
Ransomware Reminder

With the return of newer strains of the Locky malware, ransomware remains a top threat for all computer users. Ransomware is malicious software that usually arrives as an email attachment, often under a generic subject such as “please print” or “document”. When the user opens the attachment, an embedded script (for Locky, typically a JavaScript file or an Office macro) downloads the ransomware itself, which then encrypts the user’s files, including files on any attached or mapped network drives, and demands payment for the key to decrypt them.

Even if the malware has a different name or uses a different kind of attachment, the steps you take to protect the data entrusted to you are the same. Take this opportunity to review the resources we have available, starting with our Connect article on Ransomware scams here, as well as the alerts on ransomware in the NYU IT Security News & Alerts Blog below. If you have questions, please feel free to send email to security@nyu.edu.
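The attachment pattern described above is something a mail gateway or an incident responder can check for mechanically. The following Python script is an added example, not code from NYU IT or from any vendor: it parses a raw message with the standard library’s email package, classifies each attachment by its final extension (so a double-extension name such as document.pdf.js is treated as the script it really is), and returns a verdict. The extension lists, the lure subject beyond the two named above, and the sample message are assumptions constructed for the example.

```python
"""Triage an e-mail for attachment types that commonly deliver ransomware."""
import email
from email import policy
from email.message import EmailMessage

# File types Windows runs directly when double-clicked. Locky arrived as .js
# attachments and as macro-enabled Office documents; the other entries are
# assumptions for this example, not a published list.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".ps1", ".cmd", ".bat", ".scr", ".exe", ".lnk"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
# Harmless-looking extensions attackers put in front of the real one
# ("document.pdf.js") so the file looks like a document in the mail client.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}
# Generic subjects from the alert above, plus "invoice" (an assumption).
LURE_SUBJECTS = {"please print", "document", "invoice"}


def classify_filename(name):
    """Return (risk, reason) for one attachment file name.

    Only the final extension decides what Windows does with the file, so
    'document.pdf.js' is treated as a .js script and the decoy is reported.
    """
    tokens = name.lower().strip().split(".")
    ext = "." + tokens[-1] if len(tokens) > 1 else ""
    decoy = "." + tokens[-2] if len(tokens) > 2 else ""
    if ext in SCRIPT_EXTENSIONS:
        risk, reason = "high", f"script or executable attachment ({ext})"
    elif ext in MACRO_EXTENSIONS:
        risk, reason = "high", f"macro-enabled Office document ({ext})"
    elif ext in ARCHIVE_EXTENSIONS:
        risk, reason = "medium", f"archive ({ext}); contents must be inspected"
    else:
        risk, reason = "low", f"no risky extension ({ext or 'none'})"
    if decoy in DECOY_EXTENSIONS:
        reason += f", disguised with a {decoy} decoy extension"
    return risk, reason


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and return a verdict plus per-attachment findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        risk, reason = classify_filename(name)
        findings.append({"filename": name, "risk": risk, "reason": reason,
                         "content_type": part.get_content_type()})
    risks = {f["risk"] for f in findings}
    if "high" in risks:
        verdict = "quarantine"          # executable content: never deliver
    elif "medium" in risks and subject in LURE_SUBJECTS:
        verdict = "hold for review"     # archive behind a known lure subject
    else:
        verdict = "deliver"
    return {"subject": subject, "verdict": verdict, "attachments": findings}


def build_sample_message():
    """Constructed sample: a lure subject with a double-extension .js attachment."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.edu"
    msg["Subject"] = "please print"
    msg.set_content("See the attached document.")
    # Placeholder bytes stand in for the downloader script; nothing malicious here.
    msg.add_attachment(b"// placeholder\n", maintype="application",
                       subtype="octet-stream", filename="document.pdf.js")
    return msg.as_bytes()


if __name__ == "__main__":
    report = triage_message(build_sample_message())
    print(f"Subject {report['subject']!r}: {report['verdict']}")
    for item in report["attachments"]:
        print(f"  {item['filename']}: {item['risk']} - {item['reason']}")
```

The verdict deliberately ignores the declared Content-Type of the attachment: a sender controls that header, and the mail client will hand the file to Windows by its name, not by its MIME type. Feed real messages in with `triage_message(open(path, "rb").read())`.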


Resources

New Ransomware Alert “Petya” https://wp.nyu.edu/itsecurity/2017/06/28/new-ransomware-alert-petya/

WannaCry (also known as WannaCrypt, WanaCrypt0r 2.0, and Wanna Decryptor) Malware/Ransomware https://wp.nyu.edu/itsecurity/2017/05/16/update-5162017-re-wannacry-also-known-as-wannacrypt-wanacrypt0r-2-0-and-wanna-decryptor-malwareransomware/

New Ransomware exploits MS vulnerability, spreading quickly https://wp.nyu.edu/itsecurity/2017/05/12/new-ransomware-exploits-ms-vulnerability-spreading-quickly/

Locky/Osiris Ransomware Alert https://wp.nyu.edu/itsecurity/2016/12/07/lockyosiris-ransomware-alert/

Locky Ransomware Spreading via JavaScript (.js) Attachments https://wp.nyu.edu/itsecurity/2016/03/29/locky-ransomware-spreading-via-javascript-js-attachments/

Locky Ransomware Alert https://wp.nyu.edu/itsecurity/2016/02/19/locky-ransomware-alert/

The Return of Locky https://www.itgovernance.co.uk/blog/the-return-of-locky-a-closer-look-at-2017s-largest-malware-campaign/


Important VMware update

VMware has issued a critical security alert for

  • VMware ESXi (ESXi)
  • VMware vCenter Server
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro, Fusion (Fusion)

regarding a number of issues. The most important is an out-of-bounds write vulnerability (CVE-2017-4924) in ESXi, Workstation and Fusion that allows a guest to break out of its isolation: a malicious actor who has already compromised a guest virtual machine could escape the constraints of that VM and execute code on the host machine the VM is running on. vCenter Server is listed in the same advisory for a separate issue. Anyone running these products should check VMware’s advisory (below) and apply the appropriate patches as soon as possible.


References:

https://www.vmware.com/security/advisories/VMSA-2017-0015.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4924

WordPress 4.8.2 Security & Maintenance Release

Please be advised that WordPress 4.8.2 is now available. We strongly recommend that you update all sites as soon as possible, as this is a security release: the issues it addresses affect version 4.8.1 and all earlier versions.

Please note that if you’re using wp.nyu.edu, the update will be handled by our vendor. Otherwise, WordPress can be updated via Dashboard > Updates > Update Now. Questions? Please call the NYU IT Service Desk.

For more information on the security issues addressed by this update, please see: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/

CCleaner Compromise

Please be advised that CCleaner, a Windows utility used to remove cookies, wipe browsing histories, and clean temporary internet files, has been compromised. Specifically, the affected versions are CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 (32-bit versions). The vendor, Avast, has stated that no other Piriform or CCleaner products have been affected. However, the trojanized installer carried a valid Piriform digital signature, which means the attackers reached the build or signing process rather than merely a download mirror, so other software produced by the same build environment cannot simply be assumed clean.

The issue, which was identified by Cisco Talos researchers, involved a compromise of the vendor’s build and distribution chain: the trojanized installer was served from the vendor’s own download servers. Once in place, the malware would determine whether the user had administrator privileges and, if so, collect and send information such as the name of the device, installed software and Windows updates, running processes, and the MAC addresses of network adapters.

Recommendations:

  • Users of version 5.33 should restore their device from a backup created before version 5.33 was installed and then update to version 5.34. Be advised that the free edition of CCleaner does not feature automatic updates; users must download updates manually.
  • Alternatively, users should wipe their device, deploy a fresh image, and install up-to-date anti-virus software.

For additional information, please see:

Apache Struts Vulnerability Update

As an update to our September 7th blog post on the Apache Struts vulnerability, please be advised that Equifax has stated in their September 13th Progress Update for Consumers regarding their recent massive cybersecurity breach, “[t]he vulnerability was Apache Struts CVE-2017-5638”.

It is critical to ensure that all Apache Struts instances are secure. Note that CVE-2017-5638 is not the REST plugin vulnerability (CVE-2017-9805) covered in our earlier post but an older flaw (Apache advisory S2-045) in the Jakarta multipart parser, fixed in March 2017 in Struts 2.3.32 and 2.5.10.1; upgrading to the releases below addresses both. Please be reminded of the following recommendations:

Fix: It is recommended that you upgrade to Struts 2.5.13 or Struts 2.3.34. Downloads can be found on the Apache Struts Releases webpage.

Alternatives to upgrading: No workaround is possible; the best option is to remove the Struts REST plugin when it is not used, or to limit it to serving normal pages and JSON only, as outlined here: https://struts.apache.org/docs/s2-052.html

If you use Red Hat (for Linux), you can find information here: https://access.redhat.com/security/cve/cve-2017-9805

FTC Issues Alert on Equifax Phishing Scams

The Federal Trade Commission (FTC) released an alert warning consumers to be wary of calls or emails purporting to be from Equifax agents. As with other phishing scams, the phishers are pretending to be Equifax representatives asking for “verification” of your information. Legitimate Equifax employees will not be contacting people to ask for this information.  For up-to-date information on the breach, you can check the site Equifax has set up: https://www.equifaxsecurity2017.com/

For NYU-related spam or fraud, please contact NYU IT Office of Information Security at security@nyu.edu. For commercial fraudulent calls and emails, use the FTC Complaint Assistant <https://www.ftccomplaintassistant.gov/#crnt&panel1-1>

Resources:

https://www.consumer.ftc.gov/blog/2017/09/equifax-isnt-calling

https://www.equifaxsecurity2017.com/

US-CERT Tips on Avoiding Social Engineering and Phishing Attacks <https://www.us-cert.gov/ncas/tips/ST04-014>

Preventing and Responding to Identity Theft <https://www.us-cert.gov/ncas/tips/ST05-019>


MongoDB Servers – Ongoing Extortion Attempts

Please be advised that there has been a resurgence of attacks on vulnerable MongoDB servers. The attacks involve malicious actors seeking out MongoDB installations that are poorly configured: reachable from the internet with no authentication enabled, so that no administrator password is needed to connect. After attackers gain access, they export or delete the data (in many reported cases it is simply deleted) and leave a ransom note in its place. The following is an example of ransom note text:

“We have your data. Your database is backed up to our servers. If you want to restore it, then send 0.15 BTC [$650] and text me to email, just send your IP-address and payment info. Messages without payment info will be ignored.”

Please be reminded that ransom payment does not guarantee the restoration of data. In these attacks specifically, there have been reports of ransom payment, but no reports of data restoration (see, https://krebsonsecurity.com/2017/01/extortionists-wipe-thousands-of-databases-victims-who-pay-up-get-stiffed/)

Recommendations:

  • Users/admins should not rely on server default settings and should instead follow the recommendations on the MongoDB Security Checklist.
  • Make sure to perform database backups on a regular basis.
  • Users/admins should perform regular checks on their server’s services, and ensure that all applications are patched/updated and unnecessary services have been shut off.
  • View the “We’re Always Striving to Make Deployment Easier” section of the vendor blog post dated 9/8/17 for a robust list of available resources.
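Most of the checklist items above are visible in mongod.conf itself. The following Python script is an added example, not code from NYU IT or from MongoDB, Inc.: it reads a mongod.conf, flags the settings the extortion campaign relies on (listening on all interfaces, no authorization, no TLS), and runs against two constructed configurations, the exposed one beside a hardened one. The mini-parser handles only the simple nested key/value layout of mongod.conf, not general YAML, and the file paths and addresses are placeholders.

```python
"""Audit a mongod.conf for the settings the MongoDB extortion campaign relies on."""


def parse_simple_yaml(text):
    """Parse the nested 'section:' / '  key: value' layout used by mongod.conf.

    Handles indentation-based nesting, scalar values and '#' comments only;
    it is not a general YAML parser.
    """
    root = {}
    stack = [(-1, root)]            # (indent, mapping) for the open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()             # close sections indented at or past this line
        parent = stack[-1][1]
        if value.strip() == "":
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value.strip().strip("'\"")
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means the three checks passed."""
    conf = parse_simple_yaml(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []
    bind = net.get("bindIp")
    if bind is None:
        findings.append("net.bindIp not set: releases before 3.6 then listen on all interfaces")
    else:
        addrs = {a.strip() for a in bind.split(",")}
        if addrs & {"0.0.0.0", "::"}:
            findings.append(f"net.bindIp={bind}: mongod is reachable on every interface")
    if security.get("authorization") != "enabled":
        findings.append("security.authorization is not enabled: anyone who can reach "
                        "the port gets full access with no password at all")
    # 'net.ssl' is the 3.x key for TLS; it is spelled 'net.tls' from 4.2 on.
    if net.get("ssl", {}).get("mode") != "requireSSL":
        findings.append("net.ssl.mode is not requireSSL: credentials and data cross "
                        "the network in clear text")
    return findings


# Constructed example configurations (paths and addresses are placeholders).
WEAK_CONF = """\
# The shape of configuration the attacks described above look for.
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private application network
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongod.pem
security:
  authorization: enabled
"""


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_mongod_conf(conf)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Enabling authorization only helps once a user with the root role actually exists, so create that user on localhost before restarting with the hardened file; the audit reads the file and cannot see the users collection. Run it on a live host with `audit_mongod_conf(open("/etc/mongod.conf").read())`.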

For additional information please see:


Apache Struts Vulnerability

A critical vulnerability (CVE-2017-9805, Apache advisory S2-052) has been identified in Apache Struts 2, an open source framework used to develop Java web applications. The flaw is in the Struts REST plugin, which uses the XStream library to deserialize XML request bodies without restricting the types that may be deserialized; an unauthenticated remote attacker can send a crafted XML payload to any REST endpoint of a vulnerable application and execute arbitrary code on the server. Specifically, the affected software is Struts 2.1.2 – Struts 2.3.33 and Struts 2.5 – Struts 2.5.12.

Fix: It is recommended that you upgrade to Struts 2.5.13 or Struts 2.3.34. Downloads can be found here.

Alternatives to upgrading: No workaround is possible; the best option is to remove the Struts REST plugin when it is not used, or to limit it to serving normal pages and JSON only, as outlined here: https://struts.apache.org/docs/s2-052.html

If you use Red Hat (for Linux), you can find information here: https://access.redhat.com/security/cve/cve-2017-9805
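Both Struts posts on this page (the original alert immediately above and the September update earlier on the page) come down to two questions: is my Struts version in an affected range, and has anyone already tried this against my servers? The following Python script is an added example, not code from NYU IT or from the Apache Struts project. It compares a version string against the affected ranges published in Apache advisories S2-052 and S2-045, and scans request records for the two exploit signatures: an OGNL expression in the Content-Type header (S2-045) and the XStream gadget class names that the public S2-052 payloads place in an XML body. The request records, the record format and the gadget-name list are assumptions constructed for the example; the detection is a heuristic, not a substitute for upgrading.

```python
"""Struts version check against S2-052/S2-045 and request-log heuristics for both."""
import re


def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare correctly for range checks."""
    return tuple(int(part) for part in version.strip().split("."))


# Affected ranges (inclusive) as published in the Apache Struts advisories;
# the fix is the release after each upper bound (2.3.34 / 2.5.13 for S2-052,
# 2.3.32 / 2.5.10.1 for S2-045).
AFFECTED = {
    "S2-052 (CVE-2017-9805)": [((2, 1, 2), (2, 3, 33)), ((2, 5), (2, 5, 12))],
    "S2-045 (CVE-2017-5638)": [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))],
}


def vulnerable_advisories(version):
    """Return the advisories whose affected range contains this Struts version."""
    ver = parse_version(version)
    return [name for name, ranges in AFFECTED.items()
            if any(low <= ver <= high for low, high in ranges)]


# S2-045: the Jakarta multipart parser evaluated OGNL found in a malformed
# Content-Type header, so an expression marker there is never legitimate.
OGNL_IN_HEADER = re.compile(r"[%$]\{")
# S2-052: the REST plugin hands XML bodies to XStream without type filtering.
# These class names come from the public gadget chain used against it; the list
# is an assumption for this example and will not catch every variant.
XSTREAM_GADGETS = re.compile(
    r"jdk\.nashorn\.internal\.objects\.NativeString"
    r"|java\.lang\.ProcessBuilder"
    r"|com\.sun\.org\.apache\.xalan\.internal\.xsltc\.trax\.TemplatesImpl"
    r"|<command>", re.IGNORECASE)
XML_TYPES = {"application/xml", "text/xml"}


def inspect_request(req):
    """Return findings for one request record: {'method','path','headers','body'}."""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    ctype = headers.get("content-type", "")
    findings = []
    if OGNL_IN_HEADER.search(ctype):
        findings.append("S2-045: OGNL expression in Content-Type header")
    if ctype.split(";")[0].strip().lower() in XML_TYPES and \
            XSTREAM_GADGETS.search(req.get("body", "")):
        findings.append("S2-052: XStream gadget chain in XML body to REST plugin")
    return findings


def scan(requests):
    """Return (index, method, path, finding) for every hit across the records."""
    return [(i, r["method"], r["path"], f)
            for i, r in enumerate(requests) for f in inspect_request(r)]


# Constructed request records (not real traffic); the XML is a fragment with the
# gadget markers only, not a working payload.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/orders/3",
     "headers": {"Content-Type": "text/html"}, "body": ""},
    {"method": "POST", "path": "/orders/3/edit",
     "headers": {"Content-Type": "application/xml"},
     "body": "<map><entry><jdk.nashorn.internal.objects.NativeString>"
             "<command><string>id</string></command>..."},
    {"method": "POST", "path": "/doUpload.action",
     "headers": {"Content-Type": "%{(#_='multipart/form-data').(#cmd='id')}"},
     "body": ""},
    {"method": "POST", "path": "/orders",
     "headers": {"Content-Type": "application/xml"},
     "body": "<order><clientName>Bob</clientName></order>"},
]


if __name__ == "__main__":
    for v in ("2.3.33", "2.3.34", "2.5.10.1", "2.5.13"):
        print(v, vulnerable_advisories(v) or "not affected")
    for index, method, path, finding in scan(SAMPLE_REQUESTS):
        print(f"request {index} {method} {path}: {finding}")
```

The version check is the one that matters: the 2.5.10.1 example shows why the comparison must keep the fourth component, since 2.5.10.1 fixed S2-045 while 2.5.10 did not, and both remain affected by S2-052 until 2.5.13. The request heuristics need the request body, so they apply to a reverse proxy or WAF log that records it, not to a plain access log.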