NJCCIC Weekly Bulletin | October 3, 2019

THE WEEKLY BULLETIN
October 3, 2019
TLP: WHITE

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.
Malspam Campaigns Attempt to Deliver Emotet
The NJCCIC has received reports of several malicious email spam campaigns containing Word documents, or links to download Word documents, that attempt to download and install the Emotet trojan once macros are enabled. Emotet is often used to install additional malware onto systems to steal information and perpetuate further spam campaigns. Since Emotet resumed activity in August 2019 after a four-month hiatus, several tactics have been deployed, including themes of fake invoices, order confirmations, payment confirmations, and shipping issues. Last week, Edward Snowden’s new book was used as a lure, claiming the memoir was attached as a Word document. This week, emails containing a malicious Word document displaying a fake Microsoft Office Activation Wizard prompted users to complete the activation of Microsoft Office by clicking on the Enable Editing and Enable Content buttons, which would then download Emotet. The NJCCIC recommends educating users about this and similar phishing threats, reminding them never to click on links or open attachments delivered in unexpected or unsolicited emails, and to avoid enabling macros in Word documents. Users are advised to run updated anti-virus/anti-malware programs on all devices and enable multi-factor authentication where available to prevent account compromise as a result of credential theft. Users may report incidents to the NJCCIC via the Cyber Incident Report Form.

New Jersey Cybersecurity Spotlight
New Jersey Student Awarded $22,000 Scholarship in the US Cyber FastTrack Competition
Gabrielle McCormack, a student at Stevens Institute of Technology in Hoboken, is among 100 finalists in the Cyber FastTrack competition who have been awarded $22,000 scholarships to attend the Applied Cybersecurity Program at the SANS Technology Institute. Scholarship winners will complete three advanced cybersecurity immersion courses and will also earn the professional GIAC certifications associated with each course as validation of their skill set.  
Cyber FastTrack is an innovative nationwide competition that provides high-aptitude students with the practical cybersecurity training that employers demand. In the six months since the 2019 competition began in April, the scholarship winners outperformed more than 13,000 other candidates.
It is not surprising that Gabrielle is a member of this elite group. She recently graduated Stevens Institute with high honors with a bachelor’s degree in Software Engineering and a minor in Computer Science. Gabrielle is currently working toward a Master of Science degree in Cybersecurity while also working as a Software Engineering intern at Becht Engineering. She is a recipient of the SMART Scholarship for Service through the Department of Defense and upon graduation will be working for the Naval Air Warfare Center Aircraft Division (NAWCAD) within the Naval Air Systems Command (NAVAIR) as a Software Engineer.
“Like many other companies, NAVAIR has a need for more cybersecurity experts who can help ensure their security,” Gabrielle said, “and I intend to use the knowledge from my Masters and the skills gained from this program to leave my positive mark in protecting our country from risk of cyber-attacks as best I can. For this reason, a job in cybersecurity is my top priority, and I intend to use my passions to make a positive difference in the world.”
Congratulations Gabrielle! New Jersey is proud to have students like you who will make our state and nation cyber strong!

Announcements
National Cybersecurity Awareness Month - OWN IT
The National Cybersecurity Awareness Month 2019 theme is “OWN IT. SECURE IT. PROTECT IT.” This theme emphasizes the role each individual plays in online safety and enhancing cybersecurity at home and at work.
The first call to action is “OWN IT: Understanding Your Digital Profile.” Many individuals have several accounts on various social media platforms and use a variety of apps on their devices that can present opportunities for malicious actors to compromise sensitive personal information. Users are encouraged to evaluate the security and privacy settings of social media and similar accounts and make any necessary adjustments. Additionally, users are advised to exercise caution when downloading apps onto their devices, ensuring they are only downloaded from official app stores. Furthermore, review the app’s security and privacy settings, and audit the requested app permissions, being careful not to provide access exceeding what is necessary for the app’s advertised function.
For more information on National Cybersecurity Awareness Month, please visit the StaySafeOnline website and the NJCCIC website.
DHS Cyber Hunt and Incident Response Teams Act of 2019
In response to increasing ransomware threats nationwide, the US Senate has passed the DHS Cyber Hunt and Incident Response Teams Act of 2019 (S.315). This Act authorizes the Department of Homeland Security (DHS) to assist both public and private entities with mitigation and defense against cyber-attacks by using federally-resourced cyber hunt and incident response teams. The House of Representatives passed similar legislation (H.R.1158) September 24th. Congress anticipates that this legislation will encourage collaboration between the private sector and DHS cyber response teams to protect vital digital infrastructure. 
Cyber Resiliency Workshops
FEMA is providing a one-day workshop that introduces best practices in cyber resiliency, seeks to foster communication within and among companies, entities, and industries to strengthen resiliency capabilities, and helps continuity and crisis management planners identify potential gaps in their response capabilities. Attendees will hear subject matter experts on best practices; question a panel of experts on what works or does not work for them; review current real-world case studies; and learn more about resources available in the community and state.
This FEMA Cyber Resiliency Workshop will be held on October 21, 2019 at Monmouth University in West Long Branch and on October 22, 2019 at the New Jersey Innovation Institute in Newark. It is free and open to the public with advance registration. The workshop registration and agenda links are:
October 21, 2019 | Monmouth University | Registration | Agenda
October 22, 2019 | NJ Innovation Institute | Registration | Agenda

Threat Alerts
Malvertising Campaign Distributes Over 1 Billion Ads
Image Source: BetaNews
Confiant researchers have observed a successful malvertising campaign executed by a known threat actor, eGobbler, targeting iOS, Windows, Linux, and macOS systems. Nearly 1.16 billion malicious pop-up ads were distributed between August 1st and September 23rd. This campaign dropped a new exploit payload similar to the one used by eGobbler to target iOS users in April in which the built-in Chrome pop-up blocker was circumvented. This new method was designed to abuse WebKit browsers using several content delivery networks in an attempt to remain inconspicuous. WebKit was patched on August 12th, while Apple patched vulnerabilities in iOS 13 on September 19th and in Safari 13.0.1 on September 24th. The NJCCIC recommends using a pop-up blocker and refraining from clicking on pop-up ads, choosing instead to navigate to desired websites by manually typing the URL in browser address bars. For further information, users can review the ZDNet article.
Ransomware Attacks Hit Healthcare Industry
Image Source: Threat Post
Ransomware attacks have compromised computer systems of at least three hospitals in Alabama, causing them to limit their services to critical new patients. Current hospital patients will be cared for; however, ambulance services have been directed to take patients to other local hospitals. In a similar ransomware attack this week, seven Australian hospitals and several health service providers were forced to either operate manually or close until computer systems are operational. Additionally, last month, a medical practice in California suffered a ransomware attack that caused irreparable damage; the practice recently announced it will be closed permanently as of December 2019. Ransomware attacks across all industries have sharply increased over the last two years, impacting the healthcare industry in particular because it provides critical everyday services. Cyber criminals will continue to target these vulnerable industries, recognizing their need to promptly return to normal business. The NJCCIC recommends organizations establish a comprehensive data backup plan that includes scheduled data backups and multiple backups kept offline in a separate and secure location. We also suggest regular cyber training and awareness exercises for all employees. Additional details may be found in the Bleeping Computer article. For further information regarding the risks to the healthcare sector, users are encouraged to review the NJCCIC threat analysis product.

Vulnerability Advisories
Prying-Eye Vulnerability Could Expose Online Conferences
Image Source: WAMC.ORG
Cequence researchers discovered a vulnerability, dubbed Prying-Eye, in WebEx, Zoom, and possibly other online conferencing products. Threat actors could use the Application Programming Interface (API) feature to cycle through meeting IDs to access meetings and possibly maintain access for an extended period of time through enumeration attacks. Cisco and Zoom were notified of the vulnerability in July and have since issued advisories; however, the vulnerability is still prevalent. Researchers explained that, “…direct-to-API attacks are increasingly common. By targeting the API as opposed to scripting a form fill, a bad actor can leverage the same benefits of ease of use.” At the time of this writing, there has been no evidence that Prying-Eye has been exploited in the wild. The NJCCIC advises users of online conferencing products to ensure meeting sessions are enabled with application-provided security controls and are password-protected. For more information, please review the Cequence blog post.
Vulnerability in WIB SIM Browser on Mobile Phones
Image Source: SecurityWeek
AdaptiveMobile Security disclosed the Simjacker attack in early September 2019. On September 21st, researchers from Ginno Security Labs disclosed a similar variant of the SIM card attack method involving the Wireless Internet Browser (WIB), dubbed WIBattack. This vulnerability allows malicious actors to track users’ devices by exploiting the WIB app running on the SIM card: the attacker sends a specially formatted binary SMS (called an OTA SMS) that contains WIB commands. Supported commands on a WIB app include Get location data, Start call, Send SMS, Send SS requests, and Send USSD requests. Both attack methods are difficult to detect and patch. The NJCCIC recommends users patch systems as updates become available. We encourage users to review the SecurityWeek article for more technical details and a video demonstration of this WIBattack vulnerability.

Breach Notifications 
Zynga Inc.
The popular mobile social gaming company, Zynga Inc., has become the latest breach victim of a Pakistani hacker known as Gnosticplayers. Zynga Inc. acknowledged the breach and announced that, at this time, ‘Words With Friends’ and ‘Draw Something’ have been illegally accessed, affecting approximately 218 million users. The cybercriminal is also responsible for several rounds of data dumps on the dark web marketplace Dream Market earlier this year, after hacking popular mobile apps, resulting in over 700 million confirmed compromised accounts. Compromised information includes names, email addresses, login and account IDs, and hashed passwords. Password reset tokens, phone numbers, and Facebook IDs that the user previously provided or requested are also included. Further details can be found in The Hacker News article and the Dark Reading article. Users of these gaming apps are advised to immediately change their passwords for these accounts and any others that use the same credentials, and enable multi-factor authentication where available. Additionally, exposed emails and phone numbers may be used in social engineering schemes.
DoorDash
An unauthorized third party accessed user data for the popular on-demand food delivery service, DoorDash, affecting approximately 4.9 million consumers, Dashers, and merchants who joined on or before April 5, 2018. Users who joined after April 5, 2018 were not affected. The breached user data includes profile information, the last four digits of consumer payment cards, the last four digits of bank account numbers, and driver’s license numbers. Since the breach, DoorDash has taken steps to block access by the unauthorized user, enhance security, notify affected users, and encourage users to change their passwords as a precautionary measure.

Threat Profiles 
Android: No new or updated variants were added. 
ATM Malware: No new or updated variants were added.
Botnet: No new or updated variants were added. 
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: No new or updated variants were added.
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: One updated variant: Sodinokibi.
Trojan: Two updated variants: Adwind, Emotet.


Social Engineering Awareness
How Can We Thwart Email-Based Social Engineering Attacks?
Comment: The tools and techniques used in social engineering attacks, such as phishing and BEC scams, are constantly evolving to evade detection. Malicious actors are targeting the human factor, popular technology platforms, cloud services, and loopholes in business processes. Organizations are recommended to invest in a multi-layered defense, including security training and ensuring information regarding business transactions and processes are not public-facing.

Cyber at a Glance
15,000 Webcams Vulnerable to Attack: How to Protect Against Webcam Hacking
Comment: Despite warnings for years about the risks associated with leaving webcams and other internet-of-things (IoT) devices internet-facing without required authentication, users continue to leave their devices unsecured. This can lead to privacy concerns and open users up to blackmail if a malicious actor gains access to sensitive footage.

The information contained in this product is marked Traffic Light Protocol (TLP): WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction. 

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
 
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
