Advisories

The ISPO provides security advisories to the campus community, primarily for IT administrators. Advisories may relate to vulnerabilities that should be patched or to noteworthy security events.

NOTE: These advisories do not indicate that vulnerabilities have been identified on UNM information systems. Vulnerability notifications may be sent privately at the ISPO's discretion.

For more information, please review the ISPO's Vulnerability Management Program Component

June 23, 2020 – Mathway Data Breach

Summary:

On May 22, 2020, Mathway became aware that email addresses and passwords belonging to its members were part of a data breach that began in January of 2020 [1].  Mathway is a service provided by Chegg, which also suffered a large-scale breach in 2018.

What UNM is doing:

On June 23, 2020, a trusted third party notified UNM Information Security & Privacy Office (ISPO) staff that UNM credentials had been found in the public domain.  In response to this finding, ISPO staff tested the compromised credentials (usernames and passwords).  On the specified date, it did not appear that any valid credentials were present in the data dump; no UNM accounts were found to be impacted.

What you need to do:

Ensure passwords are not recycled or reused among various accounts/services.  Please be reminded that you should never use your UNM NetID password on non-UNM systems.

References:

[1] https://www.zdnet.com/article/25-million-user-records-leak-online-from-popular-math-app-mathway/

April 1, 2020 – Multiple issues with Zoom (Zoombombing and Zero-Day Vulnerabilities)

Summary:

On March 30, 2020, the Federal Bureau of Investigation (FBI) released an article notifying teleconference users that the incidence of session hijacking, also known as “Zoombombing” or “Zoom-bombing,” is increasing nationwide.  Adversaries can join conferences and subsequently disrupt them with hate images, threatening language, pornographic content, etc.

On March 31, 2020, a group of security researchers published findings about a vulnerability in the Zoom client for Windows that can be exploited to expose user credentials.  The next day, a different researcher discovered a vulnerability in the Zoom client for macOS that, if exploited, can give a local attacker root privileges on Mac devices.  The exploitation of this vulnerability can grant the attacker access to the system’s microphone and webcam.

What UNM is doing:

UNM Information Technologies (UNM IT) has multiple support teams working to address Zoom-related issues.

  • UNM IT's Academic Technologies (AT) area would like to use this occasion to remind users to adhere to best practices when using the Zoom service.
  • UNM IT's Enterprise Managed Systems and Services (EMSS) area (formerly Workstation Management) is packaging necessary software updates for centrally-managed UNM-owned devices as they become available.

The UNM Information Security & Privacy Office (ISPO) will continue to monitor the situation and provide updates as they become available.

What you need to do:

Zoombombing

UNM IT's Academic Technologies (AT) has historically provided guidance regarding best practices when using the Zoom service.  UNM community members who use the Zoom service are strongly encouraged to periodically review the 'Best Practices for Scheduling Meetings with Students' guide contained in the Zoom Web Conferencing section of the IT - Academic Technologies area's website.

Additionally, the FBI has published guidance recommending that the following actions be taken:

  • Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
  • Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
  • Manage screensharing options. In Zoom, change screensharing to “Host Only.”
  • Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
  • Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.

Zero-day Vulnerabilities:

Because the aforementioned vulnerabilities are “zero-day” vulnerabilities, no software updates (patches) currently exist that can rectify them.  Nevertheless, users should regularly monitor this site for updates.  Furthermore, users should apply updates from Zoom as they are released, in accordance with users’ patch management policies and procedures.  Additionally, IT support units at UNM must address these vulnerabilities where Zoom software is installed on UNM devices in accordance with UNM's Vulnerability Management Program, a component of the Information Security Management System (ISMS).  Finally, restrict physical access to devices running Zoom to only those users who need such access; it is much easier for an attacker to compromise a device when they have physical access to it.

References:

[1] https://techcrunch.com/2020/04/01/.zoom-doom/

[2] https://at.unm.edu/media-collaborative-apps/zoom-web-conferencing.html

March 19, 2020 – COVID-19 Cyberattack Campaigns

Summary:

Attackers have been leveraging concerns about the Novel Coronavirus (COVID-19) to steal personally identifiable information (PII) and protected health information (PHI).  The attacks, which range from malware to phishing emails, have fluctuated in both size and scope.  Examples of such attacks include (but are not limited to):
  • Impersonating a member of the healthcare community (such as a New Mexico Department of Health official) to coerce individuals to disclose information such as Social Security Numbers (SSNs) or Medicare numbers.
  • Sending links via text to smartphone users which prompt the user to download an “application” tracking COVID-19.  The link instead installs spyware on the mobile device, allowing the attacker to access the microphone and camera.
  • Emailing an actual COVID-19 tracking map that, when installed, also installs a payload that can extract information from a user’s system.

What UNM is doing:

The UNM Information Security & Privacy Office (ISPO) continues to monitor the situation. In addition, UNM is regularly updating the site UNM Coronavirus (COVID-19) Information, which is designed to provide updates to the UNM community regarding COVID-19 and the responses UNM is taking to preserve the health of the community.

What you need to do:

Always use caution when disclosing PII or PHI, and note that UNM, the New Mexico Department of Health, Presbyterian, Lovelace, or other state agencies will never ask you for your Social Security Number or Medicare number. Furthermore, only visit trusted sites, such as the Centers for Disease Control and Prevention, for status updates regarding COVID-19.

References:

UNM Coronavirus (COVID-19) Information

Centers for Disease Control and Prevention (CDC) - Coronavirus (COVID-19) Information

Forbes: Coronavirus Scam Alert: COVID-19 Map Malware Can Spy On You Through Your Android Microphone And Camera

Krebs on Security: Live Coronavirus Map Used to Spread Malware

Proofpoint: Coronavirus Threat Landscape Update


Report an Incident

If you suspect that your NetID (i.e. LoboMail account) or a computer has been compromised and you need to know what to do, please see our FAQ.

Abuse Report Form

- or - 

Help.UNM Self Service

- or -

security@unm.edu

- or -

+1 (505) 277-2497

- or -

UNM EthicsPoint


For more information, visit our Contact Information page