NJCCIC Weekly Bulletin | May 9, 2019


Garden State Cyber Threat Highlights

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.

Microsoft Phishing Campaigns Continue

The NJCCIC continues to receive reports of phishing attempts to steal credentials for Microsoft OneDrive and SharePoint. Both campaigns use emails containing URLs that lead unsuspecting users to fraudulent websites built to mimic the legitimate Microsoft login page. When the user enters their credentials, the page may send them to an external site controlled by the threat actor, save them in a text file for later retrieval, or email them to an address the threat actor controls. The user is then frequently redirected to the legitimate Microsoft login page, which reports that the sign-in failed and asks them to log in again. Alternatively, a PDF or other document may be opened and displayed so that nothing appears amiss. Threat actors target file-sharing services because they are widely used for business and may provide access to sensitive information. The NJCCIC highly recommends that users avoid clicking links in unsolicited or otherwise suspicious emails; if an email's legitimacy is uncertain, contact the sender through an alternate channel. If you have fallen victim to this ruse, change the passwords for every account that uses the same credentials and enable multi-factor authentication going forward.
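The lookalike pattern described above (a Microsoft brand name on a host Microsoft does not control) is easy to screen for before a user clicks. The following is an added example written for this bulletin, not code from the NJCCIC or Microsoft; the allowlist of legitimate sign-in hosts, the brand-word list and the sample email are assumptions constructed for the demonstration and should be adapted to your tenant.

```python
import re
from urllib.parse import urlparse

# Hosts that legitimately serve Microsoft sign-in, OneDrive or SharePoint pages.
# This allowlist is an assumption for the example: extend it with your own
# tenant's <tenant>.sharepoint.com and any vanity sign-in domains you use.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
    "onedrive.live.com",
    "www.office.com",
}
MICROSOFT_SUFFIXES = (".sharepoint.com", ".microsoft.com", ".office.com")

# Brand words that, appearing in a non-Microsoft host, path or query string,
# are the usual tell-tale of a lookalike sign-in page.
BRAND_WORDS = ("microsoft", "office365", "office", "onedrive", "sharepoint", "outlook")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_microsoft_host(host):
    """True if the host is allowlisted or a subdomain of an allowlisted suffix."""
    host = host.lower().rstrip(".")
    if host in MICROSOFT_LOGIN_HOSTS:
        return True
    return any(host == s[1:] or host.endswith(s) for s in MICROSOFT_SUFFIXES)


def classify_url(url):
    """Return 'legit', 'lookalike' or 'other' for a single URL.

    'lookalike' means the URL trades on a Microsoft brand word but its host is
    not one Microsoft controls, e.g. login.microsoftonline.com.attacker.example
    or a random host with /office365/login.php in the path.
    """
    parts = urlparse(url)
    host = parts.hostname or ""
    if is_microsoft_host(host):
        return "legit"
    haystack = (host + parts.path + "?" + parts.query).lower()
    if any(word in haystack for word in BRAND_WORDS):
        return "lookalike"
    return "other"


def suspicious_urls(email_body):
    """Extract every URL from an email body and return those classified as lookalikes."""
    return [u for u in URL_RE.findall(email_body) if classify_url(u) == "lookalike"]


# Constructed sample message (not a real phishing email) for demonstration.
SAMPLE_EMAIL = """\
A document has been shared with you on SharePoint.
Review it here: http://sharepoint-docs.example.net/owa/login.php?ref=microsoft
Or sign in at https://login.microsoftonline.com/ to see all shared files.
Unsubscribe: https://lists.example.org/unsub
"""

if __name__ == "__main__":
    for url in URL_RE.findall(SAMPLE_EMAIL):
        print(f"{classify_url(url):9s} {url}")
```

Run against a mail gateway's URL extraction, the `lookalike` verdict is a good trigger for quarantining or rewriting the link; the `legit` verdict only means the host is genuine, so a real Microsoft link followed by a redirect chain still needs the usual click-time protection.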


Cyber FastTrack

NJ college students: don't miss this opportunity to prove your cybersecurity talent and win a scholarship for advanced cybersecurity training.
Registration for the Cyber FastTrack cybersecurity competition closes Friday, May 10, so register today and take your first steps toward joining an industry with a 100% employment rate. No experience required!
Successful Cyber FastTrack students could receive:
  • Scholarships to dive deeper into the industry 
  • Internship opportunities with top employers and leaders in cybersecurity 
  • $500 towards college tuition 
  • Real-life cybersecurity experience and training for your resume

SECON is where the Cybersecurity, Risk and Audit fields merge to demonstrate the disruptive ways in which professionals and businesses manage, detect, and mitigate risk. It is the premier New Jersey event on the industry calendar where C-Level Executives, renowned speakers, innovators, and disruptors come together to drive change in the future of cybersecurity. For further details, please visit the SECON website.

Threat Alert

Confluence Vulnerabilities Exploited to Deliver Miner and Rootkit

Image Source: Trend Micro
A vulnerability in the Widget Connector macro of Atlassian Confluence Server, tracked as CVE-2019-3396, is being actively exploited. Trend Micro detected several attacks using it over a short period. The threat actor distributes Kerberods malware, which pairs a Monero cryptocurrency miner with a rootkit that hides the miner's activity. The malware also hunts for and kills other cryptocurrency miners already present on the compromised host so that it can claim the resources for itself. For more details and indicators of compromise (IoCs), review Trend Micro's blog post. The NJCCIC recommends administrators patch affected Confluence installations immediately and continue monitoring for signs of compromise.
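Patching starts with knowing which installations fall into an affected version range. The following is an added example for this bulletin, not code from Atlassian or Trend Micro: it encodes the affected ranges from the CVE-2019-3396 description and reads the build number from the `ajs-version-number` meta tag that Confluence pages normally carry. Both the version table and the assumption that your instance still exposes that tag should be confirmed against Atlassian's advisory and your own login page; the sample HTML is constructed.

```python
import re

# Affected ranges for CVE-2019-3396 as given in the CVE description
# (Atlassian CONFSERVER-57974): versions before 6.6.12, 6.7.0 up to but
# not including 6.12.3, 6.13.0 before 6.13.3, and 6.14.0 before 6.14.2.
# Each tuple is (first affected version, first fixed version). Verify this
# table against Atlassian's advisory before relying on it; branches newer
# than 6.14 are not covered here and report as not affected.
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 6, 12)),
    ((6, 7, 0), (6, 12, 3)),
    ((6, 13, 0), (6, 13, 3)),
    ((6, 14, 0), (6, 14, 2)),
]


def parse_version(text):
    """'6.12.2' -> (6, 12, 2); missing components are treated as zero."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable_cve_2019_3396(version):
    """True if the given Confluence Server version falls in an affected range."""
    v = parse_version(version)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


# Confluence pages carry the build number in a <meta name="ajs-version-number">
# tag (assumption: the instance has not stripped it); attribute order varies,
# so both orders are accepted and the match never crosses a tag boundary.
META_RE = re.compile(
    r'<meta\b[^>]*?name="ajs-version-number"[^>]*?content="([^"]+)"'
    r'|<meta\b[^>]*?content="([^"]+)"[^>]*?name="ajs-version-number"',
    re.IGNORECASE,
)


def version_from_html(html):
    """Return the version string from a Confluence page, or None if absent."""
    m = META_RE.search(html)
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage(html):
    """Return (version, vulnerable) for a fetched Confluence login page."""
    version = version_from_html(html)
    if version is None:
        return None, None
    return version, is_vulnerable_cve_2019_3396(version)


# Constructed login-page fragment for demonstration (not captured from a real host).
SAMPLE_LOGIN_HTML = """<html><head>
<meta name="ajs-version-number" content="6.12.2">
<meta name="ajs-build-number" content="7500">
<title>Log In - Confluence</title></head><body></body></html>"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOGIN_HTML))
```

Feed `triage()` the body of each instance's login page (fetched with whatever HTTP client your inventory tooling already uses) and schedule the ones that come back `True`; an instance whose version cannot be read should be treated as unknown and checked by hand rather than assumed safe.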

Breach Notification
Ladders, a popular employment website, has reportedly exposed more than 13.7 million user records through a cloud misconfiguration. The leaked information included users' names, postal and email addresses, phone numbers, and detailed employment histories. The data was stored in an Elasticsearch database hosted on Amazon Web Services (AWS) that was reachable without any authentication. Ladders CEO Marc Cenedella confirmed the exposure, and the database was taken offline within an hour of notification. The NJCCIC recommends that Ladders users verify their account information and exercise caution when opening Ladders-related emails, as the exposed data could be used in social engineering and phishing attempts.
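An unauthenticated Elasticsearch node only becomes a breach when the network also lets the internet reach it, so the cheapest control is auditing the security groups in front of such hosts. The following is an added example for this bulletin, not code from Ladders or AWS: it walks security-group records in the shape that EC2 DescribeSecurityGroups returns (with boto3, `ec2.describe_security_groups()["SecurityGroups"]`) and reports every rule that opens an Elasticsearch port to any source. The sample records and their group IDs are constructed.

```python
import ipaddress

# Ports an Elasticsearch node listens on: 9200 (HTTP REST API) and 9300 (transport).
ELASTICSEARCH_PORTS = (9200, 9300)


def rule_is_world_open(permission):
    """True if an IpPermissions entry accepts any source address (0.0.0.0/0 or ::/0)."""
    cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def rule_covers_port(permission, port):
    """True if the entry allows TCP traffic to `port` (or all traffic)."""
    proto = str(permission.get("IpProtocol", ""))
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return permission.get("FromPort", 0) <= port <= permission.get("ToPort", 65535)


def find_exposed_elasticsearch(security_groups):
    """Return [(group_id, port), ...] for every rule exposing an ES port to the internet.

    `security_groups` has the shape of the "SecurityGroups" list returned by
    EC2 DescribeSecurityGroups (boto3: ec2.describe_security_groups()).
    """
    findings = []
    for group in security_groups:
        for permission in group.get("IpPermissions", []):
            if not rule_is_world_open(permission):
                continue
            for port in ELASTICSEARCH_PORTS:
                if rule_covers_port(permission, port):
                    findings.append((group["GroupId"], port))
    return findings


# Constructed sample in the DescribeSecurityGroups shape (group IDs are made up).
SAMPLE_SECURITY_GROUPS = [
    {   # the Ladders-style misconfiguration: ES ports open to the whole internet
        "GroupId": "sg-es-public",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
    {   # the safe shape: ES reachable only from the VPC; SSH from the internet
        "GroupId": "sg-es-private",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
    {   # an "allow all" rule over IPv6 also exposes both ports
        "GroupId": "sg-all-open",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

if __name__ == "__main__":
    for group_id, port in find_exposed_elasticsearch(SAMPLE_SECURITY_GROUPS):
        print(f"{group_id}: port {port} open to the internet")
```

Network exposure and missing authentication are separate findings; a node that passes this check should still have Elasticsearch's security features (or an authenticating reverse proxy) enabled, because a later security-group change would otherwise reopen the same hole.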

Threat Profiles
Android: No new or updated variants were added.
Botnet: No new or updated botnets were added.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: No new or updated exploit kits were added. 
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: One new variant: MegaCortex. Two updated variants: GandCrab, Sodinokibi.
Trojan: One updated variant: Retefe.

ICS-CERT Advisories
Throwback Thursday
Be Sure to Secure
Threat Analysis

Social Engineering Awareness
What Will Phishers Do Once Push-Based MFA Becomes Widely Used?
Comment: Threat actors are using increasingly sophisticated tactics to get users to fall for scams, divulge sensitive information, or infect their systems with malware. User awareness training, phishing simulations, and multi-factor authentication (MFA) remain the recommended defenses against phishing. Once push-based MFA makes stolen passwords far less useful on their own, threat actors will likely shift to API-based access to SaaS applications such as Slack, GitHub, Office 365, and Dropbox, where an authorized application token is used in place of an interactive login and its MFA prompt. Cloud-enabled services, and the third-party applications granted access to them, should therefore be inventoried, reviewed, and monitored.
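One concrete way to act on that monitoring recommendation is to review the third-party application consents users have granted, since a consented app holds API access that no MFA prompt guards. The following is an added example for this bulletin, not code from the article or any vendor: it scores consent-grant records against a short list of broad Microsoft Graph permission names and flags the combination that matters most, meaningful data access obtained without vetting. The record shape, the scope list and the sample grants are assumptions constructed for the demonstration; map your identity provider's export onto the record shape.

```python
# Delegated Microsoft Graph permission names that give an app broad read or
# write access to mail, files or the directory; illustrative, not exhaustive.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "Directory.AccessAsUser.All", "User.ReadWrite.All",
}
# offline_access yields a refresh token: the app keeps its access without
# another interactive sign-in, so MFA is never prompted again.
PERSISTENCE_SCOPE = "offline_access"


def assess_grant(grant):
    """Return the reasons a consent grant deserves review, or [] if none.

    `grant` is a dict with keys app_name, publisher_verified (bool),
    consent_type ("user" or "admin") and scopes (list of permission names).
    That record shape is an assumption for this example.
    """
    scopes = set(grant.get("scopes", []))
    exposure, vetting = [], []
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        exposure.append("broad data access: " + ", ".join(risky))
    if PERSISTENCE_SCOPE in scopes:
        exposure.append("persistent access via refresh token (offline_access)")
    if not grant.get("publisher_verified", False):
        vetting.append("publisher not verified")
    if grant.get("consent_type") == "user":
        vetting.append("granted by end-user consent without admin review")
    # A verified, admin-approved app with broad scopes is routine; an unvetted
    # app with narrow scopes is low value. Flag only the combination.
    if exposure and vetting:
        return exposure + vetting
    return []


def grants_needing_review(grants):
    """Return {app_name: reasons} for every grant that assess_grant flags."""
    flagged = {}
    for grant in grants:
        reasons = assess_grant(grant)
        if reasons:
            flagged[grant["app_name"]] = reasons
    return flagged


# Constructed sample grants (app names and publishers are made up).
SAMPLE_GRANTS = [
    {"app_name": "Contoso Expense Sync", "publisher_verified": True,
     "consent_type": "admin", "scopes": ["User.Read", "Mail.Read"]},
    {"app_name": "Free PDF Signer", "publisher_verified": False,
     "consent_type": "user",
     "scopes": ["User.Read", "Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"]},
    {"app_name": "Calendar Colors", "publisher_verified": False,
     "consent_type": "user", "scopes": ["User.Read", "Calendars.Read"]},
]

if __name__ == "__main__":
    for app, reasons in grants_needing_review(SAMPLE_GRANTS).items():
        print(app)
        for reason in reasons:
            print("  -", reason)
```

Run this over a periodic export of consent grants and alert on new entries in the flagged set; revoking the grant invalidates the app's tokens, which is the remediation an ordinary password reset does not achieve.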

Cyber at a Glance
DoS Attack Blamed for US Grid Disruptions
Comment: Among industrial control system (ICS) operators, the energy sector is the most affected by denial-of-service (DoS) vulnerabilities. Facilities may be targeted through internet-connected human-machine interfaces (HMIs), and operational technology environments often lack the patching and monitoring controls that are routine for IT systems. The potential for disruption of critical infrastructure warrants timely patching along with improved detection, protection, and monitoring.

The information contained in this product is marked Traffic Light Protocol (TLP): WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction. 


Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.


