NJCCIC Weekly Bulletin | June 13, 2019

THE WEEKLY BULLETIN
June 13, 2019
TLP: WHITE

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.
Cyber Hygiene – Patching is Caring
Cybersecurity professionals routinely advise users to keep their systems and devices up to date because threat actors exploit unpatched vulnerabilities, sometimes with debilitating results. After a vulnerability is first disclosed, it typically takes only about 30 days for threat actors to begin exploiting it. Despite this, organizations leave devices unpatched for years at a time, making them susceptible to old exploits. In May 2017, an outbreak of the WannaCry ransomware infected hundreds of thousands of devices around the world, including those at Britain’s National Health Service (NHS). The ransomware weaponized the EternalBlue exploit, which targets a vulnerability in Server Message Block (SMB). Microsoft had patched this vulnerability (MS17-010) and released updates two months before the incident. Now, over two years later, WannaCry infections are on the rise again because many devices remain unpatched and exposed to the same exploit. While patching systems takes time, it is a necessary practice to protect your network and data. The NJCCIC highly advises users and administrators to patch all software and hardware as updates become available and after appropriate testing. Please review the NJCCIC Cybersecurity Best Practices guide for more cyber hygiene tips.

Announcements
Girls Go CyberStart Cybersecurity Competition
An awards luncheon was held today at Brookdale Community College to honor the 13 New Jersey teams selected for the Girls Go CyberStart Championship Finals. Congratulations to the teams from the following schools: 
  • Absegami High School
  • Bergen County Academies
  • Communications High School
  • Egg Harbor Township High School
  • Freehold Borough High School
  • High Technology High School
  • Lakeland Regional High School
  • Livingston High School
  • Red Bank Regional High School
  • Stuart Country Day School
  • The Hun School of Princeton
  • Warren Hills Regional High School
  • Westfield Senior High School
Between June 5 and 7, 120 teams across the U.S. participated in a Capture the Flag (CTF) team event, the final stage of Girls Go CyberStart. Cybersecurity CTFs consist of a set of computer security puzzles and challenges that test skills in areas such as reverse engineering, memory corruption, and cryptography. Solving a challenge yields a flag, a secret string that can be exchanged for points; the more points a team earns, the higher it ranks.
Bergen County Academies and Livingston High School placed in the top 25 nationally. Bergen County Academies was First in NJ for the second year in a row! 
 
IRS Warns of New Tax Scams
The Internal Revenue Service (IRS) has issued a reminder urging consumers to look out for two new variations of tax-related phone and email scams. The phone scam involves pre-recorded messages threatening to suspend or cancel a victim’s Social Security number, and the email phishing scam involves a fake agency—the “Bureau of Tax Enforcement”—claiming that the victim owes past due taxes.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages taxpayers to review the IRS Alert and CISA’s Tip on Avoiding Social Engineering and Phishing Attacks for more information on avoiding tax scams year round. If you believe you have been a victim of a tax-related scam, visit the IRS webpage on Tax Scams - How to Report Them.  
 
Scammer Sentenced to Over Four Years in Prison
Following a February 12 Department of Justice indictment, Muftau Adamu pleaded guilty to conspiracy to commit wire fraud and was recently sentenced to 51 months in prison. The charges stem from business email compromise (BEC) and romance scams he engaged in between 2014 and 2018, which netted him over $10 million. Two co-conspirators were also sentenced, to 48 months and 30 months respectively, for their participation. Recent indictments of individuals engaged in cybercrime reflect efforts by US law enforcement to hold threat actors accountable for their actions against US citizens, organizations, and government entities.

Threat Alerts
Exim Vulnerability Exploited in Wild
A remote command execution vulnerability in Exim, CVE-2019-10149 (detailed in the June 6 NJCCIC Weekly Bulletin), is being actively exploited by several threat actors. At least two hacking groups have been observed targeting Exim servers, with attacks beginning as early as June 9. Exim runs on roughly 57 percent of the email servers reachable on the internet. The flaw affects Exim 4.87 through 4.91; the NJCCIC highly advises administrators of Exim servers to update to version 4.92 (or a distribution package that carries the backported fix) as soon as possible. More information can be found in the ZDNet article.
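A quick way to triage hosts against the affected range above, written for this bulletin as an added example (it is not Exim project code or part of the original alert). It parses the first line of `exim -bV`, which prints "Exim version x.yz ...", and reports whether the version sits between 4.87 and 4.91. The sample `exim -bV` line is constructed, and the `check_local_exim` helper is a name chosen here. Distribution packages that backport the fix keep an older version number, so treat a "vulnerable" result as a prompt to check the package changelog rather than as proof of exposure.

```shell
#!/bin/sh
# Added example (not from the bulletin or the Exim project): classify an Exim
# version string against the CVE-2019-10149 affected range, 4.87 through 4.91
# inclusive, fixed in 4.92.

# Pull "x.yz[.w]" out of the first line of `exim -bV` output.
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n '1s/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) when 4.87 <= version <= 4.91, 1 otherwise, 2 if unparseable.
exim_is_vulnerable() {
    v="$1"
    major=${v%%.*}          # "4"
    rest=${v#*.}            # "91" or "92.1"
    minor=${rest%%.*}       # "91" / "92"
    case "$major$minor" in
        *[!0-9]*|'') return 2 ;;   # not a dotted numeric version
    esac
    [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]
}

# Constructed sample of an `exim -bV` first line; the build date is made up.
SAMPLE_BV="Exim version 4.91 #1 built 01-Jan-2019 00:00:00"

# Run on a host: prints a verdict and returns 1 when the version is affected.
check_local_exim() {
    command -v exim >/dev/null 2>&1 || { echo "exim not installed"; return 0; }
    v=$(exim_version_from_bv "$(exim -bV 2>/dev/null)")
    if exim_is_vulnerable "$v"; then
        echo "Exim $v is in the CVE-2019-10149 range; update to 4.92 or later"
        return 1
    fi
    echo "Exim $v is outside the affected range"
}
```

Source the file and call `check_local_exim` on each mail host; the exit status makes it usable from configuration-management or fleet-scanning jobs.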

Add Recovery Number Phishing Campaign
A new phishing campaign, sent with the subject line “New Account Verification,” warns users to add a recovery phone number to their account and states that if they do not comply, the account will be deactivated and all of its contents lost permanently. If the user clicks the “Add Recovery Number Now” link, they are taken to a fraudulent webmail login page. Once credentials are entered and submitted, they are sent to the threat actor and the page redirects to an error page. The NJCCIC highly recommends users avoid clicking on any links contained in unexpected or unsolicited emails. If the user is uncertain of the email’s legitimacy, contact the sender via an alternate method. We advise users to refrain from responding to the email, as a reply confirms to the threat actor that the address is live. More information can be found in the Bleeping Computer article.

Extortion Scam Campaign Targeting Website Owners
Another scam has surfaced in which extortionists email website owners and threaten to ruin their website’s reputation and have the domain blacklisted as a spam source. The threat actor claims that, if a bitcoin payment is not received, they will send millions of emails from the target’s domain, write negative reviews of the target’s website, and impersonate the target by posting offensive messages in other website owners’ contact forms. The subject line is “Abuse and lifetime blocking of the site – [example.com]. My requirements.” There is no indication that this threat is credible; anyone who receives this extortion email should ignore and delete it. The NJCCIC recommends users educate themselves and others on this and similar scams to prevent future victimization. We encourage users to report cyber incidents via the NJCCIC Cyber Incident Report Form and the FBI’s Internet Crime Complaint Center (IC3) website.

FBI Issues Warning on Phishing Emails Containing Fake Secure Websites
The Federal Bureau of Investigation issued a Public Service Announcement notifying the public that malicious actors are using websites secured with TLS (Transport Layer Security) in phishing campaigns. Internet users have been conditioned to assume “https” sites are legitimate and to look for the padlock near the address bar, but the padlock only confirms that the session is encrypted; a certificate says nothing about who operates the site. These phishing campaigns emulate trustworthy companies and use website certificates to create a false sense of security in an attempt to convince users to submit their credentials or other sensitive information on compromised websites. The NJCCIC recommends users refrain from clicking on embedded links or attachments, downloading files, or accepting shared-folder invitations that arrive in unsolicited or unexpected emails. Users are advised to verify the legitimacy of a website beyond the presence of “https,” starting with whether the domain in the address bar is the one the organization actually uses. We also encourage users to review the NJCCIC products Don’t Take the Bait! Phishing and Other Social Engineering Attacks and Cybersecurity Best Practices for more information on how to keep their accounts and data safe. For further recommendations, read the full BleepingComputer article.
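Both the recovery-number campaign above and the FBI notice come down to the same check: where does the link actually go, regardless of whether it uses https. The script below is an added example written for this bulletin (it is not code from the NJCCIC, the FBI, or Bleeping Computer) that extracts links from a message and judges each one purely by its host. The trusted-domain list, the sample email, and the function names are constructed for illustration; the scheme is deliberately given no weight, so a padlock alone never turns a link green.

```python
"""Added example, not from the bulletin: judge links in an e-mail by their host.

The trusted domains and the sample message below are constructed; substitute the
domains your organisation really uses for webmail and account management.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist of domains the organisation legitimately uses.
TRUSTED_DOMAINS = {"example.com", "mail.example.com"}

# Digits commonly swapped for letters in lookalike registrations, mapped back.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

_URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _host_under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def link_verdict(url, trusted=TRUSTED_DOMAINS):
    """Return (destination_is_trusted, reason) for one URL.

    The scheme (http/https) is ignored on purpose: encryption is not identity.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host in link"
    # userinfo trick: https://mail.example.com@evil.example.net/ lands on evil.example.net
    if parts.username is not None:
        return False, f"text before @ ({parts.username}) is not the host; real host is {host}"
    # Exact or subdomain match on a trusted domain is the only green path.
    if any(_host_under(host, d) for d in trusted):
        return True, f"host {host} is under a trusted domain"
    # Trusted name used as a prefix of a foreign host:
    # mail.example.com.account-verify.net
    for d in sorted(trusted):
        if host.startswith(d + "."):
            return False, f"trusted name {d} embedded under foreign domain {host}"
    # Digit-for-letter substitutions: examp1e.com -> example.com
    normalised = host.translate(_HOMOGLYPHS)
    if normalised != host:
        for d in sorted(trusted):
            if _host_under(normalised, d):
                return False, f"lookalike host {host} resembles {d}"
    return False, f"host {host} is not a trusted domain"


def scan_message(body, trusted=TRUSTED_DOMAINS):
    """Return [(url, is_trusted, reason)] for every http(s) link in the body."""
    return [(u, *link_verdict(u, trusted)) for u in _URL_RE.findall(body)]


# Constructed sample in the shape described above; not a real campaign artefact.
SAMPLE_EMAIL = """Subject: New Account Verification
Your account will be deactivated unless you add a recovery number:
https://mail.example.com.account-verify.net/recover  (Add Recovery Number Now)
Manage settings at https://mail.example.com/settings
"""

if __name__ == "__main__":
    for url, ok, why in scan_message(SAMPLE_EMAIL):
        print("OK  " if ok else "FLAG", url, "-", why)
```

The prefix and homoglyph checks are heuristics that catch the common tricks; a production mail gateway would additionally resolve the registrable domain with the Public Suffix List and compare against a brand list rather than a handful of domains.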

FIN8 is Back, Targeting Hotel PoS Systems
The hacking group FIN8 is back after a two-year hiatus. According to cybersecurity firm Morphisec, the group is targeting point-of-sale (PoS) systems at companies in the hospitality sector using a new variant of the PunchBuggy/ShellTea backdoor. The backdoor downloads PowerShell code that collects network and user information. The group reportedly targeted at least one hotel located in the US. The NJCCIC recommends individuals pay with chip-and-PIN cards rather than swiping the magnetic stripe, and that administrators keep PoS systems updated and behind a firewall. More information and technical details can be found in the Morphisec blog post.

Vulnerability Advisory
Major Vulnerabilities in HSMs Impacting Banks, Cloud Providers, Government
Researchers from Ledger discovered vulnerabilities in a Hardware Security Module (HSM) that can be exploited remotely, over the module’s PKCS#11 interface, to retrieve the sensitive data it protects. HSMs are hardware-isolated devices that store and operate on cryptographic keys, passwords, and PINs, and take the form of add-in computer cards, network-attached appliances, and USB tokens. A further vulnerability in the firmware signature verification allows a modified firmware image to be uploaded to the HSM, creating a persistent backdoor that survives later firmware updates and gives a threat actor continued access. These devices are used by financial institutions, cloud providers, government agencies, data centers, and telecommunications operators. The vulnerabilities were reported to the vendor, which the researchers do not name and which has published firmware updates with security fixes. The NJCCIC recommends applying firmware updates as they become available and, where an HSM exposes a network-facing API, restricting which hosts may reach it. More technical information about the HSM vulnerabilities can be found in the ZDNet article and in Jean-Baptiste Bédrune and Gabriel Campana’s research paper, currently available only in French.

Breach Notifications
 
Tech Data Corporation
Researchers from vpnMentor discovered an exposed log management server at the Fortune 500 company Tech Data Corporation. The server leaked 264GB of client and business data, including payment information, personally identifiable information (PII), and full company and account details for users and managed service providers. Tech Data reported that the exposure was corrected and the server disabled. At the time of this writing, no data stored on the affected server is believed to have been misused. More information about this breach can be found in vpnMentor’s blog post.
US Customs and Border Protection
US Customs and Border Protection (CBP) officials disclosed a breach resulting from a cyber-attack on a contractor’s network, believed to be Perceptics. The breached data includes approximately 100,000 license plate images and traveler photos, which were found on the dark web and available for free download in late May 2019. Upon notification, CBP immediately contacted law enforcement authorities and members of Congress. According to a CBP official, the contractor had transferred copies of the images to its own network in violation of CBP policies. This is the second breach affecting DHS this year; the first affected the Federal Emergency Management Agency (FEMA), in which approximately two million US disaster survivors’ personal information was exposed. Further information can be found in the Cyware article.

Threat Profiles
 
Android: No new or updated variants were added.
ATM Malware: No new or updated variants were added.
Botnet: Two updated botnets: Hide N’ Seek, Mirai.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: No new or updated exploit kits were added.
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: One updated variant: Sodinokibi.
Trojan: No new or updated variants were added.

ICS-CERT Advisories
Patches
Throwback Thursday
Be Sure to Secure
Threat Analysis

Social Engineering Awareness
The Evolution of Hackers: Protecting Your Company From Social Engineering
Comment: Social engineering is one of the biggest threats companies face, and unsuspecting targets are vulnerable to it. A high level of technical sophistication is no longer required to engage in this activity, since amateur attackers can purchase and customize malware kits and other tools, which increases the number of potential attacks. Well-educated users, however, can reduce their chances of victimization by maintaining awareness of current social engineering tactics.

Cyber at a Glance
8 Ways to Authenticate Without Passwords
Comment: The tech industry is pushing aggressively to transition to passwordless authentication. According to Verizon’s 2019 Data Breach Investigations Report, about 80 percent of hacking-related breaches involve stolen or weak credentials, which supports the argument that passwords are an outdated form of authentication. Examples of passwordless authentication include biometrics and FIDO2 authenticators.
Criminals Are Selling Hacking Services Targeting World’s Biggest Companies
Comment: Dark net vendors are selling hacking services in response to increased demand for attacks on FTSE (Financial Times Stock Exchange) 100 and Fortune 500 businesses, customized malware, and access to corporate networks. Targeted and customized attacks require more work and therefore command a higher price. The most frequently targeted industries are banking, ecommerce, healthcare, and education. Stolen credentials and phishing are the preferred methods of infiltrating corporate networks, so companies need to strengthen their information security strategy, starting with credential hygiene and phishing resistance, to protect themselves.

 
The information contained in this product is marked Traffic Light Protocol (TLP): WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction. 

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
 
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.

