NJCCIC Weekly Bulletin | October 18, 2018

THE WEEKLY BULLETIN
October 18, 2018
TLP: WHITE

Garden State Cyber Threat Highlights

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.

Banking Trojan Infections Persist Throughout the State

The NJCCIC continues to receive reports from New Jersey businesses and organizations that have been victimized by cyber-attacks stemming from banking trojans, such as TrickBot and Emotet. Banking trojans are deployed by threat actors to obtain credentials for sensitive accounts, such as those for online banking and shopping. The majority of these incidents involved malicious, payment-themed emails which appeared to come from a contact familiar to the recipient. Recently, the NJCCIC also detected an email campaign attempting to deliver the TrickBot banking trojan to New Jersey government accounts. These emails appear to come from PayPal, are sent from an address that includes “noreply,” and display the subject line “PayPal account verification form. First warning.” A malicious Microsoft Word document with the filename of “pp-” followed by random digits is attached. If recipients open the document and enable macros to run, TrickBot will install onto their system and download additional malware and modules. The NJCCIC recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network and perform a full system scan using a reputable anti-virus/anti-malware solution. Proactively change administrative, domain controller, and user passwords for financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available. Organizations are advised to implement Domain-based Message Authentication, Reporting, and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) to help detect and prevent email spoofing.

FlawedAmmyy Remote Access Trojan

The NJCCIC recently detected an uptick in malicious emails attempting to deliver the FlawedAmmyy remote access trojan (RAT) to State employees. FlawedAmmyy is a RAT that provides threat actors with full control over infected systems including Remote Desktop control, proxy support, audio chat, and file system manager functionalities. Emails related to recent campaigns display subject lines such as “Invoice for” followed by random digits and the date, and contain an attached Microsoft Word document titled "Invoice" with random numbers. If recipients open the attached file and enable the macros, FlawedAmmyy will download onto their machine. As emails related to this campaign have previously evaded detection by some email security gateways, organizations are encouraged to notify users of this threat and how to identify messages delivered with this campaign. The NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. If a FlawedAmmyy infection is strongly suspected but your anti-virus solution cannot detect or remove it, consider reimaging the affected system’s hard drive. Also, proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available. 
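The two campaigns above are described by a small set of lure characteristics: sender address, subject line and attachment name. The following Python script is an added example, not part of the bulletin or any NJCCIC tooling, showing how a mail administrator could turn those published characteristics into a triage check that flags matching messages for review before users see them. The message objects and addresses are constructed for illustration (example.com is a reserved name); the regular expressions are an assumption about how the bulletin's descriptions ("pp-" followed by random digits, "Invoice" with random numbers) would appear in practice and should be tuned against real captures.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    subject: str
    attachments: list = field(default_factory=list)  # attachment file names only


# Each campaign is matched on the lure described in the bulletin. The subject and
# attachment patterns are both required; the sender pattern only adds a reason,
# because the sending address varies between waves. Patterns are assumptions
# derived from the bulletin's wording, not published signatures.
CAMPAIGNS = [
    {
        "name": "TrickBot (PayPal lure)",
        "sender": re.compile(r"noreply", re.I),
        "subject": re.compile(r"^PayPal account verification form\. First warning\.$", re.I),
        "attachment": re.compile(r"^pp-\d+\.(doc|docm|dot|dotm)$", re.I),
    },
    {
        "name": "FlawedAmmyy (invoice lure)",
        "sender": None,
        "subject": re.compile(r"^Invoice for \d+", re.I),
        "attachment": re.compile(r"^Invoice\s?\d+\.(doc|docm|dot|dotm)$", re.I),
    },
]


def match_campaigns(msg):
    """Return [(campaign_name, reasons)] for every campaign whose subject and
    attachment patterns both match; 'sender' is appended as a supporting reason."""
    hits = []
    for c in CAMPAIGNS:
        reasons = []
        if c["subject"].search(msg.subject):
            reasons.append("subject")
        if any(c["attachment"].search(a) for a in msg.attachments):
            reasons.append("attachment")
        if c["sender"] is not None and c["sender"].search(msg.sender):
            reasons.append("sender")
        if "subject" in reasons and "attachment" in reasons:
            hits.append((c["name"], reasons))
    return hits


def triage(messages):
    """Return (index, campaign_name, reasons) for every flagged message."""
    flagged = []
    for i, msg in enumerate(messages):
        for name, reasons in match_campaigns(msg):
            flagged.append((i, name, reasons))
    return flagged


# Constructed sample messages (not real captures); example.com is a reserved name.
SAMPLE_MESSAGES = [
    Message("noreply-service@example.com",
            "PayPal account verification form. First warning.",
            ["pp-73914.doc"]),
    Message("billing@example.com",
            "Invoice for 48213 10/16/2018",
            ["Invoice 48213.doc"]),
    Message("accounting@example.com",
            "Invoice for services rendered",
            ["invoice.pdf"]),
]

if __name__ == "__main__":
    for i, name, reasons in triage(SAMPLE_MESSAGES):
        print(f"message {i}: {name} matched on {', '.join(reasons)}")
```

Requiring both the subject and the attachment pattern keeps false positives down on ordinary invoice traffic; a macro-capable Word attachment on an unexpected message is still worth a closer look even when no campaign pattern matches.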

Announcements

National Cybersecurity Awareness Month

This October marks the 15th annual National Cybersecurity Awareness Month. The theme for week three, October 15-19, is It’s Everyone’s Job to Ensure Online Safety at Work. When you are on the job – whether it’s at a corporate office, local restaurant, healthcare provider, academic institution or government agency ‒ your organization’s online safety and security are a responsibility we all share. And, as the lines between our work and daily lives become increasingly blurred, it is more important than ever to be certain that smart cybersecurity carries over between the two. Week three will focus on cybersecurity workforce education, training, and awareness while emphasizing risk management, resistance, and resilience. The National Cyber Security Alliance’s CyberSecure My Business™ is a national program that helps small and medium-sized businesses protect themselves, their employees, and their customers against the most prevalent threats. For additional resources and information on cybersecurity best practices, review the NJCCIC’s National Cybersecurity Awareness Month page, here. 

Internship Opportunities

Are you a college student looking for a challenging and rewarding internship that could lead to career opportunities? The NJCCIC is looking for you! We will be accepting applications for our Spring Internship Program through November 2, 2018. The Spring Internship Program will run from January through April. Spring interns must list their availability on their application to help determine their weekly schedule.  For more information and to apply, visit the New Jersey Office of Homeland Security and Preparedness website. 

Industry Report

Malwarebytes Labs released their “Cybercrime tactics and techniques: Q3 2018” report, available here. Some key takeaways are below:
 
  • Banking trojans were the number one detection for both business and consumer Malwarebytes customers this quarter, largely due to an active and widespread Emotet campaign.
  • Malicious cryptomining decreased by 26 percent for businesses from Q2 2018.
  • Ransomware business detections increased 88 percent while consumer detections decreased in Q3.
  • Remote Access Trojans (RATs) ramped up the action this quarter, and were distributed primarily via malspam, though exploit kits also played a part.
  • Adware decreased 19 percent for consumers but increased 15 percent for businesses in Q3.

Threat Alerts
 

Extortion Scam Claims Victim’s Email Account is Hacked

A new extortion campaign is targeting users with scam emails that appear to come from the recipient’s own email account. Similar to recent extortion schemes that included the victim’s password or partial phone number, these spoofed messages claim that the recipient’s email account has been compromised and that threat actors have installed malware onto their device. Emails associated with this campaign display the subject line “[Email address] + 48 hours to pay,” and the body of the message states that the perpetrator has recorded the victim visiting adult content websites and gained access to their social media accounts and messages. An extortion payment is then demanded or the actor will release the video and other personal information to the victim’s contacts. It is important to note that the perpetrators of this scam are simply spoofing recipients’ email addresses and have not actually compromised their accounts. The NJCCIC recommends users educate themselves and others on this and similar scams to prevent future victimization. Additionally, organizations are advised to implement Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) to help detect and prevent email spoofing. Cyber incidents may be reported to the NJCCIC via our incident reporting page and to the FBI’s Internet Crime Complaint Center (IC3) via their website. 
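Both this alert and the banking trojan item above recommend DMARC, SPF and DKIM because the scam works only if a message that forges the recipient's own address is accepted. The following Python script is an added example, not from the bulletin, showing what a weak and a hardened pair of DNS records look like and how to read them: it parses the DMARC and SPF TXT records for a domain and reports whether a message forging that domain in the visible From: header would be rejected by a receiver honouring the policy. The records and addresses are constructed (example.org, example.net and the 192.0.2.0/24 test network are reserved for documentation); DKIM is not evaluated here because that requires a selector and a signed message rather than a single record.

```python
import re


def parse_dmarc(record):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a dict of
    lower-cased tags. Returns {} when the record is missing or not DMARC."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def spf_all_qualifier(record):
    """Return the qualifier on the terminal 'all' mechanism of an SPF record:
    '-' fail, '~' softfail, '?' neutral, '+' pass; 'missing' if absent."""
    if not record or not record.strip().lower().startswith("v=spf1"):
        return "missing"
    for term in record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.I)
        if m:
            return m.group(1) or "+"
    return "missing"


def assess_spoofing_posture(spf_record, dmarc_record):
    """Judge whether mail forging the domain in the visible From: header would be
    rejected by a receiver that honours SPF and DMARC, and list the weaknesses."""
    spf_q = spf_all_qualifier(spf_record)
    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "missing").lower()
    pct = int(dmarc.get("pct", "100"))
    notes = []
    if spf_q == "missing":
        notes.append("no SPF record (or no 'all' mechanism): any host may send as this domain")
    elif spf_q in ("~", "?", "+"):
        notes.append(f"SPF ends in '{spf_q}all': unauthorized senders only softfail or pass")
    if policy == "missing":
        notes.append("no DMARC record: SPF/DKIM results are not tied to the From: header")
    elif policy == "none":
        notes.append("DMARC p=none only monitors; spoofed From: still lands in inboxes")
    elif policy == "quarantine":
        notes.append("DMARC p=quarantine sends failures to spam rather than rejecting")
    if policy in ("reject", "quarantine") and pct < 100:
        notes.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    rejected = policy == "reject" and pct == 100
    return {"spf_all": spf_q, "dmarc_policy": policy,
            "spoof_rejected": rejected, "notes": notes}


# Constructed record pairs (SPF, DMARC) for a hypothetical example.org:
# a common monitoring-only setup beside an enforcing one.
WEAK = ("v=spf1 include:_spf.example.net ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org")
HARDENED = ("v=spf1 ip4:192.0.2.10 -all",
            "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.org")

if __name__ == "__main__":
    for label, pair in (("weak", WEAK), ("hardened", HARDENED)):
        result = assess_spoofing_posture(*pair)
        print(label, "spoof rejected:", result["spoof_rejected"])
        for note in result["notes"]:
            print("  -", note)
```

The check is deliberately strict: only p=reject applied to 100 percent of failing mail counts as "rejected", because p=none is purely a reporting mode and a softfail SPF record on its own does not stop a forged From: header. In practice the records are fetched with a DNS TXT lookup for the domain and for _dmarc.<domain>; the sample records above stand in for that lookup so the script runs offline.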

New Malware Targets Industrial Control Systems

A threat group, dubbed GreyEnergy, is targeting industrial control system workstations and servers running supervisory control and data acquisition (SCADA) software. The group targets these systems with the GreyEnergy malware, which is capable of obtaining backdoor access, exfiltrating files, capturing screenshots, logging keystrokes, and stealing credentials. The malware is being used for espionage and reconnaissance activity and currently has no destructive capabilities; however, the malware’s modular architecture allows it to expand its capabilities. Researchers at ESET consider GreyEnergy the successor to the BlackEnergy malware used in the 2015 Ukrainian blackout cyber-attack and link it to the TeleBots group responsible for the NotPetya attack of 2017. GreyEnergy has targeted energy companies in Ukraine and Poland. The NJCCIC recommends energy and other critical infrastructure companies review the ESET report on GreyEnergy, implement a defense-in-depth cybersecurity strategy, and keep anti-virus/anti-malware software updated with the latest signatures.

Information-Stealing Malware Campaign Evades Anti-Virus Detection

Researchers at Cisco Talos recently uncovered a new campaign that leverages a known vulnerability in Microsoft Office, CVE-2017-11882, to deliver information-stealing trojans including Agent Tesla, Loki, and Gamarue. Agent Tesla has the ability to steal login credentials, capture screenshots, record webcam footage, and install additional malware onto infected machines. This campaign distributes emails with an attached Microsoft Word docx file that, when opened, downloads and opens a Rich Text Format (RTF) document containing malicious code. As RTF parsers typically ignore unrecognized code, threat actors are easily able to obfuscate the content of RTF files to mask malicious code. According to Cisco Talos, at the time of analysis, only two out of 58 anti-virus programs marked the file as suspicious. Microsoft issued a patch for CVE-2017-11882 in November 2017. The NJCCIC recommends users and administrators review the Cisco Talos post, use the indicators of compromise (IOCs) provided to help defend against this threat, and ensure all Microsoft Office products are up-to-date with the latest patches. 

Vulnerability Advisory
 

Vulnerabilities in Linksys Routers May Grant Attackers Full Control

Cisco Talos researcher Jared Rittle discovered three vulnerabilities in Linksys E Series routers that could allow a threat actor to execute arbitrary system commands. These vulnerabilities can be exploited by sending an authenticated HTTP request to the network configuration. Linksys E1200 and E2500, designed for small business and home office use, are among the vulnerable models. The NJCCIC recommends users and administrators of affected Linksys routers review the Cisco Talos post and update their device firmware to the latest patch levels. 

Breach Notification
 
Pentagon
The Pentagon disclosed a breach of Defense Department travel records that compromised the personal information and credit card data of US military and civilian personnel. Pentagon spokesman Lieutenant Colonel Joseph Buccino stated that the breach initiated from a commercial vendor that provided service to the Defense Department. The size and scope of the cyber incident is currently unknown but is believed to affect as many as 30,000 individuals. The Defense Department will make notifications to the affected personnel. The NJCCIC recommends those impacted monitor their financial accounts and credit profile, report unauthorized activity immediately, and take advantage of any fraud protection services offered.

Threat Profiles
 
Android: No new or updated variants were added.
Botnet: No new or updated variants were added.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: No new or updated exploit kits were added.
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: One new variant: Kraken Cryptor. Two updates: CrySiS, Matrix.
Trojan: No new or updated variants were added.


Social Engineering Awareness
Phishers are After Something Unusual in Ploy Targeting Book Publishers
Comment: Unusual targets have emerged as part of the latest social engineering scam: book publishers and authors. Several major publishing agencies, including Penguin Random House (PRH), have issued alerts to their employees concerning phishing emails that seek out private information. Threat actors are attempting to acquire user IDs, passwords, social security numbers, bank account numbers, tax forms, wire transfers, and even unpublished manuscripts. Any organization can be targeted through phishing attacks; all users are advised to verify unexpected attachments or links from known senders by contacting the sender via another method of communication before opening them.
 

Cyber at a Glance
What Kanye West Can Teach Us About Passcodes
Comment: Oftentimes, users establish weak passcodes on their mobile devices that are easy to guess; this could allow an unauthorized party to easily gain access to the data on the device. Brute force tools are available to crack smartphone passcodes; however, by choosing strong passcodes, and enabling a limit on unsuccessful attempts and a device wipe option, users can reduce their risk of unauthorized access. For more information on choosing passcodes, passwords, and PINs, visit the NJCCIC's Be Sure To Secure page on passwords.
 
Fake Miners Mine Fake Coins, Make Money by Displaying Ads
Comment: Phony cryptocurrency-mining apps have been spotted in the Google Play Store since May 2018. These apps claim to profit the user by mining cryptocurrency but, in reality, only generate revenue for the app developers through ads. These apps contain fake mining progress screens and consistently fail to transfer the fake cash balance to the user's account. Users should always exercise caution when downloading apps, even those from official app stores, and ensure that an app performs its intended function and does not request excessive device permissions.


Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
 
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.


This email was sent by:

New Jersey Cybersecurity & Communications Integration Cell

DISCLAIMER: This product is provided as is for informational purposes only. The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) does not provide any warranties of any kind regarding any information contained within. The NJCCIC does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP). For more information about TLP, see https://www.us-cert.gov/tlp.
