NJCCIC Weekly Bulletin | July 3, 2019

To view this email as a web page, go here.
July 3, 2019

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.
Ryuk Ransomware Infections Continue
Ryuk ransomware is impacting organizations around the world, including those in New Jersey. In many of the recent Ryuk infections, the targeted network is also infected with the Emotet and/or TrickBot trojan, which are used to move laterally across the network. Any credentials compromised by the trojans are used to identify new systems and determine which to infect with the Ryuk ransomware. Multiple Florida and Georgia municipalities were infected with Ryuk over the last several weeks, in addition to multiple other incidents that have occurred this year. The UK’s National Cyber Security Centre (NCSC) released an advisory, Ryuk Ransomware Targeting Organisations Globally, sharing details of their ongoing investigation into global Ryuk ransomware campaigns. The NJCCIC discourages victims from paying the ransom if impacted by a ransomware infection and, instead, ensure they have a comprehensive data backup plan. Organizations are advised to implement a defense-in-depth cybersecurity strategy and follow the principle of least privilege. In addition to the NCSC advisory, review the following resources from the NJCCIC, Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Cybersecurity and Infrastructure Security Agency (CISA):

The FTC Targets Operators Behind RoboCalls
The Federal Trade Commission (FTC) has charged six corporations and three individuals with illegally robocalling financially distressed consumers, totaling over one billion calls nationwide. The FTC, in combined effort with the Department of Justice (DOJ), coined their new campaign “Operation Call It Quits.” Congress is also taking action with both the House and the Senate working on legislation to protect consumers. The FTC, DOJ, and NJCCIC advise users who receive robocalls to refrain from pressing any options, hang up immediately, block the number, and report the incident to the FTC online or call 1-877-FTC-HELP. 

Threat Alerts
Phishing Campaign Uses QR Codes to Evade URL Analysis
Image Source: Cofense
Some security products attempt to prevent phishing attacks by wrapping or analyzing URLs. However, a new phishing campaign uses QR codes to evade this URL analysis by tempting users to “scan bar code to view document” in a fraudulent SharePoint email. If scanned, the QR code redirects the user to a SharePoint-branded phishing website and prompts them to sign in with AOL, Microsoft, or “Other” account services. In addition, the phishing site is optimized for mobile viewing. Scanning the QR code on mobile devices may evade standard corporate security controls including secure email gateways, link protection services, sandboxes, and web content filters. The NJCCIC recommends users avoid scanning QR codes, clicking on links, and opening attachments from unsolicited or unexpected emails, even those appearing to be from known companies. Users are advised to, instead, navigate to websites by manually typing the URL into the address bar of their browser. Additionally, educating end users about this and similar threats can reduce victimization. Additional details may be found in the Cofense post.

Another Extortion Scam Claims to Have Installed Malware
Image Source: Bleeping Computer
Another extortion scam is making its rounds, this time claiming to have installed a remote access trojan onto the target’s network using the EternalBlue exploit. The scammer sends a threatening email claiming that when the target visited an adult content website, a trojan was installed on their device which recorded video of them. The scammer threatens to send the video to the target's contacts unless a ransom is paid. The scammer attempts to convince the target of their claim’s validity by referencing one of their passwords, making them believe the scammer has access to their device. This password, however, was likely obtained from a previous breach in which this information was exposed and not by compromising the target’s device. If you are currently using the password contained in the email, promptly change it for any associated accounts. The NJCCIC recommends users educate themselves and others on this and similar scams to prevent future victimization. To date, there is no indication that any of these threats are credible. Anyone who receives one of these extortion emails are advised to ignore and delete it. We encourage users to report cyber incidents via the NJCCIC Cyber Incident Report Form and the FBI’s Internet Crime Complaint Center (IC3) website.

Attackers Use Information Gathered in PCM Inc. Breach
to Conduct Gift Card Fraud
Image Source: DevOps Online
PCM Inc., a major US-based cloud solution provider whose clients include state and federal governments, suffered a network intrusion that allowed hackers to access clients’ email and file sharing systems. Although attribution cannot be confirmed, intelligence analysts concur that the threat actor is likely the same group that compromised Wipro earlier this year. According to KrebsOnSecurity, the attacker intends to confiscate client information and credentials in order to conduct gift card fraud at various retailers and financial institutions. Immediately upon notification of the cyber intrusion, PCM Inc. initiated an investigation, stating that impact was limited and the matter had been remediated. The NJCCIC recommends users ensure their anti-virus/anti-malware, hardware, and software are up-to-date, and enable multi-factor authentication where available. Educating others about this and similar threats can limit victimization. Users may refer to the RiskIQ report for further analysis and technical details. Users may report identity theft cases to the FTC at IdentityTheft[.]gov and incidents to the NJCCIC via the cyber incident report form.

US Cyber Command Issues Alert Regarding
Hackers Actively Exploiting Outlook Vulnerability
US Cyber Command issued an alert regarding threat actors actively abusing an Outlook vulnerability (CVE-2017-11774) to plant malware on government networks. This vulnerability was previously exploited in 2018 by the Iranian state-sponsored advanced persistent threat known as APT33. The malware samples recently uploaded by Cyber Command appear to be related to Shamoon activity, also associated with APT33. These samples include tools used for manipulating web servers and downloading additional malware onto infected networks. The NJCCIC recommends users and administrators apply updates to hardware and software as they become available and after appropriate testing. Users are highly encouraged to enable multi-factor authentication where available. More information can be found in the ZDNet article and FireEye report.

Vulnerability Advisories
Medtronic Issues Recall of MiniMed Insulin Pumps Due to Vulnerability
Image Source: IoT Security News
Medtronic issued a recall affecting MiniMed 508 and Paradigm series insulin pumps. A vulnerability (CVE-2019-10964) in these pumps could allow an attacker with adjacent access to change the insulin pump’s settings by connecting wirelessly to the device. Though the vulnerability cannot be remotely exploited and requires a high skill level to accomplish execution, the recall has been implemented due to the inability of the pumps to receive updates. At the time of this writing, there have been no known public exploits targeting this vulnerability. Please see the Medtronic security bulletin for a complete listing of affected devices. The NJCCIC advises users to stay attentive to pump notifications, alarms, and alerts, and maintain physical control of their pump and any attached devices. Additionally, users are encouraged to consider only using internet-connected devices that have the ability to receive updates. Medtronic recommends users of the affected products to consider upgrading to a newer insulin pump model with their healthcare provider. For technical details and mitigations please see the ICS-CERT Medical Advisory and the FDA News Release.

Teams Vulnerability Could Allow Malicious Packages to Run
The update mechanism for the Microsoft Teams desktop app contains a vulnerability that could allow privilege escalation while permitting the average user to download and execute arbitrary files. Researcher Reegun Richard also discovered that malicious code could be executed using Microsoft binary, labeling this a living-off-the-land (LotL) attack. This vulnerability similarly affects GitHub, WhatsApp, and UiPath; however, allowing only the downloading of files. Installation and updating procedures for these apps are managed by the open source project, Squirrel, and use NuGet package manager to administer files. A threat actor could potentially use Squirrel to insert a malicious package containing the shellcode ‘squirrel.exe’ to the NuGet package folder, which will download upon application update. The NJCCIC recommends users of Microsoft Teams desktop, GitHub, WhatsApp, and UiPath apply security updates as they become available. Users can refer to the CBR article or BleepingComputer article for more information.

Breach Notifications
Borough of Westwood, NJ
Around December 22, 2018, the borough of Westwood, New Jersey became aware of unusual activity on their network. An investigation confirmed that malware was introduced into the network on December 22 and that an unauthorized actor may have gained access to portions of the Westwood network that could have revealed names, Social Security numbers, driver’s license numbers or state identification numbers, and financial account or credit/debit card numbers. At the time of writing, there is no evidence the unauthorized actor viewed, accessed, or obtained any of this information. The borough is working with third-party forensic investigators to determine the full scope of the incident. Individuals are encouraged to monitor their credit report and financial accounts for unusual activity, and consider applying a security freeze on their credit profile. More information can be found in the borough’s Notice of Data Privacy Incident.
Data Management Company Attunity
Researchers at UpGuard discovered that Israeli data management company Attunity left three Amazon S3 buckets exposed to the internet with no authentication required to view the data. The information contained in these buckets included data from their clients, including Ford, Netflix, and TD Bank, such as backups of employees’ OneDrive accounts, email correspondence, system credentials, private keys for production systems, sales and marketing contact information, project specifications, and employee personal data. The data stores were discovered on May 13, 2019 and secured four days later. Qlik, owner of Attunity, stated they were still investigating the extent of the exposure. More information can be found in the UpGuard article.
MedicareSupplement.com, an insurance marketing website that assists users in finding supplemental medical insurance, has experienced a breach of approximately five million records. The unsecured MongoDB database is linked to the company’s marketing leads and was quickly secured upon notification. Compromised information includes full names, postal and email addresses, dates of birth, gender, phone numbers, and IP addresses. Nearly 239,000 of these exposed records included areas of interest, such as cancer insurance. Users affected by this breach could potentially become targets of social engineering schemes in the future. More information about this data exposure incident can be found in the Bleeping Computer article.
IoT Vendor Orvibo
Internet of things (IoT) vendor Orvibo leaked billions of user records via an exposed and unsecured ElasticSearch server. Orvibo runs the smart appliance platform SmartMate, used to manage a modern smart home. The exposed data includes logins, password resets, device heartbeats, logouts, customer email addresses, device IP addresses, usernames, and MD5-hashed passwords. A threat actor could use password reset codes to lock users out of their accounts. The security team at vpnMentor discovered the misconfigured server a few weeks ago and have attempted to contact Orvibo; however, the company has yet to respond or secure the server. More information can be found in the Forbes article.

Threat Profiles 
Android: No new or updated variants were added.
ATM Malware: No new or updated variants were added.
Botnet: One updated botnet: BrickerBot.
No new or updated variants were added.
Exploit Kit: No new or updated exploit kits were added.
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
 One updated variant: Ryuk.
Trojan: Two new variants: ELECTRICFISH, Ratsnif. Two updated variantsHawkEye, Trickbot.

ICS-CERT Advisories
Throwback Thursday
Be Sure to Secure
This is Security

Social Engineering Awareness
Threat Actors Are Doing Their Homework, Researchers Identify New Impersonation Techniques
Comment: FireEye researchers analyzed a sample set of 1.3 billion emails and have found an increase in three main social engineering attack vectors, identifying new impersonation techniques. Threat actors continue to leverage CEO impersonation fraud and have begun expanding their tactics. Two newly observed tactics this quarter were focused attacks on an organization’s Payroll and Accounts Payable departments. These targets may not be adequately prepared to identify an attack. Oftentimes, when the activity is discovered, the organization has already paid a fraudulent invoice. Providing cyber-related education to employees is vital in combating these attacks.
Phishing-as-a-Service Fuels Evasion Methods, Email Scam Growth
Comment: Phishing campaigns have evolved, now requiring minimal technical knowledge, effort, and cost to get started through Phishing-as-a-Service (PhaaS). PhaaS websites provide threat actors with a variety of resources including phishing templates and spam email lists. Additionally, many phishing campaigns utilize evasion techniques to bypass detection by security software and machine learning. The increase in phishing campaigns reinforces the need to be aware of social engineering tactics and practice good cyber hygiene.
Scammers Prey on Instagram Vanity and ‘Verified Account’ Status
Comment: A new phishing scam promises users the elusive account verified blue checkmark, leading them to a phishing page that steals their account credentials. Users are advised to avoid entering their credentials for this or any other account on pages navigated to via links in emails or social media posts. Users are urged to practice caution, as accounts of known contacts can be compromised and used to perpetuate these scams.

Cyber at a Glance
Anatomy of a Ransomware Attack: How Attackers Gain Access to Unstructured Data
Comment: Attackers use a variety of tactics to infiltrate systems and gain access to data, one of an organization’s most valuable assets. The increasing number of ransomware attacks reinforces the need to address underlying vulnerabilities to prevent infection or re-occurrence. Practicing good cyber hygiene, such as establishing strong passwords and multi-factor authentication, ensuring systems are patched and updated, requiring security awareness training, keeping multiple tested backups stored offline, and continuous network monitoring can significantly lower an organization’s cyber risk.
Over Reliance on Public Cloud Vendor Security Puts Data and Companies at Risk of Breach
Comment: As more organizations turn to third-party cloud service providers, security is becoming a shared responsibility. Organizations are required to perform due diligence since they are ultimately accountable for the confidentiality, integrity, availability, and privacy of information and information systems. Well-defined boundaries and the clarity of security expectations of all involved parties in contractual agreements are essential, especially regarding privileged access, critical business functions, recovery, and compliance and privacy.
Helping Survivors of Domestic Abuse: What To Do When You Find Stalkerware
Comment: Stalkerware is hidden software that can digitally track and monitor locations, phone calls, text messages and emails, photos and videos, and web browsing activity. Detection of installed stalkerware can be difficult and attempts to find it may be recorded on compromised devices. Possible signs of its presence include quickly-depleting battery life, increased data usage, and longer-than-usual response times. If the presence of stalkerware is suspected, users can reduce victimization by identifying and regulating apps and their permissions, creating and checking online accounts from a safe device, and performing factory resets.

The information contained in this product is marked Traffic Light Protocol (TLP): WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction. 


Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.



We respect your right to privacy - click here to view our policy.