A new ransomware spam campaign has been detected.  Cerber is ransomware distributed via spam email.  Once run, it encrypts the files on your machine and renames them with a new extension, then demands that you purchase a decryption key from the perpetrators of this ransomware.

The Cerber spam email arrives with an RTF file attachment.  The email's header information is forged, and the body may ask you to “Please check your invoice attached.”  The RTF attachment carries the Cerber infection.  Victims must open the RTF attachment in order to be infected with the ransomware.

Please see below for an example of the Cerber Ransomware Spam Email.

How This Impacts You

Please alert all employees not to open any RTF file attachments received by email.

Tier1Net has recently blocked RTF files through McAfee Email Security, so any Cerber Ransomware Spam Emails sent after 2:00pm on April 28, 2016 will be blocked for all clients enrolled in McAfee Email Security.

If you already received a Cerber Ransomware Spam Email, please do not open the RTF attachment.  Please delete the spam email permanently from your machine.  You cannot be infected with the virus if you do not open the attachment.

If anyone believes they have been infected by Cerber Ransomware, please contact Tier1Net immediately.


Steps Tier1Net is Taking

Tier1Net has recently blocked RTF files through McAfee Email Security which will deny delivery of any Cerber Ransomware Spam Emails.

Tier1Net encourages all clients to be vigilant as always about suspicious emails with attachments. Never open any file attachments without confirming authenticity with the sender first.


If you have any questions about the Cerber ransomware campaign, please call our office at (781)935-8050.

Apple has recently discontinued support for Quicktime for Windows.  Starting mid April, Apple will no longer be releasing critical security updates for this software.

Unsupported software is vulnerable to outside threats and poses a significant security risk as illustrated by the discovery of two critical vulnerabilities affecting Quicktime for Windows which will not be patched by Apple.

To address these critical vulnerabilities Tier1Net will be proactively uninstalling Quicktime for Windows on all PCs within our clients’ networks in accordance with cybersecurity best practices.

Affected clients have already been notified of this pending action.

To learn more about Apple’s discontinued support for Quicktime for Windows, please click here https://www.us-cert.gov/ncas/alerts/TA16-105A.

If you have any questions, please contact our office at (781)935-8050.

“Locky” Ransomware Campaign Targets SMBs

There is a large-scale spam campaign currently targeting small and medium sized businesses, distributing ransomware known as Locky. Locky encrypts the files on your machine and renames them with a new extension, forcing you to purchase a decryption key from the perpetrators of this ransomware.

The current Locky campaign is a spam email with the subject “FW: INVOICE COPY”, which may appear to come from a fake email address at your own company. The email includes a Zip file attachment containing a malicious script (JavaScript); when run, the script downloads and executes the Locky ransomware.

Victims of Locky must open the Zip attachment, extract the enclosed script, and run it (accepting any warning prompt) in order to be infected with ransomware.

How This Impacts You

Tier1Net customers enrolled in McAfee Email Security are protected from this threat, as McAfee Email Security by default blocks all incoming Zip Files.

Please note that McAfee Email Security clients may receive a Delivery Notification email stating that the delivery of “FW: INVOICE COPY” was successfully denied. No further action is required.

If you are not enrolled in McAfee Email Security, please be vigilant as always about suspicious emails with attachments. Never open any Zip files without confirming authenticity with the sender first.

Steps Tier1Net is Taking

Tier1Net is working with McAfee to ensure that all executable scripts are being blocked, as well as Zip attachments.

If you have any questions about the Locky ransomware campaign, please call our office at (781)935-8050.

For more information, please visit:

https://myonlinesecurity.co.uk/fw-invoice-copy-pretending-to-come-from-a-random-or-unknown-name-at-your-own-email-address-js-malware-leads-to-locky-ransomware/

On Tuesday, February 16th, Google posted a blog outlining a vulnerability in glibc (the GNU C library), which is used in many products and leaves those products open to remote exploitation. The flaw, identified as CVE-2015-7547, is a stack-based buffer overflow in glibc's getaddrinfo() function that is triggered when the library processes a crafted DNS response. It is similar to Heartbleed and Shellshock in terms of the scope of affected systems, but is not as serious, since it is significantly more difficult to exploit.

Successful exploitation relies on the potential victim communicating with a hostile/malicious DNS server, or being subject to a man-in-the-middle attack that tampers with DNS responses. Nevertheless, the vulnerability is considered critical by the industry since it can lead to remote code execution on the client system.

This vulnerability is being seen across the industry and Dell SonicWALL is working quickly to provide a hot-fix and patch to ensure continued protection with Dell SonicWALL SRA/SMA Series.

For Tier1net customers using Dell SonicWALL SSLVPN SRA Appliances:

•  All SRA firmware versions prior to 8.1.0.1-11sv for SRA 4600/1600/Virtual Appliance and 8.0.0.4-25sv for SRA 4200/1200 are affected.
•  Action: Tier1net will open trouble tickets for all impacted customers and install the Dell SonicWALL patch to resolve this vulnerability.

If you also have Dell SonicWALL firewalls deployed, please note: The Dell SonicWALL threat research team successfully published an Intrusion Prevention Service (IPS) signature on Tuesday, February 16th that automatically updated all customer systems running IPS worldwide, protecting networks behind our firewalls within 12 hours of identification. Dell SonicWALL firewalls are not susceptible to the glibc buffer overflow vulnerability.

Full details about the vulnerability and protection can be found in this SonicAlert article.

Read How Dell SonicWALL Guards Against the Glibc Vulnerability blog by Ken Dang from SonicWALL.


Dell recently notified Tier1net of a security vulnerability in the Dell Foundation Services software that runs on Dell PCs and laptops.  The software installs a self-signed root certificate (eDellRoot) into the machine's trusted root store together with its private key, and the same key is present on every affected machine.  Anyone who extracts that key can issue certificates the PC will trust, allowing a man-in-the-middle attacker to intercept and decrypt sensitive data (for example HTTPS traffic) transmitted from a PC or laptop running the Dell Foundation Services software.

As part of Tier1Net’s standard pre-configuration process, the Dell Foundation Services are removed by default, so Tier1net customers’ risk of exposure should be minimal.  For the few client machines which still have the software installed, Tier1Net will be running a tool to remove the vulnerability.

Dell has issued a statement apologizing for the oversight and will not be installing this certificate on any future machines.

For more on Dell’s statement, read below:

“Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability. The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system.  The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process. We have posted instructions to permanently remove the certificate from your system here. We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward.”

Read more here: http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/11/23/response-to-concerns-regarding-edellroot-certificate
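The following PowerShell script is an added example for administrators who want to verify a machine themselves; it is not Dell's removal tool or Tier1Net's. It looks in the machine-wide Trusted Root store for any certificate whose subject names eDellRoot, reports whether the private key is present on the machine (the property that makes this certificate dangerous), and removes it only when run with -Remove. The store path and the CN match are standard Windows; the function names are this example's own.

```powershell
# Added example, not Dell's or Tier1Net's tool. Run from an elevated prompt.
# Without -Remove the script only reports; with -Remove it deletes what it finds.
param([switch]$Remove)

function Get-EDellRootCert {
    # Cert:\LocalMachine\Root is the Trusted Root Certification Authorities store
    # that every user and service on the machine trusts.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -match 'CN=eDellRoot' }
}

$found = @(Get-EDellRootCert)

if ($found.Count -eq 0) {
    Write-Output "No eDellRoot certificate in LocalMachine\Root on $env:COMPUTERNAME"
    exit 0
}

foreach ($cert in $found) {
    # HasPrivateKey is the key indicator: a root CA certificate whose private key
    # sits on the client can be used to forge certificates this PC will trust.
    Write-Output ("Found {0} thumbprint {1} valid to {2} HasPrivateKey={3}" -f
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $cert.HasPrivateKey)

    if ($Remove) {
        Remove-Item -Path ("Cert:\LocalMachine\Root\" + $cert.Thumbprint) -Force
        Write-Output "Removed $($cert.Thumbprint) from LocalMachine\Root"
    }
}
exit 1
```

The script exits with 1 when the certificate is present so it can be used as a compliance check from a patch-management tool. Deleting the certificate alone is not sufficient on a machine that still has Dell Foundation Services installed: follow Dell's published removal process (linked above), which also removes the component that installs the certificate, or the certificate may be put back.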

Microsoft recently deployed a security patch which has unexpected side effects for Outlook users.  Patch KB3097877, first deployed on Tuesday, November 10, 2015, inadvertently causes Microsoft Outlook to crash upon launch or when opening/responding to email.   This symptom has been observed in Outlook 2010 and 2013, on machines running Windows 7, Windows 8, and Windows 8.1.

Tier1Net has already updated its automated patch management policy to scan for, and remove, Patch KB3097877 on all systems.

If you are experiencing any Outlook issues now, however, please call our office immediately and we will expedite the patch removal on your workstation.

If you would prefer to remove the patch yourself, please follow these instructions:

  1. Click Start and navigate to Control Panel > Uninstall a Program.
  2. Select “Installed Updates” and enter KB3097877 in the Search Field.
  3. If the update is found, select it and click Uninstall.
  4. Reboot the PC when prompted.
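For administrators who need to remove the update from many workstations, the following PowerShell script is an added example (not Tier1Net's patch-management policy or a Microsoft tool) that performs the same steps as the list above without the Control Panel: it checks whether KB3097877 is installed and, if so, uninstalls it with the Windows Update Standalone Installer. Get-HotFix and wusa.exe are standard Windows components; the function names are this example's own.

```powershell
# Added example, not from the Tier1Net advisory. Run from an elevated prompt.
$Kb = "KB3097877"

function Test-KbInstalled {
    param([string]$KbId)
    # Get-HotFix lists installed Windows updates; -Id filters on the KB number.
    return [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

function Remove-Kb {
    param([string]$KbId)
    $number = $KbId -replace '^KB', ''
    # wusa.exe takes the bare KB number. /quiet suppresses prompts and /norestart
    # defers the reboot so it can be scheduled outside working hours.
    $p = Start-Process -FilePath "wusa.exe" `
        -ArgumentList "/uninstall", "/kb:$number", "/quiet", "/norestart" `
        -Wait -PassThru
    return $p.ExitCode
}

if (Test-KbInstalled -KbId $Kb) {
    $code = Remove-Kb -KbId $Kb
    # Exit code 0 = removed; 3010 = removed, a reboot is required to finish.
    Write-Output "$Kb uninstall finished on $env:COMPUTERNAME with exit code $code"
    if ($code -eq 3010) { Write-Output "Reboot required to complete removal." }
} else {
    Write-Output "$Kb is not installed on $env:COMPUTERNAME"
}
```

After removal, Windows Update will offer KB3097877 again unless it is hidden or declined in your patch-management tool, which is why the automated policy change described above matters as well as the one-time removal.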

For further reading, please see below:

http://www.infoworld.com/article/3004441/microsoft-windows/microsoft-surreptitiously-reissues-botched-patch-kb-3097877-for-windows-7.html

http://www.theregister.co.uk/2015/11/11/patch_tuesday_downloads_buggy_ms_patch/

http://www.winbeta.org/news/microsofts-recent-windows-10-security-patches-are-causing-some-users-headaches


A zero day vulnerability has been discovered in Adobe’s Flash Player which, if exploited, could lead to code execution and potentially allow an attacker to take control of an affected system.

Adobe released a patch for this vulnerability this morning.  To ensure that your workstations and servers are protected, Tier1net will be deploying the security patch to your network via its Managed Workplace automated patching tools.

For more information on this vulnerability, please visit: https://helpx.adobe.com/security/products/flash-player/apsa15-05.html

Google Chrome has discontinued its remaining support for Java, as of September 2015: Chrome 45 removed the NPAPI plug-in interface that the Java browser plug-in relies on, so Java applets no longer run in Chrome.

Tier1Net clients who are still using Google Chrome to remotely access their PCs via an SSLVPN bookmark may find they are unable to connect.

Users experiencing issues in Google Chrome with remote connections or other Java-based applications are recommended to take the following actions:

1. Switch to a web browser that still supports the Java plug-in, such as Internet Explorer 11 or Mozilla Firefox

2. Contact Tier1net to determine if your organization’s SSLVPN appliance is compatible with Google Chrome


For more information, please read:

http://www.tier1net.com/google-chrome-ceases-support-for-java/

http://blog.chromium.org/2014/11/the-final-countdown-for-npapi.html

Attention McAfee Email Protection Clients:

McAfee has released the following service alert:

“A network issue in North America has impacted Web Protection and Email Protection traffic for some customers.  We are in the process of enacting our emergency failover processes to try and restore service as soon as possible.

Web Protection customers may experience issues connecting to the proxy service and Email Protection customers may see delays in both inbound and outbound mail processing.

There may also be ancillary services that see degraded performance as well such as Quarantine release, ClickProtect, Control Console access, Message Continuity Unspool, and Archiving ingest.”

For more information, please see https://support.mcafeesaas.com/mcafee/_cs/BusinessDisplay.aspx?sSessionID=&did=1

Tier1Net has received increased reports of legitimate emails being delayed, with the senders receiving a temporary failure message of “451 Exceeding Connection Limit: RBLDNSD.”

Tier1Net has traced the issue to a new Spam Flood Prevention policy recently enabled by McAfee.  This new policy was designed to reduce the impact of certain spam campaigns characterized by unusual spikes in traffic over short periods of time, by withholding delivery until traffic returns to a normal threshold.

However, Tier1Net has observed a high volume of “false positive” delays, wherein McAfee identifies legitimate senders as spam campaigns.

As a result, Tier1Net has disabled the McAfee Spam Flood Prevention feature for all of its McAfee Email Protection customers.

For more information, please visit https://support.mcafeesaas.com/MCAFEE/_cs/AnswerDetail.aspx?sSessionID=16814425079KXWEWWRBBBBIZKVKUXMZPPKRORQWW&aid=271042