Security Alerts & Warnings

This page lists current warnings regarding suspicious email messages and other cybersecurity hazards at the University of Virginia. For guidance on how to secure yourself against these hazards, be sure to visit our tip of the month.
Regarding Suspicious Email Alerts
Messages similar to the suspicious emails listed below may be related to phishing scams, schemes to commit identity theft, or other attempts to compromise users’ machines or personal information.
- If you receive an email similar to any of the suspicious emails on this page, DO NOT respond—delete it immediately!
- Do not click any links in the email, and do not “unsubscribe” or acknowledge the email in any way.
- If you receive an email that appears “phishy” and are unsure if it’s legitimate, and it is not listed below, please report it to us by forwarding it to [email protected].
Security Alerts and Suspicious Items Currently Affecting UVA:
[Posted: Mar 31, 2022 4:30 PM]
Action Needed: Critical Vulnerability in Spring Java framework
Threat: CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
UPDATE 4/8/2022: Trend Micro Threat Research today confirmed that this Spring4Shell vulnerability has been exploited by the Mirai botnet.
From the Spring advisory: “The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.” [emphasis added]
Although the announcement lists the specific currently-known requirements for an installation to be vulnerable, it goes on to say "the nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet." Continue to monitor the situation no matter what Spring configuration you use. LSPs need to do the following immediately:
- identify whether they support any server systems running the Spring Framework for Java
- mitigate the issue as described in the Spring advisory
Permanent mitigation:
- Spring Framework 5.3.18 and 5.2.20, which contain the fixes, have been released.
- Spring Boot 2.6.6 and 2.5.12, which depend on Spring Framework 5.3.18, have been released.
Temporary mitigation:
- The Spring advisory contains a multistep workaround for those not able to install the patched versions, but warns that the workaround may leave some loopholes.
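As an added triage helper for the Spring alert above (not code from the Spring project or from this page), the script below checks jar names from a server's library directory against the fixed releases the alert lists (5.3.18 and 5.2.20) and notes whether the known exploit prerequisites (JDK 9+, Tomcat WAR deployment) are also present. The inventory, the function names, and the decision to flag branches older than 5.2 for review are assumptions.

```python
"""Triage helper for CVE-2022-22965 (Spring4Shell): added example, not Spring's own code.
The jar inventory is constructed; the first patched releases come from the alert above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# First patched patch-level per supported Spring Framework branch (from the advisory).
FIXED_PATCH = {(5, 3): 18, (5, 2): 20}
# Matches the version in names such as spring-core-5.3.17.jar or spring-webmvc-5.2.19.RELEASE.jar.
SPRING_JAR = re.compile(r"spring-(?:core|beans|context|web|webmvc|webflux)-(\d+)\.(\d+)\.(\d+)")
Version = Tuple[int, int, int]

def parse_spring_version(jar_name: str) -> Optional[Version]:
    """Return (major, minor, patch) for a Spring Framework jar name, else None."""
    m = SPRING_JAR.search(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None

def framework_patched(version: Version) -> Optional[bool]:
    """True at or past the fix for its branch, False if older, None if the branch
    has no fix listed (out of support, so treated as needing review: an assumption)."""
    branch = version[:2]
    if branch not in FIXED_PATCH:
        return None
    return version[2] >= FIXED_PATCH[branch]

@dataclass
class Deployment:
    name: str
    jars: List[str]
    jdk_major: int   # e.g. 8, 11, 17
    packaging: str   # "war" (deployed to Tomcat) or "jar" (executable jar)

def triage(dep: Deployment) -> str:
    """Classify a deployment as no-spring, patched, or one of two vulnerable states."""
    versions = {v for v in map(parse_spring_version, dep.jars) if v}
    if not versions:
        return "no-spring"
    # None (unsupported branch) is falsy, so it counts as not patched.
    if all(framework_patched(v) for v in versions):
        return "patched"
    # The known exploit path needs JDK 9+ and a Tomcat WAR deployment, but the advisory
    # warns other paths may exist, so unpatched versions are flagged either way.
    if dep.jdk_major >= 9 and dep.packaging == "war":
        return "vulnerable-known-exploit-path"
    return "vulnerable-patch-anyway"

# Constructed inventory standing in for each server's WEB-INF/lib listing.
INVENTORY = [
    Deployment("portal", ["spring-core-5.3.17.jar", "spring-webmvc-5.3.17.jar"], 11, "war"),
    Deployment("batch", ["spring-core-5.2.19.RELEASE.jar"], 8, "jar"),
    Deployment("api", ["spring-core-5.3.18.jar", "spring-webflux-5.3.18.jar"], 17, "jar"),
    Deployment("legacy", ["spring-core-4.3.30.RELEASE.jar"], 11, "war"),
]

if __name__ == "__main__":
    for dep in INVENTORY:
        print(f"{dep.name:8} {triage(dep)}")
```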
More information:
https://www.bleepingcomputer.com/news/security/spring-patches-leaked-spring4shell-zero-day-rce-vulnerability/
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
https://success.trendmicro.com/dcx/s/solution/000290730?language=en_US
https://www.marketscreener.com/quote/stock/TREND-MICRO-6492622/news/CVE-2022-22965-Analyzing-the-Exploitation-of-Spring4Shell-Vulnerability-in-Weaponizing-and-Executin-40000428/
[Posted: Mar 28, 2022 9:30 AM]
Another Zero-Day flaw in the Chrome web browser for Windows, Macintosh, and Linux computers and Microsoft's Chromium-based Edge browser.
A zero-day flaw has been found in the Chrome web browser used on Windows, Macintosh, and Linux computers. The flaw (CVE-2022-1096) is a high severity flaw on the CVSS vulnerability-rating scale. It is a type confusion weakness in the Chrome V8 JavaScript engine reported by an anonymous security researcher.
Google has released a fix to address this zero-day vulnerability (version 99.0.4844.84). Shortly after Google released Chrome 99.0.4844.84, Microsoft announced that it has updated its Chromium-based Edge browser to version 99.0.1150.55, to resolve CVE-2022-1096.
You can check for new updates in Chrome by going to Chrome menu > Help > About Google Chrome. Most Chrome and Edge browsers will auto-update, but the update requires the browser to be restarted. Considering the disclosed vulnerability, you should update your Chrome browser to the latest version (at least 99.0.4844.84) or your Microsoft Edge browser to the latest version (at least 99.0.1150.55) as soon as possible. These web browsers will also auto-check for new updates and automatically install them after the next restart or launch.
Double-check your browser is up-to-date
Chrome and Edge browsers will in many cases update to their newest versions automatically.
However, we recommend you double-check if the update has been applied.
In Chrome, click on Settings then About Chrome
If an update is available, Chrome will show that here and then start the download process. When it's completed, it will ask to relaunch the browser to complete the update.
If the browser is up-to-date, it will say "Google Chrome is up to date" and list the version number. Make sure it's at least 99.0.4844.84
Additional Details
With this update, Google addressed the second Chrome zero-day since the start of 2022; the other one (tracked as CVE-2022-0609) was patched last month.
(References: https://www.bleepingcomputer.com/news/security/emergency-google-chrome-update-fixes-zero-day-used-in-attacks; https://www.securityweek.com/google-issues-emergency-fix-chrome-zero-day; https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html )
Please see the Chrome Security Page and the Chrome Releases webpages for more information.
[Posted: Mar 20, 2022 4:50 PM]
From: User, Typical S (mst3k) <mst3k [at] virginia.edu>
Sent: Sunday, March 20, 2022 1:37 PM
Subject: EMERGENCY
Your mailbox storage has reached 98% on the email server. Visit OutlookStorage Access Page<hXXps://f190fc3a.sibforms.com/serve/MUIEAJrKWr7IFcHqJYxHk_e9JINRgJPmaCXsKVacyv82UwrCVicQYzDLLIO1C6AGq3vsxGtgsTm1oVM6zzVXcGlMnk0sZcrK3Kma387tk7XPBOFQ35kLJPAZCV9zj-wfo7EKpC63JV16LWzqz1_cCBUTGGW-tmvbo3m4JcpKDkbTnIlXDwAZBlX46vKP5-gp7i94mzOReftBFVbz> to adjust your Mailbox storage.
Note: To access your Outlook account for upgrade a notification call will come through your phone, kindly answer the call and then press 1 on your phone to continue.
Warm Regards,
Webmail Administrator
[Posted: Mar 8, 2022 4:00 PM]
Zero-Day flaws in the Firefox web browser for Windows, Macintosh, and Linux computers
Two zero-day flaws have been found in the Mozilla Firefox web browser used on Windows, Macintosh, and Linux computers. The flaws (CVE-2022-26485 and CVE-2022-26486) have been described as use-after-free issues impacting the Extensible Stylesheet Language Transformations (XSLT) parameter processing and the WebGPU inter-process communication (IPC) Framework. Both are critical severity flaws on the CVSS vulnerability-rating scale.
Mozilla acknowledged that "We have had reports of attacks in the wild" weaponizing the two vulnerabilities.
In light of active exploitation of the flaws, if you have a Firefox browser, it is recommended to upgrade as soon as possible to these versions: Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, Focus 97.3.0, or Thunderbird 91.6.2.
Most Firefox browsers will auto-update, but the update requires the browser to be restarted.
Double-check your Firefox Browser is up-to-date
Firefox will in many cases update to its newest version automatically.
However, we recommend you double-check if the update has been applied.
In Firefox, click on Settings then General and scroll down to Firefox Updates
If the browser is up-to-date, it will say "Firefox is up to date" and list the version number. Make sure it's at least Firefox 97.0.2, Firefox ESR 91.6.1, or Firefox for Android 97.3.0
Additional Details
One vulnerability (CVE-2022-26485): removing an XSLT parameter during processing could lead to an exploitable use-after-free. (Use-after-free bugs can be exploited to corrupt valid data and execute arbitrary code on compromised systems.)
The other vulnerability (CVE-2022-26486): an unexpected message in the WebGPU IPC framework could lead to a use-after-free and an exploitable sandbox escape.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added the two Firefox zero-day vulnerabilities, along with nine other bugs, to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to apply the fixes by March 21, 2022.
(References: https://thehackernews.com/2022/03/2-new-mozilla-firefox-0-day-bugs-under.html, https://www.bitdefender.com/blog/hotforsecurity/mozilla-firefox-97-0-2-update-addresses-two-actively-exploited-zero-day-flaw, cert.civis.net/en/index.php?action=alert&param=CVE-2022-26485 and cert.civis.net/en/index.php?action=alert&param=CVE-2022-26486).
Please see the Mozilla Security Advisory webpage for more information.
[Posted: Mar 7, 2022 1:53 PM]
Sent: Sunday, March 6, 2022 3:35:21 PM
To: UVA User <[email protected]>
Subject: Payroll Notifications for [email protected] on 07 Mar 2022
Copyright © 2022. | THE UNIVERSITY OF VIRGINIA | All Rights Reserved |
[Posted: Feb 24, 2022 8:52 PM]
From: Package Info <noreply [at] productshipping-hub9.co>
Subject: Service Update for 24th Feb #GEESQ-24-14295109
Date: February 24, 2022 at 3:11:38 PM EST
To: "mst3k [at] virginia.edu" <mst3k [at] virginia.edu>
Your services has been renewed
This emails confirms the renewal of your services with G-Squad. We are glad to inform you that your plan with us has been renewed for $395.49. Please review the summary of your renewal:
Renewal ID
GEESQ-24-14295109
Renewal date
24-Feb-2022 09:15:55 EST
Registered Email – confirmed
[email protected] <mailto:[email protected]>
Description Users Qty Amount
Geek Secure Premium
04 01 395.49 USD
Subtotal 395.49 USD
Total 395.49 USD
Payment 395.49 USD
Method used
Credit/Debit Card
Issues with this Email?
You have 24Hrs. from the date of the renewal to cancel your plan.
Help-Desk: +1 (xxx) 300-0118
Please do not reply to this email. To get in touch, reach Help-Desk
Not sure why you received this email? Learn more
unsubscribe
[Posted: Feb 24, 2022 9:00 AM]
From: virginia.edu Mail Admin <NOREPLY [at] virginia.edu>
Sent: Wednesday, February 23, 2022 7:27 PM
To: User, Typical S (mst3k) <mst3k [at] virginia.edu>
Subject: virginia.edu Email Security Alert!!!
Vision : To be a leading world-class manufacturer of preferred sugar and associated products.
Mission : Sustainable production of Sugarcane, manufacture and market of quality sugar and associated products for the delight of Customers .
Help save paper and consider our environment - do you need to print this e-mail?
SonySugar is committed to keeping the World Green by Keeping it on the Screen.
[Posted: Feb 18, 2022 10:41 AM]
From: "Garland, Maran K (mkg9d)" <mkg9d [at] virginia.edu>
Date: Friday, February 18, 2022 at 10:16 AM
To: "User, Typical (mst3k)" <mst3k [at] virginia.edu>
Subject: Personal Assistant Position
Dear Student Faculty and Staff,
There is an open position a business executive is currently out of the states for conference and business purposes he is in need of a very honest person to assist him during this period.
Duties:
Monitor Calls and reply to emails.
Receive and make payment to business clients.
Flight booking.
Payment : $400
Location: USA
Applicants must be 18 and above.
CLICK HERE<hxxp://harp-primrose-4hrt.squarespace.com/> To submit an application.
Maran K. Garland
434.964.7150
[Posted: Feb 18, 2022 10:39 AM]
From: "Lewis, Tanika (tl9jh)" <tl9jh [at] virginia.edu>
Date: 18 February 2022 at 14:26:04 GMT
To: Typical User <mst3k [at] virginia.edu>
Subject: UVA Employment
Work remotely at your convenience from home or school this semester. Students and staff of UNIVERSITY OF VIRGINIA are qualified to apply, and payment is $400 weekly! Kindly CLICK HERE<hxxps://1kea.wufoo.com/forms/z1qo1hjt0y2mdd9/> to submit an application.
Thanks.
[Posted: Jan 26, 2022 4:45 PM]
A critical vulnerability (CVE-2021-4034) has been identified that requires the immediate attention of most Linux users. Please prioritize this issue.
Information about this vulnerability, who it affects, how to search for it, and mitigation strategies if you find it, are on our webpage: Critical vulnerability in most default Linux installations
We want to make sure that finding and fixing this vulnerability is a high priority for all Linux administrators. Linux users who are not administrators should contact their administrator to make sure it is being fixed.
Thank you for helping to keep everyone’s data and information at UVA secure.
[Posted: Jan 18, 2022 5:15 PM]
Multiple people at UVA have reported that they have received a text message that looks something like the one below.
This is "smishing": phishing delivered over SMS text messages, hence the name.
So treat it like a phishing email: don't click on the link.
Notice the odd writing, such as putting parentheses around the "3" and not making "virus" plural.
The link is odd as well: it is not a well-known link shortener, and if you hover over it, it does not go where it claims.
So ignore this text!
[Posted: Dec 29, 2021 8:41 AM]
From: virginia.edu:12/29/2021 <info [at] rkvalve.com>
Sent: Wednesday, December 29, 2021 5:59:55 AM
To: User, Typical S <mst3k [at] virginia.edu>
Subject: virginia.edu_Notification:(Wednesday, December 29, 2021)
virginia.edu WEBMAIL
Hello mst3k,
Your mst3k [at] virginia.edu password is set to Expire today,
Wednesday, December 29, 2021
You can change your password or continue using same password below
Keep Same Password <hxxp://xn.54nl7.everesthimalayansd.com/.#.aHR0cDovL3JheWFubGFuLmNvbS93cC1hZG1pbi9pbWFnZXMvc3l1LyNhbGc2bkB2aXJnaW5pYS5lZHU=>
virginia.edu Support
[Posted: Dec 13, 2021 4:15 PM]
If you and/or your folks are not already working on finding and remediating the Apache log4j Java vulnerability (CVE-2021-44228), please prioritize this issue. It is a critical zero-day exploit.
When this vulnerability is exploited, an attacker can run commands on your computers or servers, steal data, and/or use your computers to pivot laterally to other computers or servers.
Information about this vulnerability, who it affects, how to search for it, and mitigation strategies if you find it are on our webpage: Action Needed: Critical Vulnerability in Widespread Java Logging Library
We want to make sure that finding and fixing this vulnerability is high priority for everyone.
Thank you for helping to keep everyone’s data and information at UVA secure.
[Posted: Nov 18, 2021 4:07 PM]
From: Virginia -053100 <kazash [at] gvsu.edu>
Sent: Thursday, November 18, 2021 3:36 PM
To: Typical User <mst3k [at] virginia.edu>
Subject: Covid Test#56470
Importance: High
Attached copy of your test result.
Thanks.
[Posted: Nov 13, 2021 7:32 PM]
From: "John William Betts, III" <jwb286 [at] cornell.edu>
Date: November 13, 2021 at 1:05:15 PM EST
Subject: University Payroll Services invited you to view the files "Regarding 2021 payroll schedule "on Payroll Services.
University Payroll Services invited you to view the files "Regarding your 2021 payroll schedule "on Payroll Services.
View file<hxxps://nortegasconcepcion.com/.odrth/st8923/blackbord.php>
Enjoy!
University Payroll Services
[Posted: Nov 5, 2021 3:04 PM]
From: IT HelpDesk <no-reply [at] virginia.edu>
Date: Friday, November 5, 2021 at 2:58 PM
To: Typical User <mst3k [at] virginia.edu>
Subject: virginia.edu Urgent Action Required!
Hi mst3k,
Due to new terms of our user agreement, we inform you that we made recent updates in our website to ensure safety while using our services. Follow the link below to update your mailbox and follow the steps to check your email.
Update Account
Should you have any questions, do not hesitate to contact me.
Thanks,
Helpdesk Team
[Posted: Nov 1, 2021 3:14 PM]
Sent: Monday, November 1, 2021 3:00 PM
To: Recipients
Subject: Security alert
To stop De-activation Click Here and Log In
IT Help Desk.
[Posted: Oct 1, 2021 4:50 PM]
More Zero-Day flaws in the Chrome web browser for Windows, Macintosh, and Linux computers
More zero-day flaws have been found in the Chrome web browser used on Windows, Macintosh, and Linux computers. The flaws (CVE-2021-37975 and CVE-2021-37976) are high and medium severity flaws, respectively, on the CVSS vulnerability-rating scale. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the system or obtain sensitive information.
Google has released an emergency Chrome fix to address these two zero-day vulnerabilities (version 94.0.4606.71). Most Chrome browsers will auto-update, but the update requires the browser to be restarted.
Considering the disclosed vulnerabilities, you should update your Chrome browser to the latest version (at least 94.0.4606.71) as soon as possible. This update addresses these two security flaws.
Double-check your Chrome Browser is up-to-date
Chrome will in many cases update to its newest version automatically.
However, we recommend you double-check if the update has been applied.
In Chrome, click on Settings then About Chrome
If an update is available, Chrome will show that here and then start the download process. When it's completed, it will ask to relaunch the browser to complete the update.
If the browser is up-to-date, it will say "Google Chrome is up to date" and list the version number. Make sure it's at least 94.0.4606.71
Additional Details
One vulnerability (CVE-2021-37975) could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in V8. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
The other vulnerability (CVE-2021-37976) could allow a remote attacker to obtain sensitive information, caused by an information leak in core. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to obtain sensitive information.
(References: https://www.bleepingcomputer.com/news/security/google-pushes-emergency-chrome-update-to-fix-two-zero-days/, https://cert.civis.net/en/index.php?action=alert&param=CVE-2021-37975 and https://cert.civis.net/en/index.php?action=alert&param=CVE-2021-37976 ).
Please see the Chrome Security Page and the Chrome Releases webpages for more information.
[Posted: Sep 27, 2021 10:30 AM]
Text Message starting a Gift Card Scam
Multiple people at UVA have reported that they have received a text message that looks like this:
This is the beginning of a gift card scam!
Do NOT reply to this text message.
If you're concerned that it is a legitimate request from your "<UVA leader>" (e.g., your dean or department chair), then email or call that person using the contact information you already have.
Please report "smishing" (SMS phishing) to us by emailing [email protected]
Learn more about gift card scams and how to avoid them by reading our past Security Tips at "Don't Get Gift Card Scammed" and "Gift Card Scams"
[Posted: Sep 25, 2021 3:25 PM]
Many hundreds of email messages are coming in with this type of format:
From: Department Chair <deptchair.virginia.edu @ gmail.com<mailto:deptchair.virginia.edu @ gmail.com>>
Subject: Send me your available text number that I can reach you at
Date: September 25, 2021 at 2:40:33 PM EDT
To: typicaluser @ virginia.edu<mailto:typicaluser @ virginia.edu>
--
Department Chair
Dean and professor
School of Scam Science
Even if they seem to come from your chair, department head or supervisor, they are a scam - DELETE them.
Your supervisor does not need to ask for your cell phone number, nor do they need you to buy gift cards for them - the latter violates UVA policy.
Report an Information Security Incident
Please report any level of incident, no matter how small. The Information Security office will evaluate the report and provide a full investigation if appropriate.