NJCCIC Weekly Bulletin | October 24, 2019

THE WEEKLY BULLETIN
October 24, 2019
TLP: WHITE

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.
Vishing Scams
The NJCCIC often receives reports of vishing (voice-based phishing) scams, a form of social engineering conducted by impersonating trustworthy people or entities over the phone in an attempt to convince a target to divulge personal or financial information or to take an action, such as allowing remote access to their device. These criminals will often conduct preliminary reconnaissance on their targets before attempting to make contact in order to craft the most believable scenario possible. They may impersonate an individual within an organization or an external entity, such as an internal help desk employee or an external technical support specialist. Incoming calls may show up as unrecognized numbers or as spoofed numbers that appear to come from a known contact. The NJCCIC highly recommends users refrain from answering unexpected calls from unknown or suspicious numbers. If these calls are answered, do not respond to any requests for sensitive information and hang up immediately. If suspicious inquiries are made by callers claiming to represent a trustworthy entity, call that entity back using a known legitimate phone number to verify the authenticity of the request. We advise users to review the NJCCIC publication Tired of Receiving Scam Calls? Don’t Just Sit There. Do Something About It for additional information and tips about phone scams. The NJCCIC encourages those targeted by phone scams to report the incident to the NJCCIC via the Cyber Incident Report Form, the FTC Complaint Assistant, their local police department, and the FBI’s Internet Crime Complaint Center (IC3) website.

Announcements
National Cybersecurity Awareness Month
The National Cybersecurity Awareness Month 2019 theme is “OWN IT. SECURE IT. PROTECT IT.” This theme emphasizes three roles each individual plays in online safety and enhancing cybersecurity at home and at work.
  • “OWN IT: Understand Your Digital Profile.” Many individuals have several accounts on various social media platforms and use a variety of apps on their devices that can present opportunities for malicious actors to compromise sensitive personal information.
  • “SECURE IT: Secure Your Digital Profile.” The web is a vast, information-dense space filled with digital footprints that make it easy for cybercriminals to obtain personal information about potential victims.
  • “PROTECT IT: Maintain Your Digital Profile.” Understanding and modifying security settings, creating strong passwords, and implementing multi-factor authentication are effective ways to secure your online accounts and protect your data. All of these measures are a part of good cyber hygiene.
Cybersecurity is a shared responsibility. Cybercriminals do not discriminate and can target home users, small businesses, and large corporations at any time. Although National Cybersecurity Awareness Month is a collaborative effort between government and industry to raise awareness about the importance of cybersecurity every October, it is important to be cyber smart and continue cybersecurity best practices all year.
For more information on National Cybersecurity Awareness Month, please visit the StaySafeOnline website and the NJCCIC website.
2019 SHA-2 Code Signing Support Requirement for Windows
Systems running the legacy Microsoft operating systems (OS) Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2 are now required to have SHA-2 code signing support installed in order to install updates released in or after July 2019. Previously, Windows OS updates were signed with both the SHA-1 and SHA-2 hash algorithms. Due to the weaknesses in SHA-1, Windows updates will now exclusively use SHA-2; Microsoft began releasing SHA-2 signing support for these systems in March 2019. Windows Server Update Services (WSUS) 3.0 SP2 will receive SHA-2 support to securely deliver SHA-2 signed updates. The NJCCIC highly encourages all users of impacted systems to apply the necessary servicing stack and SHA-2 updates detailed in the Windows Support post in order to continue receiving OS updates.
FTC Announces Charity Fraud Awareness Week
The Federal Trade Commission (FTC) and the National Association of State Charities Officials (NASCO) announced International Charity Fraud Awareness Week (ICFAW), beginning October 21, 2019. The ICFAW was created through internationally coordinated efforts to educate donors and help charities prevent cyber threats. The FTC provides further tips at FTC.gov/Charity and useful tools at FTC.gov/Cybersecurity.
FBI Publishes Article on E-Skimming Defenses
The Federal Bureau of Investigation (FBI) published an article detailing methods to defend against e-skimming threats. E-skimming occurs when a threat actor injects malicious code in a website in order to capture payment card data or personally identifiable information (PII).
The NJCCIC encourages users to review the FBI article and employ the following recommendations to protect against e-skimming:
  • Update and patch all systems.
  • Change default login credentials on all systems.
  • Educate employees about safe cyber practices.
  • Segregate and segment network systems to help limit the impact of a cyber incident.
Users can report incidents to the NJCCIC via the Incident Report form or to the FBI's Internet Crime Complaint Center via www.ic3.gov.

Threat Alerts
Billtrust Suffers Ransomware Incident
Billtrust, the cloud services provider for business-to-business payments, was the target of a ransomware attack last Thursday, October 17, 2019. The NJ-based firm has not disclosed the ransomware variant or if payment was made. At the time of this writing, reports indicate that most systems have been restored and there is no evidence that data has been compromised. The NJCCIC highly recommends organizations employ cybersecurity best practices and apply the measures detailed in the NJCCIC Ransomware Mitigation Guide, including establishing a comprehensive data backup plan that includes keeping multiple backups stored offline in a separate and secure location, and tested regularly to confirm their integrity.
NSA/NCSC Publish Advisory on Turla APT Activity
The US’s National Security Agency (NSA) and UK’s National Cyber Security Centre (NCSC) released a joint Cybersecurity Advisory detailing the activities of the Russian government-associated advanced persistent threat (APT) Turla group, also known as Uroburos, Waterbug, or VENOMOUS BEAR. The advisory provides an update to previous NCSC reports of the group’s use of Iranian APT tools, such as Neuron and Nautilus, in their cyber operations against military establishments, government departments, universities, and scientific organizations, mainly in the Middle East. The NJCCIC recommends organizations that may be considered targets for Turla operations review the NSA/NCSC advisory for more information on this activity, deploy a defense-in-depth cybersecurity strategy that includes following the Principle of Least Privilege, establishing a comprehensive data backup plan, and keeping anti-virus/anti-malware programs updated and running.
Threat Actors Target Avast Anti-Virus Using Insecure VPN
Threat actors breached the network of cybersecurity company Avast in a sophisticated cyber operation, referred to as “Abiss,” that likely attempted to poison the supply chain and target its anti-virus software, CCleaner. The intruder made several attempts to gain access since May 14, 2019, using compromised credentials for a temporary VPN profile that was not protected with multi-factor authentication (MFA). Logs verified that the attacker achieved privilege escalation and held multiple sets of user credentials. In response to concerns that the attacker may have tampered with previous updates, Avast automatically updated users’ CCleaner software on builds released after the initial intrusion attempt, closed the temporary VPN profile, and disabled and reset all internal user credentials. The NJCCIC recommends users of CCleaner ensure they are using the most current version, 5.63, and enable MFA on their account. Additional details can be found in the Avast blog post and the Bleeping Computer article.

Vulnerability Advisory
Critical Four-Year-Old Vulnerability Found in Linux
Nico Waisman, an engineer at GitHub, discovered a vulnerability, identified as CVE-2019-17666, in the Realtek Wi-Fi driver (rtlwifi) of Linux devices, within a feature called the Notice of Absence (NoA) protocol, which is used to autonomously power down a system’s radio to conserve energy. The critical flaw lies in how the rtlwifi driver handles NoA packets and is subject to a buffer overflow that could allow various attacks, such as remote code execution or forcing a system crash. Linux systems running kernel versions through 5.3.6 are affected when Wi-Fi is enabled. Though a patch has been developed, it is currently under revision and has not been released at the time of this writing. Researchers assess the flaw remained undetected for approximately four years. The NJCCIC recommends Linux users update systems as patches are made available. Additional details can be found in the Threat Post article.
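As an added check (not from the bulletin or the Threat Post article it cites), the POSIX shell script below flags a Linux host running a kernel in the affected range (5.3.6 or earlier) with the rtlwifi driver present. It assumes a loaded or built-in rtlwifi appears as /sys/module/rtlwifi, and it only reports exposure; it changes nothing on the host.

```shell
#!/bin/sh
# Added example, not from the NJCCIC bulletin or the Threat Post article.
# Flags a Linux host that may be exposed to CVE-2019-17666: a kernel in the
# affected range (5.3.6 or earlier, per the bulletin) with rtlwifi present.
# Assumption: a loaded or built-in rtlwifi shows up as /sys/module/rtlwifi.

# Return 0 (true) when kernel version $1 is 5.3.6 or earlier.
# Accepts "uname -r" style strings such as 4.19.0-6-amd64 or 5.3.7-arch1-1.
kernel_in_affected_range() {
    base=$(printf '%s\n' "$1" | sed 's/[-+].*//')        # drop distro suffix
    major=$(printf '%s\n' "$base" | cut -s -d. -f1)
    minor=$(printf '%s\n' "$base" | cut -s -d. -f2)
    patch=$(printf '%s\n' "$base" | cut -s -d. -f3)
    major=${major:-$base}; minor=${minor:-0}; patch=${patch:-0}
    if [ "$major" -lt 5 ]; then return 0; fi
    if [ "$major" -gt 5 ]; then return 1; fi
    if [ "$minor" -lt 3 ]; then return 0; fi
    if [ "$minor" -gt 3 ]; then return 1; fi
    [ "$patch" -le 6 ]
}

# Return 0 when the rtlwifi driver is present (loaded module or built in).
rtlwifi_loaded() {
    [ -d /sys/module/rtlwifi ]
}

# Report the host's exposure; always returns 0 so it is safe in pipelines.
report_host() {
    running=$(uname -r)
    if kernel_in_affected_range "$running" && rtlwifi_loaded; then
        echo "EXPOSED: kernel $running with rtlwifi present; update once the fix ships"
    elif kernel_in_affected_range "$running"; then
        echo "kernel $running is in the affected range but rtlwifi is not present"
    else
        echo "kernel $running is outside the affected range"
    fi
    return 0
}

report_host
```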

Breach Notification
Autoclerk
Researchers at vpnMentor discovered an open Elasticsearch database belonging to Autoclerk, a reservations management system. The database contained 179GB of data on hundreds of thousands of past and future booking reservations, and included details such as guests’ full names, dates of birth, home addresses, phone numbers, dates and costs of travel, some check-in times, and room numbers. Within this collection is information on the travel arrangements of some US government and military personnel, potentially putting their operations and activities at risk.

Threat Profiles
Android: One updated variant: Gustuff.
ATM Malware: No new or updated variants were added.
Botnet: No new or updated variants were added.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: No new or updated variants were added.
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: Two updated variants: Djvu/STOP, Sodinokibi/REvil.
Trojan: One updated variant: Remcos.


Social Engineering Awareness
New Variant of Remcos RAT Observed in the Wild
Comment: Phishing emails continue to be the most widely used method of infecting a network with malware. Threat actors often attempt to deliver trojans because they can collect sensitive information, such as account credentials, and be used to install additional malware. Many of the phishing emails deployed in these campaigns reference some type of financial transaction or invoice in an effort to convince the user to open an attachment or click on a link.

Cyber at a Glance
Stalker Apps: Retina-X Settles Charges
Comment: Spyware is often used to monitor children and employees and can capture and share detailed information about a user’s smartphone. The call history, text messages, photos, GPS locations, and browser history collected through the apps’ monitoring services should be kept safe and secure. When devices have weak security protections, cybercriminals can also use the data for nefarious purposes to track a user’s movements and activities.

 
The information contained in this product is marked Traffic Light Protocol (TLP): WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction.

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
 
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
