From cybersecurity at lists.onenet.net Thu May 4 08:28:40 2017
From: cybersecurity at lists.onenet.net (OneNet Security)
Date: Thu, 4 May 2017 13:28:40 +0000
Subject: [CyberSecurity] Beware Google phishing attacks!!
Message-ID:

PLEASE BE AWARE OF THIS PHISHING CAMPAIGN. Here is how it works.

The email body states "[name] has invited you to view the following document:" and includes a link to "Open in Docs". The link opens to a legitimate Google login page.

* Once the recipients enter their credentials or select an account, a permissions box for a fraudulent application hosted at hxxps://googledocs[.]g-docs[.]win requests access to the user's address book and email.
* Once the victim clicks "Allow" this provides the attacker access to their email account and address book but not their calendar. The attacker can then send phishing emails to other targets from the compromised account.

So you see, if you opened and clicked and then clicked Allow, these attacks could ensue under your name and you should change your Google password immediately.

Thank you all so much for your good reports and staying smart and aware.

Barbara McCrary
Chief Information Security Officer
MCSE, MCSE:Security, +Messaging, CompTia:Security+
bmccrary at osrhe.edu

Protecting data is a shared responsibility!
INSTALL antivirus and antispyware software.
USE strong passwords.
KNOW who you are dealing with online.
STORE confidential and sensitive data on encrypted devices only.
SHUT DOWN home computers or disconnect from the Internet when not in use.

Oklahoma State Regents for Higher Education
655 Research Parkway Suite 200
Oklahoma City, OK 73104
405 225.9316 office
405 234.4321 cell
405 234.4588 fax

Note: This communication and attachments, if any, are intended solely for the use of the addressee hereof. In addition, this information and attachments, if any, may contain information that is confidential, privileged and exempt from disclosure under applicable law, including, but not limited to, the Privacy Act of 1974. If you are not the intended recipient of this information, you are prohibited from reading, disclosing, reproducing, distributing, disseminating, or otherwise using this information. If you have received this message in error, please promptly notify the sender and immediately delete this communication from your system.

___________________________________________________
Chris Kosciuk
Information Security
Oklahoma State Regents for Higher Education / OneNet
655 Research Parkway Suite 200
Oklahoma City, OK 73104
405 225.9440 office
ckosciuk at osrhe.edu

From cybersecurity at lists.onenet.net Thu May 4 15:34:14 2017
From: cybersecurity at lists.onenet.net (OneNet Security)
Date: Thu, 4 May 2017 20:34:14 +0000
Subject: [CyberSecurity] Corrected remediation info - Beware Google phishing attacks!!
Message-ID:

All,

Ian Koetter with OU has provided the following information, which is the correct action any compromised user should take to revoke permissions. Thanks Ian!

It is said that Google has remediated the application in their web services already, but:

Changing your password has little effect in this case because you granted permissions for access to your contacts list. Google account passwords were not compromised.

To remediate, you will need to go to https://myaccount.google.com/u/0/permissions?pli=1 and remove the "google docs" application API permissions, if it still exists.

https://isc.sans.edu/diary/22372

If you have users who were caught by this phishing campaign and compromised, please provide the above information to them, so they can correctly remediate the compromise.

Best,
Barbara McCrary
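An admin-side complement to the self-service revocation page above, added here as an example and not part of either list message: triage of a user's third-party OAuth grants as they come back from Google's Admin SDK Directory `tokens.list` (each item carries `clientId`, `displayText` and `scopes`). It goes beyond the page by turning "remove the google docs app" into a rule for any grant that pairs mail and contacts scopes; the scope lists, the impersonated-name list, the placeholder client ids and the sample data are my assumptions.

```python
# Scope URLs for the two permissions the advisory says the rogue "Google Docs" app requested
# (email and address book). The strings are Google's; which ones to watch is my selection.
MAIL_SCOPES = {"https://mail.google.com/",
               "https://www.googleapis.com/auth/gmail.readonly",
               "https://www.googleapis.com/auth/gmail.modify"}
CONTACT_SCOPES = {"https://www.googleapis.com/auth/contacts",
                  "https://www.googleapis.com/auth/contacts.readonly",
                  "https://www.google.com/m8/feeds/"}
# Names the lure borrowed; a third-party client has no business using them for these scopes.
IMPERSONATED_NAMES = {"google docs", "google drive", "google"}


def suspicious_grants(tokens, trusted_client_ids=frozenset()):
    """tokens: dicts shaped like Admin SDK Directory tokens.list items
    ({'clientId', 'displayText', 'scopes'}). Returns grants worth revoking, with reasons.
    trusted_client_ids is an allowlist for vetted integrations (e.g. a sanctioned CRM)."""
    flagged = []
    for tok in tokens:
        if tok["clientId"] in trusted_client_ids:
            continue
        scopes = set(tok.get("scopes", []))
        has_mail, has_contacts = bool(scopes & MAIL_SCOPES), bool(scopes & CONTACT_SCOPES)
        reasons = []
        if has_mail and has_contacts:
            reasons.append("asks for both mail and contacts (what the campaign used to spread)")
        if tok.get("displayText", "").strip().lower() in IMPERSONATED_NAMES and (has_mail or has_contacts):
            reasons.append("third-party client using a Google product name")
        if reasons:
            flagged.append({"clientId": tok["clientId"],
                            "displayText": tok.get("displayText"), "reasons": reasons})
    return flagged


# Constructed sample (placeholder client ids, not real ones) in the shape of a tokens.list response.
SAMPLE_TOKENS = [
    {"clientId": "000000000001-lure.apps.googleusercontent.com", "displayText": "Google Docs",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"clientId": "000000000002-cal.apps.googleusercontent.com", "displayText": "Calendar Sync",
     "scopes": ["https://www.googleapis.com/auth/calendar"]},
    {"clientId": "000000000003-crm.apps.googleusercontent.com", "displayText": "Acme CRM",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/contacts.readonly"]},
]

if __name__ == "__main__":
    # An admin would follow each hit with Directory API tokens.delete(userKey, clientId).
    for hit in suspicious_grants(SAMPLE_TOKENS, trusted_client_ids={SAMPLE_TOKENS[2]["clientId"]}):
        print(hit["displayText"], hit["clientId"], hit["reasons"])
```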
From cybersecurity at lists.onenet.net Fri May 12 16:38:14 2017
From: cybersecurity at lists.onenet.net (OneNet Security)
Date: Fri, 12 May 2017 16:38:14 -0500
Subject: [CyberSecurity] Cyber Awareness - Ransomware Spreading Globally
Message-ID:

A ransomware campaign is currently spreading globally. Please review the US-CERT advisory and alert users on the increase in cyber threats.

Recommendations:
- Close ports 22, 23, 3389, TCP 139 & 145/UDP 137 & 138
- Verify Microsoft patch is applied (MS17-010).
- Have good/tested data backups (preferably not connected to the network).

Thanks,
CK

Chris Kosciuk
Information Security
Oklahoma State Regents for Higher Education / OneNet
655 Research Parkway Suite 200
Oklahoma City, OK 73104
405 225.9440 office
ckosciuk at osrhe.edu

>>>>>>>>>>>>>>>>>>>>>>>>>>>
US-CERT has received multiple reports of WannaCry ransomware infections in several countries around the world. Ransomware is a type of malicious software that infects a computer and restricts users' access to it until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee access will be restored.

Ransomware spreads easily when it encounters unpatched or outdated software. The WannaCry ransomware may be exploiting a vulnerability in Server Message Block 1.0 (SMBv1). For information on how to mitigate this vulnerability, review the US-CERT article on Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010. Users and administrators are encouraged to review the US-CERT Alert TA16-091A to learn how to best protect against ransomware. Please report any ransomware incidents to the Internet Crime Complaint Center (IC3).

https://www.us-cert.gov/ncas/current-activity/2017/05/12/Multiple-Ransomware-Infections-Reported
From cybersecurity at lists.onenet.net Sat May 13 10:17:47 2017
From: cybersecurity at lists.onenet.net (OneNet Security)
Date: Sat, 13 May 2017 15:17:47 +0000
Subject: [CyberSecurity] Fwd: Security Notice: Ransomware Campaign
In-Reply-To: <17960810.1500@info.omes.ok.gov>
References: <17960810.1500@info.omes.ok.gov>
Message-ID:

See below what OMES shared.

Thanks,
Gaitha

---------- Forwarded message ---------
From: Office of Management and Enterprise Services <servicedesk at info.omes.ok.gov>
Date: Fri, May 12, 2017 at 11:15 PM
Subject: Security Notice: Ransomware Campaign
To:

DATE(S) ISSUED: 12 May 2017

SUBJECT: Ransomware Campaign

ORIGINAL OVERVIEW: According to numerous open-source reports, a widespread ransomware campaign is impacting organizations in as many as 16 countries. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered this morning by an independent security researcher and has spread rapidly over the course of several hours, with initial reports beginning around 4:00 AM EDT. Initial reports indicate that the hacker or hacking group behind this campaign are gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability for which Microsoft released a patch on March 14, 2017.

THREAT INTELLIGENCE: Vulnerability is currently being exploited in 16 countries.

SYSTEMS AFFECTED:
- Windows XP
- Windows Vista
- Windows 7
- Windows 8
- Windows 10
- Windows Server 2003
- Windows Server 2008
- Windows Server 2012

RISK:
Government:
- Large and medium government entities: High
- Small government entities: High
Home Users: High

TECHNICAL SUMMARY: This exploit is a self-replicating payload that allows the ransomware to spread virally from vulnerable machine to machine without requiring users to open emails, click on links, or take any other sort of action.

RECOMMENDATIONS:
- Organizations should close ports 22, 23, 3389, TCP 139 & 145/UDP 137 & 138, and ensure the aforementioned SMB patch (MS17-010) was applied.
- Additionally, we recommend all organizations implement a robust data backup process that safeguards any data considered valuable or critical to the organization. Data backups must be stored offline—disconnected from the network—and tested regularly to confirm their integrity.
- Update antivirus definitions.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from un-trusted sources.
- Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

Microsoft:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148

May 12 – UPDATED REFERENCES:

Open-Source News:
http://www.wired.co.uk/article/wanna-decryptor-ransomware
https://www.theregister.co.uk/2017/05/12/nhs_hospital_shut_down_due_to_cyber_attack/

If you have questions or concerns, please contact the OMES Service Desk.

OMES Service Desk
405-521-HELP
866-521-2444 (toll free)
ServiceDesk at omes.ok.gov
Contact us anytime. We are available 24 hours a day, seven days a week.

Oklahoma Office of Management and Enterprise Services · 2300 N. Lincoln Blvd. Room 122 · Oklahoma City, OK 73105 · (405) 521-2141

--
Thanks,
Gaitha

Gaitha Milligan
Norman Public Schools Technology Services
Instructional Services Center (ISC)
4100 N Flood Ave
Norman, OK 73069
phone (405) 366-5810
fax (405) 573-5805
email: gaitham at norman.k12.ok.us

This email, including any attachments, is intended only for the use of the individual to which it is addressed and may contain confidential information that is legally privileged and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any review, use, disclosure, distribution or copying of this communication is strictly prohibited. If you have received this email in error, please notify me immediately.

From cybersecurity at lists.onenet.net Mon May 15 10:41:09 2017
From: cybersecurity at lists.onenet.net (OneNet Security)
Date: Mon, 15 May 2017 15:41:09 +0000
Subject: [CyberSecurity] Cybersecurity Update: Global Ransomware Campaign (WannaCry)
Message-ID:

DATE: 5/15/2017
SUBJECT: Cybersecurity Update: Global Ransomware Campaign (WannaCry)

OVERVIEW: A global ransomware campaign has affected many organizations initially by exploiting a vulnerability in the SMBv1 protocol. This ransomware variant is known as WannaCry or Wanna Decryptor. Organizations should remain vigilant in implementing best practices and recommendations regardless of perceived slowdowns in the spread of this ransomware variant.

OneNet UPDATE: OneNet is continuing to monitor traffic and is available for outreach assistance as needed.

BEST PRACTICE SECURITY RECOMMENDATIONS:
* Organizations should close ports 22, 23, 3389, TCP 139 & 145/UDP 137 & 138.
* Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing (MS17-010).
  o Microsoft released patches for Windows systems no longer receiving mainstream support that mitigate the SMB vulnerabilities.
* Disable SMBv1 on all systems and utilize SMBv2 or SMBv3 after appropriate testing.
* Implement Principle of Least Privilege across all systems and services.
* Ensure endpoint security/antivirus definitions are updated. If endpoint security/antivirus is not in place, this should be one of your immediate priorities along with patching.
* Maintain cyber awareness across the organization and remind users not to visit untrusted websites or open emails from un-trusted or unknown senders.
* Have good/tested data backups (preferably not connected to the network).

REFERENCES:
http://blog.talosintelligence.com/2017/05/wannacry.html
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

ENDPOINT SECURITY:
https://www.symantec.com/products/endpoint-hybrid-cloud-security/endpoint/endpoint-protection
https://www.malwarebytes.com/
http://www.cisco.com/c/en/us/products/security/fireamp-endpoints/index.html
https://www.paloaltonetworks.com/resources/datasheets/endpoint-protection.html

April Goode MBA SPP
Director of OneNet Strategic Planning and Communications
Learn how OneNet powers weather prediction at the National Weather Center.
Oklahoma State Regents for Higher Education
655 Research Parkway Suite 200
Oklahoma City, OK 73104
P 405.225.9251
F 405.225.9250
Toll-free 888.5.ONENET
april at onenet.net
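To turn the port recommendation repeated across these messages into a check an admin can run per host, here is an added example (mine, not OneNet's, OMES's or US-CERT's): it parses Windows `netstat -an` output and reports which of the advisory's ports are actually listening and on which interface. The sample netstat text is constructed, and I add TCP 445, the port SMB uses directly, on the assumption that the advisories' "145" is a typo for it.

```python
# Ports the OneNet/OMES/US-CERT messages ask to have closed. TCP 445 is my addition: it is the
# port SMB uses directly, and I read the advisories' "145" as a typo for it.
ADVISORY_PORTS = {"TCP": {22, 23, 139, 445, 3389}, "UDP": {137, 138}}


def exposed_listeners(netstat_text, watch=ADVISORY_PORTS):
    """Parse Windows `netstat -an` output and return the watched ports that are actually open,
    as (proto, bind_address, port) tuples. A bind address of 0.0.0.0 or :: means every interface."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue                                  # header, blank or unrelated line
        proto, local = parts[0], parts[1]
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue                                  # established/time-wait sockets are not listeners
        addr, _, port = local.rpartition(":")         # rpartition keeps IPv6 addresses intact
        if not port.isdigit():
            continue
        if int(port) in watch[proto]:
            hits.append((proto, addr.strip("[]"), int(port)))
    return hits


def on_all_interfaces(hits):
    """Hits bound to every interface, i.e. reachable from the network unless a firewall blocks them."""
    return [h for h in hits if h[1] in ("0.0.0.0", "::")]


# Constructed sample output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    [::]:3389              [::]:0                 LISTENING
  TCP    10.0.0.5:445           10.0.0.9:52100         ESTABLISHED
  UDP    10.0.0.5:137           *:*
  UDP    0.0.0.0:138            *:*
"""

if __name__ == "__main__":
    for proto, addr, port in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {port} listening on {addr}")
```

Feed it `netstat -an` captured from each host; an empty result for a given port means there is nothing left to close there, while a 0.0.0.0 or :: hit is the case the advisories are warning about.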
From cybersecurity at lists.onenet.net Mon May 22 12:18:30 2017
From: cybersecurity at lists.onenet.net (OneNet Security)
Date: Mon, 22 May 2017 17:18:30 +0000
Subject: [CyberSecurity] Scam of the Week: Massive DocuSign Phishing Attacks
Message-ID:

All,

DocuSign has admitted they were the victim of a data breach that has led to massive phishing attacks which used exfiltrated DocuSign information. They discovered the data breach when, on May 9, 15, and 17, DocuSign customers were being targeted with phishing campaigns.

"Hackers have stolen the customer email database of DocuSign, the company that allows companies to electronically sign documents. These criminals are now sending phishing emails that look exactly like the real DocuSign ones, but they try to trick you into opening an attached Word file and click to enable editing. Here are some of the subject lines:

Completed: [domain name] - "Wire transfer for recipient-name Document Ready for Signature"
Completed [domain name/email address] - "Accounting Invoice [Number] Document Ready for Signature"
Subject: "Legal acknowledgement for [recipient username] Document is Ready for Signature"

It is recommended that you filter or delete any emails with these specific subject lines. The campaigns all have Word docs as attachments, and use social engineering to trick users into activating Word's macro feature which will download and install malware on the user's workstation. But if you do that, malware may be installed on your workstation. So if you get emails that look like they come from DocuSign and have an attachment, be very careful. If there is any doubt, pick up the phone and verify before you electronically sign any DocuSign email. Remember: Think Before You Click."

Let's stay safe out there.

Barbara McCrary
Chief Information Security Officer
MCSE, MCSE:Security, +Messaging, CompTia:Security+
bmccrary at osrhe.edu
Oklahoma State Regents for Higher Education
655 Research Parkway Suite 200
Oklahoma City, OK 73104
405 225.9316 office
405 234.4321 cell
405 234.4588 fax
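As an added example, not from the list message or the text it quotes: a mail-filter rule that operationalizes the two signals the advisory gives, the quoted subject lines (their bracketed placeholders turned into wildcards) and a Word attachment on mail that looks like it comes from DocuSign. The sample messages, their .test sender domains and the choice of Word MIME types are constructed assumptions.

```python
import re
from email import message_from_string

# Subject templates quoted in the advisory; the bracketed placeholders become wildcards.
SUBJECT_PATTERNS = [
    re.compile(r"^Completed:?\s+\S+\s+-\s+Wire transfer for .+? Document Ready for Signature$", re.I),
    re.compile(r"^Completed:?\s+\S+\s+-\s+Accounting Invoice \S+ Document Ready for Signature$", re.I),
    re.compile(r"^Legal acknowledgement for \S+ Document is Ready for Signature$", re.I),
]
# Word formats that can carry VBA macros (my selection of MIME types, not from the advisory).
WORD_TYPES = {"application/msword", "application/vnd.ms-word.document.macroenabled.12"}
WORD_EXTS = (".doc", ".docm", ".dotm")

def word_attachments(msg):
    """File names of attachments that are macro-capable Word documents, by MIME type or extension."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and (p.get_content_type() in WORD_TYPES
                                     or p.get_filename().lower().endswith(WORD_EXTS))]

def classify(raw):
    """Rate one raw RFC 822 message as 'quarantine', 'review' or 'pass'."""
    msg = message_from_string(raw)
    subject = " ".join((msg.get("Subject") or "").split())      # unfold header whitespace
    subject_hit = any(p.search(subject) for p in SUBJECT_PATTERNS)
    docs = word_attachments(msg)
    looks_docusign = "docusign" in (msg.get("From") or "").lower()
    if subject_hit and docs:
        verdict = "quarantine"     # the campaign fingerprint: lure subject plus a Word attachment
    elif subject_hit or (looks_docusign and docs):
        verdict = "review"         # "looks like DocuSign and has an attachment": verify by phone
    else:
        verdict = "pass"
    return {"subject": subject, "subject_match": subject_hit,
            "word_attachments": docs, "verdict": verdict}

# Constructed sample messages (not captured campaign mail); .test domains are placeholders.
LURE = """From: DocuSign <dse@docusign-mail.test>
Subject: Completed: corp.test - Wire transfer for jsmith Document Ready for Signature
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword; name="Wire_transfer.doc"
Content-Disposition: attachment; filename="Wire_transfer.doc"

ZG9j
--b1--
"""
BENIGN = "From: colleague@corp.test\nSubject: Lunch on Friday?\nContent-Type: text/plain\n\nNoon?\n"
```

Run `classify()` over each inbound message at the gateway; "review" is the bucket for the advisory's "pick up the phone and verify" advice, since a genuine DocuSign notice with a Word attachment lands there too.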