NYU IT Security News and Alerts

Scammers Use Recent Disasters to Spread Malware

Please be advised that scammers use reports of recent disasters, such as the recent Boeing 737 Max crash, to spread malware. With respect to this recent crash, spam messages appear to be coming from a purported private intelligence analyst, “info@isgec.com”, who is claiming to share information found on the dark web about other airlines that will soon be impacted by similar crashes. The email requests that recipients forward the email to loved ones. The email attaches a JAR file which, if opened, is believed to install the Houdini H-worm remote access trojan (“H-Worm RAT”), which can provide remote control of a device to a malicious actor, and Adwind, which is an information-stealing trojan.


  • Refrain from forwarding unsolicited emails to others
  • Do not open unexpected attachments
  • Do not click embedded links in unexpected email messages
  • When in doubt, confirm the legitimacy of a message with the sender via a trusted means of communication, such as a known phone number


Windows Server Vulnerability in WDS

There is a remote code execution vulnerability with a critical severity rating on Windows Servers (since 2008 SP2). Microsoft disclosed the twelve vulnerabilities last November and supplied 62 patches. Servers which have not been upgraded are open to attack and should be patched as soon as possible. Specifically, CVE-2018-8476 impacts how the Windows Deployment Services (“WDS”) Trivial File Transfer Protocol (“TFTP”) Server handles objects in memory. The bug can be remotely exploited by an unauthenticated actor via a specially crafted TFTP message to gain access to a system or service, such as Active Directory, DHCP, DNS, etc., and there are no available workarounds.

For more information, please see: https://www.helpnetsecurity.com/2019/03/07/windows-servers-compromise/

NYU Box: Reduce Unintended Disclosure via Link Sharing

Please be advised/reminded that when sharing folders or files via NYU Box, the Box “Share” option “Get Shared Link” (shown below), which appears to the right of listed folders/files, is by default restricted to “People in this folder” (click “Get Shared Link” to see this option).

Screenshot showing the "Get Shared Link" option circled in red. The other option displaying is "Invite Collaborators"

This selection can be changed via the drop-down arrow to the right, to “People with the link” or “People in your company” (as shown below).

Screenshot showing the above-described NYU Box dialog

Please be advised/reminded that if you select “People with the link” as your share setting, you are making the data contained in the folder/file publicly accessible not only to those provided with the link, but to anyone who discovers the link. Public folders/documents can be scraped and indexed by search engines, making them easily found. Therefore, it is recommended that if you choose “People with the link” as your share option for any file/folder, you additionally visit “Settings” via the gear icon on the top right of the dialog (as shown below), and select either the “Require password” or “Disable Shared Link on” option.

Screenshot of NYU Box dialog showing the "People with the link" share setting and the "Settings" icon on the top right

Screenshot of NYU Box dialog "Shared Link Settings" showing the following options: "Custom URL", "Password Protect", "Link Expiration" & "Allow Download", which is auto-selected by default. A red arrow points to "Password Protect" and "Link Expiration".



Update Google Chrome Now

Users are advised to update their Google Chrome browser as soon as possible on all devices to the latest version, 72.0.3626.121. The security issue patched by this update is a zero-day vulnerability, rated as “high severity”, and “Google is aware of reports that an exploit for CVE-2019-5786 exists in the wild.” Please note that all previous versions of Google Chrome are vulnerable to attacks exploiting CVE-2019-5786.

The security issue is a use-after-free flaw, a memory mismanagement bug, in the browser’s FileReader API, which is designed to allow the browser to access and read locally stored files. The flaw could potentially allow an attacker to execute arbitrary code and take over a device, or trigger a denial of service. Possible exploit consequences include data deletion and the installation of malware.

To manually update Google Chrome on a Mac:  

  • Open Google Chrome
  • Click Chrome, About Google Chrome

Screenshot showing the Chrome Menu available when "Chrome" is clicked on the application menu bar

  • You will see the current version of Google Chrome running. Click Relaunch to apply any available update.

Screenshot showing the display of Google Chrome version information on the left side and the "Relaunch" button on the right side

  • Following a relaunch, you will see the following, informing you that Google Chrome is up to date.

Screenshot with text "Google Chrome is up to date" with the version number, 72.0.3626.121, beneath this text


National Consumer Protection Week (3/3-3/9)

Screenshot of a partial image of a coin jar with text on the right side reading "National Consumer Protection Week March 3 - 9"

National Consumer Protection Week begins on March 3rd! For information on identity theft, common scams and recommendations geared to consumers, check out the Federal Trade Commission’s (“FTC”) list of planned events. 


“Blabby” Apps Sharing Data With Facebook

On February 22nd, The Wall Street Journal (“WSJ”) reported that 11 iOS and Android apps were purportedly sharing sensitive data with Facebook in apparent violation of Facebook’s own policies. The WSJ further reported that tests showed that Facebook collects data from numerous apps within seconds of data entry by the user. This appears to be the case even when a user has not logged into Facebook and even if a user does not have a Facebook account. Following the initial WSJ report, the WSJ reported that certain apps ceased sending data to Facebook.

Governor Cuomo has called on two state agencies, the New York Department of State and the Department of Financial Services, to investigate the issue of apps sharing data without explicit user consent. Further, Governor Cuomo has also asked federal regulators to “step up and help us put an end to this practice and protect the rights of consumers”. Reuters reports that “New York’s financial services department does not traditionally supervise social media companies directly, but has waded into digital privacy in the financial sector and could have oversight of some app providers that send user data to Facebook”.


Facebook Location Services Update for Android Users

Facebook has updated the location controls for Android devices to give users an additional option, offering similar options to those available on iOS devices. Prior to this update, if you shared Facebook location information on an Android device, your location information would be shared even when not using the app. Android users will now have the following 3 choices with respect to Location Services in the Facebook app:

  • Never: Your app can’t access your precise location
  • While Using: Your app can access your precise location while you’re using the app
  • Always: Your app can access your precise location even when you’re not using the app

Facebook has advised users that it is not changing user-specified choices, nor does this update allow them to collect any new information. Users who have not enabled Location Services do not need to do anything, but Facebook requests that Android users who have enabled Location Services review their location settings to confirm their setting preference is correctly reflected.

Apparently the next major Android update, Android Q, is going to give users a location control setting similar to the iOS “only while the app is in use” option.


Triout Android Spyware Reprise

Android malware dubbed Triout has re-emerged, posing as the trusted online privacy application Psiphon to trick users into downloading it. The legitimate “com.psiphon3” package is available in Google’s app store, Google Play, and is advertised as a privacy tool that enables access to the open internet. The application has over 50 million installs and over 1 million reviews. The malicious version is bundled with Triout and is not available via Google Play.

Triout acts as spyware that collects device data and can record phone calls, log incoming text messages, record videos, access/take photos, and access location information. It also comes bundled with three adware components: Google Ads, Inmobi Ads and Mopub Ads. The legitimate and malicious Psiphon applications have a similar look and equivalent functionality, but the malicious version uses v91 of the original application when distributing Triout spyware. The current version of the legitimate application is v241.


  • Download apps from official marketplaces only.
  • Keep your device OS (operating system) and applications up to date.


Executive Impersonation Phishing Campaign Alert

There are reports of a widespread business email compromise (BEC) phishing campaign across multiple industries which involves impersonation of a senior executive and targets other senior executives within an organization. The spoofed email states that a planned board meeting needs to be rescheduled and requests participation in a Doodle poll to identify a new date for the meeting. The poll requests entry of personal information via an Office 365 credential theft site. Additional known facts include:

  • The subject line of these emails has consistently appeared as: New Message: [Company Name] February in-person Board Mtg scheduling (2/24/19 update)
  • The Doodle poll links to an Office 365 credential theft site, with a primary domain ending in web.core.windows.net.

The following is a sample of the phishing message:

Screenshot of sample phishing message with text "You have a new message: Please review new dates for availability - we have expanded the choices." Below the text is a "Participate now" button.

Image courtesy of GreatHorn

On mobile devices, the phishing message may appear as follows:

Screenshot showing phishing message above on a mobile device. Appears from "Note to self" to "You".

Image courtesy of GreatHorn
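For mail administrators triaging reported messages, the two indicators listed above (the fixed subject line and a link whose host ends in web.core.windows.net) can be checked programmatically. The following is an added example, not part of the original alert; the function names, sample messages and host names are constructed placeholders.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Both indicators come from the alert text; "[Company Name]" varies per target.
SUBJECT_RE = re.compile(
    r"^New Message: .+ February in-person Board Mtg scheduling \(2/24/19 update\)$")
# This suffix is also used by legitimate Azure Storage static websites, so a
# link on its own is a weak signal; the subject plus the link is the strong one.
HOST_SUFFIX = ".web.core.windows.net"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def check_message(raw):
    """Return the alert indicators found in one RFC 5322 message (as text)."""
    msg = message_from_string(raw, policy=default)
    hits = []
    subject = " ".join(str(msg.get("Subject", "")).split())  # undo header folding
    if SUBJECT_RE.match(subject):
        hits.append("subject")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        # Match on the parsed hostname only, so the string appearing in a path,
        # a query, or as a prefix of another domain is not flagged.
        if host.endswith(HOST_SUFFIX) and "link:" + host not in hits:
            hits.append("link:" + host)
    return hits

def is_campaign_match(raw):
    """True only when the subject pattern and a matching link both appear."""
    hits = check_message(raw)
    return "subject" in hits and any(h.startswith("link:") for h in hits)

# Constructed sample messages (not captured mail); all names are placeholders.
SAMPLES = {
    "campaign": ("From: ceo@example.test\n"
                 "Subject: New Message: Example Corp February in-person Board Mtg"
                 " scheduling (2/24/19 update)\n\n"
                 "Participate now: https://constructed-sample.z0.web.core.windows.net/poll\n"),
    "lookalike": ("From: it@example.test\nSubject: Storage docs\n\n"
                  "See https://web.core.windows.net.example.test/?q=web.core.windows.net\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_message(raw), is_campaign_match(raw))
```
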


Cry Tekk, Ransomware + Phishing Alert

A new ransomware variant dubbed Cry Tekk uses a phishing tactic in its ransom note, which allows users to bypass bitcoin payment and pay the ransom of $40 via a “Buy Now” option. The “Buy Now” option appears in a PayPal window, and when users click it they are taken to a purported PayPal dialog, which is a phishing page designed to steal payment information as follows:

Screenshot of a spoofed PayPal dialog requesting a credit card confirmation for more security

Image courtesy of MalwareHunterTeam

Further, the next dialog requests the victim’s personally identifiable information (PII) as a PayPal confirmation as follows:

Screenshot of a spoofed PayPal dialog requesting a confirmation of personal information including name, DOB, address and phone number

Image courtesy of MalwareHunterTeam

Finally, the victim will receive a fake confirmation alerting them that their PayPal account has been fully restored, although the need for PayPal account restoration was not at issue. At this point, malicious actors have stolen both payment card information and PII, and the victim is directed to the legitimate PayPal login page, where s/he can pay the requested ransom.

There are few details available at this time about how Cry Tekk ransomware is delivered, but please be alerted to this “threat within a threat” scheme, as victims anxious to receive a decryption key may, to their own detriment, not be scrutinizing payment options and the URLs associated with the payment pages.

Please be reminded of the following:

  • Ransom payment does not guarantee the receipt of a decryption key.
  • The appearance of a ransom message on your device does not necessarily mean you’ve been infected with ransomware. The message may be a lie in an attempt to extort payment. The telltale sign of ransomware is encryption of files and replacement of file extensions. 
  • If you suspect your device has been infected with ransomware (e.g., you notice some of the file extensions of your documents have changed), immediately disconnect from the network and any other connected systems, such as cloud accounts and mounted systems, such as flash drives.
  • Alert your local IT Admin and the NYU IT Service Desk of the issue.
  • The best way to recover from ransomware is via a wipe of the device at issue and a restoration from back-ups. Before restoring from back-ups, confirm that ransomware did not spread to any mounted devices or connected systems.