NJCCIC Weekly Bulletin | April 18, 2019

THE WEEKLY BULLETIN
April 18, 2019
TLP: WHITE

Garden State Cyber Threat Highlights

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.

Holiday E-card Scams

The NJCCIC has received reports of holiday e-card scams targeting New Jersey residents and agencies. Spoofed emails were sent appearing to originate from legitimate organizations and contained the subject line “…has sent you an ecard.” In order to view the e-card, the scam prompts users to click on the link in the body or bottom of the email, copy and paste the link in the address bar of the browser, or visit the website and enter a personal pickup code. Threat actors commonly leverage public interest during the holidays to conduct financial fraud and disseminate malware. The NJCCIC recommends users educate themselves and others about these types of scams to prevent further victimization. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action.

Announcements

The State of Cybersecurity at the US Local Government Level

The NJCCIC provides information sharing, threat analysis, and incident reporting services to our members and the public at large. We work to make the State of NJ more resilient to cyber attacks by promoting statewide awareness of local cyber threats and widespread adoption of best practices. We have highlighted some key topics from an International City/County Management Association (ICMA) survey, which has provided insight into the state of cybersecurity regarding awareness and support, barriers, and best practices and tools:
  • 61.7 percent of top appointed managers and 42.5 percent of department managers were either moderately or exceptionally aware of cybersecurity issues.
  • 53.8 percent of top appointed managers provided either strong or full support for cybersecurity.
  • 35.6 percent of the elected executives and 33.3 percent of department managers provided either strong or full support for cybersecurity.
  • The top three severe or somewhat severe barriers to achieving the highest possible level of cybersecurity included:
    • Inability to pay competitive salaries for cybersecurity personnel (58.3 percent)
    • Insufficient number of cybersecurity staff (53.0 percent)
    • Lack of funds (52.3 percent)
  • The top three most effective cybersecurity measures were:
    • Formal rule(s) regarding how passwords can be made (77.4 percent)
    • A formal requirement for end users to change passwords periodically (77.1 percent)
    • A formal policy governing the use of personally-owned devices by governmental officials and employees (61.8 percent) 
  • The top three sectors rated extremely or very important as sources for learning about cybersecurity problems and best practices were:
    • Other local governments (42.5 percent)
    • Vendors (40.8 percent)
    • FBI (40.1 percent)
  • The three most important things to ensure the highest level of cybersecurity were:
    • Greater funding for cybersecurity
    • Better cybersecurity policies
    • Greater cybersecurity awareness among local government employees
  • The least important thing to ensure the highest level of cybersecurity was numerous IT networks/systems.

SECON is where the Cybersecurity, Risk and Audit fields merge to demonstrate the disruptive ways in which professionals and businesses manage, detect, and mitigate risk. It is the premier New Jersey event on the industry calendar where C-Level Executives, renowned speakers, innovators, and disruptors come together to drive change in the future of cybersecurity. For further details, please visit the SECON website.

April is National Supply Chain Integrity Month

Image Source: ODNI
April is National Supply Chain Integrity Month! The Office of the Director of National Intelligence (ODNI) is working with its partners to promote supply chain security. Threat actors may exploit supply chain vulnerabilities by stealing information, corrupting software, and installing malicious software or hardware. Please review the ODNI website for more information about supply chain threats and resources to mitigate risks.
The NJCCIC assesses with high confidence that software supply chain vendors are at risk from local and foreign threat actors infiltrating strong security systems of organizations through the exploitation of an established and trusted distribution channel. General software update attacks can lead to supplementary targeted campaigns of specific regions, sectors, or personnel. Continue reading…

Industry Report: Hospitality

Image Source: Symantec
Symantec researcher, Candid Wueest, conducted an analysis and detailed risks found in the hospitality industry. Some key takeaways are below:
  • More than 1,500 hotel websites spanning across 54 different countries were assessed.
  • 29 percent of hotel websites are not encrypting booking links.
  • Personal information was exposed in 67 percent of the studied cases through booking reference codes. Exposed information includes:
    • full names
    • passport number
    • email address
    • postal address
    • mobile number
    • the last four digits of credit card
    • credit card type
    • expiration date
  • Symantec contacted all the hotels in the study, finding the average response from data privacy officers (DPOs) took at least 10 days.
  • Over 25 percent of the DPOs responded after six weeks.
  • Over 30 service providers like social networks, search engines, and analytics services have shared the booking reference number.
  • Over 200,000 cases of General Data Protection Regulation (GDPR) violations and data breaches have been reported since the law came into effect a little over one year ago.

Threat Alerts 

HTML5 Hyperlink Pings Used in DDoS Attacks

Image Source: Imperva
A new type of DDoS attack is actively being carried out against various sites by abusing an HTML5 feature referred to as hyperlink auditing, or pings. Imperva researchers observed an attack that delivered 70 million ping requests over a four-hour period from an estimated 4,000 IP addresses. The ping feature is a legitimate tracking method used to record clicks on website links and is part of standard HTML hyperlink markup. The attack involved web pages, primarily gaming sites, that loaded two external JavaScript files. One of these files contained the list of URLs that were targets of the DDoS attack. Researchers assess that malvertising, or malicious advertising, was used in combination with malware and social engineering to attract users to the pages hosting the script. The NJCCIC recommends users avoid clicking on advertisements and instead navigate directly to the URL. We also advise website and application operators who do not need to receive ping requests to block any Web requests that contain “Ping-To” and/or “Ping-From” HTTP headers on the edge devices (Firewall, WAF, etc.).
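The edge-filtering advice above, as an added example that is not code from Imperva or the NJCCIC: a small parser for raw HTTP request heads, a check for the hyperlink-auditing markers a browser sends (a POST with Content-Type text/ping and Ping-From/Ping-To headers), and a triage pass that drops pings and flags clients sending bursts of them. The sample requests are constructed, and the client IP is assumed to arrive in an X-Forwarded-For header set by a proxy.

```python
from collections import Counter


def parse_request(raw: str) -> dict:
    """Parse a minimal raw HTTP/1.1 request head into method, path and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def is_hyperlink_ping(req: dict) -> bool:
    """True when the request carries the HTML hyperlink-auditing markers
    (Ping-To / Ping-From headers, or a text/ping body type)."""
    h = req["headers"]
    return ("ping-to" in h or "ping-from" in h
            or h.get("content-type", "").lower().startswith("text/ping"))


def triage(raw_requests: list, threshold: int = 3) -> dict:
    """Drop pings, pass other traffic, flag clients sending >= threshold pings.
    Client IP is read from X-Forwarded-For (assumption: a proxy sets it)."""
    blocked = passed = 0
    per_ip = Counter()
    for raw in raw_requests:
        req = parse_request(raw)
        if is_hyperlink_ping(req):
            blocked += 1
            per_ip[req["headers"].get("x-forwarded-for", "unknown")] += 1
        else:
            passed += 1
    flagged = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {"blocked": blocked, "passed": passed, "flagged": flagged}


# Constructed sample traffic: three pings from one client, one from another,
# and one ordinary GET that must pass. Addresses are documentation ranges.
PING = ("POST / HTTP/1.1\r\nHost: victim.example\r\nContent-Type: text/ping\r\n"
        "Ping-From: https://game.example/\r\nPing-To: https://victim.example/\r\n"
        "X-Forwarded-For: {ip}\r\n\r\nPING")
SAMPLE = [PING.format(ip="203.0.113.7")] * 3 + [PING.format(ip="198.51.100.9")] + [
    "GET /index.html HTTP/1.1\r\nHost: victim.example\r\nX-Forwarded-For: 192.0.2.1\r\n\r\n"]

if __name__ == "__main__":
    print(triage(SAMPLE))  # {'blocked': 4, 'passed': 1, 'flagged': ['203.0.113.7']}
```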

APT MuddyWater Exploits ACE WinRAR Flaw

Image Source: Microsoft
Advanced Persistent Threat (APT) MuddyWater, also known as Seedworm, has been identified as the cyberespionage group behind a series of recent Windows attacks. The Microsoft Office 365 Threat Research Team discovered a cyberattack that used an exploit for CVE-2018-20250, which affects WinRAR versions prior to and including 5.61. The WinRAR vulnerability was previously discovered in February 2019 by Check Point researchers. Shortly after the vulnerability was discovered, Microsoft identified it being used to target organizations in the satellite and communications industry. Multiple tactics were used in these attacks in an attempt to obfuscate the malicious payload, including a fileless PowerShell backdoor that can ultimately give the APT full control of the compromised target. It is estimated that over 500 million people use WinRAR worldwide. The technical details of the attack chain are highlighted in the Microsoft Research blog. The NJCCIC advises users to run all Windows updates and refrain from clicking on links or attachments in unknown or unsolicited emails. We also suggest users review a summary of recommendations from Symantec regarding the WinRAR vulnerability.

WordPress YP Plug-in Vulnerability Actively Exploited

Image Source: BleepingComputer
Last week, a security researcher publicly posted a proof of concept (PoC) highlighting how vulnerabilities in Yellow Pencil Visual Theme Customizer (YP) could be exploited. Unfortunately, Wordfence Security has reported a high volume of attempts to exploit the flaw before patches were made available. The most affected sites have two plug-ins in common, Yuzo Posts and YP, with an estimated 160,000 websites actively using the YP plug-in. The vulnerability allows a threat actor to elevate privileges and change both the site and home URLs through a Structured Query Language (SQL) injection. At this time, the malicious script being used is hosted on the domain “hellofromhony[.]com,” which resolves to 176.123.9[.]53, an address that has been used in four other attacks by the same threat actor. This domain is redirecting traffic to malicious sites. The NJCCIC recommends users patch systems as updates become available.

‘Nasty List’ Instagram Phishing Scam

Image Source: VirusRemovalGuidelines
The latest phishing scam targeting Instagram users is harvesting login credentials. The messages claim that the recipient is on the ‘Nasty List’ and urge potential victims to follow a link to view the list. The link redirects the user to a fake login page; any credentials entered there are harvested and the compromised account is then used to spread the ‘Nasty List’ scam further. The linked page looks very similar to the Instagram login page, but the URL may be “nastylist-instapop50” or “TheNastyList_XX.” This scam is sent to all the followers of an already compromised account. Direct messages are also being sent via fraudulent account profiles. The NJCCIC strongly advises Instagram users to avoid clicking on any links sent in messages referring to the “Nasty List.” If a user has inadvertently navigated to this site and still has access to their account, verify that the account is linked to the correct phone number and email address, and then change the password immediately, as well as the password of any other accounts that used the same one. If a user has lost control of their account, report the incident to Instagram. Lastly, we recommend users enable the multi-factor authentication (MFA) available for Instagram.

Vulnerability Advisory

Amazon Employees Eavesdrop Through Alexa

Amazon employees from all over the world have eavesdropped on and reviewed conversations made to Alexa-enabled smart speakers in order to improve the voice assistant’s accuracy and overall customer experience. According to ZDNet, recordings were sent without full names, but users could still be indirectly identified using other information. Some recordings were reportedly criminal or upsetting in nature. Despite Amazon’s strict technical and operational safeguards and zero tolerance policy, the thought of someone listening in on conversations can raise privacy and security concerns. The NJCCIC advises users to review the privacy settings in the Alexa app and the additional information in the ZDNet blog post.

Threat Profiles
 
Android: No new or updated variants were added.
Botnet: No new or updated botnets were added.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: No new or updated exploit kits were added. 
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: One new variant: RobbinHood.
Trojan: One updated variant: Emotet.

ICS-CERT Advisories

Patches
Apache | Cisco | Drupal (1, 2) | Oracle | VMware

Throwback Thursday
Be Sure to Secure

Threat Analysis

Social Engineering Awareness
Serious Security: How Web Forms Can Steal Your Bandwidth and Harm Your Brand
Comment: Spam can be delivered through various methods, including Spam via Electronic Web Submissions (SPEWS). Threat actors can bypass spam filters by using bulk HTTP posting tools to fill out online comment forms, or by using contact or reporting forms to send phishing messages into organizations. In addition, phishing emails can arrive from genuine corporate senders with visually appealing malicious links placed in the greeting field. It is recommended to verify the email’s legitimacy, use caution when reusing anything from an input form, and run these emails through spam filtering if possible.
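The “use caution when reusing anything from an input form” point above, as an added example that is not code from the linked article or the NJCCIC: a screen for contact-form submissions that refuses to echo a name field containing a link or markup into an auto-reply greeting, rejects header-injecting email addresses, and flags link-heavy messages. The submissions, field names and thresholds are constructed for the example.

```python
import re
from html import escape

# Links in a greeting field are the lure the comment describes; tags and
# CR/LF sequences are the other two ways form input turns into abuse.
URL_RE = re.compile(r"(https?://|www\.)\S+|\b[\w.-]+\.(com|net|org|ru|xyz|info)\b", re.I)
TAG_RE = re.compile(r"<[^>]+>")
HEADER_INJECTION_RE = re.compile(r"[\r\n]|%0[ad]", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def screen_submission(form: dict, max_name_len: int = 60, max_links: int = 2) -> dict:
    """Return {'accept': bool, 'reasons': [...], 'greeting': str or None}.

    'greeting' is the sanitized text safe to place in an auto-reply; it is
    only produced when every check passes.
    """
    reasons = []
    name = form.get("name", "")
    email = form.get("email", "")
    message = form.get("message", "")
    if HEADER_INJECTION_RE.search(email) or not EMAIL_RE.match(email):
        reasons.append("invalid or header-injecting email address")
    if len(name) > max_name_len:
        reasons.append("name field too long for a greeting")
    if URL_RE.search(name) or TAG_RE.search(name):
        reasons.append("name field contains a link or markup")
    if len(URL_RE.findall(message)) > max_links:
        reasons.append("message contains many links")
    if reasons:
        return {"accept": False, "reasons": reasons, "greeting": None}
    # Escape anyway: the greeting may later be rendered in an HTML template.
    return {"accept": True, "reasons": [], "greeting": f"Dear {escape(name)},"}


# Constructed submissions: one legitimate, one with a lure in the name field,
# one attempting to add mail headers through the address field.
SAMPLES = [
    {"name": "Jane Doe", "email": "jane@example.org", "message": "Can I get a quote?"},
    {"name": "Your invoice is ready: www.pay-now.example", "email": "x@example.net",
     "message": "hi"},
    {"name": "Bob", "email": "bob@example.com\r\nBcc: all@example.com", "message": "hi"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(screen_submission(sample))
```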

Cyber at a Glance
Regulating the IoT: Impact and New Considerations for Cybersecurity and New Government Regulations
Comment: Security concerns are growing with the increasing number of IoT devices connected to the internet and the migration to cloud services. Consumers and businesses should be equipped and protected with security features both at the time of manufacturing and throughout the device’s life cycle. Best practices, baseline standards and requirements, and further legislative action are necessary to address IoT cybersecurity and to keep up with the changing landscape.

 
The information contained in this product is marked Traffic Light Protocol (TLP): WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction. 

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
 
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
