Security
More information about the service can be found in our documentation portal.
Phishing Email: "Alert: Important Message for ... (email address)"
A phishing email with the above subject line points to a convincing fake of mail.rwth-aachen.de.
Please do not click the link; we are monitoring this.
Phishing Email: "Aktion erforderlich ..."
Last night, a phishing email was sent out with today's or yesterday's date in the subject line.
Please do not enter any login information via the link in this email.
The pattern is always the same:
a) it creates pressure to do something IMMEDIATELY.
b) the sender is fake.
These are typical characteristics of a phishing email.
A new phishing email has just arrived, subject: "Aktion erforderlich" (with today's date)
DNS RPZ
Some records have been added to the local RWTH response policy zone with the "passthru" policy, so DNS requests to known bad domains are only logged, not blocked.
Routing via new XWiN routers
During this period, the routing of the previous XWiN routers (Nexus 7700) will be switched to the new XWiN routers (Catalyst 9600). These routers are essential for RWTH's network connection. This changeover also requires the migration of the DFN connection, which is switched redundantly to Frankfurt and Hannover, and the RWTH firewall to the new systems.
There will be complete or partial outages of the external connection during the maintenance window. RWTH services (e.g. VPN, email, RWTHonline, RWTHmoodle) will not be available during this period. Services within the RWTH network will also be temporarily inaccessible due to limited DNS functionality.
The uplink to Frankfurt has been successfully switched to the new system.
Conversion of the uplink to Hannover is starting.
Uplink to Hannover moved to the new system.
BGP v4/v6 to Frankfurt and Hannover is now functional via the new routers.
A few minor follow-up tasks remain.
Maintenance is complete. Traffic now runs entirely over the new routers!
Problem with the connection to Physics identified; it will be resolved tomorrow morning.
DFN Timestamp Service Temporarily Unavailable
The DFN timestamp service is currently unavailable. As a result, the digital signature cannot be used as usual.
We are already working on a solution to the problem.
DFN timestamp service is working again
Phishing Warning
We are currently observing a new wave of phishing attacks. This time, the focus is on CEO Fraud:
https://polizei.nrw/en/article/ceo-fraud-high-risk-of-fraud-for-companies
Usually the name of the correct supervisor is shown as the sender name. The actual sender email address, however, is most often very generic (e.g. office12345@gmail.com or similar). It is therefore strongly recommended to check the actual sender email address.
We advise caution. If you receive one of those emails, please do not reply and never send any gift cards or money. Report the email (as an attachment) to servicedesk@itc.rwth-aachen.de and also to spam@access.ironport.com in Cc.
You can find more information about e-mail phishing here:
https://help.itc.rwth-aachen.de/en/service/1jefzdccuvuch/article/44343c9765a44f1cad23f0c4cd75f856/#Phishing-Mails
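The sender check recommended above, as an added example that is not from the original notice: it compares the decoded display name against a directory of supervisors and flags mail whose actual address lies outside the organisation. The directory, the `uni.example` domain and the function names are assumptions; the sample headers are constructed.

```python
import re
from email import message_from_string, policy

# Constructed directory (assumption): supervisor display name -> legitimate address.
SUPERVISORS = {"erika mustermann": "erika.mustermann@uni.example"}
ORG_DOMAINS = {"uni.example"}

def normalise(name: str) -> str:
    """Casefold, drop academic titles and collapse whitespace before comparing."""
    name = re.sub(r"\b(prof|dr)\b\.?", " ", name.casefold())
    return " ".join(name.split())

def classify_sender(raw: str) -> str:
    """Return 'impersonation', 'ok' or 'unknown' for the From header of raw."""
    msg = message_from_string(raw, policy=policy.default)
    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return "unknown"
    sender = from_hdr.addresses[0]  # policy.default decodes RFC 2047 display names
    expected = SUPERVISORS.get(normalise(sender.display_name))
    if expected is None:
        return "unknown"  # display name is not a known supervisor
    if sender.addr_spec.lower() == expected or sender.domain.lower() in ORG_DOMAINS:
        return "ok"
    return "impersonation"  # supervisor's name on an external address

# Constructed sample headers; the generic address is the example from the notice.
SAMPLES = [
    'From: "Erika Mustermann" <office12345@gmail.com>\n\n',
    "From: =?utf-8?q?Prof=2E_Dr=2E_Erika_Mustermann?= <office12345@gmail.com>\n\n",
    "From: Erika Mustermann <erika.mustermann@uni.example>\n\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify_sender(raw), "<-", raw.strip())
```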
Renewal of the vulnerability management solutions
As part of a modernization of the vulnerability management solutions used, the license of the old appliance has expired as planned. The reports displayed on [0] therefore do not reflect the current status quo. Information about a new portal, which displays the data of the new scanner, will soon be provided via the usual channels (e.g. e-mail distribution list for the admin round).
[0] https://noc-portal.itc.rwth-aachen.de/sec-scan-report/scan_results
Hosts of RWTH Aachen University partly not accessible from networks of other providers
Due to a DNS disruption, the name servers of various providers are currently not returning an IP address for hosts under *.rwth-aachen.de.
As a workaround, you can configure alternative DNS servers in your connection settings, e.g. the Level3 name servers (4.2.2.2 and 4.2.2.1) or Comodo (8.26.56.26 and 8.20.247.20). It may also be possible to reach the RWTH VPN server, in which case please use VPN.
Instructions for configuring an alternative DNS server under Windows can be found via the following links:
https://www.ionos.de/digitalguide/server/konfiguration/windows-11-dns-aendern/
https://www.netzwelt.de/galerie/25894-dns-einstellungen-windows-10-11-aendern.html
You can also use VPN as an alternative. If you cannot reach the VPN server, you can adjust the hosts file under Windows according to the following instructions. This will allow you to reach the server vpn.rwth-aachen.de. To do this, the following entry must be added:
134.130.5.231 vpn.rwth-aachen.de
https://www.windows-faq.de/2022/10/04/windows-11-hosts-datei-bearbeiten/
The hosts of RWTH Aachen University can now be reached again from outside the RWTH network.
Individual users may have experienced problems even after the fault was rectified on 25 August at 9 p.m. On 26 August at 9 a.m. all follow-up work was completed, so there should be no further problems.
Maintenance of noc-portal
Due to maintenance of the noc-portal system, some of our web services for managing the basic Internet services will be briefly unavailable during the maintenance window.
Among others, the following are affected:
* DNS-Admin
* DHCP-Admin
* RADIUS-Admin
* Interface-Admin
* Firewall-Admin & form
* WLAN guest accounts (creation)
Unwanted cloud storage in free "New Outlook" apps
The new Outlook app for Windows 10 and 11 and the Outlook apps on mobile devices (Android and iOS/macOS) must not be used for information security and data protection reasons, as they transmit unwanted data to Microsoft.
License-based Outlook programs (from Microsoft Office) and the "Outlook on the Web" app (OWA) are not affected. These may continue to be used. There are currently no security concerns here, as these applications communicate directly with the RWTH Aachen University mail servers and no data is transferred to the Microsoft cloud.
Further information can be found at:
https://help.itc.rwth-aachen.de/service/1jefzdccuvuch/article/a0fbb2a445e84927ad982e1259942e22/
The message will be deactivated. We continue to warn against the use of the new, free Outlook app:
https://help.itc.rwth-aachen.de/en/service/1jefzdccuvuch/article/a0fbb2a445e84927ad982e1259942e22/
Phishing Warning
We are currently observing a new wave of phishing attacks. This time, the following subject is particularly noticeable:
Current subject: "Payment Advice - Ref: [HSBC107741] / RFQ Priority Payment / Customer Ref: [PI10774QT44]" or similar.
We advise caution. If you receive one of those emails, please do not click on the link under any circumstances and report them to servicedesk@itc.rwth-aachen.de and also to spam@access.ironport.com in Cc.
You can find more information about e-mail phishing here:
https://help.itc.rwth-aachen.de/en/service/1jefzdccuvuch/article/ab86b235c4f5426facd675d623a0365b/
https://help.itc.rwth-aachen.de/en/service/1jefzdccuvuch/8e226a36638741ddacac573faa95a0e3/faq/#f2b3552a3e6f49d9be25a1ed9ad2ebe7
Phishing Warning
We are currently seeing another wave of phishing attacks using the following email subjects: "Paskyra pasenusi" and "Kontingentinformationen".
If you receive such an e-mail, please do not click on the link and report it to servicedesk@itc.rwth-aachen.de.
The wave continues:
Current subject: "E-Mail-Kontingent voll"
We are no longer observing phishing emails with these subjects.
Phishing Warning
We are currently seeing a wave of phishing attacks of various kinds.
E-mails with the subject "??? Voice Mail (00:19secs)" are particularly noticeable.
If you receive this e-mail, please do not click on the link and report it to servicedesk@itc.rwth-aachen.de.
Phishing attacks continue to occur more frequently. Phishing e-mails with the subject "WICHTIG: E-Mail-Benachrichtigung der Universität Würzburg" are particularly noticeable at the moment. This email may also be sent in a modified version and/or in English.
We are ending the warning message as the total number of phishing cases has decreased. However, phishing emails are still being sent. Therefore, please keep an eye out for suspicious emails and do not click on any links they contain.
High number of encrypted archives
We are currently seeing a high number of encrypted attachments coming in.
File name pattern: "number"-BST-SH.zip
We assume this is malware.
Another pattern is appearing: DOC"number"-"longer number".zip
Today the pattern is TCR"number".zip, where the number has four digits.
High number of emails with encrypted ZIP files
Since about 13:00 we have been seeing emails with attachments in the form of encrypted ZIP files.
The file names follow the pattern "in_long number".
We assume this is a malware attack.
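An added example, not part of the original notices or of RWTH's tooling: a gateway-style check that flags attachments which are encrypted ZIPs or whose names match the patterns from the two notices above. The digit counts (other than TCR's four), the optional `.zip` on the `in_` pattern and all function names are assumptions; the sample mails are constructed.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Patterns from the notices; digit counts other than TCR's four are assumptions.
NAME_PATTERNS = [
    re.compile(r"\d+-BST-SH\.zip", re.I),
    re.compile(r"DOC\d+-\d+\.zip", re.I),
    re.compile(r"TCR\d{4}\.zip", re.I),
    re.compile(r"in_\d+(\.zip)?", re.I),  # extension is not stated in the notice
]

def is_encrypted_zip(data: bytes) -> bool:
    """True if any member has general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False  # not a ZIP at all

def scan_message(raw: bytes) -> list[dict]:
    """Report each attachment that is an encrypted ZIP or matches a known name."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        name_hit = any(p.fullmatch(name) for p in NAME_PATTERNS)
        encrypted = is_encrypted_zip(payload)
        if name_hit or encrypted:
            findings.append({"file": name, "name_hit": name_hit, "encrypted": encrypted})
    return findings

def build_sample(filename: str, encrypted: bool) -> bytes:
    """Constructed mail: a stored ZIP whose central-directory flag may be patched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("note.txt", "constructed sample")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.rfind(b"PK\x01\x02") + 8] |= 0x1  # set bit 0 of the flag word
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()
```

The encryption flag is read from the ZIP central directory, so the check works without a password and without extracting anything.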