Crypto-Malware Attacks

Beware of suspicious email attachments

Ransomware attacks have been reported by faculty and staff over the past few days.  This particular ransomware is spread through emails that carry an infected attachment, although visiting a compromised website can also be a source of infection.  Once a user opens an infected attachment, the ransomware encrypts the files on the computer and renames them with the extension “.lockey”.  It may also encrypt any network drives you have mapped (J and K drives, etc.).  If you notice that you have been infected by the ransomware, disconnect the computer from the network, leave it turned on, and contact the UTA Help Desk at 817-272-2208.
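The behaviour described above (many files renamed to “.lockey” in a short time, on local and mapped drives) is visible in file-server audit logs, and a simple rule can turn it into an alert that names the workstation to isolate. The following is an added example, not an OIT tool; the log format, the one-minute window and the five-rename threshold are assumptions, and the audit lines are constructed:

```python
"""Detect ransomware activity on a file server from audit logs (added example):
a burst of renames to the ".lockey" extension by one user is the signal, and the
alert names the workstation that should be pulled off the network."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_EXT = ".lockey"
WINDOW = timedelta(seconds=60)   # assumed tuning: renames are counted within one minute
THRESHOLD = 5                    # assumed tuning: this many .lockey renames trips the alert

# Constructed audit lines in an assumed format: timestamp,user,host,share,op,path
# (for RENAME, path is "old -> new"). Real file-server logs differ; adapt parse().
SAMPLE_LOG = """\
2016-03-01T09:14:02,jdoe,WS-1042,J,RENAME,J:/Grants/budget.xlsx -> J:/Grants/budget.xlsx.lockey
2016-03-01T09:14:02,jdoe,WS-1042,J,RENAME,J:/Grants/report.docx -> J:/Grants/report.docx.lockey
2016-03-01T09:14:03,asmith,WS-2201,K,WRITE,K:/Shared/notes.txt
2016-03-01T09:14:03,jdoe,WS-1042,K,RENAME,K:/Dept/roster.xlsx -> K:/Dept/roster.xlsx.lockey
2016-03-01T09:14:04,jdoe,WS-1042,K,RENAME,K:/Dept/syllabus.pdf -> K:/Dept/syllabus.pdf.lockey
2016-03-01T09:14:04,asmith,WS-2201,K,RENAME,K:/Shared/draft.docx -> K:/Shared/final.docx
2016-03-01T09:14:05,jdoe,WS-1042,J,RENAME,J:/Grants/photo.jpg -> J:/Grants/photo.jpg.lockey
2016-03-01T09:14:05,jdoe,WS-1042,J,RENAME,J:/Grants/README.txt -> J:/Grants/README.txt.lockey
2016-03-01T10:30:00,bwong,WS-0310,J,RENAME,J:/Misc/sample.bin -> J:/Misc/sample.bin.lockey
"""


def parse(line):
    ts, user, host, share, op, path = line.split(",", 5)
    return datetime.fromisoformat(ts), user, host, share, op, path


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per user whose .lockey renames reach `threshold` within `window`."""
    recent = defaultdict(deque)   # user -> (timestamp, share) of renames still inside the window
    alerts = {}                   # user -> alert; an alert fires once and is then enriched
    for line in lines:
        if not line.strip():
            continue
        ts, user, host, share, op, path = parse(line)
        if op != "RENAME" or " -> " not in path:
            continue
        if not path.split(" -> ", 1)[1].lower().endswith(RANSOM_EXT):
            continue
        q = recent[user]
        q.append((ts, share))
        while ts - q[0][0] > window:     # slide the window forward
            q.popleft()
        if user in alerts:
            alerts[user]["count"] += 1
            alerts[user]["shares"].add(share)
        elif len(q) >= threshold:
            alerts[user] = {"user": user, "host": host, "first_seen": q[0][0],
                            "count": len(q), "shares": {s for _, s in q}}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {alert['user']} on {alert['host']} renamed {alert['count']} files "
              f"to {RANSOM_EXT} on shares {sorted(alert['shares'])} since {alert['first_seen']}; "
              f"isolate {alert['host']} from the network")
```

On the sample, only jdoe trips the rule: six renames across the J and K shares within three seconds, all from WS-1042. The single rename by bwong stays below the threshold, which is the point of counting in a window rather than matching one event; the alert still carries the host name because, as the notice says, the first response is to take that machine off the network.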

All faculty, staff, and students are urged to:

  • Avoid clicking on any suspicious attachments in emails
  • Never click on links in emails that you’re not expecting. Signs that an email or website is not legitimate:
    • Sender’s address or website address does not match the organization listed in the content of the message.
    • Grammar in the message or website is poor.
    • Format of the email or website is poor or inconsistent with what you’ve seen from the organization.
    • Hovering your mouse over the links reveals web addresses inconsistent with the content of the message.
  • Ensure your computer has anti-malware software installed, configured, and set to update automatically
  • Keep your computer operating system and applications (web browsers, MS Office applications, Adobe Acrobat, etc.) patched and up-to-date
  • Ensure you have properly backed up your files.
    • UTA faculty and staff can use CrashPlan to automatically back up files on their computers.  Contact your department’s desktop support associate or the Help Desk at 817-272-2208 for installation assistance.
    • Other methods include copying files to network drives, using encrypted external drives (encrypted to prevent unauthorized access if the drive is lost), and, for faculty and staff, approved cloud storage such as UTA Box (https://uta.app.box.com).  Keep in mind that this ransomware also encrypts network drives that are mapped when the infection occurs, so a copy on your J or K drive is not by itself a safe backup; keep a copy the infected computer cannot overwrite, such as an external drive that is unplugged after the backup, or CrashPlan or Box, which retain earlier versions of files.  Contact the help desk for assistance in setting up your Box account, or go to http://www.uta.edu/oit/cs/software/box/up for more information.
  • Forward suspicious emails with attachments to phish@uta.edu as an attachment (rather than inline), so that the original headers are preserved.  This allows the Office of Information Technology and the Office of Information Security to evaluate the threat.

See the Information Security website for additional information and tips http://www.uta.edu/security/
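Two of the signs listed above, a sender address that does not match the organization named in the message and a link whose visible text differs from where it actually points, can be checked mechanically. The script below is an added example and is not UTA’s own tooling: it parses a message with the Python standard library, compares the From: domain against the organization the message claims to be from, and compares each link’s anchor text with its href. The two messages are constructed, the organization names and domain are parameters, and the “last two labels” domain comparison is a deliberate simplification (a real tool would consult the public suffix list).

```python
"""Heuristic phishing checks (added example, not UTA's own tooling):
flag a sender domain that does not match the organization named in the
message, and links whose visible text points somewhere other than the href."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages. The first imitates the university from an
# outside domain and hides its real link target behind a uta.edu-looking URL.
PHISH_EML = b"""From: "UTA Help Desk" <helpdesk@uta-support-desk.example>
To: student@mavs.uta.edu
Subject: Your mailbox is almost full
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your UT Arlington mailbox will be suspended. Reset it here:</p>
<p><a href="http://uta.edu.login-verify.example/reset">https://www.uta.edu/oit/reset</a></p>
<p>Thank you, <b>Office of Information Technology</b></p>
</body></html>
"""

LEGIT_EML = b"""From: "UTA OIT" <oit@uta.edu>
To: student@mavs.uta.edu
Subject: Scheduled maintenance
Content-Type: text/html; charset=utf-8

<html><body><p>See <a href="https://www.uta.edu/oit/">https://www.uta.edu/oit/</a>
for the UT Arlington maintenance window.</p></body></html>
"""

# Anchor text that looks like a URL or a bare host name, e.g. "www.uta.edu/oit"
URL_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]|$)")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels ('www.uta.edu' -> 'uta.edu'). A crude stand-in for a
    public-suffix lookup; good enough for these heuristics."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(raw, org_domains=("uta.edu",), org_names=("UTA", "UT Arlington")):
    """Return a list of findings; an empty list means no heuristic fired."""
    msg = message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    display, addr = parseaddr(str(msg.get("From", "")))
    findings = []

    # Sign 1: sender address vs. the organization the message claims to come from
    claims_org = any(n.lower() in (display + " " + body).lower() for n in org_names)
    sender_domain = registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    if claims_org and sender_domain not in org_domains:
        findings.append(f"sender domain {sender_domain!r} does not match the organization named in the message")

    # Sign 4: what the link shows vs. where it really goes
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        target = registrable_domain(host)
        shown = URL_LIKE.match(text)
        if shown and registrable_domain(shown.group(1)) != target:
            findings.append(f"link text shows {shown.group(1)!r} but points to {target!r}")
        if any(d in host and target != d for d in org_domains):
            findings.append(f"link host {host!r} imitates {org_domains[0]!r} but is served from {target!r}")
    return findings


if __name__ == "__main__":
    for name, eml in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        print(name, analyze(eml) or "no findings")
```

The phishing sample produces three findings (outside sender domain, anchor text that does not match the href, and a host name that starts with uta.edu but is served from another domain); the legitimate message produces none. These are heuristics, not proof: a message relayed through a vendor’s mail service will trip the sender check, and an attacker who uses a plain “click here” link avoids the anchor-text check entirely, which is why the hover-and-look advice above still matters.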

New Phone Scam

The Information Security Office wants to alert students, faculty, and staff to a type of phone scam called vishing (voice phishing), which uses fake caller-ID data to give the appearance that calls come from a trusted organization (such as UT Arlington). The caller tells people they owe money to the University and that a warrant has been issued for their arrest. The caller then demands immediate payment for the alleged debts.

University officials will not contact you in this manner or threaten arrest for non-payment of debts. You can verify any UT Arlington debt, including citations, by checking MyMav or visiting the Bursar directly.  Be aware that this is a type of social engineering, in which someone uses influence, deception, and persuasion to get information or money that would otherwise be unavailable to them; done for financial gain, it is fraud.

Caller ID is not proof of a caller’s identity. Do not trust an incoming call on the strength of Caller ID alone; make certain you know to whom you are speaking. If an incoming call from a supposedly legitimate organization asks for personal information of any kind, it is a scam. It is fraud. Period.

If you receive an unexpected call like this from someone claiming to be from UTA, DO NOT provide your credit card information.  If you have already fallen victim to such a call, contact the UT Arlington Police Department at 817-272-3381.  For information on preventing social engineering and theft, contact the ISO at security@uta.edu or call 817-272-5487.

For more information about Identity Theft, go to:

http://www.uta.edu/security/identity_theft/

For more information about Social Engineering, go to:

http://www.uta.edu/security/socialengineering/

Potential Increase in Malware Delivered by PDF and Office Attachments

The Information Security Office wants to make you aware that a number of vulnerabilities affecting Microsoft Office and Adobe Acrobat were disclosed this week. We have also been made aware that criminals are launching phishing campaigns that deliver malware (viruses, Trojans, worms, etc.) by attaching specially crafted documents (PDF, PowerPoint, and similar) to emails designed to bait recipients into opening them. If such a document is opened, the computer may be infected and may begin downloading additional malware.

The Office of Information Technology is aware of these vulnerabilities and is in the process of mitigating them by doing the following:

1. Updating the malware signatures on the email systems that deliver mail to @uta.edu and @mavs.uta.edu addresses, to block known malicious attachments.
2. Updating Microsoft Endpoint Protection (Windows) and McAfee Antivirus (Macintosh) to block known malware that exploits these vulnerabilities.
3. Updating Microsoft Office and Adobe Acrobat products on computers that have the standard OIT image.
4. Patching servers under OIT’s care that would be vulnerable if malware entered our network.

Additionally, the Information Security Office has implemented blocks on the Intrusion Prevention System for known network traffic associated with exploitation of these vulnerabilities.

As with all anti-malware software and network protections, vendors are constantly adjusting and improving their detection capabilities, but they are often playing catch-up with the latest techniques criminals use to evade detection. Please alert your staff to be vigilant and to follow these general tips to avoid infection:

  • Do not open email attachments from unknown or untrusted sources.
  • Do not visit untrusted websites or follow links provided by unknown or untrusted sources, especially in email.
  • Ensure that computers and servers are protected:
    • Keep the operating system, applications, and essential software up to date to mitigate potential exploitation by attackers.
    • Make sure all anti-virus products have up-to-date signatures.
    • Ensure that a properly configured firewall is enabled on the computer or server.

If you are not sure whether your UTA computer is fully protected, please contact the OIT help desk or your Desktop Support Associate.
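Signature updates on the mail gateway (item 1 above) catch known samples; a complementary check is static triage of the attachment itself, which flags documents that declare the ability to run code when opened regardless of whether they match a signature. The script below is an added example and is not OIT’s gateway code: it looks for the PDF name objects that trigger actions (/OpenAction, /AA, /JavaScript, /JS, /Launch, /EmbeddedFile), for a VBA project or embedded OLE objects inside an Office Open XML container, for the legacy binary Office format, and for a file whose contents do not match its extension. The sample attachments are constructed in the code.

```python
"""Static triage of PDF and Office attachments (added example, not OIT's gateway
code): look for the markers that let a document run code when opened, and for
a file whose contents do not match its extension."""
import io
import re
import zipfile

# PDF name objects that make a document execute something when it is opened
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile)\b")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # legacy .doc/.xls/.ppt container
EXPECTED_KIND = {"pdf": "pdf", "docx": "ooxml", "docm": "ooxml", "xlsx": "ooxml",
                 "xlsm": "ooxml", "pptx": "ooxml", "pptm": "ooxml",
                 "doc": "ole2", "xls": "ole2", "ppt": "ole2"}


def inspect_attachment(name, data):
    """Return (verdict, findings); verdict is 'block', 'review' or 'allow'."""
    findings = []   # (severity, message)
    if data.startswith(b"%PDF"):
        kind = "pdf"
        hits = sorted({m.group(1).decode() for m in PDF_ACTIVE.finditer(data)})
        if hits:
            findings.append(("block", "PDF declares active content: " + ", ".join(hits)))
    elif data.startswith(b"PK\x03\x04"):
        kind = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                parts = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            parts = []
            findings.append(("review", "zip container is malformed"))
        if any(p.endswith("vbaproject.bin") for p in parts):
            findings.append(("block", "Office document carries a VBA macro project"))
        if any("/embeddings/" in p for p in parts):
            findings.append(("review", "Office document embeds OLE objects"))
    elif data.startswith(OLE2_MAGIC):
        kind = "ole2"
        findings.append(("review", "legacy binary Office format; macros cannot be "
                                   "ruled out without parsing the OLE streams"))
    else:
        kind = "other"

    ext = name.lower().rpartition(".")[2]
    expected = EXPECTED_KIND.get(ext)
    if expected and expected != kind:
        findings.append(("block", f"extension .{ext} does not match content ({kind})"))

    severities = {s for s, _ in findings}
    verdict = "block" if "block" in severities else "review" if "review" in severities else "allow"
    return verdict, [msg for _, msg in findings]


def build_docx(with_macro):
    """Constructed minimal OOXML container (real files carry many more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\0" * 8)
    return buf.getvalue()


# Constructed PDFs: one runs JavaScript on open, one contains nothing active
MALICIOUS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                 b"2 0 obj << /S /JavaScript /JS (app.launchURL('http://example.invalid/')) >> endobj\n"
                 b"%%EOF\n")
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    samples = [("invoice.pdf", MALICIOUS_PDF), ("memo.pdf", CLEAN_PDF),
               ("report.docx", build_docx(True)), ("notes.docx", build_docx(False)),
               ("invoice.pdf", build_docx(False)), ("old.doc", OLE2_MAGIC + b"\0" * 16)]
    for name, data in samples:
        verdict, findings = inspect_attachment(name, data)
        print(f"{name:12s} {verdict:6s} {'; '.join(findings)}")
```

A “block” here is reliable, an “allow” is not: PDF objects are frequently stored inside compressed object streams, and names can be written with hex escapes (/J#61vaScript), so a byte-level scan misses them. That is the catch-up problem the notice describes, and the reason the user-side advice below still applies even with gateway filtering in place.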

New Windows Vulnerability

The Microsoft Security Advisory (found here) describes a new, unpatched vulnerability in all currently supported versions of Windows except Server 2003. Successful exploitation of this vulnerability would give an attacker the same rights on the machine as the current user.

Exploitation requires the user to open a specially crafted Microsoft Office document. Researchers are seeing targeted attacks that use this technique.

Prevention: standard behavior rules apply:

  • Don’t open attachments from unknown sources
  • Don’t click on suspicious links in email

New SSLv3 Vulnerability

Also known as “POODLE”, this vulnerability could allow an attacker to steal web site login information or payment data. The remedy is to disable SSLv3 on servers and in browsers; the Google post referenced below also describes TLS_FALLBACK_SCSV, which stops an attacker from forcing a connection that supports TLS to fall back to SSLv3.

“A vulnerability exists within the SSL version 3.0 protocol… allowing an attacker to hijack and decrypt session cookies that are utilized between a user’s web browser and the web site. This could lead to attackers obtaining enough information to temporarily impersonate web site visitor account logins and/or online payment systems.”
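The quoted description can be made concrete. The program below is an added example, not part of the advisory or its references: it models the SSLv3 record layer with CBC mode and the protocol’s padding rule, in which only the final pad-length byte is checked and the other padding bytes are ignored, and then runs the POODLE manipulation against it. Everything that is not the padding rule is simplified and should be read as an assumption: an 8-byte Feistel cipher built from HMAC stands in for a real block cipher, the MAC is truncated to 8 bytes, each record gets an explicit random IV rather than SSLv3’s chained IV, and the attacker is assumed to know the cookie length and to control the request path length (which in the real attack injected JavaScript provides) while sitting in the middle to rewrite records. The `strict_padding` option models the TLS 1.0 rule that every padding byte must equal the length byte.

```python
"""Toy model of the POODLE padding oracle (added example, not from the advisory):
an 8-byte Feistel cipher stands in for a real block cipher, with a truncated HMAC
and explicit random IV. Faithful part: SSLv3 checks only the padding-length byte,
so a MITM who swaps the padding block for a cookie block learns one byte per accept."""
import hashlib
import hmac
import random

B, MACLEN, ROUNDS = 8, 8, 4
COOKIE = b"SID=3k9p"   # constructed secret the attacker wants to read

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):   # Feistel round function: truncated HMAC of (round, half-block)
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:B // 2]

def block_encrypt(key, blk):
    l, r = blk[:B // 2], blk[B // 2:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:B // 2], blk[B // 2:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), B):
        prev = block_encrypt(key, _xor(pt[i:i + B], prev))
        out.append(prev)
    return iv + b"".join(out)

def cbc_decrypt(key, ct):
    c = [ct[i:i + B] for i in range(0, len(ct), B)]
    return b"".join(_xor(block_decrypt(key, cur), prev) for prev, cur in zip(c, c[1:]))

class Endpoint:
    """Browser side (encrypt_request) and server side (accept) of one toy SSLv3 session.
    strict_padding=True models the TLS 1.0 rule: every padding byte equals the length byte."""
    def __init__(self, rng, cookie, strict_padding=False):
        self.rng, self.cookie, self.strict = rng, cookie, strict_padding
        self.key, self.mac_key = self._rand(16), self._rand(16)

    def _rand(self, n):
        return bytes(self.rng.getrandbits(8) for _ in range(n))

    def encrypt_request(self, prefix_len, suffix_len):
        """Attacker-chosen path lengths surround the cookie, as injected JavaScript would arrange."""
        content = b"A" * prefix_len + self.cookie + b"B" * suffix_len
        mac = hmac.new(self.mac_key, content, hashlib.sha256).digest()[:MACLEN]
        padlen = B - (len(content) + MACLEN) % B            # 1..B bytes, the last one is the length
        fill = bytes([padlen - 1]) * (padlen - 1) if self.strict else self._rand(padlen - 1)
        return cbc_encrypt(self.key, self._rand(B), content + mac + fill + bytes([padlen - 1]))

    def accept(self, ct):
        pt = cbc_decrypt(self.key, ct)
        padlen = pt[-1] + 1
        if padlen > B or (self.strict and any(x != pt[-1] for x in pt[-padlen:])):
            return False
        content, mac = pt[:-padlen - MACLEN], pt[-padlen - MACLEN:-padlen]
        return hmac.compare_digest(mac, hmac.new(self.mac_key, content, hashlib.sha256).digest()[:MACLEN])

def poodle_recover(ep, cookie_len, max_tries=20000):
    """MITM loop: align cookie byte j with the end of a block and make content+MAC fill whole
    blocks (so the last block is pure padding), then replace that padding block with the
    cookie's block until the server accepts (probability 1/256 per fresh record)."""
    out = bytearray()
    for j in range(cookie_len):
        prefix = (B - 1 - j) % B
        suffix = (-(prefix + cookie_len + MACLEN)) % B
        t = (prefix + j) // B + 1          # ciphertext block holding cookie byte j (c[0] is the IV)
        for _ in range(max_tries):
            ct = ep.encrypt_request(prefix, suffix)
            c = [ct[i:i + B] for i in range(0, len(ct), B)]
            n = len(c) - 1                 # index of the all-padding block
            if ep.accept(b"".join(c[:n] + [c[t]])):
                # accepted => D(c[t])[-1] ^ c[n-1][-1] == B-1, and P_t[-1] == D(c[t])[-1] ^ c[t-1][-1]
                out.append((B - 1) ^ c[n - 1][-1] ^ c[t - 1][-1])
                break
        else:
            raise RuntimeError(f"no accepted record for byte {j}: padding bytes are being checked")
    return bytes(out)

def make_endpoint(seed, strict_padding=False):
    return Endpoint(random.Random(seed), COOKIE, strict_padding)

def demo(seed=1):
    return poodle_recover(make_endpoint(seed), len(COOKIE))

if __name__ == "__main__":
    print(demo())
```

Running `demo()` recovers the whole constructed cookie with roughly 256 records per byte, which matches the cost of the real attack. Against the `strict_padding` endpoint the same loop never gets an accepted record, because a forged last block would have to decrypt to a full block of correct padding bytes rather than one correct length byte; that is why checking the padding (as TLS requires) closes this oracle, and why TLS implementations that skipped the check were later found to be affected as well.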

REFERENCES:

Google: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
WIRED: http://www.wired.com/2014/10/poodle-explained/
SANS: https://isc.sans.edu/forums/diary/OpenSSL+SSLv3+POODLE+Vulnerability+Official+Release/18827