Campus Phishing Alert July 17, 2017

An e-mail sent today claimed that your account had recently been signed in to from an unknown location. The e-mail had a subject of “Account Verification” and looked like the example below.

[Screenshot of the phishing email]

IT@Sam has blocked the website contained in the message as well as the delivery of additional e-mails to prevent the disclosure of additional login credentials.

If you still have an e-mail in your inbox with the subject of “Account Verification,” please delete the e-mail. No further action is required.

If you have already visited the site and entered your username and password, please

  • change your password as soon as possible at https://samweb.shsu.edu, by clicking on the IT@Sam menu, then on Account Password Change; and
  • contact the Service Desk (this will help us determine the magnitude of the phishing incident).

Please contact the Service Desk at (936) 294-1950 should you have any questions, concerns, or trouble resetting your password.

Windows 10 Roll Out Begins This Evening

Workstations are scheduled for a remote upgrade to Windows 10 this evening, after 6 p.m. Save your data from your C drive to either OneDrive or your S drive now! Otherwise, your data will be lost when your computer is re-imaged.

Please log off, but do not power off, your workstation each day before you leave.

The roll out schedule is available online. Please note that the deployment dates for the Bobby K. Marks Administration Building and the Estill Classroom buildings have been moved to Wednesday, June 7 through Friday, June 9.

For additional information, visit the Windows 10 website and the Windows 10 Preparedness Checklist.

Direct any questions or concerns to the IT@Sam Service Desk at servicedesk@shsu.edu.

System Maintenance 5/16 – 5/19

Throughout the week, IT@Sam will be performing maintenance on the following systems. Each system may see a short downtime during the 6 p.m. – midnight time frame. If you have any questions or concerns, please contact the Service Desk at servicedesk@shsu.edu or 936-294-1950.

Tuesday, May 16, 2017

  • TK20
  • Video Surveillance
  • McAfee ePO and Antivirus
  • UPD CRIMES
  • VPI Call Recording
  • WebEOC
  • WinAuto
  • Door Access
  • EDI Smart
  • ERP Utility
  • FileMaker
  • IdentityFinder
  • CMS
  • Mailman Mailing Lists
  • NewsKing
  • NuPark
  • OCLC ILLiad
  • Oracle Cloud
  • Orion
  • AxisTV
  • Sage Academic
  • SpeedTest

Wednesday, May 17, 2017

  • SamWeb
  • Titanium Scheduling
  • WAVE
  • Duo Self-Service
  • Fitness Gram
  • Cognos X
  • Library EZProxy
  • OPERA
  • PHP Websites
  • Academic Shell Server
  • Academic SQL Server
  • Accuplacer
  • Alertus
  • Arbitrator
  • ArcGIS
  • Raven’s Nest Golf POS
  • Rec Sports Fusion
  • Recruiter
  • Sage Research

Thursday, May 18, 2017

  • Exchange 2013
  • Personal Websites
  • BDM
  • Unicorn
  • Evisions
  • CORAL
  • Linux Databases
  • Lync
  • Micros Simphony POS
  • Motio
  • PerfectForms
  • Banner Job Submission
  • CBORD
  • Picasso
  • SHSU CMS Websites
  • Star-Rez

Friday, May 19, 2017

  • S and T Drives
  • Ellucian Mobile
  • eProcurement
  • Flash Streaming
  • Single Sign On Services
  • Banner External Web Apps
  • Banner INB
  • Remote
  • SQL Server 2012 DB Farm
  • Academic ArcGIS
  • Printing Services
  • CRIMES Replication
  • CRIMES Software
  • DegreeWorks
  • Oracle Database Cluster
  • Physics HPCC A Cluster
  • Archon
  • Cherwell
  • Physics JBON Cluster
  • Pinnacle
  • PPL Clock-In
  • ProPharm
  • Raiser’s Edge
  • Banner SSB

A Message Regarding Ransomware

Below is a message from Steven Frey, SHSU’s Information Security Officer. This is a good time to remind you to exercise good judgement when opening email or browsing the Internet. When in doubt of a message’s or site’s authenticity, please contact the Service Desk at (936) 294-1950 or by email at servicedesk@shsu.edu.

News headlines are referencing a global ransomware attack.  Ransomware is a type of malware that is usually delivered via an email attachment or link to a malicious website.  When this malware is unintentionally activated by a user, it begins to encrypt all the files that the user has access to and then informs the user that they have to pay a ransom in bitcoin (an online currency) to decrypt the files.  Until this is done, the only recourse the user has is to restore the files from a backup if there is one available, or if not, the user unfortunately pays the ransom.  Oftentimes, even when the ransom is paid, the hacker does not decrypt the files.  This is why it is imperative that users back up their data, like IT@Sam does with the SHSU servers.  Previous ransomware attacks against the university that made it past security controls were thwarted by IT restoring files to a previous version, usually from the day before.

A key difference with these ransomware attacks (yes, there are multiple variants from different hacking groups) is that they are not just encrypting files that the user has access to; rather, they are exploiting a vulnerability in Microsoft Windows to encrypt all files hosted on every server or workstation that is vulnerable.  Microsoft released a patch for this vulnerability in March 2017.  At that time, IT@Sam patched systems that were known to be vulnerable.

However, on April 14th, 2017, a group of hackers known as The Shadow Brokers released a set of hacking tools that were stolen from the NSA.  These hacking tools contained an exploit for the Microsoft vulnerability, meaning that with a push of a button, anyone could attack vulnerable servers and workstations, even if the user doesn’t have permissions to the files.  IT@Sam decided to take immediate action on all servers to ensure they would not be vulnerable.  This critical update occurred during working hours and did disrupt a few services on campus last month, but they were quickly rectified.

These current ransomware attacks are using these hacking tools to encrypt all files they can where Microsoft has not been patched.  Many organizations have not yet applied patches and are being negatively impacted.  SHSU takes its security posture seriously, and makes it a point to be better safe than sorry.  IT Security has rescanned the entire campus network, and no servers are reporting as vulnerable to this attack. A handful of workstations are vulnerable and are under investigation.

It is important to practice caution when opening attachments in emails or clicking on links as these are the methods used to begin these attacks.  IT Security has taken the threat intelligence it has at this time to block known email subjects from entering SHSU’s email system and the campus Intrusion Prevention System (IPS) has rules in place to detect and block the malware that is currently known at this time.  However, these can change rather rapidly which is why the IPS system gets updates automatically from the vendor to stay up to date.  No security is 100%, but we will continue to monitor the situation as more information is released and take the appropriate actions to swiftly protect the students, faculty and staff of the SHSU community.

Steven Frey
Information Security Officer, IT Security