NJCCIC Weekly Bulletin | February 21, 2019

THE WEEKLY BULLETIN
February 21, 2019
TLP: WHITE

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.

Emotet, the Threat that Keeps on Giving

Image Source: US-CERT
Throughout 2018, and now into 2019, the Emotet trojan has been a prevalent cyber threat across New Jersey. The NJCCIC has received numerous reports regarding Emotet infections, often impacting the operations of affected organizations for weeks at a time, and emails containing the Emotet trojan continue to represent the largest volume of messages blocked due to the detection of malicious attachments and links. The threat actors behind the trojan made several updates and changes in tactics and techniques in 2018 that enabled more emails to pass through security solutions and make it to end-user inboxes. New research from Menlo Security found that 80 percent of malicious Emotet attachments appear to be Word .doc files; however, they are actually XML files, an attempt to avoid detection and sandbox environments. While Emotet’s capabilities have evolved, emails related to this campaign continue to deliver messages with a payment theme and contain either an attachment or embedded URL that references an invoice. The NJCCIC strongly encourages educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails, including those from known senders. If an Emotet infection is strongly suspected but your anti-virus/anti-malware solution cannot detect or remove it, consider reimaging the affected system’s hard drive. Also, proactively monitor and change passwords to any financial, personal, and business accounts, as well as administrative and domain controller accounts accessed on infected systems, and enable multi-factor authentication where available.
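The detail above about attachments that carry a .doc name but are really XML is something a mail gateway or triage script can check directly, because a file's declared extension and its actual container format are independent. The following added example (written for this bulletin, not code from the NJCCIC, US-CERT or Menlo Security) sniffs the leading bytes of an attachment, compares the detected container with what the extension claims, and recognises the Word 2003 XML format by its `<?mso-application progid="Word.Document"?>` processing instruction. The sample attachments are constructed inline; the `editdata.mso` check is a heuristic assumed here for macro-bearing Word XML files, not a signature taken from the bulletin.

```python
import re

# Magic bytes for the two legitimate Word containers.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # .docx/.docm (OOXML is a zip archive)

# Which containers are acceptable for a given extension.
EXPECTED_CONTAINER = {
    "doc": {"ole2"},
    "dot": {"ole2"},
    "docx": {"ooxml-zip"},
    "docm": {"ooxml-zip"},
    "xml": {"xml"},
}

# Word 2003 XML announces itself with this processing instruction near the top.
WORD_XML_PI = re.compile(rb'<\?mso-application\s+progid="Word\.Document"\?>')
# Heuristic (assumption): Word XML that carries VBA embeds it as a base64 blob
# in a w:binData element named editdata.mso.
EMBEDDED_MACRO_BLOB = re.compile(rb'<w:binData\s+w:name="editdata\.mso"')


def sniff_container(data: bytes) -> str:
    """Classify a file by its content, ignoring its name."""
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    # Tolerate a UTF-8 BOM and leading whitespace before the XML declaration.
    stripped = data.lstrip(b"\xef\xbb\xbf \t\r\n")
    if stripped[:5].lower() == b"<?xml" or stripped[:1] == b"<":
        return "xml"
    return "unknown"


def is_word_xml(data: bytes) -> bool:
    """True if the XML declares itself a Word document (Word 2003 XML format)."""
    return WORD_XML_PI.search(data[:4096]) is not None


def assess_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict dict; 'suspicious' is set when name and content disagree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    container = sniff_container(data)
    verdict = {
        "filename": filename,
        "extension": ext,
        "container": container,
        "suspicious": False,
        "reasons": [],
    }
    # The bulletin's case: a .doc name wrapped around an XML body.
    if ext in EXPECTED_CONTAINER and container not in EXPECTED_CONTAINER[ext]:
        verdict["suspicious"] = True
        verdict["reasons"].append(f"extension .{ext} but content is {container}")
    if container == "xml" and is_word_xml(data):
        verdict["reasons"].append("Word 2003 XML document (mso-application PI present)")
        if EMBEDDED_MACRO_BLOB.search(data):
            verdict["suspicious"] = True
            verdict["reasons"].append("embedded editdata.mso blob (possible VBA)")
    return verdict


# Constructed samples: a plausible legacy .doc header and a disguised Word XML file.
SAMPLE_LEGIT_DOC = OLE_MAGIC + b"\x00" * 504
SAMPLE_DISGUISED_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">\n'
    b'  <w:binData w:name="editdata.mso">QUFBQQ==</w:binData>\n'
    b'  <w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p></w:body>\n'
    b'</w:wordDocument>\n'
)

if __name__ == "__main__":
    for name, blob in (("report.doc", SAMPLE_LEGIT_DOC), ("invoice.doc", SAMPLE_DISGUISED_DOC)):
        print(assess_attachment(name, blob))
```

Run as a script it prints one verdict per sample; in a gateway you would call `assess_attachment` on each decoded attachment and quarantine or detonate anything marked suspicious rather than trusting the filename. Content sniffing of this kind is cheap and catches the specific evasion the bulletin describes, but it is one signal among several and does not replace macro analysis or sandboxing.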

Announcements
 

Cyber Symposium

Date: Wednesday, March 20, 2019 | Time: 8:30 a.m.
Location: The Event Center at iPlay America, Freehold, New Jersey
Audience: Public sector organizations including state, county and municipal governments and authorities, K-12 and higher education
Over the past year, the NJCCIC received numerous reports of cyber incidents, many involving ransomware, that significantly impacted municipal and county government organizations here in NJ, resulting in millions of dollars in ransoms being paid out and major operational disruptions. Oftentimes, poor cyber hygiene was what allowed the threat actors to succeed. We will provide attendees with practical strategies, tactics, resources, and tools to help manage cyber risk in their respective organizations. Details and registration are available online.

Press Release

Governor Murphy Encourages New Jersey Female High School Students to Join Innovative Cybersecurity Competition 
On February 19, Governor Philip D. Murphy encouraged young women in New Jersey’s high schools to take advantage of an opportunity to explore their aptitude for cybersecurity and computer science by trying to solve the challenges of the 2019 Girls Go CyberStart program. Previous knowledge and experience in information technology or cybersecurity are not needed to participate. A computer and internet connection are the only requirements to take part in this program, which comes at no cost for schools and students. Students use the CyberStart Game, an online series of challenges that allows students to act as cyber protection agents to solve cybersecurity-related puzzles and explore exciting, relevant topics such as cryptography and digital forensics.
Open to female high school students, the Girls Go CyberStart initiative encourages participants to explore their interests in cyber studies, learn core cybersecurity skills, and build confidence in problem solving. Students will also have the opportunity to win cash prizes for themselves and their schools, and at least 10 New Jersey high school girls will receive $500 scholarships to help pay for college. In 2018, 453 girls in 44 schools throughout New Jersey participated in Girls Go CyberStart, and the goal for 2019 is to triple those numbers.
Complete details on the Girls Go Cyberstart competition may be found at www.girlsgocyberstart.org.

Industry Report

Dragos provides insights into Industrial Control System (ICS) threat group activity and the ICS threat landscape in their “Year in Review 2018” report, available here. Some takeaways are below:
  • ICS risks grew in 2018:
    • Increase in the number of intrusions into ICS networks, which enables research and reconnaissance.
    • ICS infections involved commodity malware and ransomware.
    • Attacks incorporated Living off the Land tactics to bypass security protections.
    • Several compromises of industrial control equipment manufacturers enable potential supply-chain threats to ICS networks.
  • Three new ICS-targeting threat groups were identified.
  • Dragos anticipates an increase in disruptive attacks as a result of research and reconnaissance activity.
  • No new malware with life-threatening or ICS-specific destructive capabilities.

Threat Alert
 

Phishing for Facebook Credentials

Researchers from Myki discovered a phishing campaign to steal Facebook credentials. When a user visits a compromised website, a popup prompts the user to authenticate by logging into their Facebook account. If the user enters their credentials, they are sent to the threat actor. The popup allows the user to interact with it like any other popup, dragging it or dismissing it; however, if the user drags it out of the browser window, the popup will disappear, indicating it isn’t a true popup at all but rather a part of the compromised webpage. The NJCCIC recommends verifying that a URL is valid and HTTPS is enabled, and testing for fraudulent popup windows by dragging the popup out of its current window. More details and a demo of this phishing campaign can be found in Myki’s blog post.

Vulnerability Advisories
 

Privacy Protection Bypassed for Android Apps

Lead researcher Serge Egelman from the International Computer Science Institute (ICSI) discovered that users of some Android apps who wish to opt out of data collection may still have their information collected as a permanent record for advertising and targeting purposes. Google’s policy requires that developers and advertisers refrain from linking advertising IDs with other persistent identifiers; however, Egelman found that they are ignoring and violating this policy and collecting data tied to the user, device, and online activity, all without the user’s consent. These policy violations raise privacy concerns and GDPR issues. Google’s response at the time of this writing said that it will constantly review the apps and take action when they are not in compliance with its policies. The NJCCIC recommends that users proceed with caution before downloading and installing apps from non-reputable sources, and that they change their advertising IDs to clear out web browsing data. ICSI’s findings can be found in their press release and the CNET blog post.

TLS 1.3 Vulnerable to Intercepting Encrypted Traffic

Researchers from multiple universities and groups have discovered a TLS 1.3 vulnerability that could allow a threat actor to intercept encrypted traffic and steal data. The potential attack on the latest version of the TLS protocol breaks confidentiality, and it is a variation of the original Bleichenbacher oracle attack, which abuses the RSA decryption and signing operations performed with the private key of a TLS server. The NJCCIC recommends patching systems as updates become available. More technical details on the TLS 1.3 vulnerability can be found in the research paper and the SC Media blog post.

Threat Profiles
 
Android: No new or updated variants added.
Botnet: No new or updated botnets were added.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: No new or updated exploit kits were added. 
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: One updated variant: Shlayer.
Point-of-Sale: No new or updated variants were added.
Ransomware: One updated variant: GandCrab.
Trojan: One updated variant: Emotet.

ICS-CERT Advisories
Throwback Thursday
Be Sure to Secure
 
Threat Analysis
 
Patches

Social Engineering Awareness
Don’t Blame Employees Who Fall For a BEC Scam!
Comment: Organizations need to dedicate appropriate resources to reduce the likelihood that employees will fall for a social engineering attack. User awareness training, security controls, and process controls reduce the likelihood of employees falling for Business Email Compromise (BEC) scams. Online phishing simulations are available at no cost to learn how to identify suspicious emails. Email security controls are designed to detect BEC scams by looking at social engineering and attacker behaviors. It is also recommended to have process controls in place, such as requiring two approvals for wire transfers.

Cyber at a Glance
Should You Delete Yourself From Social Media?
Comment: Social media can have its security and privacy concerns especially with all of the recent vulnerabilities and breaches, but there is no need to reach for the delete button for all social media accounts. Users can properly secure all accounts by adjusting the privacy settings and being mindful of what is posted and shared, as well as monitoring and tracking usage. The NJCCIC published Be Sure to Secure posts to help guide users in adjusting security and privacy settings for social media accounts, found here.
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Comment: As more and more IoT devices are being connected, there is a demand for greater security and privacy protections. This initiative by several organizations reinforces the need for minimum standards such as encryption, security updates, strong passwords, vulnerability management, and privacy practices. Manufacturers should build and implement a more secure and connected future so consumers can feel more confident and have peace of mind when purchasing IoT devices.
Mobile Banking and Buying: Best Practices
Comment: The benefits of banking on mobile devices certainly come with risks that can impact the device, app, network, and account security. Mobile devices can be vulnerable to phishing attacks, malware infections, trojans, script injections, exploit kits, cross-site scripting, man-in-the-middle attacks, network sniffing, and credential theft. Users are advised to implement mobile security tips, solutions, and tools to help stay secure. The NJCCIC published Cybersecurity Best Practices to keep individuals and their data safe, found here.

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
 
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
