Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.
Extortion Campaigns Continue to Target NJ Residents
The NJCCIC continues to receive incident reports from New Jersey residents targeted with emails meant to extort them out of hundreds or thousands of dollars. Extortion scams have been around for years; however, new techniques serve to convince victims of their legitimacy. Recent extortion email variations claim to have hacked the recipient’s device and recorded them visiting adult content websites. The perpetrator then demands a ransom payment in the form of bitcoin be sent within a set timeframe or they will release the video to their contacts. Several variations on this scam have circulated since the summer of 2018. A search on one of the bitcoin addresses included in an extortion email revealed that payments had been made to this account. It is important to note that there are no indications that these threats are credible. The NJCCIC recommends users educate themselves and others on this and similar scams to prevent further victimization. Cyber incidents may be reported to the NJCCIC via our incident reporting page.
LinkedIn Account Phishing Campaign
The NJCCIC has detected a phishing campaign targeting New Jersey State employees and crafted to obtain their LinkedIn account credentials. The campaign sends emails designed to look like legitimate correspondence from the LinkedIn social media platform that contain URLs leading to malicious sites masquerading as the LinkedIn login page. If a victim enters their credentials into the fields displayed on the website, the information will be transmitted to the threat actors behind the campaign and will likely be used to compromise the associated social media account, as well as any account that shares the same credentials. It will also put victims’ LinkedIn contacts and connections at risk of phishing and other social engineering schemes, as these actors often use compromised accounts to impersonate others and target new victims. The NJCCIC strongly recommends never using links provided in unsolicited emails to visit websites requiring the input of account credentials. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. We also recommend closely examining the URL field of your web browser before attempting to sign into any account to ensure you are visiting a legitimate website.
This is Security
This series, written by NJCCIC Director Mike Geraghty based on his extensive experience in information security, will provide practical strategies and tactics to help strengthen your organization's cybersecurity posture.
Crunchy on the Outside, Soft and Chewy on the Inside
Modern approaches to cybersecurity are often heralded as revolutionary, brilliant ideas. But in reality, these modern approaches are simply the adaptations of effective security strategies and tactics from other industries or disciplines. Security is security.
For years, best practices in naval architecture have required compartmentation in ships, such that a breach of one compartment limits water infiltration from spreading into other compartments and the resultant loss of buoyancy of the vessel. Henry Ford implemented firewalls in the first automobiles to prevent fires or other mechanical malfunctions in the engine compartment from impacting the safety of those in the passenger compartment. Quarantining the sick from the healthy has always been a strategy for preventing the spread of disease. These widely accepted and effective security strategies have been implemented throughout almost all aspects of society; they’re considered common sense, yet their application in IT has been slow to catch on. The number of serious cyber incidents reported to the NJCCIC and disclosed in the media almost daily is evidence of this. Continue reading…
Eighty-Five Android Apps Abundant with Adware
Image Source: Trend Micro
Trend Micro detected at least eighty-five fraudulent gaming, TV, and remote control apps in the Google Play store containing adware. The apps garnered over nine million downloads, including five million downloads for the popular “Easy Universal TV Remote” alone. All of the apps display a similar pattern of behavior when opened: a full screen ad is displayed and, after exiting, the app’s menu appears and displays several buttons. Clicking any button only opens up another full screen ad and eventually causes the app to display a loading screen. Nothing ever loads, and the app closes itself and disappears from the device’s home screen. It continues to run in the background, displaying more ads every fifteen to thirty minutes or each time the device is unlocked. The malicious apps have since been removed from the Play store, and can be uninstalled manually through Android’s uninstall feature. The NJCCIC highly recommends Android users uninstall any of the infected apps listed by Trend Micro, and run a trusted security solution on their mobile device to detect malware. Additionally, users are advised to be mindful of the apps they download by evaluating ratings and reviews, and only granting necessary permissions. More information on the malicious apps can be found in Trend Micro’s report.
Malvertising Campaign Delivers Vidar Information Stealer and GandCrab Ransomware
Threat actors behind a malvertising (malicious advertising) campaign are infecting victims with the Vidar information stealer and the GandCrab ransomware. The threat actors exploit vulnerabilities in Microsoft Internet Explorer and Adobe Flash Player using the Fallout exploit kit to deliver the Vidar malware. Vidar collects data on the victim including passwords, screenshots, credit card details, browser histories, and message data. Vidar has been observed delivering the GandCrab ransomware variant to victims after the initial infection. The NJCCIC recommends reviewing the Malwarebytes report on this campaign for additional information and indicators of compromise (IOCs), and taking proactive measures to protect your system from these malware variants including, but not limited to: running an up-to-date anti-virus/anti-malware program on all devices, enabling multi-factor authentication whenever available, and having a comprehensive data backup plan.
New Phishing Tactic Uses Fake Fonts to Evade Detection
Image Source: Proofpoint
Threat actors are obfuscating the source code of phishing websites through the use of custom fonts and a character substitution cipher, making the code appear as clear text. These websites are fraudulent login pages for various accounts, meant to steal the credentials of victims who attempt to log in. Additionally, the actors use imagery in SVG (scalable vector graphics) format, which allows the images to be rendered through code and helps to further evade detection. According to Proofpoint, threat actors used this technique in a credential compromise campaign against a major US retail bank. The NJCCIC recommends reviewing the Proofpoint analysis and educating end users on phishing tactics and schemes, reminding them to avoid clicking on links in emails to visit websites requiring the input of account credentials and, instead, manually type the URL of the website into the address bar of their browser.
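The technique described above works because the browser renders the page with a custom font that maps each stored character to the glyph of a different letter, so the HTML source contains scrambled text while the user sees a normal login form. The following is an added example, not code from the Proofpoint analysis or from the NJCCIC, showing one heuristic a defender could run over a suspected phishing page: flag a page that has a password field, embeds its own font as a data: URI, and whose visible text contains almost no words a login page is expected to contain. The two HTML samples, the vocabulary list and the base64 font placeholder are all constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Small vocabulary a login page is expected to contain (constructed for this demo).
LOGIN_VOCAB = {
    "sign", "in", "log", "login", "username", "email", "password", "forgot",
    "remember", "me", "submit", "account", "continue", "welcome", "user", "id",
}

# Matches an @font-face rule whose font is embedded inline rather than served from a file.
EMBEDDED_FONT_RE = re.compile(
    r"@font-face\s*\{[^}]*src\s*:\s*url\(\s*['\"]?data:", re.I | re.S
)


class _PageCollector(HTMLParser):
    """Collect visible text, <style> contents and whether a password input exists."""

    def __init__(self):
        super().__init__()
        self.texts, self.styles = [], []
        self.has_password_field = False
        self._in_style = self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self._in_style = True
        elif tag == "script":
            self._in_script = True
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_style:
            self.styles.append(data)
        elif not self._in_script and data.strip():
            self.texts.append(data.strip())


def analyze_login_page(html):
    """Return indicators for the font-substitution phishing pattern."""
    p = _PageCollector()
    p.feed(html)
    embedded_font = any(EMBEDDED_FONT_RE.search(s) for s in p.styles)
    words = [w.lower() for t in p.texts for w in re.findall(r"[A-Za-z]+", t)]
    known = sum(1 for w in words if w in LOGIN_VOCAB)
    ratio = known / len(words) if words else 0.0
    return {
        "embedded_font": embedded_font,
        "password_field": p.has_password_field,
        "known_word_ratio": round(ratio, 2),
        # Readable login pages score high; a substitution-ciphered source scores near zero.
        "suspicious": p.has_password_field and embedded_font and ratio < 0.2,
    }


# Constructed sample: source text is shifted by one letter, a custom font would undo it on screen.
PHISH_SAMPLE = """<html><head><style>
@font-face { font-family: 'x'; src: url(data:font/woff;base64,AAAA) format('woff'); }
body { font-family: 'x'; }
</style></head><body>
<h1>Tjho jo</h1>
<form><label>Vtfsobnf</label><input name="u">
<label>Qbttxpse</label><input type="password" name="p">
<a href="#">Gpshpu qbttxpse?</a></form></body></html>"""

# Constructed benign sample: same embedded font, but the source text is readable.
BENIGN_SAMPLE = """<html><head><style>
@font-face { font-family: 'brand'; src: url(data:font/woff;base64,AAAA) format('woff'); }
</style></head><body>
<h1>Sign in</h1>
<form><label>Username</label><input name="u">
<label>Password</label><input type="password" name="p">
<a href="#">Forgot password?</a></form></body></html>"""

if __name__ == "__main__":
    print(analyze_login_page(PHISH_SAMPLE))
    print(analyze_login_page(BENIGN_SAMPLE))
```

The word-ratio threshold and vocabulary are deliberately small; in practice the vocabulary would be the brand's real page strings and the rule would be one signal among several, since legitimate sites also embed fonts.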
CryptoMix Tries Out New Lure to Obtain Ransoms
Image Source: Coveware
Security firm Coveware uncovered a new CryptoMix ransomware campaign implementing a weak tactic in an attempt to persuade users to pay a bitcoin ransom. This latest campaign introduces a ransom note instructing victims to email the ransomware distributors, who pose as a charity organization that will donate the victim’s ransom to a child in need. Children mentioned in the emails are, in fact, real children; however, as expected, none of the payments reach those in need. The ransom note also falsely warns users that if they run security software, it will further damage their system. The NJCCIC recommends affected users visit the NJCCIC threat profile for available decryption tools for CryptoMix and refrain from paying the demanded ransom. For more information on the latest campaign, view ZDNet’s post, and for further ransomware mitigation strategies, visit our threat profile page.
MFA Foiled by Reverse Proxy Tool “Modlishka”
Image Source: ZDNet
Polish researcher Piotr Duszyński developed a reverse proxy tool named Modlishka that can capture user credentials and multi-factor authentication (MFA) tokens in a simple, automated manner, making it highly accessible to those with little skill. Modlishka sits between the client computer and the client’s target destination, for example, Google. The client believes they are connecting directly to Google to log in, when, in fact, Modlishka’s fake domain presents the user with legitimate Google content and intercepts any information entered into the login page, including their MFA code. If present at the time of interception, the threat actor can use the obtained MFA token to log in to the user’s account before it expires, giving the threat actor complete access to the account and potential access to other accounts that utilize the same credentials. Users may even be directed back to the legitimate website after logging in to avoid any suspicion. To protect yourself against these attacks, the NJCCIC advises users to avoid clicking on links in emails to visit sites requiring the input of account credentials and, instead, manually type web addresses into your browser and inspect URLs for legitimacy. For more details on Modlishka, visit the GitHub webpage and review the ZDNet blog post.
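A reverse proxy of this kind cannot change the one thing the user can verify: the host shown in the address bar belongs to the proxy, not to the real service. The example below is added here and is not code from Modlishka, its author, or the NJCCIC; it automates the "inspect the URL" advice by classifying a login URL against a constructed allowlist of legitimate hosts and labelling the common lookalike patterns (brand name embedded in a foreign domain, digit-for-letter confusables, punycode hosts, plain HTTP). The allowlist, the confusable table and the two-label approximation of the registrable domain are assumptions made for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: hosts the organization actually signs in to.
LEGIT_HOSTS = {"accounts.google.com", "google.com"}

# Common digit/symbol substitutions seen in lookalike domains (assumed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def _registrable(host):
    """Approximate the registrable domain as the last two labels (no public suffix list)."""
    return ".".join(host.split(".")[-2:])


def classify_login_url(url, allowlist=LEGIT_HOSTS):
    """Classify a URL a user is about to enter credentials into."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    if parts.scheme != "https":
        return "insecure-scheme"
    # Exact host or a subdomain of an allowlisted host is legitimate.
    for legit in allowlist:
        if host == legit or host.endswith("." + legit):
            return "legitimate"
    # Internationalized labels that render as lookalike letters are punycode-encoded.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike-idn"
    reg = _registrable(host)
    labels = re.split(r"[.-]", host)
    for legit in allowlist:
        base = _registrable(legit)
        brand = base.split(".")[0]
        # Brand appears as a label (e.g. accounts.google.com.evil.example) but the
        # registrable domain is someone else's.
        if brand in labels and reg != base:
            return "lookalike-embedded"
        # Registrable domain matches the brand once confusable characters are mapped back.
        if reg.translate(CONFUSABLES) == base:
            return "lookalike-confusable"
    return "unknown"


if __name__ == "__main__":
    for u in [
        "https://accounts.google.com/signin",
        "https://accounts.google.com.login-portal.example/signin",
        "https://accounts.g00gle.com/signin",
        "https://xn--ggle-0qaa.com/signin",
        "http://accounts.google.com/signin",
    ]:
        print(classify_login_url(u), u)
```

The "legitimate" result only says the host is one you expect; it is the other labels that matter operationally, because a proxy-phishing page must live on a host that fails this check no matter how faithfully it relays the real content.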
Windows and Windows Server Vulnerabilities Could Allow Full Control of Affected Systems
The US-CERT (United States-Computer Emergency Readiness Team) issued an advisory regarding two vulnerabilities found in Microsoft Windows and Windows Server. Successful exploitation of either vulnerability could allow a remote threat actor to take control of an affected system. CVE-2018-8611 is a Windows kernel elevation of privilege flaw affecting all supported Windows client and server versions, while CVE-2018-8626 is a Windows DNS (Domain Name System) server heap overflow flaw affecting Windows servers configured as DNS servers. Microsoft patched both vulnerabilities, among others, in the January Patch Tuesday update. The NJCCIC recommends Windows users apply the most recent update.
On January 3, Marriott International provided an update on the breach originally disclosed on November 30. During the four-year intrusion, threat actors stole data on approximately 383 million customers, down from the original estimate of 500 million. In addition, of the 25.5 million passport numbers accessed, 5.25 million were stored in clear text, allowing threat actors to more easily steal customers’ identities. Customers can contact Marriott to determine if their passport number was included in the unencrypted set. Marriott previously stated they would compensate customers for passport replacements if they could prove fraud had occurred. About 8.6 million encrypted payment cards were also exposed; however, only 354,000 were unexpired as of September 2018. Customers can take advantage of free web monitoring services offered by Marriott by visiting https://info.starwoodhotels.com/.
Kitchen and houseware manufacturer OXO International disclosed that customer contact and payment information from their e-commerce site may have been accessed multiple times over a two-year period. OXO discovered their servers were compromised from June 9, 2017 - November 28, 2017, June 8, 2018 - June 9, 2018, and July 20, 2018 - October 16, 2018, but believes that attempts to steal data may have been unsuccessful. OXO has since fixed the vulnerabilities present in their servers and sent notification emails to affected customers containing a member ID for a year of free credit-monitoring services from Kroll. Bleeping Computer attributes at least one of the attacks to Magecart, a collection of hacker groups that inject malicious scripts into legitimate webpages in order to steal payment information.
Look Out for Red Flags in Online Puppy Purchasing Scams
Comment: The arrival of the New Year may inspire your family to adopt a new, furry member; however, even an innocent, online offer for a new dog or cat could be a trick. Scammers are playing directly off of victims’ emotions, messaging prospective buyers with adorable photos and promises that the pet will soon be theirs. An initial wire transfer payment is requested, but the scammer will continue to make excuses as to why the pet’s arrival is delayed, citing a need for more money that will later be reimbursed; however, the pet never arrives and the money is never reimbursed. Remember, when purchasing or adopting a pet, be sure to see the pet in person first, never wire money to untrusted parties, and research average prices so you know when a deal seems too good to be true.
Cyber at a Glance
Check Point Research: A Year in Exploration
Comment: The year-end wrap-up by Check Point highlights the variety of cyber threats we face, as well as the speed at which new threats surface. From cryptocurrency mining to mobile malware to nation-state attacks, it’s more important than ever to stay abreast of trends and emerging threats in order to effectively defend against them and prevent falling victim.
WordPress-Related Vulnerabilities Tripled in 2018
Comment: WordPress, the most widely used content management system (CMS), saw a 300 percent increase in vulnerabilities from 2017 to 2018. Nearly all of the vulnerabilities – 98% of them – are caused by weaknesses in plugins. This is largely due to the fact that plugins can be submitted by anyone and are not subject to automated security analysis. Choose your plugins carefully, as each one is a potential vector for infection; only install plugins from reputable sources and keep plugins updated to ensure they are patched against known vulnerabilities.
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.