NJCCIC Weekly Bulletin | January 24, 2019

THE WEEKLY BULLETIN
January 24, 2019
TLP: WHITE

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.

Microsoft Phishing Campaign

The NJCCIC recently detected a phishing campaign attempting to steal users’ credentials for various Microsoft websites. These unsolicited emails carry subject lines that often claim someone has sent the user a copy of a document, in the format “(name) sent you a copy.” The emails contain links that, when clicked, lead the user to a phishing site hosted on Google’s AppSpot hosting platform. If the user enters their credentials into this page and hits submit, the credentials are sent to the threat actor and the user is redirected to the legitimate Microsoft website, so it only appears as though their initial login failed. This is a tactic threat actors often use to obtain credentials for a wide range of sensitive accounts. The NJCCIC advises users to avoid clicking on links in unsolicited emails and, instead, to manually type the account URL into the address bar of their browser to navigate to the site. Additionally, it is highly recommended to enable multi-factor authentication where available to reduce the risk of account compromise via credential theft.

Announcements

New PCI Software Security Standards

Image Source: PCI SSC
The PCI Security Standards Council (PCI SSC) published new software security standards that are due to launch later this year and will replace PA-DSS, which will retire in 2022. The PCI Secure Software Standard and PCI Secure SLC Standard provide and integrate new security requirements and assessment procedures to keep up with software development best practices and the changing security needs of the payment card industry. Both standards address key security principles relating to the confidentiality and integrity of payment transactions and data. To learn more about the new standards and transitioning from PA-DSS, click here.

Data Privacy Day

It's Time to Get #PrivacyAware!

Monday, January 28th, is Data Privacy Day! Millions of people are unaware of and uninformed about how their personal information is being used, collected or shared in our digital society. Data Privacy Day aims to inspire dialogue and empower individuals and companies to take action. This year, Data Privacy Day will spotlight the value of personal information. Whether you’re a business collecting, using, and storing personal data or an individual looking to better manage your privacy and understand how your information is used, collected, or shared​, remember, your personal information is like money: value it, protect it. To learn more about Data Privacy Day, click here.

Google’s New Policy Change is Restricting Android App Access

Google is reviewing and removing non-default Android apps from the Play store that request access to phone (including call logs) or texting features on the Android phone. The approval of an app involves a declaration form, Google’s evaluation and decision, and possible recommendations for alternative access requiring user intervention. Of course, there are exceptions to the rule, especially if the app requires permissions for core functionality. The new policy change addresses privacy implications involving sensitive data. For more details, please review Sophos’ post and review Google’s new policy change here.

This is Security
This series, written by NJCCIC Director Mike Geraghty based on his extensive experience in information security, will provide practical strategies and tactics to help strengthen your organization's cybersecurity posture.

Applying Standards

Solving Cybersecurity Problems Through the Application of Standards
In November 1999, Bruce Schneier famously wrote that “complexity is the worst enemy of security” in his essay titled “A Plea for Simplicity: you can’t secure what you don’t understand.” As information technology has proliferated throughout society over the past 20 years, Schneier’s complexity principle is even more relevant today than it was in the relatively simpler times of 1999. Schneier’s principle is an adaptation of the linear algebra concept of an underdetermined system, which is defined as a system that has more variables than equations. In such cases, the number of solutions can be infinite. When this concept is applied to information systems, the same holds true: if there are more unknowns than knowns, you will never be able to secure the system. Continue Reading…

Threat Alerts

STOP Ransomware and its Variants on the Rise

Image Source: Bleeping Computer
Another variant of the previously reported Djvu/STOP ransomware was spotted using a .rumba extension on encrypted files. The malware has lately been heavily distributed across various websites, bundled in cracked software downloads such as Photoshop, Cubase, KMSPico, anti-virus software, and more. Security researcher Michael Gillespie created a decryptor that supports several of the IDs distributed by the ransomware. The NJCCIC recommends users download software only from trusted sources, since distributors can discreetly bundle malware and adware into downloads. For mitigation techniques against ransomware, download our two-page guide here, and for more information on the variant, review Bleeping Computer’s post. If you are targeted by ransomware, please report the incident to your local police department and to the NJCCIC via the Cyber Incident Report Form on our website.

New Malware Campaign Utilizes Google Drive as C2 Server

Advanced Persistent Threat (APT) group DarkHydrus released a new version of their backdoor trojan, RogueRobin, in a campaign against the Middle East. The infection initiates via a Microsoft Excel document containing an embedded, malicious macro. The macro drops a .txt file in the temporary directory, which is executed by a legitimate application, regsvr32.exe, to run and install the RogueRobin backdoor. The malware is highly notable for its use of Google Drive as its command-and-control (C2) server, and it employs several stealth checks for sandbox or virtualization environments, low memory, low processor count, and other analysis tools. RogueRobin talks to its C2 server either through DNS tunneling or through the Google Drive API. It is expected that threat actors will increasingly incorporate legitimate services like Google Drive into their malware operations to help avoid detection. The NJCCIC highly discourages all users from enabling macros in documents that arrive in unexpected or unsolicited emails, recommends exercising caution when choosing to enable macros in documents from known senders, and recommends keeping anti-virus/anti-malware, hardware, and software up-to-date. More information is detailed in a post from Palo Alto Networks’ Unit 42.
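
The DNS tunneling channel described above is something a defender can hunt for in resolver logs, because encoded payloads show up as long, high-entropy subdomain labels under a single registered domain. The following is an added example, not code from the bulletin, Unit 42, or any RogueRobin analysis: it scores each registered domain in a constructed DNS query log (the log format, the `c2-example.invalid` domain and the thresholds are assumptions) and flags those whose subdomains look like carried data. A production version should use the Public Suffix List rather than the "last two labels" simplification used here.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not real traffic), one query per line:
# "<epoch> <client_ip> <qtype> <qname>". The TXT lines mimic a tunnel: every
# query carries a long, high-entropy label under one registered domain.
SAMPLE_DNS_LOG = """\
1548300001 10.0.0.5 A www.example.com
1548300002 10.0.0.5 A mail.example.com
1548300003 10.0.0.7 TXT k3j9x2m7q1w8e4r6t0y5uazb.c2-example.invalid
1548300004 10.0.0.7 TXT p0o9i8u7y6t5r4e3w2q1zxcv.c2-example.invalid
1548300005 10.0.0.7 TXT m5n4b3v2c1x0zlkjhgfdsapo.c2-example.invalid
1548300006 10.0.0.5 A cdn.example.com
1548300007 10.0.0.7 TXT a1s2d3f4g5h6j7k8l9q0wert.c2-example.invalid
1548300008 10.0.0.7 TXT z9x8c7v6b5n4m3l2k1j0hgfd.c2-example.invalid
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score near log2(alphabet size)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain_part, registered_domain).
    Simplification (assumption): the registered domain is the last two labels;
    real deployments should consult the Public Suffix List (e.g. *.co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_dns_log(text: str):
    """Parse the constructed log format into (epoch, client, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than aborting the whole scan
        epoch, client, qtype, qname = parts
        records.append((int(epoch), client, qtype.upper(), qname))
    return records


def domain_stats(text: str):
    """Per-registered-domain features: query count, unique-name ratio,
    average subdomain length, average subdomain entropy, share of TXT queries."""
    per_domain = defaultdict(lambda: {"queries": 0, "qnames": set(),
                                      "sub_len_total": 0, "entropy_total": 0.0,
                                      "txt_queries": 0})
    for _, _, qtype, qname in parse_dns_log(text):
        sub, reg = split_qname(qname)
        d = per_domain[reg]
        d["queries"] += 1
        d["qnames"].add(qname)
        d["sub_len_total"] += len(sub)
        d["entropy_total"] += shannon_entropy(sub.replace(".", ""))
        if qtype == "TXT":
            d["txt_queries"] += 1
    stats = {}
    for reg, d in per_domain.items():
        n = d["queries"]
        stats[reg] = {
            "queries": n,
            "unique_ratio": len(d["qnames"]) / n,
            "avg_sub_len": d["sub_len_total"] / n,
            "avg_entropy": d["entropy_total"] / n,
            "txt_ratio": d["txt_queries"] / n,
        }
    return stats


def flag_tunnel_candidates(text: str, min_queries=4, min_sub_len=16.0, min_entropy=3.5):
    """Domains that receive many queries whose subdomains are long and high-entropy.
    Thresholds are assumptions to tune against a baseline of benign traffic."""
    flagged = []
    for reg, s in domain_stats(text).items():
        if (s["queries"] >= min_queries and s["avg_sub_len"] >= min_sub_len
                and s["avg_entropy"] >= min_entropy):
            flagged.append(reg)
    return sorted(flagged)


if __name__ == "__main__":
    for reg, s in sorted(domain_stats(SAMPLE_DNS_LOG).items()):
        print(f"{reg:22s} queries={s['queries']} avg_sub_len={s['avg_sub_len']:.1f} "
              f"avg_entropy={s['avg_entropy']:.2f} txt_ratio={s['txt_ratio']:.2f}")
    print("tunnel candidates:", flag_tunnel_candidates(SAMPLE_DNS_LOG))
```

The unique-name ratio is reported but deliberately not used as a trigger on its own: a CDN with many distinct hostnames also scores 1.0, so it is only meaningful combined with label length and entropy. Entropy is computed over the subdomain characters with the dots removed, so multi-label encodings are scored the same as single-label ones.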

Vulnerability Advisories

Android Patch for Twitter Privacy Bug

Twitter recently announced and released a patch for a bug that affected the privacy settings of Android Twitter users for over four years, since November 3, 2014. The “Protect your Tweets” setting may have been disabled if certain changes were made to the account settings. This bug resulted in protected tweets being made public. Users on iOS and the web were not affected. Twitter has turned this option back on for users if it was disabled. The NJCCIC advises users to review the “Protect your Tweets” option under Twitter’s “Privacy and Safety” settings. For more information, please review Twitter’s statement here.

Vulnerabilities Found in Wi-Fi Chipset Firmware of Popular Devices

Embedi researcher Denis Selianin discovered vulnerabilities affecting the Wi-Fi chipset firmware on popular devices such as laptops, smartphones, gaming devices, routers, and internet-of-things (IoT) devices. One of the vulnerabilities could grant threat actors the ability to execute malicious code without any user interaction during the scanning of available networks; this scan launches automatically every five minutes even if the device is not connected to any network. There is no fix at the time of writing, but patches are forthcoming. The NJCCIC recommends patching systems as soon as updates become available. More details on the vulnerabilities can be found in Ionut Ilascu’s blog post here and on Embedi’s website.

Web Browser Extension APIs Vulnerable to Attacks

Image Source: ZDNet
French researcher Dolière Francis Somé tested and discovered vulnerabilities in browser extension APIs for Chrome, Firefox, and Opera. He found that a threat actor can use the extensions to hijack a user’s active login session and access user data, or trigger the download of malicious files into storage. He contacted the browser vendors and most of the vulnerable extensions have been removed; however, some are still pending removal or a fix. The NJCCIC recommends installing extensions only if needed and inspecting requested permissions. More details on the vulnerable extensions and a tool to test extensions can be found in the ZDNet blog post here and in Somé’s research paper here.

Temporary Patches for Windows Zero-days

Temporary patches (also called micropatches) have been released by third-party Acros Security for three Windows zero-day vulnerabilities disclosed since December 2018: Windows ReadFile zero-day, Windows WER zero-day (aka AngryPolarBug), and Windows VCF (Contacts) zero-day. Users must first install the 0patch (zero patch) client to install the temporary patches. The NJCCIC recommends patching systems as updates become available, but exercising caution when choosing to download software from third-parties. More details on the Windows zero-days and the installation of the temporary patches can be found on the ZDNet blog post here.

Breach Notifications
MEGA Cloud Storage Service
A collection of email addresses and plain text passwords from multiple sources was exposed on the MEGA cloud storage service. The plain text passwords could be misused in credential stuffing attacks. According to OWASP, credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. These potential attacks reinforce the importance of using strong, unique passwords, updating passwords, and avoiding password reuse across multiple accounts. The NJCCIC advises users to periodically change passwords; use strong, unique passwords for each account; and enable multi-factor authentication when possible. For more information, please review Troy Hunt’s blog post here.
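
Because credential stuffing replays breached username/password pairs, it leaves a different footprint in authentication logs than a brute-force attack: one source tries many distinct accounts, usually once or twice each, rather than hammering a single account. The following is an added example, not code from the bulletin, OWASP, or Troy Hunt: it runs both detections over a constructed authentication log (the log format, IP addresses, user names and thresholds are all assumptions) and, for a stuffing source, also lists the accounts that accepted a login during the burst, since those are the ones whose passwords were evidently reused.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data), one event per line:
# "<ISO-8601 time> <src_ip> <username> <SUCCESS|FAIL>".
# 203.0.113.10 walks through many accounts once each (stuffing pattern);
# 198.51.100.7 retries one account repeatedly (brute-force pattern).
SAMPLE_AUTH_LOG = """\
2019-01-24T09:00:01 203.0.113.10 alice FAIL
2019-01-24T09:00:02 203.0.113.10 bob FAIL
2019-01-24T09:00:03 203.0.113.10 carol FAIL
2019-01-24T09:00:04 203.0.113.10 dave SUCCESS
2019-01-24T09:00:05 203.0.113.10 erin FAIL
2019-01-24T09:00:06 203.0.113.10 frank FAIL
2019-01-24T09:00:07 203.0.113.10 grace FAIL
2019-01-24T09:00:08 203.0.113.10 heidi FAIL
2019-01-24T09:05:00 198.51.100.7 alice FAIL
2019-01-24T09:05:20 198.51.100.7 alice FAIL
2019-01-24T09:05:40 198.51.100.7 alice FAIL
2019-01-24T09:06:00 198.51.100.7 alice SUCCESS
2019-01-24T09:30:00 192.0.2.44 bob SUCCESS
"""


def parse_auth_log(text: str):
    """Parse the constructed format into (time, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate malformed lines
        ts, ip, user, result = parts
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return sorted(events)


def detect_credential_stuffing(text: str, window=timedelta(minutes=10),
                               min_users=5, max_attempts_per_user=2.0):
    """Sources that touch many distinct accounts inside one window with few
    retries per account. Returns {ip: {"distinct_users", "attempts", "successes"}},
    keeping the widest window seen for each source."""
    by_ip = defaultdict(list)
    for ev in parse_auth_log(text):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            if len(users) >= min_users and len(win) / len(users) <= max_attempts_per_user:
                prev = alerts.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        # accounts that accepted a login during the burst
                        "successes": sorted({e[2] for e in win if e[3]}),
                    }
    return alerts


def detect_single_account_brute_force(text: str, min_failures=3):
    """(ip, user) pairs with repeated failures against one account; contrast case."""
    failures = defaultdict(int)
    for _, ip, user, ok in parse_auth_log(text):
        if not ok:
            failures[(ip, user)] += 1
    return sorted(k for k, n in failures.items() if n >= min_failures)


if __name__ == "__main__":
    for ip, a in detect_credential_stuffing(SAMPLE_AUTH_LOG).items():
        print(f"stuffing from {ip}: {a['distinct_users']} accounts in "
              f"{a['attempts']} attempts; logins accepted for {a['successes']}")
    print("brute force:", detect_single_account_brute_force(SAMPLE_AUTH_LOG))
```

The attempts-per-user ratio is what separates the two cases: the stuffing source scores 1.0 (eight accounts, eight attempts) while the brute-force source scores 4.0 against a single account and is left to the per-account rule. In a real deployment the accounts in the `successes` list are the ones to force a password reset and MFA enrollment on first.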
Online Casino Groups
Over 108 million casino bets were leaked online in yet another data incident, affecting customers of websites like kahunacasino[.]com, azur-casino[.]com, easybet[.]com, and viproomcasino[.]net. User data was stored in an exposed, passwordless ElasticSearch server discovered by Justin Paine of Cloudflare. Real names, home addresses, phone numbers, email addresses, birthdates, usernames, account balances, IP addresses, browser type, last login information, played games, partial credit information, and operating system details were all revealed in the leak. All this information could be used in future phishing attempts, and other social engineering schemes, against online casino customers. Security experts are still waiting for a response from affected sites; however, the exposed server has since gone offline and is now inaccessible. It is uncertain how long the data was available online or if anyone accessed it. For more information on the data leak, review the ZDNet blog post.
Oklahoma Department of Securities
A server containing about three terabytes of sensitive government data, including information regarding FBI investigations, was left exposed by the Oklahoma Department of Securities (ODS). The database was found by cybersecurity firm UpGuard using an open source search engine on December 7, 2018. ODS was notified and removed the exposed server from public access the same day. The database had been publicly accessible since at least November 30, 2018. The records contained information dating back to 1986 and from as recently as 2016, and included personal data, system credentials, and email inbox backups. The ODS released a statement confirming the breach, indicating it occurred during the installation of a firewall, and will notify those whose information was revealed. For more information on the breach, please review the UpGuard post here.

Threat Profiles
Android: One updated variant: Anubis.
Botnet: No new or updated botnets were added.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: One updated exploit kit: Fallout
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: One updated variant: Djvu/STOP.
Trojan: No new or updated variants were added. 

ICS-CERT Advisories
Throwback Thursday 
Be Sure to Secure
Threat Analysis

Patch Alerts

Social Engineering Awareness
Voicemail Phishing Campaign Tricks You Into Verifying Password
Comment: Threat actors are phishing for answers and have come up with another clever way to reel in and trick users. This phishing attack uses EML attachments that resemble a received voicemail and prompts users to log in to retrieve it. Users are asked to enter their password twice to confirm, but the page always states that the wrong password has been entered; by that point, their credentials have been captured by the threat actor. It is therefore important for users to verify the sender, links, and attachments in emails before taking any action. If users fall victim to the bait, we highly recommend immediately changing the password for the affected account.

Cyber at a Glance
Hackers Take Control of Giant Construction Cranes
Comment: Construction sites may not be your first thought when it comes to cybersecurity issues, but they are vulnerable playgrounds for hackers. They can be easily manipulated with the proper tools and motivation. Once hackers gain access into a network, the devastating consequences can include theft, extortion, sabotage, and injury.

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
