[CyberSecurity] Fwd: Security Notice: Ransomware Campaign

OneNet Security cybersecurity at lists.onenet.net
Sat May 13 10:17:47 CDT 2017


See below what OMES shared.

Thanks,
Gaitha
---------- Forwarded message ---------
From: Office of Management and Enterprise Services <servicedesk at info.omes.ok.gov>
Date: Fri, May 12, 2017 at 11:15 PM
Subject: Security Notice: Ransomware Campaign
To: <gaitham at norman.k12.ok.us>



*DATE(S) ISSUED:* 12 May 2017

*SUBJECT:* Ransomware Campaign

*ORIGINAL OVERVIEW:* According to numerous open-source reports, a
widespread ransomware campaign is impacting organizations in as many as 16
countries. The latest version of this ransomware variant, known as
WannaCry, WCry, or Wanna Decryptor, was discovered this morning by an
independent security researcher and has spread rapidly over the course of
several hours, with initial reports beginning around 4:00 AM EDT. Initial
reports indicate that the hacker or hacking group behind this campaign is
gaining access to enterprise servers either through Remote Desktop Protocol
(RDP) compromise or through the exploitation of a critical Windows SMB
vulnerability for which Microsoft released a patch on March 14, 2017.

*THREAT INTELLIGENCE:* Vulnerability is currently being exploited in 16
countries.

*SYSTEMS AFFECTED:*

   - Windows XP
   - Windows Vista
   - Windows 7
   - Windows 8
   - Windows 10
   - Windows Server 2003
   - Windows Server 2008
   - Windows Server 2012


*RISK:*

*Government:*

   - Large and medium government entities: *High*
   - Small government entities: *High*

*Home Users:* *High*

*TECHNICAL SUMMARY:* This exploit is a self-replicating payload that allows
the ransomware to spread virally from vulnerable machine to machine without
requiring users to open emails, click on links, or take any other sort of
action.

*RECOMMENDATIONS:*

   - Organizations should close ports 22, 23, 3389, TCP 139 & 145/UDP 137 & 138,
   and ensure the aforementioned SMB patch (MS17-010) was applied.
   - Additionally, we recommend all organizations implement a robust data
   backup process that safeguards any data considered valuable or critical to
   the organization. Data backups must be stored offline—disconnected from the
   network—and tested regularly to confirm their integrity.
   - Update antivirus definitions.
   - Run all software as a non-privileged user (one without administrative
   privileges) to diminish the effects of a successful attack.
   - Remind users not to visit untrusted websites or follow links provided
   by unknown or untrusted sources.
   - Inform and educate users regarding the threats posed by hypertext
   links contained in emails or attachments, especially those from untrusted
   sources.
   - Apply the Principle of Least Privilege to all systems and services.




*REFERENCES:*
*Microsoft:*
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

*CVE:*
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148

*May 12 – UPDATED REFERENCES:*
*Open-Source News:*
http://www.wired.co.uk/article/wanna-decryptor-ransomware
https://www.theregister.co.uk/2017/05/12/nhs_hospital_shut_down_due_to_cyber_attack/

If you have questions or concerns, please contact the OMES Service Desk
<https://www.ok.gov/cio/Customer_Portal/Service_Desk/>.

OMES Service Desk <https://www.ok.gov/cio/Customer_Portal/Service_Desk/>
405-521-HELP
866-521-2444 (toll free)
ServiceDesk at omes.ok.gov
Service Desk Customer Portal <http://servicedesk.ok.gov>
*Contact us anytime. We are available 24 hours a day, seven days a week.*
-- 

Thanks,
Gaitha

Gaitha Milligan
Norman Public Schools
Technology Services
Instructional Services Center (ISC)
4100 N Flood Ave
Norman, OK  73069
phone (405) 366-5810
fax (405) 573-5805
email:  gaitham at norman.k12.ok.us
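
Added example, not part of the forwarded OMES notice or of this message: a host-side check of the first recommendation, parsing Windows `netstat -an` text and reporting non-loopback listeners on the ports the notice lists. The function names and the sample output are constructed for illustration, and the check also watches TCP 445 (the standard SMB-over-TCP port), which is an assumption of this example and not in the notice's list.

```python
ADVISORY_PORTS = {"TCP": {22, 23, 3389, 139, 145}, "UDP": {137, 138}}  # as listed
# Assumption of this example, not in the advisory's list: SMB over TCP is 445.
EXTRA_PORTS = {"TCP": {445}}
LOOPBACK = ("127.", "[::1]")
# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:23           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49712         10.0.0.9:445           ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    10.0.0.5:137           *:*
  UDP    10.0.0.5:138           *:*
  UDP    0.0.0.0:5353           *:*
"""

def split_endpoint(endpoint):
    """Split '0.0.0.0:445' or '[::]:445' into (address, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port)

def exposed_listeners(netstat_text, include_extra=True):
    """Return sorted (proto, port, address) for non-loopback listeners on watched ports."""
    watch = {proto: set(ports) for proto, ports in ADVISORY_PORTS.items()}
    if include_extra:
        for proto, ports in EXTRA_PORTS.items():
            watch[proto] |= ports
    findings = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in watch:
            continue  # header, blank line, or a protocol we do not track
        proto, local = fields[0], fields[1]
        # TCP rows have a state column; UDP rows do not (a bound UDP socket is open).
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        try:
            addr, port = split_endpoint(local)
        except ValueError:
            continue  # not an address:port pair
        if port in watch[proto] and not addr.startswith(LOOPBACK):
            findings.add((proto, port, addr))
    return sorted(findings)

if __name__ == "__main__":
    print(exposed_listeners(SAMPLE_NETSTAT))
```

An empty result only means nothing is listening on those ports on that host; it says nothing about whether the MS17-010 patch is installed.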
