NJCCIC Weekly Bulletin | August 15, 2019

THE WEEKLY BULLETIN
August 15, 2019
TLP: WHITE

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.
Email Malvertising Campaign Detected
NJ State employees are being targeted in an email malvertising (malicious advertising) campaign that attempts to use exploit kits to deliver various malware variants. These emails are purportedly a weekly newsletter and contain links that lead to websites injected with malvertisements (malicious advertisements). The malvertisements use exploit kits, such as Fallout and RIG, to deliver malware, including AZORult and Gootkit, with the ability to steal credentials and collect browsing history, saved passwords, and autofill data, among other capabilities. The NJCCIC recommends users avoid clicking on advertisements within websites, run an ad blocker, and keep all hardware, software, and anti-virus/anti-malware updated.

Industry Report
Malwarebytes
The Malwarebytes Cybercrime Tactics and Techniques: Ransomware Retrospective report looks at the top ransomware families causing the most damage for consumers, businesses, regions, countries, and specific US states. Below are some key takeaways: 
  • Business detections of ransomware increased 365 percent between Q2 2018 and Q2 2019.
  • Consumer detections of ransomware have decreased over the last three quarters.
  • All top five ransomware families decreased for consumers in Q2 2019 over the previous quarter.
  • Ransomware attacks against cities and municipalities have increased in frequency, particularly in 2019.
  • Ryuk and Phobos were the most offending ransomware variants, increasing 88 and 940 percent over the previous quarter, respectively.
  • Nearly half of all ransomware detections occurred in North America in the last year.
  • The United States accounted for the most ransomware detections over other countries.
  • California, New York, and Texas were the top three states infected with ransomware.

Threat Alerts
Malware Attempts to Steal Credentials and Record Video of Victim
ESET researchers identified a malware variant, dubbed “Varenyky,” targeting users in France via spam emails. These emails contain a Word document attachment claiming to be a bill. Once opened, the document states that it is protected and requires human verification, a sneaky way to convince the user to enable macros. If macros are enabled, the malware determines the location of the targeted system. If the system is determined to be in France, the malware downloads and executes. The malware can then steal the victim’s passwords and record the user via the system's camera. The malware uses an FFmpeg executable to initiate video recording when it detects the word “sexe,” indicating the user may be visiting an adult content website. The video recordings could be used in extortion attempts. “Sextortion” emails have circulated since the summer of 2018 and claim to possess similar recordings. In those cases, however, there was no credible threat as no recordings actually existed. While the threat actors are currently focused on users in France, the malware could be used to target users in the United States. The NJCCIC recommends users review the ESET article, avoid opening email attachments from unknown senders, and refrain from enabling macros on documents received in email attachments.

News Website Targeted In Watering Hole Attack
FortiGuard Labs discovered a backdoor malware campaign targeting Chinese-speaking users through a Chinese news website hosted in the US. This watering hole attack exploits vulnerabilities in the website to inject links that deliver a backdoor to the computers of unsuspecting site visitors by exploiting known WinRAR and RTF file vulnerabilities, CVE-2018-20250 and CVE-2017-11882. The backdoor installs the malware “Sality,” which is able to harvest system data, collect screenshots, create file lists, launch reverse shells, download files, and steal clipboard text. The NJCCIC recommends users and administrators review the Fortinet article and the ZDNet article, use the indicators of compromise (IoCs) provided to harden their network, and keep anti-virus/anti-malware, hardware, and software updated.

DocuSign Phishing Campaign
Proofpoint discovered an active DocuSign phishing campaign targeting specific individuals at various organizations since late July. Stolen DocuSign branding and visual elements are used in the phishing emails and direct victims to fraudulent landing pages hosted at Amazon Web Services (AWS) public cloud storage (S3) and other public cloud infrastructure. A closer review of the source code of the landing pages reveals the encoding and variable names change with each deployment of the landing page to evade detection. This multibyte XOR obfuscation encoding technique was also analyzed by Proofpoint researchers in February 2016. The NJCCIC recommends users refrain from clicking on links or opening attachments delivered with unexpected or unsolicited emails, including those from known senders. If the user is uncertain of the email’s legitimacy, contact the sender via an alternate method. If credential compromise is suspected, users are advised to change credentials across all accounts that used the same login information and enable multi-factor authentication where available. For more technical details, please review the Proofpoint post.

Vulnerability Advisories
Vulnerable Drivers Could Allow Execution of Malicious Actions in Windows Kernel
Eclypsium security researchers released details of a design flaw present in more than 40 kernel drivers from 20 hardware vendors. The flaw allows low privilege applications to use legitimate driver functions to execute malicious actions in the Windows kernel and other highly sensitive portions of the Windows operating system. For example, malware running in the user space of the operating system could scan for a vulnerable driver and use it to gain full control of the system. These drivers are made in such a way that allows for arbitrary actions, instead of only allowing the drivers to perform specific tasks. The impacted hardware vendors have been notified by Eclypsium and patches have been issued. Microsoft is using its Hypervisor-enforced Code Integrity (HVCI) capability to blacklist reported drivers. The NJCCIC recommends users and administrators review the Eclypsium blog post for additional details and a list of impacted vendors, and apply patches to all impacted drivers.

Vulnerabilities in HTTP/2 Implementations Could Lead to DoS
Several vulnerabilities were identified that affect HTTP/2 implementations. Exploitation of these vulnerabilities (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518) could cause excessive system resource consumption and lead to a denial-of-service (DoS) condition. Vulnerability details and a list of affected products are provided in the CERT/CC Vulnerability Note. The NJCCIC recommends administrators install the latest updates from HTTP/2 implementers.
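The CERT/CC note groups most of these issues as floods of cheap client-side control frames (PING, RST_STREAM, SETTINGS, empty DATA) that the server must process but that deliver no useful request. The following is an added illustration, not code from the bulletin, from any HTTP/2 implementer, or from CERT/CC, of the kind of per-connection budget that patched implementations apply: a sliding-window counter of cheap frames that tells the server when to close the connection. The frame type names, the `ControlFrameLimiter` class, the hook that feeds it `(timestamp, frame_type)` pairs, and the sample traffic are all assumptions constructed for the example.

```python
from collections import deque

# Assumed frame-type labels as an HTTP/2 server hook might report them.
# "EMPTY_DATA" stands for a zero-length DATA frame; all of these are cheap
# for a client to send and expensive for an unprotected server to service.
CHEAP_FRAMES = {"PING", "RST_STREAM", "SETTINGS", "PRIORITY", "EMPTY_DATA", "CONTINUATION"}


class ControlFrameLimiter:
    """Sliding-window budget for cheap control frames on one connection.

    observe() returns True while the connection stays within budget and
    False on the first frame that exceeds max_frames within window_seconds.
    """

    def __init__(self, max_frames=50, window_seconds=1.0):
        self.max_frames = max_frames
        self.window = window_seconds
        self.recent = deque()  # timestamps of cheap frames still inside the window

    def observe(self, ts, frame_type):
        if frame_type not in CHEAP_FRAMES:
            return True  # ordinary HEADERS/DATA traffic is not counted
        self.recent.append(ts)
        # Drop timestamps that have aged out of the window.
        while self.recent and ts - self.recent[0] > self.window:
            self.recent.popleft()
        return len(self.recent) <= self.max_frames


def evaluate_connection(frames, **limiter_kwargs):
    """Replay (timestamp, frame_type) pairs through the limiter.

    Returns (True, None) if the connection stays within budget, otherwise
    (False, index) where index is the first frame that broke the budget.
    """
    limiter = ControlFrameLimiter(**limiter_kwargs)
    for i, (ts, frame_type) in enumerate(frames):
        if not limiter.observe(ts, frame_type):
            return False, i
    return True, None


def ping_flood(count=200, seconds=0.5):
    """Constructed abusive trace: `count` PING frames packed into `seconds`."""
    return [(i * seconds / count, "PING") for i in range(count)]


def normal_traffic():
    """Constructed benign trace: a request plus one keep-alive PING per second."""
    frames = [(0.3, "HEADERS"), (0.4, "DATA")] + [(float(i), "PING") for i in range(10)]
    return sorted(frames)


if __name__ == "__main__":
    print("flood:", evaluate_connection(ping_flood()))      # (False, 50)
    print("normal:", evaluate_connection(normal_traffic()))  # (True, None)
```

The budget applies only to cheap frames, so a legitimate client that sends a keep-alive PING every second never trips it, while a client that packs hundreds of PINGs into half a second is cut off at the fifty-first. Real implementations tune the threshold per frame type and also weigh frames against useful work delivered, but the sliding-window shape is the same.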

Flawed Microsoft CTF Protocol Could Provide Admin Credentials and Take Over Systems
Google security researcher Tavis Ormandy discovered that the CTF protocol used by Microsoft operating systems going back to Windows XP can be exploited to provide threat actors with elevated privileges and control over an affected system. The problem lies in the way Microsoft CTF (MSCTF) clients and servers communicate with each other. MSCTF is a protocol in the Text Services Framework (TSF) in Windows that manages input methods, keyboard layouts, text processing, and speech recognition. Since there is no access control or authentication, the successful exploitation of the protocol’s vulnerabilities could allow malicious actors to remotely take control of systems, execute arbitrary code, install programs, access and modify data, and create new accounts with full user permissions. The NJCCIC recommends users and administrators immediately apply updates to vulnerable systems after appropriate testing. Microsoft addressed the CTF protocol vulnerability CVE-2019-1162 in this week’s Patch Tuesday updates and provides details in their Security Update Guide. We encourage users to review the Google blog for more information and technical demos.

Breach Notification
State Farm
State Farm Mutual Automobile Insurance Company disclosed a data breach involving usernames and passwords for State Farm online accounts. During the attempted access, the malicious actor used username and password combinations against State Farm accounts and was able to receive confirmation of valid credentials; however, no sensitive information was accessed and no fraudulent activity occurred. State Farm has reset passwords to defend against this credential stuffing attack and recommends that affected users change their password.
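The pattern described here, many username and password pairs tried from one source, most of them failing, and a few succeeding and thereby confirming valid credentials, is what a credential stuffing detector looks for in authentication logs. The following is an added example, not State Farm's or the NJCCIC's code, of such a detector run over a constructed sample log. The log format (timestamp, source IP, username, result), the field values, and the thresholds are assumptions made for the example; the output lists the flagged sources and the accounts whose credentials were confirmed valid, which are the accounts that need a password reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format:
# "<ISO timestamp> <source ip> <username> <FAIL|SUCCESS>").
# 203.0.113.7 cycles through six usernames in six seconds; one of them works.
# 198.51.100.5 is one user mistyping a password twice. 192.0.2.9 touches three
# usernames spread over an hour, which is below the per-minute threshold.
SAMPLE_LOG = """\
2019-08-12T10:00:01Z 203.0.113.7 alice FAIL
2019-08-12T10:00:02Z 203.0.113.7 bob FAIL
2019-08-12T10:00:03Z 203.0.113.7 carol FAIL
2019-08-12T10:00:04Z 203.0.113.7 dave SUCCESS
2019-08-12T10:00:05Z 203.0.113.7 erin FAIL
2019-08-12T10:00:06Z 203.0.113.7 frank FAIL
2019-08-12T10:05:00Z 198.51.100.5 alice FAIL
2019-08-12T10:05:10Z 198.51.100.5 alice FAIL
2019-08-12T10:05:20Z 198.51.100.5 alice SUCCESS
2019-08-12T09:00:00Z 192.0.2.9 gina FAIL
2019-08-12T09:30:00Z 192.0.2.9 hank FAIL
2019-08-12T10:10:00Z 192.0.2.9 ivan SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_credential_stuffing(log_text, window_seconds=60, min_distinct_users=5):
    """Flag source IPs that try at least min_distinct_users distinct usernames
    inside any window of window_seconds. A single user retrying their own
    password never trips this, because the distinct-username count stays at 1.

    Returns {ip: {"distinct_users", "failures", "confirmed_valid"}}.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            by_ip[ip].append((ts, user, result))

    window = timedelta(seconds=window_seconds)
    findings = {}
    for ip, events in by_ip.items():
        events.sort()  # log lines need not arrive in time order
        start = 0
        flagged = False
        for end, (ts, _, _) in enumerate(events):
            # Slide the window start forward until it covers only window_seconds.
            while ts - events[start][0] > window:
                start += 1
            if len({u for _, u, _ in events[start:end + 1]}) >= min_distinct_users:
                flagged = True
                break
        if flagged:
            findings[ip] = {
                "distinct_users": len({u for _, u, _ in events}),
                "failures": sum(1 for _, _, r in events if r == "FAIL"),
                # Successful logins from a stuffing source are confirmed-valid
                # credentials: these accounts need a forced password reset.
                "confirmed_valid": sorted({u for _, u, r in events if r == "SUCCESS"}),
            }
    return findings


def accounts_to_reset(findings):
    """Union of confirmed-valid accounts across all flagged sources."""
    return sorted({u for f in findings.values() for u in f["confirmed_valid"]})


if __name__ == "__main__":
    found = detect_credential_stuffing(SAMPLE_LOG)
    for ip, info in found.items():
        print(ip, info)
    print("reset:", accounts_to_reset(found))
```

The distinct-username count is the key signal: a brute-force attack against one account and a legitimate user who forgets a password both produce repeated failures for a single username, while credential stuffing produces one or two attempts each across many usernames. The successes from a flagged source are the actionable output; resetting those passwords is the same response State Farm describes above.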

Threat Profiles
Android: No new or updated variants were added.
ATM Malware: No new or updated variants were added.
Botnet: No new or updated variants were added.
Cryptocurrency-Mining: One new variant: Norman.
Exploit Kit: No new or updated variants were added.
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: No new or updated variants were added.
Trojan: One updated variant: Ursnif.

ICS-CERT Advisories
Patches
Adobe (Acrobat, Reader)
Firefox
Intel
Microsoft
Throwback Thursday
Be Sure to Secure
Threat Analysis

Social Engineering Awareness
Beware of Fake Microsoft Account Unusual Sign-in Activity Emails
Comment: Even emails that appear to come from a legitimate source based on the sender email address and email content may end up being a carefully-executed phishing attempt. Users are advised to exercise caution with emails intending to invoke a sense of urgency or concern. Additionally, it is highly recommended that users avoid entering credentials for any account navigated to via links in emails or social media posts.
Security Warning for Software Developers: You are Now Prime Targets for Phishing Attacks
Comment: Software developers are most often targeted by hackers conducting activity against the technology industry, largely due to the increased likelihood that they have privileged access to their network. It is vital for individuals in technology and information security to be especially vigilant with emails they receive by ensuring they come from known senders and exercising caution when choosing to open attachments or click on links. It is also advised for these individuals to limit the professional information they share online to avoid increased targeting.

Cyber at a Glance
Are Your Out-of-Office Replies Revealing Too Much?
Comment: While many are aware of the implications of oversharing online, we often forget to take the same precautions at work. Something as seemingly innocuous as out-of-office replies could reveal enough information to assist a threat actor in conducting malicious activity against you or your organization. It is important to remember that out-of-office replies will go to known and unknown individuals alike and, therefore, the information they contain ought to be limited.
Many Local Governments Face a Cybersecurity Awareness Gap
Comment: Major cities have been targeted in recent ransomware attacks; however, smaller cities can experience a greater impact due to limited resources, including money, technology, and staff. Phishing emails are becoming increasingly sophisticated and continue to be an effective way to initiate and propagate cyber-attacks. Cybersecurity education is critical to teaching employees how to identify phishing emails and improves an organization's security posture regardless of size.
End User Device (EUD) Security Guidance
Comment: While users may consider information security for devices they are currently using, the security of information on devices no longer in use is often overlooked. Properly wiping out-of-use devices is key in ensuring sensitive data is not accessible to unauthorized parties, both nefarious and benign. Additional guidelines are to be followed when a device has been compromised with malware to prevent reinfection.

The information contained in this product is marked Traffic Light Protocol (TLP): WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction. 

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
