NJCCIC Weekly Bulletin | January 31, 2019


Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.

Threat Actors Attempt to Deliver Malware via ISO Attachments

The NJCCIC identified phishing emails containing malicious .iso file attachments that threat actors attempted to send to State employee email addresses. The content of these emails references tracking information from a popular package delivery service. Threat actors choose ISO files to distribute malware because they are traditionally very large files, leading some email gateways to scan them improperly. Emsisoft details this tactic in a November 2018 blog post. The NJCCIC highly recommends users avoid opening attachments delivered with unexpected or unsolicited emails, exercise caution when opening attachments from known senders, and ensure anti-virus/anti-malware solutions are running and up-to-date.


Save the Date

Date: Wednesday, March 20, 2019 | Time: 8:30 a.m. Registration
Location: The Event Center at iPlay America, Freehold, New Jersey
Audience: Public sector organizations including state, county and municipal governments and authorities, K-12 and higher-education

Over the past year, the NJCCIC received numerous reports of cyber incidents, many involving ransomware, that significantly impacted municipal and county government organizations here in NJ, resulting in millions in ransoms being paid out and major disruptions to operations. Oftentimes, poor cyber hygiene was what allowed the threat actors to succeed. We will provide attendees with practical strategies, tactics, resources, and tools to help manage cyber risk in their respective organizations. Event registration coming soon.

Warning of Cyber Attacks Disrupting US Critical Infrastructure and Military

The Office of the Director of National Intelligence (ODNI) outlined and warned of cyber attacks against the US and its allies in its annual Worldwide Threat Assessment. According to the report, China and Russia pose the greatest cyber espionage, influence, and attack threats to US critical infrastructure and military, with the aim of gaining political, economic, and military advantages. Other areas of concern include, but are not limited to: energy, technology, and elections. The full ODNI threat assessment can be found here.

HPE Partners with Girl Scouts on Cybersecurity Game and Curriculum

Hewlett Packard Enterprise (HPE) and the Girl Scouts are partnering together to bring cybersecurity awareness to young girls through a new cybersecurity game and curriculum. Romero Games designed the new interactive game called Cyber Squad. The curriculum covers personal information and digital footprint, online safety, privacy and security, and cyberbullying. Girls will receive a Girl Scout patch upon completion of both the game and curriculum. This initiative further engages and supports girls in the fields of science, technology, engineering, and mathematics (STEM). HPE provides additional information about this initiative here.

Tax Identity Theft Awareness Week

This week is Tax Identity Theft Awareness Week. This campaign aims to inform the public of ways they can protect themselves from tax-related identity theft and scams. This type of identity theft occurs when an individual uses someone else’s Social Security number to fraudulently file a tax return to collect the refund.

Please review the following resources for more information:
  • IRS – Identity Protection: Prevention, Detection and Victim Assistance
  • IRS – Taxes. Security. Together
  • IRS/NCCIC – Security Tip ST15-001 - IRS and NCCIC Caution Users: Prepare for Heightened Phishing Risk This Tax Season

Mozilla Firefox Releases New Anti-Tracking Feature

Mozilla’s mission and fight for the right to privacy has painted a clearer picture for users by providing more choices in controlling and protecting their privacy and data. Users now have the ability to choose a privacy level in line with their preferences. The redesigned Enhanced Tracking Protection (or Content Blocking) feature is in the latest version of Firefox, which can be found by selecting Preferences, then Privacy & Security. Under the Content Blocking section, there are three privacy levels to choose from: Standard (selected by default), Strict, or Custom. More information about Mozilla’s new anti-tracking feature and privacy levels can be found on Mozilla’s blog post here and wiki page here.

Microsoft Introduces New Tools for Security and Compliance

Beginning late January and through March 2019, Microsoft will roll out two new security and compliance tools that enable organizations to have centralized management across Microsoft 365 services, including Office 365, Windows 10, and Enterprise Mobility + Security (EMS), with several Azure capabilities. Both tools provide workspaces with actionable insights, alerts, and scores. The Microsoft 365 Security Center provides security solutions for identities, data, devices, applications, and infrastructure. The Microsoft 365 Compliance Center provides compliance solutions for classification, data governance, and case management. Learn more about these new tools by reviewing Microsoft’s blog post and technical supporting documentation here.

Webinar: Chinese Cyber Activity Targeting Managed Service Providers

On December 20, 2018, the Cybersecurity and Infrastructure Security Agency (CISA) announced that malicious actors working on behalf of the Chinese government have been carrying out a campaign of cyber attacks targeting managed service providers (MSPs). Victims of these attacks have suffered from the loss of sensitive or proprietary information, as well as service disruptions, financial loss, and reputational harm. Organizations of all sizes, from all sectors, are still at risk for similar attacks in the future. Previously posted information on this threat can be found here: http://www.us-cert.gov/China.

Join CISA for a virtual Awareness Briefing to review the background of this threat, as well as recommended steps MSPs and their customers can take to protect themselves from future attacks.

Register now for one of two upcoming Awareness Briefings. Content is the same for each session.
  • Wednesday, February 6 at 1:00 p.m. ET
  • Friday, February 22 at 1:00 p.m. ET

This is Security
This series, written by NJCCIC Director Mike Geraghty based on his extensive experience in information security, will provide practical strategies and tactics to help strengthen your organization's cybersecurity posture.

The Importance of Multi-Factor Authentication

Knock, knock – Who’s There?
This month, another collection of user IDs and passwords was released on the dark web. It includes more than two billion records that have been compiled from data breaches dating back as far as 2008. Identity and authentication mechanisms - i.e. usernames and passwords - are intended to provide reasonable assurance that the person logging into a system is who they say they are. But with billions of leaked identifiers and authenticators, along with the fact that individuals are likely to use the same authenticator across multiple accounts, that assurance is significantly diminished. But that’s not all – password-stealing trojans from Emotet to Trickbot abound, sitting stealthily on millions of infected computers just waiting to steal users’ credentials. So what’s the takeaway? A password alone can no longer be considered sufficient to authenticate users to systems and services, particularly those containing sensitive information.

Threat Alerts

Attackers Use Steganography to Obfuscate PDF Exploits

EdgeSpot researchers discovered a powerful exploit obfuscation technique used to make malicious PDF documents appear legitimate and, therefore, bypass the detection of almost all anti-virus engines. This technique enabled all streams to look normal and all images to be viewable. Researchers believe this is the first time the steganography technique has been used to hide malicious JavaScript code in images embedded in PDF documents. The NJCCIC recommends users avoid clicking on any unsolicited or suspicious links or files. EdgeSpot provides additional information about their findings here.

New Ransomware Incorporates Phishing Tactic

A new ransomware variant, dubbed CryTekk, is using a phishing tactic in its attacks. Its ransom note includes an option to click a “Buy Now” button and pay the ransom with a major credit card, allowing the victim to avoid paying via bitcoin, as is typically required. If the victim clicks the “Buy Now” button, they are redirected to a PayPal phishing website requesting the individual’s credit card information and, once the user clicks “Agree and Continue,” they are directed to a new page that prompts them to enter their personal information and again click “Agree and Continue.” The following page shows a “Your account access is fully restored!” confirmation window. All of the information provided in these pages is sent to the threat actor, allowing them to fraudulently use the victim’s payment card details at a cost far exceeding that of the initial ransom demand. The NJCCIC discourages victims from paying the ransom if impacted by a ransomware infection and, instead, recommends they ensure they have a comprehensive data backup plan. We recommend reviewing the Malwarebytes post for more information and the NJCCIC Ransomware Threat Profile for ransomware mitigation strategies.

APT39 Cyber Espionage Group Targets Personal Information

FireEye researchers identified a new Iranian cyber espionage advanced persistent threat (APT) group, dubbed APT39, deploying backdoors to gain access to and steal individuals’ personal information. In these attacks, the targeted network is initially compromised via spear-phishing emails with malicious attachments or links. Then, APT39 establishes a foothold, escalates privileges, and conducts reconnaissance on the network. The group then moves laterally and maintains persistence using remote desktop protocol (RDP) and archives stolen data using a compression tool. APT39 has targeted organizations across the world, including those in the United States, with a focus on the telecommunications and travel industries. Other targeted industries include: technology, government, business services, transportation, and media and entertainment. The NJCCIC recommends that those who may be considered high-value targets for APT activity review the FireEye report for technical details, including tactics, techniques, and procedures (TTPs). Organizations are advised to educate end users on this and similar threats; implement a defense-in-depth cybersecurity strategy; employ the Principle of Least Privilege; and keep anti-virus/anti-malware, hardware, and software updated.

Apple Users Targeted by Malvertising Group

A malicious advertising (malvertising) group, dubbed “VeryMal,” targeted Apple users in a malvertising campaign that employed steganography to hide malicious code inside advertisements (ads). After the user clicks on the malicious ad, the embedded JavaScript code forces the browser to navigate to a URL that displays a popup instructing the user to install software updates, often for Adobe Flash Player. These software updates contain a version of the Shlayer macOS malware. This variant is used as a jumping-off point to install additional malware onto a user’s system. The group is believed to have taken control of over five million web sessions from legitimate sites. The NJCCIC advises users to avoid clicking on ads on webpages or in popups, refrain from downloading any software from unofficial channels or sites, and ensure hardware, software, and anti-virus/anti-malware are up-to-date. More information on the VeryMal group and their activities can be found in the Confiant report.

Vulnerability Advisories

Microsoft Exchange Vulnerable to Privilege Escalation

Fox-IT security researcher Dirk-jan Mollema discovered that by combining three known vulnerabilities, threat actors could escalate the privileges of any user with a Microsoft Exchange mailbox to Domain Admin access. Mollema accomplished this by exploiting Exchange’s high privileges in the Active Directory domain, NTLM authentication’s vulnerability to relay attacks, and the ability to authenticate to a threat actor-controlled website with the computer account of the Exchange server. At the time of writing, there is no fix; however, Mollema suggested several mitigations to combat this threat. A proof-of-concept tool to carry out such an attack has also been released. The NJCCIC recommends affected users and administrators of Microsoft Exchange 2013 and newer apply the mitigations provided by Mollema until patches become available. More information on the vulnerabilities, technical details, and mitigations can be found on Mollema’s website.

Threat Actors are Bypassing Network Protections via RDP Tunneling

A Microsoft Windows component, Remote Desktop Protocol (RDP), provides administrators and users with remote access to systems. Threat actors are bypassing network protections using RDP utilities, network tunneling and host-based port forwarding, by taking advantage of unprotected ports in the network’s firewall. Threat actors are using PuTTY Link, or Plink, for inbound RDP tunneling, allowing them to establish SSH network connections to other systems. Using these tactics, they can move laterally to segmented networks through an administrative jump box without disrupting legitimate administrators, making these intrusions and attacks difficult to detect. The NJCCIC recommends reviewing and applying the host-based and network-based prevention and detection mechanisms, which can be found on the FireEye blog post here.

Threat Profiles
Android: No new or updated variants were added.
Botnet: No new or updated botnets were added.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: No new or updated exploit kits were added. 
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: One updated variant: Shlayer.
Point-of-Sale: No new or updated variants were added.
Ransomware: No new or updated variants were added.
Trojan: No new or updated variants were added. 


Social Engineering Awareness
Understanding More About Phishing Techniques to Reduce Your Digital Risk
Comment: Threat actors share tips, tools, and techniques on various online forums, and have access to a variety of tutorials and templates for pretexting using social media sites, spoofing, or cloned websites. They hope to increase their chances of success through more sophisticated tactics to convince and bait users. It takes just one click to fall victim; therefore, it is important to reduce the risk of becoming a target by limiting what information is shared online, enabling multi-factor authentication, and learning how to identify phishing emails.
Google Offers Online Phishing Quiz
Comment: The goal of phishing is often to steal passwords and gain access to accounts and information. One of the best ways to limit the impact of a successful phishing attempt is multi-factor authentication as, once enabled, a threat actor will not be able to successfully access the account with only stolen credentials. The best protection to prevent falling victim in the first place is to be able to identify phishing emails and know what to look for. Google’s Jigsaw created and launched an online phishing quiz to test a user’s ability to identify phishing emails. In addition, Google account users can help protect themselves from entering their password in a fake login page by using Google’s Chrome extension “Password Alert.”

Cyber at a Glance
Facebook Debuts Scam Ads Reporting Tool
Comment: Malicious advertisements (malvertisements) are often used to deliver malware, steal credentials, and convince users to get involved in get-rich-quick schemes. Facebook’s new tool will allow users to easily flag scam advertisements and, hopefully, allow Facebook to remove the ads from the platform more quickly. This and similar tools empower users to submit reports that could mitigate all users’ risk by reducing the amount of malicious content they are exposed to.


Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.


