As an update to our May 15th blog post regarding the severe security flaw now known as BlueKeep (CVE-2019-0708), a Remote Desktop Services remote code execution vulnerability, please be advised of the following supplemental security recommendations from the NSA:
- Block TCP port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This is the port used by the RDP protocol, so blocking it stops attempts to establish an RDP connection. Note: NYU IT has confirmed that RDP on port 3389 is blocked for incoming (ingress) traffic.
- Disable Remote Desktop Services if they are not required. Disabling unused and unneeded services reduces overall exposure to security vulnerabilities and is a best practice even without the BlueKeep threat.
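The first recommendation is only useful if the block actually holds. The following script is an added illustration of how to verify it from firewall or flow logs; it is not NSA or NYU IT tooling. It assumes a simplified, hypothetical log format (one connection per line, ACCEPT/DROP verdict, protocol, source and destination socket) and a list of internal address ranges that you would replace with your own; the log lines are constructed for the example. It reports every accepted TCP connection to port 3389 whose source lies outside the internal ranges, which is exactly the traffic the perimeter rule is meant to stop.

```python
"""Verify that inbound RDP (TCP/3389) is really blocked at the perimeter.

Runs over firewall/flow log lines and reports any ACCEPTed TCP connection to
port 3389 whose source is outside the organisation's internal address space.
The log format is a hypothetical, simplified one; adapt parse_line() to your
firewall's export.
"""
import ipaddress

RDP_PORT = 3389

# Address ranges treated as "inside" (RFC 1918, loopback, link-local).
# Assumption for this example: replace with your own internal ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log (not real traffic). Hypothetical format:
#   <time> <ACCEPT|DROP> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2019-06-01T10:00:01Z ACCEPT TCP 10.20.30.40:51234 -> 10.20.30.50:3389
2019-06-01T10:00:02Z DROP TCP 203.0.113.7:40001 -> 192.0.2.10:3389
2019-06-01T10:00:03Z ACCEPT TCP 198.51.100.9:40002 -> 192.0.2.11:3389
2019-06-01T10:00:04Z ACCEPT TCP 203.0.113.8:40003 -> 192.0.2.12:443
2019-06-01T10:00:05Z ACCEPT UDP 203.0.113.9:40004 -> 192.0.2.13:3389
2019-06-01T10:00:06Z ACCEPT TCP 192.168.1.5:40005 -> 192.168.1.6:3389
this line is malformed and is skipped
"""


def is_internal(ip):
    """True if the address falls inside one of INTERNAL_NETS."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    fields = line.split()
    if len(fields) != 6 or fields[4] != "->":
        return None
    time, action, proto, src, _, dst = fields
    try:
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return {
            "time": time,
            "action": action.upper(),
            "proto": proto.upper(),
            "src_ip": ipaddress.ip_address(src_ip),
            "src_port": int(src_port),
            "dst_ip": ipaddress.ip_address(dst_ip),
            "dst_port": int(dst_port),
        }
    except ValueError:
        return None


def find_exposed_rdp(log_text):
    """Return (time, src_ip, dst_ip) for every accepted external TCP/3389 connection."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["action"] == "ACCEPT" and rec["proto"] == "TCP"
                and rec["dst_port"] == RDP_PORT and not is_internal(rec["src_ip"])):
            hits.append((rec["time"], str(rec["src_ip"]), str(rec["dst_ip"])))
    return hits


if __name__ == "__main__":
    for hit in find_exposed_rdp(SAMPLE_LOG):
        print("RDP reachable from the internet:", hit)
```

On the sample log only the third line is reported: the first and last are internal sources, the second was dropped, the fourth is port 443 and the fifth is UDP. The internal ranges are deliberately an explicit list rather than a library "is this address private" test, so that the check reflects your own addressing plan.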
Microsoft has asked users of the following Windows versions to urgently apply an update which is available today to protect against a potential widespread exploit:
- Windows XP — users of Windows XP will need to manually download the update from Microsoft’s update catalog
- Windows 7
- Windows Server 2003
- Windows Server 2008 R2
- Windows Server 2008
Patches can be found on Microsoft’s Customer Guidance for CVE-2019-0708 web page.
Please note that Windows 10, 8.1 and 8, as well as Windows Server 2019, 2016, 2012 R2 and 2012, are not affected by this vulnerability.
Although Microsoft has not yet observed attacks, it has described this vulnerability as “wormable”, meaning that malware exploiting it could propagate from vulnerable system to vulnerable system, much as the WannaCry ransomware did in 2017, which also targeted older Windows versions. Notably, Microsoft released the patch that prevents WannaCry before those attacks began, yet WannaCry nevertheless remains an active exploit.
The vulnerability, identified as CVE-2019-0708, is a remote code execution vulnerability in Remote Desktop Services (“RDS”, formerly known as Terminal Services). It requires no user interaction and would allow an unauthenticated malicious actor to execute arbitrary code on an affected system via the Remote Desktop Protocol (“RDP”). The update mitigates the vulnerability by correcting how RDS handles connection requests.
The critical Confluence vulnerabilities detailed in CVE-2019-3396 are WebDAV and Widget Connector vulnerabilities. Two attacks that exploit them are currently being observed in the wild:
- infection of servers with GandCrab ransomware. Please be advised that there are currently no tools available to decrypt files affected by GandCrab version 5.2 (the version used in this attack).
- distribution of the Kerberods malware, which combines a Monero cryptocurrency miner with a rootkit that hides its activity.
Atlassian recommends upgrading to the latest version (6.15.1), and has also provided recommendations for versions that cannot be upgraded. For more information, see the Confluence Security Advisory – 3019-03-20.
Researchers from Dark Wolfe Consulting, a cybersecurity consulting firm, and the Digital Citizens Alliance (“DCA”), a consumer-focused group dedicated to making the internet safer, analyzed six pirated streaming devices built on the Kodi platform and found that they are rigged with malware and open doors for further malware entry.
These devices are sometimes called “Kodi boxes” or “jailbroken Fire TV Sticks”. They look like legitimate streaming devices and are cheap compared with Apple TV or Roku; the price users pay upfront buys access to illegally provided content. The researchers equate using one of these devices to letting a “Trojan horse in through the front door”, for the following reasons:
- the devices allow hackers to bypass the security of the home network router’s firewall.
- normal security features and precautions are either unavailable or switched off to accommodate the illegal streaming of content.
- users often have to grant full admin access, which includes access to the device’s memory, location history and other security features.
- malware can be used to snare the devices into a botnet for use in cyber attacks or cryptocurrency mining.
- sensitive information stored on the devices, such as credit cards, passwords and photos, is vulnerable to exploitation.
Please be advised that Amazon has staff monitoring queries made to Amazon Alexa-enabled Echo smart speakers in an attempt to improve product accuracy. Apparently, while the monitored recordings do not provide full names, they do connect to an account name, a user’s first name and the device serial number. According to Bloomberg, employees working in Costa Rica, India and Romania parse as many as 1,000 audio clips per shift. The recordings are transcribed, annotated and fed back into the software to help correct gaps in Alexa’s understanding of human speech and voice commands.
According to Amazon, unless Echo detects the default or custom wake word or is activated by the press of the button, no audio is stored. However, Alexa sometimes records absent a prompt, and reviewers are required to transcribe these recordings as well.
It is recommended that users review their Alexa privacy settings. To stop your voice recordings being used for the development of new features, open the Alexa app and go to Alexa Account > Alexa Privacy > Manage how your data improves Alexa. Please note that Amazon has stated that users who opt out may still have their recordings analyzed by hand in the review process.
Due to a vulnerability detailed in CVE-2019-0232, users and administrators of the following Apache Tomcat versions are advised to update. The update addresses a remote code execution vulnerability on Windows, whereby a remote attacker could take control of an affected system. Specific mitigation steps can be found below.
- Apache Tomcat 9.0.0.M1 to 9.0.17
- Apache Tomcat 8.5.0 to 8.5.39
- Apache Tomcat 7.0.0 to 7.0.93
Users of affected versions should apply one of the following mitigations:
- Ensure the CGI Servlet initialisation parameter enableCmdLineArguments is set to false
- Upgrade to Apache Tomcat 9.0.18 or later
- Upgrade to Apache Tomcat 8.5.40 or later
- Upgrade to Apache Tomcat 7.0.93 or later
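The first mitigation is a single init-param in a web application's web.xml, which is easy to get wrong across many deployments. The script below is an added example, not Apache Tomcat tooling: it locates every servlet declared with the CGI Servlet class, reports whether enableCmdLineArguments is explicitly false, and can rewrite the file so that it is. The sample web.xml is constructed for the example and shows the risky setting; the servlet class name is Tomcat's real one, and the namespace handling assumes the usual Java EE default namespace on the root element.

```python
"""Check (and fix) a Tomcat web.xml for the CGI Servlet's enableCmdLineArguments.

Illustrative code for the mitigation above; not Tomcat's own tooling.
"""
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"
PARAM = "enableCmdLineArguments"

# Constructed sample: a web.xml that declares the CGI Servlet with the risky value.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi</param-value>
    </init-param>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def _cgi_servlets(root):
    """Yield every <servlet> element whose class is the CGI Servlet."""
    for elem in root.iter():
        if _local(elem.tag) == "servlet" and _child_text(elem, "servlet-class") == CGI_SERVLET_CLASS:
            yield elem


def _param_value_elem(servlet, name):
    """Return the <param-value> element of the named init-param, or None."""
    for init in servlet:
        if _local(init.tag) == "init-param" and _child_text(init, "param-name") == name:
            for child in init:
                if _local(child.tag) == "param-value":
                    return child
    return None


def check_cgi_servlet(web_xml):
    """Report whether the CGI Servlet is declared and whether the parameter is explicitly false.

    The mitigation says "ensure the parameter is set to false", so an absent
    parameter is reported as non-compliant instead of trusting the default.
    """
    root = ET.fromstring(web_xml)
    values = []
    for servlet in _cgi_servlets(root):
        elem = _param_value_elem(servlet, PARAM)
        values.append((elem.text or "").strip().lower() if elem is not None else None)
    return {
        "cgi_servlet_declared": bool(values),
        PARAM: values,
        "compliant": all(v == "false" for v in values),
    }


def harden_cgi_servlet(web_xml):
    """Return web.xml text with enableCmdLineArguments forced to false on every CGI Servlet."""
    root = ET.fromstring(web_xml)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns)  # keep the default namespace on output
    q = (lambda name: "{%s}%s" % (ns, name)) if ns else (lambda name: name)
    for servlet in list(_cgi_servlets(root)):
        elem = _param_value_elem(servlet, PARAM)
        if elem is None:  # parameter missing: add it rather than rely on the default
            init = ET.SubElement(servlet, q("init-param"))
            ET.SubElement(init, q("param-name")).text = PARAM
            elem = ET.SubElement(init, q("param-value"))
        elem.text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(check_cgi_servlet(SAMPLE_WEB_XML))
    print(check_cgi_servlet(harden_cgi_servlet(SAMPLE_WEB_XML)))
```

A web.xml that does not declare the CGI Servlet at all passes the check; one that declares it without the parameter fails, and harden_cgi_servlet adds the parameter in that case instead of assuming the version's default is safe.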
The Office of Information Security (“OIS”) has been made aware of a phishing campaign dubbed “Silent Librarian” that is targeting the NYU community. This phishing campaign is designed to steal login credentials, and has been targeting universities, companies and government agencies around the world. Silent Librarian has targeted more than 300 universities in 22 countries, and the cost to universities alone is estimated to be around 3.4 billion.
The following is an example of a Silent Librarian phishing message.
Please note that these phishing messages often arrive from spoofed sender email addresses and appear to be signed by actual Library personnel. The subject lines have remained consistent over time and tend to be “Library Account”, “Library Notifications” or “Library Services”, sometimes with the name of the university appended. The phishing ‘tells’ in this message are the incorrect library address and the embedded link, which takes users to a spoofed login prompt. Although the embedded link contains familiar elements, please remember to look for “https://shibboleth.nyu.edu” in the typed link, in the link preview and in your browser’s address bar once you have clicked a link.
Further, because links can be spoofed (the destination URL may differ from the URL displayed), the following best practices are recommended:
- Never click embedded links or open attachments in unexpected email.
- When in doubt of the legitimacy of an email message, contact the sender using a trusted means of communication, such as the sender’s NYU Directory phone number.
If you have fallen for this phishing campaign, please change your NetID password as soon as possible via https://start.nyu.edu/.
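The two ‘tells’ above, a displayed URL that is not the real destination and a destination that merely contains familiar pieces of the genuine host name, can both be checked mechanically before anyone clicks. The script below is an added example, not OIS tooling: it pulls every link out of an HTML email body, compares the host shown in the link text with the host the link really points to, and requires an exact match on shibboleth.nyu.edu (the host the advisory tells readers to look for). The sample email is constructed and uses a reserved example.net domain for the fake destination.

```python
"""Audit links in an HTML email body for the phishing 'tells' described above.

Added example (not OIS tooling). For each <a> it extracts the real destination
host, compares it with any URL shown as link text, and checks the destination
against the expected login host. The email HTML below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# The only host a genuine NYU login link should land on (from the advisory).
TRUSTED_LOGIN_HOST = "shibboleth.nyu.edu"

SAMPLE_EMAIL_HTML = """\
<p>Your library account is about to expire.</p>
<p>Please sign in at <a href="http://shibboleth.nyu.edu.library-login.example.net/login">https://shibboleth.nyu.edu</a> to keep your access.</p>
<p>Or use the <a href="https://shibboleth.nyu.edu/idp/profile/SAML2/Redirect/SSO">NYU login</a> page.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'host/path' text is treated as a URL too."""
    url = url.strip()
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def looks_like_url(text):
    """True if the visible link text itself reads as a URL or hostname."""
    return "." in text and " " not in text


def audit_links(html):
    """Return one finding per link: destination host plus a list of issues (empty = looks fine)."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = host_of(href)
        issues = []
        # Tell 1: the URL shown to the reader is not where the link goes.
        if looks_like_url(text) and host_of(text) != real_host:
            issues.append("displayed URL differs from destination")
        # Tell 2: familiar pieces of the name do not make it the real host;
        # only an exact match on the login host counts.
        if real_host != TRUSTED_LOGIN_HOST:
            issues.append("destination is not %s" % TRUSTED_LOGIN_HOST)
        if urlparse(href.strip()).scheme.lower() != "https":
            issues.append("destination is not https")
        findings.append({"href": href, "text": text, "host": real_host, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL_HTML):
        print(finding["host"], "->", finding["issues"] or "ok")
```

In the sample, the first link displays https://shibboleth.nyu.edu but resolves to a host that only starts with that name, so it is flagged on all three counts; the second link lands on the real login host over HTTPS and produces no findings. The same exact-host comparison is what you are doing by eye when you read the address bar after clicking.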
A patch has been released for Apache HTTP Server which addresses a critical vulnerability, nicknamed “Carpe Diem” and identified as CVE-2019-0211, with a Common Vulnerability Scoring System (“CVSS”) score of 8.8. The flaw affects Apache HTTP Server versions 2.4.17 to 2.4.38 and could give an attacker root control on Unix-based systems. Windows servers are not affected; recent Linux distributions, however, are. It is recommended that you update to version 2.4.39 as soon as possible.
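Both the Tomcat advisory above (CVE-2019-0232) and this Apache HTTP Server advisory (CVE-2019-0211) define their scope as version ranges, and Tomcat's range starts at a milestone build (9.0.0.M1) that a naive numeric comparison gets wrong. The script below is an added example serving both passages, not Apache tooling: it parses version strings into sortable keys, treating a pre-release label such as M1 as a component of its own, and tests a version against the ranges copied from the two advisories as quoted on this page.

```python
"""Decide whether a product version falls inside an advisory's affected range.

Added illustration (not Apache's tooling). The ranges are copied from the
Tomcat (CVE-2019-0232) and Apache HTTP Server (CVE-2019-0211) advisories as
summarised on this page.
"""
import re

AFFECTED = {
    "tomcat": [("9.0.0.M1", "9.0.17"), ("8.5.0", "8.5.39"), ("7.0.0", "7.0.93")],
    "httpd": [("2.4.17", "2.4.38")],
}


def parse_version(version):
    """Turn a version string such as '9.0.0.M1' into a tuple that sorts correctly.

    Numeric components become (1, number). A label such as M1 or RC2 becomes
    (0, label, number), so a labelled component always sorts below a numeric
    one in the same position and labels of the same kind sort by their number.
    """
    key = []
    for tok in version.strip().split("."):
        if tok.isdigit():
            key.append((1, int(tok)))
        else:
            m = re.fullmatch(r"([A-Za-z]+)(\d*)", tok)
            if not m:
                raise ValueError("unrecognised version component: %r" % tok)
            key.append((0, m.group(1).upper(), int(m.group(2) or 0)))
    return tuple(key)


def is_affected(product, version):
    """True if the version lies inside any affected range listed for the product."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED[product])


if __name__ == "__main__":
    for product, version in [("tomcat", "9.0.17"), ("tomcat", "9.0.18"),
                             ("httpd", "2.4.38"), ("httpd", "2.4.39")]:
        print(product, version, "affected" if is_affected(product, version) else "not affected")
```

Comparing the tuples component by component means 9.0.0.M26 sits between 9.0.0.M1 and 9.0.1, and 8.0.x releases fall outside every Tomcat range listed, which is the behaviour a patch-status report needs.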
For more information, please see:
There has been a reported breach of Facebook data that had been acquired by third-party apps. The leaky apps include:
- “Cultura Colectiva”, a Latin American social networking collective, with a database exceeding 500 million entries. Exposed data includes Facebook IDs, likes, friends and more.
- “At the Pool”, an app that has not been in use since 2014. Exposed data includes names, email addresses, Facebook IDs and 22,000 plaintext user passwords.
Recommendations (courtesy of NakedSecurity):
- Review your Facebook apps and permissions. To do so, go to https://www.facebook.com/settings and choose Apps and Websites from the menu on the left. Using the list of apps and websites, remove those you no longer wish to use and re-review the permissions settings for those you wish to keep.
- Review your Facebook privacy settings via the Privacy menu on the Settings screen where you can access the Privacy Settings and Tools page.
- Strengthen your login with two-factor authentication (2FA) via the Security and Login page.
For more information, please see:
A widespread automated phone scam dubbed “Wangiri”, Japanese for “one ring and drop”, uses automated dialing machines to ring phone numbers once and then hang up, over and over. Incoming calls may appear to come from a variety of numbers, including “unknown caller”, “no caller id”, or spoofed domestic or international numbers. Calls may even show three-digit area codes that look domestic but are associated with pay-per-call international numbers. The goal is to get recipients to call back and stay on the line as long as possible while the call is routed to a premium-rate service, which can charge a connection fee and then bill the victim significant per-minute charges.
Because calls from an “unknown caller” or “no caller id” cannot be blocked, it is recommended that you do not answer unexpected calls or calls you suspect may be spoofed, and that you do not return calls from unexpected or unknown numbers. If you do return a call to an unknown number and hear an odd message, hang up immediately. Further, if you rarely make international calls, consider asking your service provider to block all outgoing international calls.
Please see the following NJCCIC blog post for carrier specific call blocking options: Tired of Receiving Scam Calls? Don’t Just Sit There. Do Something About It. Additionally, if you have been a victim of an international phone scam, you can file a complaint with the Federal Trade Commission (“FTC”) at www.ftccomplaintassistant.gov.