NJCCIC Weekly Bulletin | December 13, 2018

To view this email as a web page, go here.
December 13, 2018

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.

Several NJ Victims of Payroll Diversion BEC Scam

Over the past two weeks, the NJCCIC received several incident reports of business email compromise (BEC) scams that attempted to change employee direct deposit account information to an account controlled by the threat actor, known as payroll diversion. In these cases, oftentimes the perpetrator either spoofs an employee’s email address and contacts the finance or human resources department to request the changes, or spoofs an executive’s email address to request changes on behalf of an employee; in rarer cases, the victim’s actual email account has been compromised. The recently reported incidents have come from organizations in multiple sectors and, therefore, do not appear to be part of a targeted campaign. The NJCCIC recommends educating employees, particularly those in finance or human resources positions, about this and similar scams, and how to identify commonly used tactics like email spoofing. Procedural changes, such as requiring confirmation of any payroll modifications via multiple communication methods, can help to prevent future victimization. The NJCCIC also recommends the addition of “External Email” tags to the subject and body of emails that come from outside an organization and, therefore, require greater scrutiny.

Threat Alerts

New Android Trojan Targets PayPal Users

Image Source: ESET
In November, researchers at security firm ESET discovered a new Android banking trojan that targets mobile users who have the official PayPal app installed. The malware masquerades as a battery optimization app called “Optimization Android,” available on third-party app stores. Upon launch, the app terminates itself and hides its icon. A prompt seeming to originate from Android’s Enable Statistics service asks the user to grant the app access to observe user actions and retrieve window content. The malware then displays an alert to open the PayPal app, and, within five seconds, mimics user interaction to swiftly transfer funds to the attacker’s PayPal account. This process initiates after the user is logged in, letting it bypass multi-factor authentication (MFA). Users who do not have enough funds for the transfer or have no card linked to their account will not be affected. Those that do, however, may fall victim to multiple attacks, as the malware’s malicious accessibility executes whenever PayPal does. The malware’s other functionality allows it to produce phishing overlays on apps like Google Play, WhatsApp, Skype, and Gmail in order to obtain user credentials and payment information. Other features include the ability to delete, send, and intercept SMS messages; forward and make calls; install apps; start socket communications; and obtain user contacts. The NJCCIC recommends Android users only install apps from the official app store, evaluate app ratings and reviews for legitimacy, run a mobile security solution, and be aware of the permissions you grant to apps. For those who installed the malicious app, restart your device in Safe Mode to uninstall the app. For more information on the malware, visit ESET’s blog post, and for further recommendations, visit our Android Malware threat profile.

New Exploit Kit Targeting Home and Office Routers

Image Source: Trend Micro
Cybersecurity firm Trend Micro has identified a new exploit kit, dubbed Novidade, being delivered through multiple campaigns, with the earliest samples dating back to August 2017. A September campaign delivered the exploit kit over 24 million times to Brazilian residents via an instant message link, and a campaign in late October utilized an iframe on compromised websites to distribute the malware globally. Novidade targets home and small office routers, poisoning their Domain Name System (DNS) settings to resolve legitimate domain requests to phishing IPs hosted by the threat actor, also known as a pharming attack. The infection chain begins once a user accesses a compromised site and the page makes several HTTP requests to a list of local IPs used by routers. If a connection is established, the router is queried to download a base64-encoded exploit payload, which attacks the router with all Novidade’s exploits. Novidade then attempts to log in to the router with default credentials, and executes a cross-site request forgery (CSRF) attack to change the DNS server to the attacker’s malicious DNS server. At this point, all devices connected to the router are vulnerable. To protect yourself against Novidade, the NJCCIC recommends keeping device firmware up-to-date, changing your router’s default IP address and credentials, disabling remote access features, and only trusting HTTPS connections with sensitive data. For detailed information about Novidade, review the Trend Micro blog post, the NJCCIC Novidade threat profile, and for exploit kit mitigation techniques, review the NJCCIC Exploit Kit threat profile page.

Shamoon Malware Re-Emerges, Targets Italian Oil and Gas Company

A new variant of the Shamoon malware, made infamous for a cyber-attack on Saudi Aramco in 2012, recently infected the network of Saipem, an Italian oil and gas contractor. During the weekend of December 8th, the malware destroyed files on approximately ten percent of Saipem’s systems, the majority of which were located in the Middle East. The company’s systems for controlling industrial equipment were not affected. Remote Desktop Protocol (RDP) is suspected as the primary infection vector. Saipem is currently restoring their systems from back-ups. While details on this incident are scarce, more information will likely unfold in the coming days and weeks. The NJCCIC recommends organizations employ a defense-in-depth cybersecurity strategy, implement network segmentation, disable unnecessary ports and protocols, and maintain awareness of this and other emerging cyber threats. Some additional details on this incident can be found in the ZDNet article.

Vulnerability Advisory

Linux PolicyKit Vulnerability Allows for Super User

A vulnerability present in Linux’s PolicyKit application allows users with a user-id (UID) greater than the INT_MAX variable, which is set to 2147483647, to execute any systemctl command. It affects PolicyKit version 0.115, which is pre-installed on most Linux distributions. The vulnerability exists due to PolicyKit’s improper validation of permission requests for low-level users. Until a patch is released, it is recommended that administrators not allow any negative UIDs or UIDs greater than 21247483646. This vulnerability has been categorized by MITRE as CVE-2018-19788. The NJCCIC recommends reviewing the Red Hat advisory and following the recommended mitigations.

Threat Profiles
Android: No new or updated variants were added.
BotnetNo new or updated botnets were added.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: One new exploit kit: Novidade.
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: No new or updated variants were added.

Trojan: One updated variant: DanaBot.

ICS-CERT Advisories
Throwback Thursday
Threat Analysis
Be Sure to Secure

Patch Alerts

Social Engineering Awareness
Gift Card-Themed BEC Holiday Scams Spike
Comment: Threat actors are continuing attempts to capitalize off shoppers this holiday season. Festive BEC scams have been on the rise, making up 16 percent of all total email fraud, with that number still expected to grow. These scams target users with fraudulent gift card offers or ask that a donation be made among coworkers to a fake charity organization. Opening links or attachments from the emails results in malware downloads. Furthermore, angular phishing attempts are up 486 percent from last year. In these attacks, scammers inject false ads into conversations on legitimate social media brand pages. Keeping this in mind, it is crucial that you verify the legitimacy of any one person or organization you interact with online.

Cyber at a Glance
November 2018’s Most Wanted Malware
Comment: In November, four cryptocurrency miners occupied spots in the top 10 malware list, with Coinhive in the top spot for the 12th month, impacting 24 percent of organizations globally in the last year alone. The continued threat from cryptocurrency-mining malware highlights the importance of understanding what cryptocurrency miners do, how to identify them, and how to remove them from your system. To learn more about cryptocurrency-mining malware, visit the NJCCIC threat profile page here.


Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.



We respect your right to privacy - click here to view our policy.