NJCCIC Weekly Bulletin | August 8, 2019

To view this email as a web page, go here.
August 8, 2019

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.
Box File Sharing Phishing Campaign
The NJCCIC continues to observe phishing campaigns associated with cloud-based file sharing services such as SharePoint, OneDrive, and most recently, Box. Box is a trusted file sharing platform used by 95,000 companies across various industries. The phishing email appears to be from a known or otherwise legitimate user and contains an embedded URL that redirects a potential victim to a fraudulent Box login page. The initial embedded link is not malicious, allowing this activity to bypass security devices. The malicious site is hosted on a compromised server with the intent of harvesting account credentials. The spoofed login page may look very similar to the legitimate site; however, it appears to be an older version. As cloud-based file sharing services increase in popularity amongst businesses, threat actors will continue to simulate these sites for nefarious purposes. The NJCCIC recommends users remain vigilant and follow basic cybersecurity best practices. We strongly encourage educating users about this and similar threats and reminding them to avoid clicking on links or opening attachments delivered with unexpected or unsolicited emails, including those from known senders. If the user is uncertain of the email’s legitimacy, contact the sender via an alternate method. If credential compromise is suspected, users are advised to change credentials across all accounts that used the same login information and enable multi-factor authentication where available.

El Paso and Dayton Tragedy-Related Scams and Malware Campaigns
In the wake of the recent shootings in El Paso, TX, and Dayton, OH, the Cybersecurity and Infrastructure Security Agency (CISA) advises users to watch out for possible malicious cyber activity seeking to capitalize on these tragic events. Users should exercise caution in handling emails related to the shootings, even if they appear to originate from trusted sources. Fraudulent emails often contain links or attachments that direct users to phishing or malware-infected websites. Emails requesting donations from duplicitous charitable organizations are also common after tragic events. Be wary of fraudulent social media pleas, calls, texts, donation websites, and door-to-door solicitations relating to these events.
To avoid becoming a victim of malicious activity, users and administrators should consider taking the following preventive measures:
IRS Tax Security 2.0 – Taxes-Security-Together
Checklist for Tax Professionals
The Internal Revenue Service (IRS), united with its Security Summit partners, has issued a news release warning tax professionals of the continued growing threat of phishing emails. An estimated 90 percent of data theft incidents begin with a phishing email, oftentimes targeting tax professionals. Threat actors could use stolen data for various purposes, such as identity theft, or to create fraudulent returns. The Security Summit partners recommends tax professionals review cyber best practices, create a data security plan, and further educate personnel regarding cyber threats. The Security Summit partners have prepared a “Taxes-Security-Together” checklist to assist in this endeavor. Additional resources for tax professionals may be reviewed in the IRS news release.

Threat Alerts
GermanWiper Masquerades as Ransomware,
Rewrites Files and Destroys Data
Image Source: ZDNet
Since the end of July, GermanWiper malware has targeted users, particularly those in Germany. The malware is distributed via malicious emails that claim to be a job application from “Lena Kretschmer” with a résumé attached in a ZIP file. The ZIP file contains a LNK shortcut file that, when opened, installs GermanWiper. The malware masquerades as ransomware, appending new extensions to files and opening an HTML ransom note on the infected machine; however, it is actually wiper malware that rewrites local files with 0x00, permanently destroying the data. Though the ransom note claims to give the victim seven days to pay, paying the ransom in this case will not recover the user’s files and, therefore, victims are advised not to pay. Similar tactics are used in the US where threat actors often use ZIP files to deliver malware to end users as many email gateways are unable to properly scan the contents of these files for malware. The NJCCIC recommends users and administrators refrain from opening attachments or clicking links delivered with unsolicited or unexpected emails, and exercise extreme caution when receiving emails with ZIP file attachments, even those from known senders. Email security teams are encouraged to develop a process necessary to quarantine and analyze ZIP file attachments prior to their delivery to intended recipients. Users are advised against paying any ransom demand as paying does not guarantee file restoration and perpetuates the crime. For additional details on GermanWiper, please review the ZDNet article.

Unsubscribe Confirmation Request Scams
Image Source: BleepingComputer
An increase in unsubscribe confirmation scams has been observed, with the intent of collecting working email addresses to perform other attacks. The email may contain “Confirm your unsubscribe request” in the subject line and a generic message without specific information related to the unsubscribe request. If the unsubscribe button is clicked, then a new message will be created and sent to 15-20 email addresses for domains hosted by noip[.]com’s free dynamic DNS service. The NJCCIC recommends users avoid clicking on links and opening attachments within unsolicited or unexpected emails, even those appearing to be from known senders. Users are advised to, instead, navigate to websites by manually typing the URL into the address bar of their browser. If the user is uncertain of the email’s legitimacy, contact the sender via an alternate method. We advise users to refrain from responding to the email as this confirms delivery of the phishing email to the threat actor. Additionally, educating users about this and similar threats can reduce victimization. Further details may be found in the BleepingComputer post.

Warshipping Attacks
Image Source: SecurityIntelligence
IBM X-Force Red researchers have discovered a new technique called warshipping, which is used to exploit package deliveries and remotely access networks without detection. Unlike wardialing and wardriving techniques, warshipping utilizes disposable, low-cost, and low-power devices to remotely infiltrate corporate or personal home networks and further exploit existing vulnerabilities, steal sensitive information, and exfiltrate data or credentials. Warshipping may pose a greater risk during popular shopping seasons or when employees ship orders to their place of employment. The NJCCIC recommends users follow security best practices such as connecting to trusted wireless networks, implementing a package policy for employees to avoid personal packages sent to businesses, and refraining from bringing packages into secure areas.

Vulnerability Advisories
Zero-Day Flaw Discovered in Linux Systems
Image Source: KDE
A zero-day vulnerability has been discovered affecting nearly all Linux operating systems. The flaw resides in KDE 4 and 5, the desktop environment and applications interface, and could easily allow threat actors to execute code through a command injection in the KDesktopFile. The security researcher, Dominik Penner, elaborated that KDE permits shell expansion, allowing a threat actor to craft malicious .desktop and .directory folders and execute commands located in the “Icon” field. There are currently no known mitigation techniques or patches available at the time of this writing. The NJCCIC recommends Linux users update operating systems when patches are made available. Further details and a proof-of-concept demonstration are available in the BleepingComputer article.

Vulnerabilities in WiFi WPA3 Standard
Image Source: ZDNet
Security researchers discovered two vulnerabilities in addition to the five original vulnerabilities reported earlier in April 2019 in the WiFi Alliance’s WPA3 WiFi security and authentication standard. Both vulnerabilities allow malicious actors to leak information from WPA3 cryptographic operations and brute-force a WiFi network’s password. The first vulnerability, CVE-2019-13377, impacts WPA3’s Dragonfly handshake when using Brainpool curves. The second vulnerability, CVE-2019-13456, impacts the EAP-pwd implementation in the FreeRADIUS framework. At the time of this writing, the WiFi standard is being reviewed and updated with proper defenses. The NJCCIC recommends users patch systems as updates become available. We encourage users to review the technical details in the Dragonblood white paper and the ZDNet article.

Airdrop Flaw Exposes Apple Users to Cyber Attacks
Image Source: Help Net Security
A vulnerability within Apple Wireless Direct Link (AWDL) has been identified that could allow threat actors to perform various attacks including tracking users, injecting malware, and intercepting or modifying transmitted files through a man-in-the-middle (MiTM) attack. AWDL, or Airdrop, is a combination of wireless local area network (WLAN) and Bluetooth Low Energy (BLE) used to enable device-to-device communications. The flaw lies within the BLE discovery mechanism. AWDL is deployed in over one billion Apple operating systems and devices. The NJCCIC recommends that users of affected devices consider disabling Bluetooth to mitigate the risks of this Airdrop flaw. Further information regarding the AWDL vulnerability can be found in the ARS Technica article and the Help Net Security article.

Breach Notifications
An online North American marketplace, Poshmark, disclosed a breach by an unauthorized third party that gained access to its servers, stealing information belonging to US users such as usernames, one-way encrypted passwords salted uniquely per user, first and last names, gender information, and city of residence. Additional stolen information included clothing size preferences, user emails, social media profile information, and internal Poshmark account preferences. Poshmark did not disclose when the breach happened; however, no financial data or user addresses was stolen. Their Canadian userbase was not affected. They are notifying all customers by email on a rolling basis and recommending users change their passwords.
CafePress, a custom T-shirt and merchandise company, has suffered a breach that compromised approximately 23.2 million accounts. CafePress claims an update to their password policy initiated the mass password reset this week; however, at the time of this writing, the company has not acknowledged the breach. Compromised information includes email addresses, names, phone numbers, and physical addresses, which can be used by threat actors to further propagate illicit social engineering attempts. Approximately 12 million users’ passwords may have also been exposed, according to Troy Hunt, the founder of Have I Been Pwned, a site which allows users to verify if their account information may have been compromised due to a breach.  Impacted customers are advised to change passwords, avoid reusing compromised credentials, and monitor accounts for suspicious activity.
Jira Servers
A misconfiguration within Jira servers has publicly exposed internal sensitive information of several global organizations. Jira is a popular project management tool developed by Atlassian and is used by over 135,000 companies to track project tasks, details, and developments. The issue lies within the visibility options when creating new dashboards and filters. Some organizations include Google, Yahoo, NASA, United Nations, and CODIX –a financial software company used by various institutions and agencies within the European Union. This unintentional breach discloses valuable details that could provide research and development (R&D) information to rival companies or be used by threat actors to conduct future attacks. Further details regarding this breach can be found in the Medium article and the BleepingComputer article. Atlassian support provides application configuration instructions.

Threat Profiles 
Android: One updated variant: LokiBot. 
ATM Malware: No new or updated variants were added.
Botnet: One updated variant: Mirai
Cryptocurrency-Mining: No new or updated variants added.
Exploit Kit: One updated variant: RIG.
Industrial Control Systems: No new or updated variants were added.
No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.

Ransomware: One updated variant: MegaCortex.
Trojan: One new variant: LookBack. One updatedTrickbot.

ICS-CERT Advisories
Throwback Thursday
Be Sure to Secure
Threat Analysis

Social Engineering Awareness
Emerging Threats to Cloud-Based Business
Comment: Software as a Service (SaaS) applications, such as Office 365, are utilized in the cloud, shared by multiple users, and remain vulnerable to attack due to social engineering tactics and human error. Successful cyber-attacks allow threat actors to gain access to data and other sensitive information through compromised credentials. Artificial intelligence (AI) anomaly detection, one of many security measures, can help identify patterns and prevent phishing emails before user interaction begins. However, security awareness training is advised as users remain the weakest link.
How Spear Phishing Makes BEC Attacks So Effective
Comment: Spear-phishing and business email compromise (BEC) attacks begin by targeting specific individuals or groups, and continue by conducting reconnaissance on a victim. This targeted form of social engineering uses the information gathered on a target through digital methods for malicious intent—such as financial gain or breaching a network, to further propagate an attack. When reviewing a suspicious email, users are advised to implement PAUSE, an acronym which stands for Plausibility, Attachments, URLs, Sender’s address, and Ensure the validity.

Cyber at a Glance
Smart TVs: Yet Another Way For Attackers to Break Into Your Home?
Comment: Popular internet-enabled “smart” devices can create a better user experience and resolve issues with the help of technology and automation. However, they also provide opportunities for compromise through malware, social engineering, security vulnerabilities, poor configuration settings, and physical attacks through USB ports. These attacks could enable threat actors to hijack devices, record conversations, steal information, and infect systems.
The Risk of Weak Online Banking Passwords
Comment: Threat actors use exposed data found in various breaches to test banking accounts for vulnerabilities due to weak or recycled passwords. Unauthorized SIM swapping, phishing, and vishing are all possible methods used to attempt to gain access to a target’s multi-factor authentication (MFA), if enabled. The attacker may also link the target’s bank account to other apps and accounts already under the threat actor’s control, such as PayPal or Zelle. Leaders across the financial industry are working towards providing a secure, royalty-free standard access platform for consumers and are encouraged to enable MFA in combination with a strong, unique password.
Making the Case: How To Get The Board To Invest In Government Cybersecurity
Comment: Minimizing digital risk is highly recommended to support organization resiliency. Government sector CISOs have distinct challenges that differ from those facing peers in the private sector. Security leaders are urged to build trust through networking and getting involved in top priorities and projects. Cybersecurity affects all aspects of business and is advised to be a high priority.

The information contained in this product is marked Traffic Light Protocol (TLP): WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction. 


Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.



We respect your right to privacy - click here to view our policy.