NJCCIC Weekly Bulletin | December 20, 2018

TLP: WHITE

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.

They See You When You’re Sleeping, They Know When You’re Awake

The More IoT Devices in Use, the Greater the Opportunity for Threat Actors
In 2017, an estimated 8.4 billion connected devices were in use globally, up 31 percent from the year before. Researchers predict that number will reach 20.8 billion by 2020. The internet of things (IoT) introduces many features and conveniences into our lives by rapidly applying connectivity to everyday tasks, appliances, and home features, but it also introduces security and privacy concerns. Threat actors often target IoT devices to take control of them and add them to botnets used in other cyber-attacks. These devices can also allow threat actors to steal your data, collect account credentials, and manipulate device settings or actions. IoT devices will only continue to become a greater part of our daily lives, with a notable increase this time of year as many people receive connected devices as holiday gifts; therefore, it is vital to implement security controls to properly secure these devices. Below are just a few tips and best practices:
  • Change default credentials immediately. Threat actors can easily obtain manufacturer default credentials to compromise your devices.
  • Enable multi-factor authentication on all devices that offer it. This will help protect you against account compromise via credential theft.
  • Keep your devices’ firmware up-to-date. Apply patches in a timely manner; this will prevent threat actors from exploiting known vulnerabilities.
  • Disable any unused or unneeded features. This will reduce the device’s attack surface, lowering your risk.
  • Avoid connecting IoT devices to unsecured, public Wi-Fi networks. Threat actors may have access to these networks and can target your devices.
  • Secure your home Wi-Fi network. Your IoT devices will often, if not always, run on your home network.
    • Ensure you are using the most secure protocol available, likely WPA2 or WPA3, and establish a strong, hard-to-guess password.
    • Set up a firewall at your router. This acts as a barrier between possible threat actors and your network devices.
    • Consider disabling SSID broadcasting. This prevents your Wi-Fi network from populating into a list of available networks.
For additional tips on how to secure your Wi-Fi network, read the NJCCIC Be Sure to Secure post “How to Configure and Secure a Home Wi-Fi Router.”
 
For more information on securing IoT devices, see the US-CERT Security Tip ST17-001.

Announcement
 

NJOHSP #IntelUnclass Podcast

Hacking Your Holiday – How to Protect Yourself From Cyber Criminals This Holiday Season

During the holiday season, it is important to maintain awareness of the many threats posed by cyber criminals while shopping online and in stores. The National Retail Federation estimates that Americans will exceed last year’s holiday spending to total between $717-720 billion between November and December. As the popularity of online shopping continues to increase, so does the number of potential unsuspecting victims for cyber criminals to exploit. Scammers may target victims through a variety of methods, including via phone calls, text messages, emails, compromised websites, or unsecured Wi-Fi networks. This week, a cyber threat intelligence analyst at the NJCCIC discusses proactive steps to reduce your risk and make it harder for cyber criminals to succeed this holiday season. Read the NJCCIC Be Sure to Secure post “Stay Cyber Safe This Holiday Season,” here.

Threat Alerts
 

New Phishing Tactic to Steal Office 365 Account Credentials

Xavier Mertens of ISC discovered a new phishing campaign targeting individuals with emails meant to look like non-delivery notifications from Microsoft Office 365. The message states that “Microsoft found Several Undelivered Messages” and prompts users to click on a “Send Again” link, citing server congestion as the cause. The “Send Again” link leads to a phishing site that auto-populates the user’s email address and prompts them to sign into their Office 365 account. Once the user enters their password and clicks “Sign in,” they are redirected to the legitimate Office 365 login page. The NJCCIC strongly recommends never using links provided in unsolicited emails to visit websites requiring the input of account credentials. Instead, we advise visiting the account’s associated website by typing the legitimate address directly into the URL field of your web browser. Additionally, enable multi-factor authentication on all accounts that offer it to prevent unauthorized access as a result of credential compromise.

Extortion Scams Threaten Physical Violence

Last week, threat actors behind scams similar to the previously covered “sextortion” scams escalated their tactics to include threats of physical violence via bomb scares. Now, in the latest extortion email campaign, bad actors are threatening victims with execution via a hitman. The threat actor claims someone bought the execution service off their site on the Dark Web, and, for a bitcoin payment of $4,000, states they will consider calling off the hitman and releasing information on who ordered the attack. The emails are poorly written and filled with grammar and spelling mistakes, clear indications of illegitimacy. Because the scams threaten physical violence, they have garnered a lot of attention from law enforcement and the public. While alarming, it is important to remember that all of these extortion threats are unsubstantiated and have not proven to be credible. The NJCCIC recommends users educate themselves and others on this and similar scams. Incidents may be reported to the NJCCIC via our incident reporting page and to the FBI’s Internet Crime Complaint Center (IC3) via their website. BleepingComputer further details this scam in their recent blog post.

Sharpshooter Implant Spies on Major Global Industries

The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered an advanced reconnaissance campaign targeting nuclear, defense, energy, and financial sectors worldwide. Dubbed “Operation Sharpshooter,” the campaign surfaced in October this year, affecting over 87 organizations, most of them English-speaking. The malware spread through what appeared to be a legitimate job recruitment Microsoft Word document hosted on Dropbox. Once opened, a malicious macro in the document executes shellcode to insert the Sharpshooter downloader into Word’s memory. The downloader contacts its control server and downloads two files: a second-stage, persistent payload known as Rising Sun in %Startup%\mssync.exe, and a decoy Word document. McAfee details fourteen capabilities of the backdoor, including command execution; process launching and termination; file reading, writing, and deletion; connection to an IP; memory clearing; and other information gathering techniques. Data is exfiltrated back to the control server through HTTP POST requests, making it harder for humans or intrusion detection systems to identify. Many similarities to the 2015 backdoor, Duuzer, indicate Rising Sun may be affiliated with the Lazarus Group, but this is not yet confirmed. The NJCCIC strongly discourages enabling macros in documents that arrive in unexpected or unsolicited emails, advises caution when enabling macros in documents from known senders, and recommends keeping anti-virus/anti-malware, hardware, and software up to date. More information and indicators-of-compromise (IOCs) are detailed in McAfee’s blog post.
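The Rising Sun payload persists by dropping an executable directly into the Startup folder. A simple defensive check a practitioner can run is to list executable-type files sitting in that folder (a normal Startup folder holds shortcuts, not binaries) and record their hashes for comparison against published IOCs. The following is an added example written for this bulletin, not code from McAfee or the NJCCIC; the extension list, the allowlist parameter, and the sample folder built by `demo()` are assumptions constructed for illustration, and the file bytes it writes are placeholders, not malware.

```python
import hashlib
import os
import tempfile

# Assumed list of file types that should not normally sit directly in a Startup
# folder; a healthy Startup folder usually contains only .lnk shortcuts.
EXEC_EXTS = {".exe", ".dll", ".scr", ".vbs", ".js", ".jse", ".bat", ".cmd", ".ps1", ".hta"}


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def suspicious_startup_entries(folder, allowlist=frozenset()):
    """Return [(filename, sha256)] for executable-type files in `folder`
    whose names are not on the (hypothetical) allowlist.  The hashes can be
    compared against vendor-published IOCs or submitted to an IR team."""
    findings = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext in EXEC_EXTS and name.lower() not in allowlist:
            findings.append((name, sha256_of(path)))
    return findings


def demo(allowlist=frozenset()):
    """Build a constructed Startup folder in a temp dir and scan it.
    Both files contain placeholder bytes, not real programs."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "OneNote.lnk"), "wb") as f:
            f.write(b"shortcut placeholder")
        with open(os.path.join(d, "mssync.exe"), "wb") as f:
            f.write(b"constructed sample bytes")
        return suspicious_startup_entries(d, allowlist)


if __name__ == "__main__":
    # On a real Windows host the per-user folder is
    # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    for name, digest in demo():
        print(f"{name}  sha256={digest}")
```

Run against the real per-user and all-users Startup folders on a Windows host, anything reported that the machine's owner cannot account for is worth pulling for analysis; the allowlist exists so that known, sanctioned entries do not generate noise on every run.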

Clever Apple Scam Alleges Fake Purchase, Steals Information

An advanced, widespread phishing campaign aims to steal Apple account credentials and other sensitive information through an email alleging a purchase was made from the Apple App Store. Users are receiving these emails with a PDF receipt attached that contains malicious, shortened links where one can supposedly dispute the purchase. Clicking on the links, however, brings users to a malicious site identical to the Apple login page. The only noticeable difference is a suspicious-looking URL. If user credentials are entered, a notice appears stating the account has been locked for security reasons and asks that more personal information be provided to confirm the user’s identity. This page asks for a full name, address, telephone number, social security number, date of birth, payment information, security question answers, and driver's license or passport number. If completed, the site states your verification is confirmed and redirects you to the legitimate Apple website, which displays a message saying your session has timed out for security reasons, corroborating the scam’s story. To protect yourself against this and similar scams, the NJCCIC recommends never clicking on links or opening attachments delivered with unexpected or unsolicited emails, and accessing account login pages by manually typing the company’s URL into your browser. More information on this campaign can be found via BleepingComputer’s post.
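Both the Office 365 and the Apple campaigns above rely on the same trick: a link whose text looks legitimate but whose host is not the real login domain, sometimes hidden behind a URL shortener. The advice in both items, go to the site by typing its address yourself, can be backed by an automated triage step that extracts every link from an email and classifies its host. The following is an added example written for this bulletin, not code from ISC, BleepingComputer or the NJCCIC; the allowlist `LEGIT_DOMAINS`, the shortener list, and `SAMPLE_EMAIL` are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: the only hosts a user should ever be sent to for these logins.
LEGIT_DOMAINS = {"microsoftonline.com", "office.com", "apple.com"}
# Public URL shorteners hide the true destination, as in the Apple receipt PDF.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Constructed sample message modelled on the lure described above; not a real email.
SAMPLE_EMAIL = """Microsoft found Several Undelivered Messages.
Click Send Again: https://office365-mail.example/sendagain?user=alice
Dispute the purchase: https://bit.ly/3xyzabc
Reference only: https://login.microsoftonline.com/
"""


def host_of(url):
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registered_domain_matches(host, domain):
    """True only when host IS the domain or a genuine subdomain of it.
    'apple.com.evil.example' does not match 'apple.com'."""
    return host == domain or host.endswith("." + domain)


def classify_link(url, legit=LEGIT_DOMAINS, shorteners=SHORTENERS):
    host = host_of(url)
    if not host:
        return "unparseable"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "raw-ip"           # login pages are never served from bare IPs
    if host in shorteners:
        return "shortener"        # destination hidden; treat as suspect
    for d in legit:
        if registered_domain_matches(host, d):
            return "legitimate"
    for d in legit:
        brand = d.split(".")[0]
        if brand in host:
            return "lookalike"    # brand name used as a decoy label
    return "unknown"


def triage_email(body):
    """Return [(url, verdict)] for every link found in the message body."""
    urls = (m.rstrip(".,;") for m in URL_RE.findall(body))
    return [(u, classify_link(u)) for u in urls]


if __name__ == "__main__":
    for url, verdict in triage_email(SAMPLE_EMAIL):
        print(f"{verdict:12} {url}")
```

The lookalike rule is deliberately broad (any host containing the brand word that is not on the allowlist); in a mail gateway that is the right trade-off, because a false positive costs a click-through warning while a miss costs an account.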

Vulnerability Advisory
 

Vulnerabilities in ASUS Routers Could Allow Code Execution

Security researcher Diego Juarez of SecureAuth discovered several vulnerabilities in drivers of ASUS routers that could allow threat actors to elevate privileges and execute code. The vulnerabilities exist in ASUS Aura Sync versions 1.07.22 and prior. There are currently no patches or workarounds available to mitigate the flaws. The NJCCIC recommends reviewing the SecureAuth article on the vulnerabilities and applying any patches if they become available.

Breach Notification
 
Facebook API
Facebook announced that a flaw in its application programming interface (API) may have allowed photos from 6.8 million accounts to be accessed by unauthorized third parties. While these applications received user permissions to access Facebook photos, they are ordinarily restricted to content published on the user’s Timeline; however, from September 13 through September 25, this permission extended to other sections of the user’s profile, such as Marketplace, Facebook Stories, and photos the user uploaded but never published. Facebook estimates that 1,500 apps from 876 developers could have accessed the image content during this time. Potentially impacted users will be notified via Facebook.

Threat Profiles
 
Android: No new or updated variants were added.
Botnet: No new or updated botnets were added.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: No new or updated exploit kits were added.
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: One new variant: LamePyre.
Point-of-Sale: No new or updated variants were added.
Ransomware: One updated variant: Hidden Tear.
Trojan: One updated variant: Quasar RAT.

ICS-CERT Advisories
 

Patch Alerts
 


Throwback Thursday
 
Threat Analysis
Be Sure to Secure

Social Engineering Awareness
This Business Email Scam Spreads Trojans Through Google Cloud Storage
Comment: Business Email Compromise (BEC) scams target employees through the impersonation of a co-worker, supervisor, CEO, etc., in order to gain privileged company information or install malware. A recent campaign seen targeting financial institutions in the US and UK utilized a legitimate, trustworthy storage service – Google Cloud Storage – to host malicious payloads and deceive email security filters. These payloads typically masquerade as invoices that, once executed, install remote access trojans (RATs), such as the Houdini malware. The financial sector will continue to face innovative delivery methods such as this, highlighting the importance and need for employee security awareness.
Save the Children Charity Org Scammed for Almost $1 Million
Comment: Individuals behind a BEC scam dating back to May 2017 created false payment documents and sent them to individuals authorized to make money transfers at the charity organization Save the Children. The perpetrators successfully misdirected close to $1 million from the organization. BEC scams are rampant, impacting over 19,000 people in the US between June 2016 and May 2018 alone and costing victims a total of $1.6 billion. Individuals are advised to closely examine any requests for payment or money transfers and verify these requests through another means of communication before complying.

Cyber at a Glance
The Most Popular Passwords of 2018 Revealed. Are You Using Them?
Comment: Password security company SplashData released its annual list of the most commonly used passwords. The top two remain unchanged at “123456” and “password,” respectively. In a sign that some are at least attempting to use longer passwords, the third-most used password was “123456789,” up three spots from last year. This insecure list of passwords is a reflection of both users failing to establish strong passwords as well as companies failing to require strong passwords. To better secure your accounts, establish long, complex passwords and enable multi-factor authentication for every account that offers it.
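The comment above notes that the list reflects companies failing to require strong passwords as much as users failing to choose them. A server-side check that rejects the published common passwords, and their trivial disguises such as capitalization, trailing years and letter-for-digit swaps, is the control that addresses the second half. The following is an added example written for this bulletin, not SplashData's or the NJCCIC's code; `COMMON_PASSWORDS` is a constructed excerpt containing only the three entries the bulletin names plus a few placeholders, and the 12-character minimum is an assumed policy value.

```python
import re

# Constructed excerpt; only "123456", "password" and "123456789" come from the
# bulletin, the rest are placeholders standing in for a full published list.
COMMON_PASSWORDS = {"123456", "password", "123456789", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 12  # assumed policy minimum

# Common letter-for-symbol substitutions, reversed so "p@ssw0rd" collapses to "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw):
    """Strip the mutations people bolt onto a weak base word: case,
    trailing digits/punctuation (e.g. '2018!'), and leet substitutions."""
    base = pw.lower()
    base = re.sub(r"[\d\W_]+$", "", base)
    return base.translate(LEET)


def password_problems(pw):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    elif normalize(pw) in COMMON_PASSWORDS:
        problems.append("trivial variant of a common password")
    if re.fullmatch(r"\d+", pw):
        problems.append("digits only")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd2018!", "correct horse battery staple"):
        print(repr(candidate), "->", password_problems(candidate) or "ok")
```

The normalization step is the part worth keeping: a plain blocklist lookup accepts "Password1!" even though it offers no more resistance to a guessing attack than "password" does.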
New Malware Pulls its Instructions from Code Hidden in Memes Posted to Twitter
Comment: A newly discovered malware uses a unique method to obtain its instructions: Twitter memes. Malware on an infected device watches a Twitter feed controlled by a threat actor, obtains any posted meme images, and executes commands that are hidden within the images’ source code. This particular malware only grabbed screenshots, but included code that could have obtained running processes, clipboard content, filenames, and usernames. By connecting to Twitter for commands, the malware is more likely to evade detection. This malware demonstrates that threat actors will use any creative means necessary to stay under the radar and carry out attacks.

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
 
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
