Warning! Global WannaCry Ransomware Attack – What You Can Do To Prevent Infection

As has been reported in the media, there currently is a global ransomware attack (called WannaCry or WannaCryptor) that has affected computers worldwide. UT Arlington is currently not affected and both IT and Security teams are actively working this weekend to minimize the impact of an attack.

What you should know:

  • This malware affects all unpatched Microsoft Windows versions (from Windows 98 through Windows 10). Microsoft released patches for this in March through normal Windows Update.
  • Macintosh and Linux operating systems are not affected at this time.
  • The malware is initially delivered as an attachment or a link to a compressed .zip file. Unsuspecting victims who open the file on an unpatched computer are infected and the malware begins to encrypt files on the computer.
  • In addition to encrypting files, the malware looks for other computers on the network to infect, spreading itself within a vulnerable organization.

What UTA IT Security has done so far:

  • An initial patch for the vulnerability was released in March and was installed on OIT managed Windows computers in the ARDC and on campus. Additional patches were released over the weekend.
  • Our Intrusion Prevention System has been updated to prevent direct attacks from the internet.
  • Our email system has been configured to quarantine compressed .zip files (that are manually inspected and released by OIT).
  • OIT has implemented protections on the file server to protect against encrypted files being placed on it.
  • OIT has verified that backups are running on the file servers (K: and J: drives) in the event of infection.
  • OIT has made available CrashPlan to back up data on computers.

What you should do:

  • Do not click on suspicious links or attachments received in your personal or UTA email. To learn about Ransomware: http://www.uta.edu/security/ransomware/
  • If your UTA computer is managed by OIT and has not been turned on in a while, turn it on and reboot it when prompted.
  • If you are running an old version of Windows that is no longer supported (such as Windows 98 through Windows 8, Windows Server 2008, 2013, etc.), Microsoft has released a patch, available at: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
  • Make sure that your home computer’s operating system and antivirus are up to date.
  • Do not open shared documents (e.g. Box, Dropbox, Google Drive, etc.) that you are not expecting.

If your UTA computer becomes infected, disconnect it from the network immediately. Please send email to helpdesk@uta.edu to report the infection.

Advisory: Malware Delivered by Email

Please be aware that several individuals at UT Arlington have reported receiving email messages with an attached “.zip” file that contains hidden malware (malicious software).

The malware appears to be ransomware (a CryptoLocker variant) – it will encrypt files on the infected computer as well as network drives. The email subject line is not consistent and may be one of the following:

  • Commission
  • Please find attached invoice no: <<random number>>

Your Actions:

  • If you receive a suspicious or unexpected email similar to the description above, do not open the attachment.  Instead, we ask you to send the email as an attachment to spam@uta.edu for analysis.
  • If you are expecting a legitimate email with an attached zip file, you will need to manually release it from quarantine. The email system should notify you of emails being placed in quarantine, or you can log in to https://quarantine.uta.edu/ to check quarantined mail.  Please do not restore and open any suspicious or unexpected attachments you may find within the quarantine.
  • If you received the message and opened the attachment, please contact OIT help desk for assistance.

To learn about Ransomware:
http://www.uta.edu/security/ransomware/

To learn about Phishing:
http://www.uta.edu/security/phishing/

Example 1 of the message:

From: document@uta.edu [mailto:document@uta.edu]
Sent: Monday, August 29, 2016 5:58 AM
To: <<recipient>>
Subject: Please find attached invoice no: 6862055379

Attached is a Print Manager form.

Format = Portable Document Format File (PDF)
________________________________

Disclaimer

This email/fax transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient, you must not copy, distribute or disseminate the information, or take any action in reliance of it. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of any organisation or employer. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. For email transmissions please rely on your own virus check no responsibility is taken by the sender for any damage rising out of any bug or virus infection.

End of Example 1

Example 2 of the message:

From: <<random name and email address>>
Sent: Monday, August 29, 2016 4:12 AM
To: <<recipient>>
Subject: Commission

Good morning <<name of recipient>>

Here is the excel file of the commission you earned last month. Please analyze the attachment to confirm the amount.

Regards,

<<Random Name>>

End of Example 2
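
The two indicators this advisory describes (the reported subject lines and a zip attachment) can be checked mechanically before a message reaches an inbox. The following is an added example, not the configuration of UTA's mail system; the function names, addresses and sample attachments are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Subject lines reported in the advisory; the invoice number varies.
CAMPAIGN_SUBJECTS = [
    re.compile(r"^Commission$", re.I),
    re.compile(r"^Please find attached invoice no: \d+$", re.I),
]
ZIP_MAGIC = b"PK\x03\x04"  # local file header at the start of a ZIP archive

def triage(raw_message):
    """Return the reasons a message should be held for manual review."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip()
    if any(p.match(subject) for p in CAMPAIGN_SUBJECTS):
        reasons.append("subject matches reported campaign")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(".zip"):
            reasons.append("zip attachment: " + name)
        elif data.startswith(ZIP_MAGIC):
            # Renamed archive. Office .docx/.xlsx files are ZIP containers
            # too, so treat this as a review signal, not a verdict.
            reasons.append("zip content under another name: " + name)
    return reasons

def build_sample(subject, filename, data):
    """Build a constructed test message (sender and recipient are made up)."""
    m = EmailMessage()
    m["From"] = "sender@mail.example"
    m["To"] = "recipient@campus.example"
    m["Subject"] = subject
    m.set_content("Attached is a Print Manager form.")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()
```

An empty list means neither indicator was present; it does not mean the message is safe.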

 

Holiday Season Cyber Scams and Malware Campaigns

As we approach the holidays, the Information Security Office (ISO) would like to remind the UT Arlington community to be aware of seasonal scams, phishing and malicious software (malware) distribution campaigns.

Every year, cyber criminals take advantage of the increase in online purchases and electronic seasonal greeting cards to trick victims into believing they’ve received packages or personal messages. They often use multiple methods to attract victims, such as posing as legitimate websites and/or using fraudulent emails that are crafted to look legitimate; they steal the logos, email or web templates of legitimate businesses (e.g. FedEx, DHL, UPS, Amazon.com, etc.) in an effort to entice victims into clicking links or opening attachments.

These phishing and malware campaigns may come in the form of:

  • Fake shipping/courier notifications.
  • Electronic greeting cards or links to holiday screensavers or other forms of media.
  • Requests for charitable contributions that may appear to be for legitimate causes but originate from illegitimate sources claiming to be charities.
  • Credit card or gift card applications or enticing discounts in online shopping advertisements that lead to websites you’re unfamiliar with.

In addition, be aware of social engineers who may call you on your personal or work phone using a themed pretext (holiday offers, package pickup, etc.).

Don’t be a victim!  The ISO advises caution when you encounter these types of email messages or websites by:

  • Looking for tell-tale signs that a website or email is not legitimate:
    • The sender’s address or website address does not match the organization listed in the content of the message.
    • The grammar in the message or website is poor.
    • The format of the email or website is poor or inconsistent with what you’re used to seeing from the organization.
    • Hovering over the links with your mouse reveals a web address inconsistent with the content of the message.

  • Never clicking on links in emails that you’re not expecting.
  • Never opening attachments in emails that you’re not expecting.
  • Never providing your personal information in an email or on a website unless you are completely sure.
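
Two of the tell-tale signs above (a link that goes somewhere other than what it displays, and a sender whose domain does not match the organization shown) can be checked automatically on an HTML message. This is an added example, not a tool provided by the ISO; the function names and the sample message are constructed, and all domains use the reserved .example TLD.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain_of(url_or_host):
    """Registrable domain, approximated as the last two labels (assumption:
    real tooling should consult the Public Suffix List instead)."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    host = (urlsplit(url_or_host).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def suspicious_links(html, sender_address):
    """Return (kind, shown_domain, other_domain) for each warning sign."""
    sender = domain_of(sender_address.rsplit("@", 1)[-1])
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not re.match(r"^(https?://|www\.)\S+$", text, re.I):
            continue  # text is not a URL, so nothing to compare against
        shown, target = domain_of(text), domain_of(href)
        if shown != target:   # what hovering over the link would reveal
            findings.append(("hover mismatch", shown, target))
        if shown != sender:   # sender does not match the named organization
            findings.append(("sender mismatch", shown, sender))
    return findings

# Constructed sample message body and sender (not taken from a real email).
SAMPLE_HTML = ('<p>Your parcel: <a href="http://login.delivery-update.example/'
               'track">www.courier.example/track</a></p>')
SAMPLE_SENDER = "notice@mail.other.example"
```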

The United States Computer Emergency Readiness Team encourages users and administrators to use caution when encountering these types of email messages and take the following preventative measures to protect themselves from phishing scams and malware campaigns:

Potential Increase in Malware Delivered by PDF and Office Attachments

The Information Security Office wants to make you aware that a number of vulnerabilities affecting Microsoft Office and Adobe Acrobat were disclosed this week. Furthermore, we have been made aware that savvy criminals are launching phishing campaigns to deliver malware (such as viruses, Trojans, worms, etc.) by sending specially crafted documents (like PDF, PowerPoint) attached to crafted email designed to bait recipients into opening the documents. If the document is opened, the computer may be infected and may begin downloading other malware.

The Office of Information Technology is aware of these vulnerabilities and is in the process of mitigating them by doing the following:

1. Updating the malware signatures on the email systems that deliver email to @uta.edu and @mavs.uta.edu addresses to block known attachments that might be infected.
2. Updating Microsoft Endpoint Protection (Windows) and McAfee Antivirus (Macintosh) to block known malware that might exploit this vulnerability.
3. Updating Microsoft Office and Adobe Acrobat products on computers that have the standard OIT image.
4. Patching vulnerable servers under their care that might be vulnerable if malware entered our network.

Additionally, the Information Security Office has implemented blocks on the Intrusion Prevention System for known communication that might exploit these vulnerabilities.

As is the nature with all anti-malware software or network protections, and while anti-malware vendors are constantly adjusting and improving detection capabilities, they are often playing catch-up with the latest techniques used by criminals to evade threat detection technology. As such I encourage you to alert your staff to be vigilant and to follow these general tips to avoid infection:

  • Do not open email attachments from unknown or untrusted sources
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources, especially email.
  • Ensure that computers and servers are protected:
    • Keep all operating systems, applications and essential software up to date to mitigate potential exploitation by attackers.
    • Make sure all AV products are up-to-date with their signatures.
    • Ensure that there is a properly configured firewall enabled on the computer or server.

If you are not sure whether your UTA computer is fully protected, please contact the OIT help desk or your Desktop Support Associate.

“BadUSB” Exploit

A new exploit called BadUSB has hit the internet and poses a security threat based on USB devices.  Instructions and applications to create infected USB devices are available on the internet.  The exploit is installed into the USB device’s firmware, where it runs automatically when the device is plugged into a computer system.  The firmware is the set of “instructions” used by the USB device to start up and be read by your computer.  Current anti-malware software does not read this area of devices and is unable to protect from this exploit.  The anti-malware may be able to recognize the malware activity once it starts and protect the computer and data, so keep your anti-malware up to date.

Since this exploit requires a user to insert a USB device that has been created to allow this exploit, be careful of free USB drives, found USB drives, and USB devices from unknown or suspicious sources, and always lock your computer when you leave your desk.

Additional information on BadUSB can be found at http://mashable.com/2014/10/03/how-can-you-avoid-badusb/ or https://srlabs.de/badusb/