please note that if you’re using wikis.nyu.edu, the update will be handled by our vendor. Otherwise, WordPress can be updated via Dashboard, Updates, Update Now. Questions? Please call the NYU IT Service Desk.

For more information on the security issues addressed by this update, please see: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/

CCleaner Compromise

Please be advised that CCleaner, a Windows utility used to remove cookies, wipe browsing histories, and clean temporary internet files has been compromised. Specifically, the affected versions are v5.33.6162 and CCleaner Cloud v1.07.3191 z9 (32 bit versions). The vendor, Avast, has stated that no other Piriform or CCleaner products have been affected. However, given that CCleaner was digitally signed, other software from Avast may be compromised.

The issue, which was identified by Cisco Talos researchers, involved the compromise of download servers used by the vendor to distribute software. The servers were leveraged by malicious actors to deliver malware. Once in place, the malware would determine if a user had admin privileges and would then seek to steal information such as the name of the device, installed software and Windows updates, running processes and the MAC addresses of network adapters.

Recommendations:

  • Users of version 5.33 should roll back their device to a backup that was created prior to the installation of version 5.33 and update to version 5.34. Be advised that the free edition of CCleaner does not feature automated updates and requires users to manually download updates.
  • Alternatively, users should wipe their device, deploy a new image and install antivirus software.

For additional information, please see:

Apache Struts Vulnerability Update

As an update to our September 7th blog post on the Apache Struts vulnerability, please be advised that Equifax has stated in their September 13th Progress Update for Consumers regarding their recent massive cybersecurity breach, “[t]he vulnerability was Apache Struts CVE-2017-5638”.

It is critical to ensure that all Apache instances/platforms are secure. Please be reminded of the following recommendations:

Fix: It is recommended that you upgrade to Struts 2.5.13 or Struts 2.3.34. Downloads can be found here.

Alternatives to upgrading: No workaround is possible; the best option is to remove the Struts REST plugin when not used, or limit it to serving normal pages and JSON only, as outlined here: https://struts.apache.org/docs/s2-052.html

If you use Red Hat (for Linux), you can find information here: https://access.redhat.com/security/cve/cve-2017-9805

FTC Issues Alert on Equifax Phishing Scams

The Federal Trade Commission (FTC) released an alert warning consumers to be wary of calls or emails purporting to be from Equifax agents. As with other phishing scams, the phishers are pretending to be Equifax representatives asking for “verification” of your information. Legitimate Equifax employees will not be contacting people to ask for this information. For up-to-date information on the breach, you can check the site Equifax has set up: https://www.equifaxsecurity2017.com/

For NYU-related spam or fraud, please contact the NYU IT Office of Information Security at security@nyu.edu. For commercial fraudulent calls and emails, use the FTC Complaint Assistant <https://www.ftccomplaintassistant.gov/#crnt&panel1-1>.

Resources:

https://www.consumer.ftc.gov/blog/2017/09/equifax-isnt-calling

https://www.equifaxsecurity2017.com/

US-CERT Tips on Avoiding Social Engineering and Phishing Attacks <https://www.us-cert.gov/ncas/tips/ST04-014>

Preventing and Responding to Identity Theft <https://www.us-cert.gov/ncas/tips/ST05-019>

MongoDB Servers – Ongoing Extortion Attempts

Please be advised that there has been a resurgence of attacks on vulnerable MongoDB servers. The attacks involve malicious actors seeking out MongoDB installations that are poorly implemented and accessible to the internet without a set administrator password. After attackers gain access, they export or delete the data and replace it with a ransom note. The following is an example of ransom note text:

“We have your data. Your database is backed up to our servers. If you want to restore it, then send 0.15 BTC [$650] and text me to email, just send your IP-address and payment info. Messages without payment info will be ignored.”

Please be reminded that ransom payment does not guarantee the restoration of data. In these attacks specifically, there have been reports of ransom payment, but no reports of data restoration (see https://krebsonsecurity.com/2017/01/extortionists-wipe-thousands-of-databases-victims-who-pay-up-get-stiffed/).

Recommendations:

  • Users/admins should not rely on server default settings and should instead follow the recommendations on the MongoDB Security Checklist.
  • Make sure to perform database backups on a regular basis.
  • Users/admins should perform regular checks on their server’s services, and ensure that all applications are patched/updated and unnecessary services have been shut off.
  • View the “We’re Always Striving to Make Deployment Easier” section of the vendor blog post dated 9/8/17 for a robust list of available resources.

For additional information please see:

Apache Struts Vulnerability

A critical vulnerability has been identified in Apache Struts 2, an open source framework used to develop web applications. The vulnerability allows attackers to execute malicious code by submitting maliciously modified data through search boxes or other features hosted on the site. Specifically, the affected software is Struts 2.1.2 – Struts 2.3.33, and Struts 2.5 – Struts 2.5.12.

Fix: It is recommended that you upgrade to Struts 2.5.13 or Struts 2.3.34. Downloads can be found here.

Alternatives to upgrading: No workaround is possible; the best option is to remove the Struts REST plugin when not used, or limit it to serving normal pages and JSON only, as outlined here: https://struts.apache.org/docs/s2-052.html

If you use Red Hat (for Linux), you can find information here: https://access.redhat.com/security/cve/cve-2017-9805

Kaspersky Lab Software Warning

Recent media stories, such as those noted below, have reported on suspected ties between Moscow-based cybersecurity company Kaspersky and Russian Intelligence, citing potential data security implications for users of Kaspersky’s products, including their popular anti-virus software.

In response to these suspicions, Rob Joyce, the nation’s cybersecurity coordinator, has issued a public warning regarding the use of software from Kaspersky Lab. In addition, both the House and Senate Armed Services Committees have approved legislation that, should it become law, would ban the U.S. military from owning or using any Kaspersky products.

While claims of security risks involving Kaspersky are under assessment, we want to make sure that NYU community members who use their products are aware of the potential risks and can take precautions if they wish to do so. NYU full- and part-time students, faculty, and staff at all NYU locations, including Shanghai and Abu Dhabi, can download antivirus software (Symantec Endpoint Protection) on Global Home’s Antivirus and Malware Protection card. For personal/private use, and for other members of the NYU community, NYU’s Office of Information Security recommends Malwarebytes.

We will update this information as new developments become available, and will be in touch if any critical threats require your attention.

I am personally available for questions, comments or concerns at 212-998-1373, or cto@nyu.edu. For questions regarding any technical issues, you can also contact the NYU IT Service Desk 24/7.

Resources:

Rich Mikelinich MS, CISA, CISSP, CCSK
Chief Technology Officer
NYU – Information Technology
726 Broadway, Room 248
New York, NY 10003

Office: 212-998-1373
Mobile: 203-623-4732
Email: cto@nyu.edu
Skype: projectized

Safely Installing Flash Updates

Browser pop-ups alerting you that you need to update Adobe Flash have become common and are an unreliable way to update Flash. Updating via browser pop-ups is not recommended as you will likely install adware in the process. The tell-tale signs of adware installation are changes to your home or search page. If you receive a browser pop-up with an Adobe Flash update, it is recommended that you close the browser tab or the browser.

Installing Adobe Flash Updates on a Windows Machine

Please note that Adobe Flash updates on Windows machines, starting with Windows 8, are handled through the operating system as Windows updates.

Installing Adobe Flash Updates on a Mac OS

Go to System Preferences:

Click Adobe Flash Player (located at the bottom left of the “System Preferences” window):

Next, click the Updates tab.

Please note that the NPAPI plug-in is for Safari and the PPAPI plug-in is for Chrome. It’s okay not to have both installed, but check via the Check Now button for updates on what is installed.

If no updates are available, you will receive the following message:

If an update is available, click Yes and follow the prompts to download and install the update; this involves double-clicking the downloaded installer in your browser’s downloads and following its prompts.

For more information, please see:

  • https://forums.adobe.com/thread/2179308
  • https://www.macobserver.com/tips/quick-tip/macos-installing-flash-updates-safe-way/