
Locky Ransomware Spreading via JavaScript (.js) Attachments

Locky ransomware is now spreading via JavaScript (.js) attachments: executable script files delivered inside .zip archives attached to email messages. The following are examples of messages you may receive:

Screenshot of an email message saying "Dear Customer, Please review the attached copy of your Electronic document. Thank you for your business - we appreciate it very much. Sincerely, Elizabeth Miranda Courier Service"

Screenshot of an email message with a subject of "Payment Declined PIN-738609" stating "Our finance department has processed your payment, unfortunately it has been declined. Please double check the information provided in the invoice (attached to this mail) and confirm your details. Thank you for understanding.", signed Stewart Buchanan, Sales Manager

Screenshot of email message with subject "Payment ACCEPTED M-362827" and text stating "Dear [Name taken from email address] Please check the payment confirmation attached to this email. The transaction should appear on your bank in 2 days.", signed Thank you, Stanley Frank, Financial Manager.

When the .js file is clicked, Locky will begin to install and encrypt files with certain file extensions, including files on unmapped network shares. It will also rename encrypted files to random names with the .locky extension. Ransom notes will appear in the folders of encrypted files, and a ransom note image will appear on the user's desktop. Other known variants of Locky use the following file types: .doc, .docm and .xls. The ransom message will ask for Bitcoin payment in exchange for the decryption key.
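As an added, defender-side example (not part of the NYU alert), the Python below applies the alert's description to inbound mail: it opens a .zip attachment in memory and flags members whose type matches the dropper the alert names (.js) or the Office variants it lists (.doc, .docm, .xls), including archives nested inside archives. The extra Windows Script Host suffixes (.jse, .wsf, .vbs) and the nesting depth are assumptions, and the sample archives are constructed here with inert placeholder content.

```python
import io
import zipfile
from typing import Dict, List

# Types the alert names: .js droppers and the macro-bearing Office variants.
# .jse, .wsf and .vbs are an assumption (other Windows Script Host types).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs"}
OFFICE_EXTENSIONS = {".doc", ".docm", ".xls"}


def risky_members(zip_bytes: bytes, depth: int = 0, max_depth: int = 2) -> List[str]:
    """Return one reason per archive member that should hold the mail for review."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith("/"):          # directory entry
                continue
            # Double extensions such as invoice.pdf.js: only the last suffix counts.
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in SCRIPT_EXTENSIONS:
                findings.append(f"script file inside archive: {info.filename}")
            elif ext in OFFICE_EXTENSIONS:
                findings.append(f"Office document that may carry macros: {info.filename}")
            elif ext == ".zip" and depth < max_depth:
                # Nested archives are a common way to hide the dropper.
                for reason in risky_members(zf.read(info), depth + 1, max_depth):
                    findings.append(f"nested {info.filename}: {reason}")
    return findings


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed sample: build an in-memory .zip from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a lure shaped like the "Electronic document" message
# (the member is an inert placeholder, not malware) and a benign archive.
LURE = build_sample_zip({"Electronic_document.pdf.js": b"// inert placeholder"})
BENIGN = build_sample_zip({"report.pdf": b"%PDF-1.4 placeholder", "notes.txt": b"hello"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        print(label, risky_members(blob) or "no findings")
```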

If you see files with the .locky extension appearing on your computer, USB drives, or network shares, disconnect your computer from the network and contact the NYU IT Service Desk immediately at 212.998.3333 or AskIT@nyu.edu. To recover from this infection, we recommend that you restore backups from external hard drives or USB devices. You must wipe the hard drive of an infected machine before mounting backup devices. We also recommend that you check any files synced with services such as NYU Box, Dropbox or Google Drive to ensure those files have not been encrypted.

If you are not expecting to receive an attachment, do not open it, reply to the message, or click any embedded links in the message. You may verify the authenticity of any email and attachment(s) received by contacting the sender. Suspected phishing attempts may be reported to security@nyu.edu.

For more information, please see:

http://wp.nyu.edu/itsecurity/2016/02/19/locky-ransomware-alert/

https://www.trustwave.com/Resources/SpiderLabs-Blog/Massive-Volume-of-Ransomware-Downloaders-being-Spammed/


Symantec Endpoint Protection Update

We recommend that you update your installation of Symantec Endpoint Protection (anti-virus software) to the most recent version (the March 2016 update, 12.1.6). This update addresses the security vulnerabilities detailed below. To install the updated version of Symantec, please visit https://home.nyu.edu and click Ask NYU IT. The Symantec update will be available in the Software section at the top left of the screen.


Security Advisories Relating to Symantec Products – Symantec Endpoint Protection Multiple Security Issues

Revisions
None

Severity

Screenshot of a table showing CVSS2 Base Score, Impact, Exploitability & CVSS2 vector.

Overview
Symantec Endpoint Protection (SEP) was susceptible to a number of security findings that could potentially result in an authorized but less privileged user gaining elevated access to the Management Console. SEP Client security mitigations can potentially be bypassed allowing arbitrary code execution on a targeted client.

Affected Products
Screenshot of a table of affected products listing Symantec Endpoint Protection Manager and Client as the Product, version 21.1, build All and Solution as Update to 12.1-RU6.MP4

Details
The management console for SEPM contained a cross-site request forgery vulnerability that was the result of an insufficient security check in SEPM. An authorized but less-privileged user could potentially include arbitrary code in authorized logging scripts. When submitted to SEPM, successful execution could possibly result in the user gaining unauthorized elevated access to the SEPM management console with application privileges.

There was a SQL injection found in SEPM that could have allowed an authorized but less-privileged SEPM operator to potentially elevate access to administrative level on the application.

The sysplant driver is loaded as part of the Application and Device Control (ADC) component on a SEP client if ADC is installed and enabled on the client. A previous security update to this driver did not sufficiently validate or protect against external input. Successfully bypassing security controls could potentially result in targeted arbitrary code execution on a client system with logged-on user privileges. Exploitation attempts of this type generally use known methods of trust exploitation requiring enticing a currently authenticated user to access a malicious link or open a malicious document in a context such as a website or in an email.

NOTE: Customers not using ADC are not impacted by the client issue, CVE-2015-8154.

Symantec Response
Symantec product engineers have addressed these issues in SEP 12.1-RU6-MP4. Customers should update to RU6-MP4 as soon as possible to address these issues.

Symantec is not aware of exploitation of or adverse customer impact from this issue.

Update Information
Symantec Endpoint Protection Manager 12.1-RU6-MP4 is available from Symantec File Connect.

Best Practices
As part of normal best practices, Symantec strongly recommends the following:

  • Restrict access to administrative or management systems to authorized privileged users.
  • Restrict remote access, if required, to trusted/authorized systems only.
  • Run under the principle of least privilege where possible to limit the impact of potential exploit.
  • Keep all operating systems and applications current with vendor patches.
  • Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network- and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Credit
Symantec would like to thank Anatoly Katyushin with Kaspersky Labs (https://www.kaspersky.com) for finding and reporting CVE-2015-8152 and CVE-2015-8153 and working closely with Symantec as they were addressed.

Symantec would like to thank the enSilo Research Team (https://www.ensilo.com) for reporting CVE-2015-8154 and working closely with Symantec as it was addressed.

References
CVE: These issues are candidates for inclusion in the CVE list (http://cve.mitre.org/cve), which standardizes identifiers for security problems.

BID: Symantec SecurityFocus, http://www.securityfocus.com, has assigned Bugtraq IDs (BIDs) to these issues for inclusion in the Security Focus vulnerability database.

Screenshot of table showing CVE, BID & Description

Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows responsible disclosure guidelines. See the Organization for Internet Safety Guidelines for Security Vulnerability Reporting and Response (PDF).

Please contact secure@symantec.com if you feel you have discovered a security issue in a Symantec product. A member of the Symantec Product Security team will contact you regarding your submission to coordinate any required response. Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product Security PGP key can be found at the location below.

Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.

Copyright (c) 2016 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Product Security. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Product Security, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.


Recent Adware Scam

Please be advised that NYU does not sponsor unannounced surveys. If you have any questions about the legitimacy of a communication you receive, please do not reply to the communication or click any embedded links or options. Instead, please contact security@nyu.edu.

Adware can have the following characteristics:

  • Deceptive and full of malware that will install on your device as options are clicked
  • Deceptive and fairly benign, and will present users with multiple click-thrus

Pop-ups like these may mean that your device is infected. If you see them, please contact your local System Administrator or NYU IT at AskIT@nyu.edu or 212.998.3333.


Screenshot of an email purporting to be from TOC Research Group, dated 2/3/16 and addressed "Dear New York University User". The email states that the addressee's computer has been selected to participate in an anonymous survey regarding experiences with NYU and provides the user's IP address. The email offers several "exclusive reward offers" for survey completion, worth at least $70, and asks "Do you feel like you're currently paying too much for your New York University internet connection?". The following four multiple-choice options are presented: "Yes, way too much", "Yes, I would like to pay less", "No, the price is just right", and "I'm not sure".

Screenshot of a web pop-up which states that the addressee's computer has been selected to participate in an anonymous survey regarding experiences with NYU and provides the user's IP address. The pop-up offers several "exclusive reward offers" for survey completion, worth at least $70.


Recent Phishing Emails Claiming to be from File Sharing Services

We have noticed an increase in phishing messages that claim to come from file sharing services. Since the messages associated with legitimate file sharing can be brief, these phishing attempts can be harder to recognize. We'd like to share the following phishing examples.


Example #1  (claiming to be from an NYU student)

Screenshot of an email dated 2/27/16 with a subject of "Review" stating that [blocked name] used Dropbox to share some information.

Example #2 (claiming to be from an NYU employee)

Screenshot of an email dated 2/16/16 with a subject of "Important Notice" and the following text: "Hi Valid User, We are receiving messages about being hacked, protect yourself by viewing this Document."

Example #3

Screenshot of an email message dated 2/12/16 with a subject of "Vital Document" with text stating "I just attached a file for you on Google Drive. It's very important". Email attaches a PDF document entitled "DocumentScan".

Please be reminded/advised:

  • If you’re not expecting to receive a file share, please confirm the legitimacy of the message with the sender prior to opening.
  • If a shortened or tiny URL appears (e.g., http://tinyurl.com/zf7z5m) when you hover over an active link to documents in an email message, the email message is not legitimate, as file sharing services do not generate shortened URLs.
  • NYU Box is the recommended method for sharing restricted information or data whose unauthorized access or loss could seriously or adversely affect NYU, a partner, or the public.  For more information, please see:  NYU Box:  Best practices for sensitive data (permissions and security settings), http://www.nyu.edu/servicelink/KB0013199
  • Google Docs is the recommended method for sharing data that's public, confidential or protected.
    • For a description of data classifications or categories (the classifications/categories include: restricted, protected, confidential & public), as well as specific examples of data in each category, please see:  The Data Classification Policy
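The hover check in the list above, as an added example that is not part of the NYU post: the Python below extracts every link from an HTML mail body and reports a link whose target is a URL shortener (tinyurl.com is the one the post names; the other shortener domains are an assumption) or whose visible text shows one site while the href points at another. The sample bodies are constructed here and use placeholder URLs.

```python
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# tinyurl.com is the shortener the post names; the others are an assumption.
SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl", "t.co", "ow.ly", "is.gd"}

class _LinkCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []   # (href, visible text)
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def suspicious_links(html_body: str) -> List[str]:
    """Return one reason per link that fails the post's hover check."""
    parser = _LinkCollector()
    parser.feed(html_body)
    reasons = []
    for href, text in parser.links:
        host = _host(href)
        if host in SHORTENERS:
            reasons.append(f"shortened URL behind '{text}': {href}")
        elif text.startswith(("http://", "https://")) and _host(text) != host:
            reasons.append(f"link text {text} does not match target {href}")
    return reasons

# Constructed samples shaped like Example #1 above (placeholder URLs).
PHISH = ('<p>[name] used Dropbox to share some information.</p>'
         '<a href="http://tinyurl.com/EXAMPLE">View Document</a>')
LEGIT = '<a href="https://www.dropbox.com/s/EXAMPLE/file.pdf">View file</a>'
```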


DROWN Attack (Decrypting RSA using Obsolete Weakened eNcryption)

A recently announced attack known as DROWN (Decrypting RSA using Obsolete Weakened eNcryption) exploits SSL/TLS vulnerabilities. DROWN allows decryption of intercepted data and can also enable man-in-the-middle attacks.

Vulnerable systems include:

  • Servers that support SSLv2 – SSLv2 support allows a cross-protocol attack whereby an attacker could decrypt TLS sessions between clients and hosts that support SSLv2 and export cipher suites. This also allows the decryption of traffic between clients and even non-vulnerable servers, if another server supporting SSLv2 and export ciphers shares the RSA keys of the non-vulnerable server.
  • Unpatched OpenSSL servers – the unpatched OpenSSL bug dramatically increases the efficiency and danger of the DROWN attack, making it effective against even the stronger, non-export-grade cipher suites with very little computation time required.


Action Steps:

  • Disable the SSLv2 protocol in all SSL/TLS servers. Disabling all SSLv2 ciphers is also sufficient, provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and 1.0.2f) have been deployed. Servers that have not disabled the SSLv2 protocol, and are not patched for CVE-2015-3197, are vulnerable to DROWN even if all SSLv2 ciphers are nominally disabled, because malicious clients can force the use of SSLv2 with EXPORT ciphers.
  • Upgrade OpenSSL to the latest version. We strongly recommend eliminating all SSL support in favor of TLS.
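The two action steps above, as an added check that is not part of the NYU post: the Python below audits an Apache mod_ssl virtual host (Apache is an assumption; the post names no web server) and encodes the first step's caveat, namely that excluding SSLv2 ciphers only counts as a fix when the CVE-2015-3197 patch is in place, while removing the protocol with `-SSLv2` is sufficient on its own. The three configuration fragments are constructed: the weak default, a ciphers-only hardening, and the corrected form.

```python
import re
from typing import List

def _directive(config_text: str, name: str) -> str:
    """Argument string of the last `name` directive in the vhost, or ''."""
    found = re.findall(rf"^\s*{name}\s+(.+?)\s*$", config_text, re.M | re.I)
    return found[-1] if found else ""

def audit_sslv2(config_text: str, cve_2015_3197_patched: bool) -> List[str]:
    """Check an Apache mod_ssl vhost against the post's first action step.

    Assumption: 'all' in SSLProtocol (also Apache's default) is treated as
    including SSLv2, which holds for OpenSSL builds that still ship it.
    """
    tokens = (_directive(config_text, "SSLProtocol") or "all").lower().split()
    enabled = {t.lstrip("+") for t in tokens if not t.startswith("-")}
    removed = {t[1:] for t in tokens if t.startswith("-")}
    sslv2_protocol = "sslv2" not in removed and bool(enabled & {"all", "sslv2"})
    ciphers = _directive(config_text, "SSLCipherSuite").lower().split(":")
    sslv2_ciphers_off = "!sslv2" in ciphers
    export_off = bool({"!export", "!exp"} & set(ciphers))

    findings: List[str] = []
    if not sslv2_protocol:
        return findings   # protocol disabled: the post's preferred fix
    if sslv2_ciphers_off and cve_2015_3197_patched:
        findings.append("SSLv2 protocol still enabled; relying on cipher exclusion "
                        "plus the CVE-2015-3197 patch, which the post calls sufficient")
    elif sslv2_ciphers_off:
        findings.append("SSLv2 ciphers excluded but OpenSSL unpatched for CVE-2015-3197: "
                        "clients can still force SSLv2 EXPORT ciphers; add -SSLv2 to SSLProtocol")
    else:
        findings.append("SSLv2 protocol and ciphers enabled: add -SSLv2 to SSLProtocol")
    if not export_off:
        findings.append("EXPORT cipher suites not excluded from SSLCipherSuite")
    return findings

# Constructed vhost fragments: the weak default, ciphers-only hardening,
# and the configuration that disables the protocol outright.
WEAK = "SSLEngine on\nSSLProtocol all\nSSLCipherSuite HIGH:MEDIUM:!aNULL\n"
CIPHERS_ONLY = "SSLEngine on\nSSLProtocol all\nSSLCipherSuite HIGH:MEDIUM:!aNULL:!EXPORT:!SSLv2\n"
FIXED = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\nSSLCipherSuite HIGH:!aNULL:!MD5:!EXPORT:!SSLv2\n"

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("ciphers-only", CIPHERS_ONLY), ("fixed", FIXED)):
        print(label, audit_sslv2(cfg, cve_2015_3197_patched=False) or "no findings")
```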
