Category: Security

(more…)

We’re alerting our higher education technology community that support for Windows Server 2012 and 2012 R2, including security updates, are coming to an end in one year.

Extended Support for these operating systems will end on October 10, 2023.

If you haven’t thought about migrating your servers to newer versions, now is a good time to start!

Considering that these projects can take significant time to schedule and execute, the earlier you start the better off you will be. Many organizations faced challenges when Windows Server 2008 and 2008 R2 were end-of-life. It is important not to be caught in a similar position this time around.

We have also been noticing that IT security initiatives are on the rise and having out-of-service OSes is often a top item to resolve. Security auditors will mark these servers as a risk to be remediated and mitigations are often costly and service impacting. Our team recommends avoiding the hassle and starting your upgrade project now.

As always, if you have any questions or support needs around this project, Ferrilli is here to help. We have the expertise and working knowledge to help you upgrade or migrate your servers with minimal impact to end-users.​

Watch as Ferrilli’s Security, Cloud & Infrastructure team share expert advice on how to meet the requirements of the updated GLBA Safeguards Rule.

Watch as Ferrilli Senior Consultant Erik Potzmann shares expert advice on Active Directory security protections.

Check out Ferrilli Chief Client Officer Marcia A. Daniel’s latest article in the ACCT Trustee Quarterly: Diminishing the Cyber Threat: A conversation with cybersecurity legal expert Allen Sattler reveals key steps colleges must take to minimize the impact of breaches.

Thank you to Allen Sattler, Partner and Vice Chair of Data Privacy & Cybersecurity at Lewis Brisbois Bisgaard & Smith LLP, for contributing his knowledge and expertise to this timely piece on the steps colleges must take to minimize the impact of cyber attacks.

At Ferrilli, security is never secondary. If your institution has fallen victim to a cyber attack, please click here to receive 100 hours of complimentary security services.

By: Armando D’Onorio (CISSP, GSLC, GCCC), Ferrilli’s Chief Information Security Officer & Senior Consultant

We’re alerting our higher education community to act quickly and patch the latest vulnerabilities from Google and Microsoft:

• Google Chrome: An exploit for CVE-2022-1364 exists and it is strongly recommended that everyone install the latest Google Chrome update (100.0.4896.127) as soon as possible.
• Microsoft RDP: Critical Windows RPC CVE-2022-26809 flaw raises concerns due to its potential for widespread, significant cyberattacks. Therefore, all organizations need to apply Windows security updates as soon as possible.

Note: While our focus is on getting the academic systems updated, please remind your faculty, staff, and students to patch their personal devices.

More info about the vulnerabilities: 

​​​​Google Chrome

• Google officials did not release many details about the flaw, saying that information and links about the bug are being restricted until most users are updated. The emergency updates the company issued this week impacted almost 3 billion users of its Chrome browser as well as those using other Chromium-based browsers, such as Microsoft Edge, Brave and Vivaldi. They will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but have not yet fixed. The vulnerability is a so-called “confusion” weakness in Chrome’s V8 JavaScript engine. This type of flaw often leads to browser crashes, but the high severity label for this specific vulnerability suggests that it could be the rarer kind that allows attackers to execute damaging code depending on the privileges associated with the application. An attacker could view, change, or delete data, according to the Center for Internet Security.

Microsoft RDP: CVSS:3.1 9.8 / 8.5

• Microsoft fixed this vulnerability as part of the April 2022 Patch Tuesday updates and rated it as ‘Critical,’ as it allows unauthorized remote code execution through a bug in the Microsoft Remote Procedure Call (RPC) communication protocol (TCP 445 and 135). If exploited, any commands will be executed at the same privilege level as the RPC server, which in many cases has elevated or SYSTEM level permissions, providing full administrative access to the exploited device. Security researchers believe the bug has the potential to be exploited in widespread attacks, like what we saw with the 2003 Blaster worm and 2017 Wannacry attacks utilizing the Eternal Blue vulnerability. Currently there are over 1.3 million devices exposing port 445 to the Internet, offering a massive pool of targets to exploit. It is important to stress that institutions should apply the patch because it can surface in several configurations of both client and server RPC services. This vulnerability is ideal for spreading laterally in a network and security experts believe we will surely see it used by ransomware gangs in the future.

What Version Should You Be on Google Chrome?
The latest fix will bring Chrome to version 100.0.4896.127 across Windows, Linux, and Mac platforms. Remind your users to close their browsers so the Chrome updates will be applied in the coming days and weeks, as Chrome automatically installs the latest patch when the browser is closed and relaunched.

If you have any questions or need assistance, please click here.

We’re following up from our Russian Cyber Activity webinar earlier this month to provide our higher education community with the latest updates and advice on the Russian cyber threat:

The U.S. Government has called the current moment “critical” in working towards enhancing its cybersecurity defenses and believes the threat of cyberattack from Russia is looming against the United States.

Government officials stated this reinforces the urgent need for all organizations, large and small, and even individuals to act now to protect themselves against malicious cyber activity.

The following information can help you be prepared:

Report anomalous cyber activity and/or cyber incidents as soon as possible!

The CISA is working closely with federal and industry partners to monitor the threat environment 24/7 and they stand ready to help organizations respond to and recover from cyberattacks.

Visit CISA.gov/Shields-Up for information on how to protect your network(s) and how to report anomalous cyber activity and/or incidents. When cyber activity/incidents are reported quickly, it can contribute to stopping further attacks.

• report@cisa.gov
• (888) 282-0870, or
• Your FBI Field Office or CISA Regional Office

What Can Be Done?

• Treat people as your first line of defense – Educate your employees on common tactics (email and websites) and how to report suspicious activity and investigate their reports promptly and thoroughly.
• Test your emergency procedures for backups and restoring services/data. Ensure you have offline backups beyond the reach of malicious actors.
• Encrypt your data so it can not be used if stolen.
• Verify your communication channels work and know the players and their roles in your Emergency Response Team.
• Ensure software and hardware patching is current and up to date.
• Enable multifactor authentication on all accounts/systems/devices connecting to your network(s).
• Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents.

Cybersecurity advice to share with co-workers, family and friends

• Pay extra attention to email: Your work email address, as well as any personal email addresses, are the most common starting places for a targeted attack.
• Protect yourself:
  • DO NOT FOLLOW LINKS contained in emails or in text messages – If you feel the communication is legitimate, navigate to the main website by typing in the primary site address and then navigate to the desired page/resource. o    Verify the email using a different contact method – Voice calling is particularly powerful in vetting outreach.
  • Use strong passwords and multi-factor authentication to reduce compromises by unwanted hackers.
  • Protect your devices and home network – keep them up to date and use antivirus software. Use the latest supported versions, apply security patches promptly, use anti-virus and scan regularly to guard against known malware threats.
  • Beware of new outreach in social media platforms (Twitter, Instagram, Snapchat, Facebook, etc.) and text messages from unknown phone numbers or groups.
• Protect others:
  • REPORT any suspected communications or activity to your Helpdesk or IT department.
  • Report suspicious outreach received at your personal email addresses by reporting them to your service provider via their published resources.
  • DO NOT FORWARD or share:
    • unvetted outreach or “recommended” content.
    • suspicious messages Delete them immediately.

Thank you and please stay safe!​

By: Armando D’Onorio (CISSP, GSLC, GCCC), Ferrilli’s Chief Information Security Officer & Senior Consultant

Higher education institutions should be more on guard than ever for cyber attacks. Due to the current political climate, we are seeing an increase in attacks, especially attacks originating from Russia.

In the past week, our security team has seen two Russian attacks on U.S. institutions; as well as two other institutions hit hard by phishing schemes.

We will be holding an emergency webinar on Thursday, March 17^th, 2022, to discuss the threat and provide action steps for protection. Stay tuned for more details. And please stay safe!

By: Armando D’Onorio (CISSP, GSLC, GCCC), Ferrilli’s Chief Information Security Officer & Senior Consultant

VMware is urging customers to patch bugs in ESXi, Workstation, Fusion and Cloud Foundation running in on-premises or co-located settings.

The ramifications of the combined vulnerabilities are serious, especially if attackers have access to workloads inside your environments.

The patches fix a total of five (5) CVEs in those products that were disclosed during the Tianfu Cup, a Chinese security event that VMware participates in.

We’re increasing awareness for our higher education community

Knowing that most academic institutions have increased their use of VMware to help with the increase of remote work and labs from home for their employees and students.

Ferrilli is increasing the awareness and recommending that institutions pay extra close attention to failed VMware patches on their systems. Double-check that all systems have been properly patched (servers, workstations, and laptops).

**Remind all your users to patch their personal devices.**

More info about the vulnerabilities

The VMware vulnerabilities include use-after-free (UAF) bugs, double-fetch, unauthorized access, and denial of service bugs. While the individual bugs don’t reach the critical level, VMware says the combined bugs should be treated as such because they can be combined to result in higher severity.

• ESXi, Workstation and Fusion contain:
  • A UAF bug (CVE-2021-22040) in XHCI USB controller that could allow a bad actor with local admin privileges on a virtual machine to execute code as he virtual machine’s VMZ process running on the host.
  • A double-fetch bug (CVE-2021-22041) that could also lead to unauthorized code execution on the virtual machine’s VMX process running on the host.
• ESXi also contains:
  • An unauthorized access vulnerability (CVE-2021-22042) due to VMX having access to settings authorization tickets. A malicious actor with privileges in the VMX process only could access settings service running as a high priority user.
  • A Time-of-check Time-of-use bug (CVE-2021-22043) that exists in the way temporary files ae handled that could be used to escalate privileges by writing arbitrary files.
  • A slow HTTP Post denial-of-service vulnerability in rhttpproxy that could be used to create a denial-of-service condition by overwhelming rhttpproxy service with multiple requests.

For more information on workarounds and patching these vulnerabilities, read VMware’s advisory and the company’s associated blog.

If you have any questions or need assistance, please click here to get help.

By: Armando D’Onorio (CISSP, GSLC, GCCC), Ferrilli’s Chief Information Security Officer & Senior Consultant

Google has released a NEW update for the Chrome browser for Windows, Mac, and Linux, to fix a high-severity, zero-day vulnerability used by threat actors in attacks.

“Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild.”

It is it strongly recommended that everyone install yesterday’s (2/15/2022) Google Chrome update as soon as possible.

We’re increasing awareness for our higher education community

Ferrilli is recommending that academic institutions pay close attention to failed patches on their systems and double-check that all systems have been patched (workstations, laptops, and servers). Please remind your faculty, staff, and students to patch their personal devices.

More info about the vulnerability

This is the first Chrome zero-day fix for this year . This vulnerability was discovered by Google’s Threat Analysis Group. While Google said they have detected attacks exploiting this zero-day, it did not share any additional info regarding these incidents or technical details about the vulnerability.

Very few details of the security flaw have been revealed but UAF vulnerabilities typically facilitate attacks such as arbitrary code execution and data corruption in unpatched software and can lead to the takeover of a victim’s machine.

The zero-day, tracked as CVE-2022-0609 is carrying a CVSSv3 score of 9.8/10.

What Version Should You Be On?

The latest stable build (98.0.4758.102) for Windows, Mac, and Linux brings with it a total of 11 security fixes, with many of the highest-severity flaws relating to use after free (UAF) vulnerabilities.

If you have any questions or need assistance, please click here to get help.

By: Armando D’Onorio (CISSP, GSLC, GCCC), Ferrilli’s Chief Information Security Officer & Senior Consultant

A zero-click attack surface for the popular video conferencing solution Zoom has yielded two security vulnerabilities that could have been exploited to crash the service, execute malicious code, and even leak arbitrary areas of its memory.

The weaknesses have been addressed by Zoom as part of their updates. Failure to patch all your systems could provide the needed pivot-point for threat actors to gain access into your network environment.

We’re increasing awareness for our higher education community:

Ferrilli is recommending that academic institutions pay close attention to failed patches on their systems and double-check that all systems have been patched (workstations, laptops, and multimedia router (MMR) servers). Also, remind your faculty, staff, and students to patch their personal devices.

More info about the vulnerabilities:

A zero-click attack against the Windows Zoom client was revealed at Pwn2Own (a security event designed to identify and flag vulnerabilities before they’re exploited by threat actors) showing that it does indeed have a fully remote attack surface. This resulted in two vulnerabilities being reported to Zoom. One was a buffer overflow that affected both Zoom clients and MMR servers, and one was an info leak that is only useful to attackers on MMR servers.

Here are the CVE numbers associated with the two flaws that were identified:

• CVE-2021-34423 (CVSS score: 9.8) – A buffer overflow vulnerability that can be leveraged to crash the service or application or execute arbitrary code.
• CVE-2021-34424 (CVSS score: 7.5) – A process memory exposure flaw that could be used to potentially gain insight into arbitrary areas of the product’s memory.

Goal of a zero-click attack:

For threat actors to stealthily gain control over the victim’s device without requiring any kind of interaction from the user (such as clicking on a link). A key trait of zero-click hacks is their ability not to leave behind traces of malicious activity, making them very difficult to detect.

If you have any questions or need assistance, please click here.

By: Armando D’Onorio (CISSP, GSLC, GCCC), Ferrilli’s Chief Information Security Officer & Senior Consultant

We’re alerting our higher education technology community that yesterday’s (1/11/2022) Microsoft Patch Tuesday released critical security updates for Exchange and Windows OS that addresses several serious security vulnerabilities.

In the updates there are fixes for 97 total vulnerabilities, 9 of these are remote code exploits (RCE), 6 of them are classed as Zero-Day, and 1 of them is Wormable.

A wormable exploit means that it could self-propagate through a network with no user interaction. This vulnerability exploits how the OS processes unauthenticated HTTP traffic and carries a severity rating of 9.8 on a scale of 10. Windows Server 2019 and 2022, plus Windows 10 and 11 are affected.

Microsoft suggests patching all affected Windows versions as soon as possible, publicly facing servers with open HTTP and HTTPS ports are the most critical. The security updates for Exchange affect 2013, 2016, and 2019 and this includes hybrid servers for Office 365.

The update has only been released for the latest Cumulative Update (CU) for Exchange Server 2013 (CU23), and the last two CUs for 2016 (CU21 and CU22) and 2019 (CU10 and CU11). This means you will need to patch to one of these CUs before being able to apply this security update.

If you have any questions or need assistance, please click here.

For your reference, click here to read the Microsoft Exchange Team posted a blog about the update and patch process.

We held a complimentary emergency webinar with our most trusted security experts on Wednesday, December 15^th, to explain the Log4j threat, address questions, and offer remediation advice.

By: Armando D’Onorio (CISSP, GSLC, GCCC), Ferrilli’s Chief Information Security Officer & Senior Consultant

We’re alerting our higher education technology community that on December 9, a remote code execution vulnerability, dubbed CVE-2021-44228, was disclosed in Apache’s Log4j.

Apache Log4j is an open-source logging utility used by almost all major Java-based applications and currently running on 3 billion devices worldwide.

Log4j has been exposed to a very high-risk vulnerability under active and vigorous exploitation. The exploitation of this vulnerability is simple and only requires the attacker to enter a piece of code into the target triggering the vulnerability, allowing the attacker to remotely control the user victim’s server.

How Do I Tell If I’m at Risk?

Chances are, you have a system(s) at risk. While advanced features of many popular Next Generation Firewalls (NGFWs) or Web Application Firewalls (WAFs) may offer some protection, you still need to patch quickly. We recommend two immediate steps to figure out your level of exposure.

Continue reading “Ferrilli Security Alert: Log4j Vulnerability Affects All Industries”

By Marcia Daniel, Chief Client Officer, Ferrilli

When I meet with institutional leaders across the higher education landscape, I am continually astounded at just how tech-savvy they have become. Provosts are asking about about degree audit software. Registrars want to discuss how best to deploy chatbots. Vice Presidents of Student Life are exploring the benefits of digital nudges. Just about everyone in higher education is a technology expert these days – except in the area that matters most.

Because when I ask them about what they’re doing to ensure data security, there’s a familiar refrain I hear all too often: “Oh, our CIO handles that.”

Continue reading “Data Security: It Takes a Village”

When COVID-19 struck in the spring of 2020, colleges and universities across the country were presented with three key challenges. They had to shift thousands of students, faculty, and employees to remote learning, instruction, and work. They had to do it quickly or risk losing an entire semester to the pandemic. And they had to do it securely or risk the creation of data vulnerabilities that hackers would likely exploit. 

Prior to the coronavirus pandemic, higher education was already one of the most targeted industries in the world when it came to cyberattacks. In 2019, Moody’s (which controls the bond ratings for most institutions in the U.S.) reported that data security was “a growing risk for higher education institutions globally” due to the fact that they “retain valuable information across expansive online networks;” that “their breadth of operations can be vast, with innumerable access points;” and that “investing in state-of-the-art defenses likely competes with myriad other priorities.” 

Since the pandemic began, cyber criminals have sought to take advantage of these trends like never before. According to a report released by Checkpoint in the summer of 2020, “the number of attacks on educational institutions has grown faster than in any other sector,” with “a 30 percent increase compared to a 6.5 percent increase across all industries in July and August [2020].” During the same time period, Microsoft Security Intelligence found that more than 60 percent of some 9 million malware encounters worldwide took place in the education sector alone. 

It was trends and statistics like these that were on the minds of leaders at the San Jose-Evergreen Community College District when ensuring that its 20,000 students could continue their studies unabated amid the coronavirus pandemic. 665 administrators, staff, and full-time faculty would have to perform their essential roles from off-campus locations – and that meant providing remote access to the technology, tools, and applications they rely on to help support the student body. 

Continue reading “How the San Jose-Evergreen Community College District Managed the Cybersecurity Threats that Accompanied the Coronavirus Pandemic”

(more…)