NJCCIC Weekly Bulletin | February 14, 2019

THE WEEKLY BULLETIN
February 14, 2019
TLP: WHITE

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.

Phishing Emails Containing Blue Box Lead to Tech Support Scam Sites

Image Source: Microsoft
The NJCCIC has observed phishing emails containing a clickable blue box being sent to NJ State employee email accounts, and has received reports from outside organizations receiving similar messages. These emails contain blue boxes with phrases such as “Display complete,” “Display Message,” or “Display trusted message.” Clicking the link will likely bring the user to a tech support or survey scam page meant to steal the user’s personal or financial information, or to convince them to download malware or remote access software onto their system. The NJCCIC recommends that users avoid clicking on links in unsolicited or unexpected emails. Microsoft will not contact you regarding suspicious or malicious activity on your device; therefore, users are advised not to call any tech support numbers that appear on websites or in pop-up messages.

Announcements

Save the Date

Date: Wednesday, March 20, 2019 | Time: 8:30 a.m.
Location: The Event Center at iPlay America, Freehold, New Jersey
Audience: Public sector organizations including state, county and municipal governments and authorities, K-12 and higher education
Over the past year, the NJCCIC received numerous reports of cyber incidents, many involving ransomware, that significantly impacted municipal and county government organizations here in NJ, resulting in millions of dollars in ransoms being paid out and major operational disruptions. Oftentimes, poor cyber hygiene was what allowed the threat actors to succeed. We will provide attendees with practical strategies, tactics, resources, and tools to help manage cyber risk in their respective organizations. Event registration coming soon.

Industry Report

Proofpoint details the threats, trends, and key takeaways observed within its customer base and the wider threat landscape in its “Quarterly Threat Report Q4 2018,” available here. Some highlights are below:
  • The number of email fraud attacks against targeted companies increased 226 percent quarter over quarter, and 476 percent compared to Q4 2017.
  • About 60 percent of companies observed their domains spoofed by email fraudsters.
  • Banking trojans remain the top email-based threat in Q4, making up 56 percent of all malicious payloads, with Emotet comprising 76 percent of all banking trojan payloads.
  • Ransomware dropped in Q4 to just over one tenth of 1 percent of all malicious email messages.
  • Remote access trojans (RATs) comprised 8.4 percent of all malicious email payloads in Q4, the most prevalent being the FlawedAmmyy RAT at 88 percent.
  • Angler phishing – when threat actors insert themselves into legitimate interactions between consumers and brands – increased 40 percent since Q3 and over 500 percent since the beginning of 2018.

Threat Alerts

New Phishing Attack Targets Victims Twice Using Google Translate

Image Source: Akamai
Akamai discovered a new phishing campaign that alerts the user that their Google account has been accessed from a new Windows device. The message appears legitimate on a mobile device but reveals red flags on a desktop. If the link is clicked, the landing page appears to be Google’s login portal, but the malicious website is actually loaded through Google Translate. The benefit of Google Translate for threat actors is that the URL bar is filled with what looks like random text while the victim sees a legitimate Google domain. If credentials are entered here, they are sent to the threat actors and a second phishing attack is triggered, bringing the user to another landing page that appears to be Facebook’s mobile login portal. Again, any credentials entered here are sent to the threat actors. The NJCCIC strongly recommends never opening attachments or using links provided in unsolicited emails to visit websites requiring the input of account credentials. Users who receive unexpected or unsolicited requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. We recommend reviewing Akamai’s blog post for more details about this phishing campaign.

Phishing Attack Targets US Anti-Money Laundering Officers

Image Source: Krebs on Security
The National Credit Union Administration (NCUA) disclosed a phishing campaign targeting Bank Secrecy Act officers at US credit unions and other financial institutions. The officers were targeted because they are required to report suspicious financial transactions to the NCUA under the USA PATRIOT Act. Threat actors spoofed the email addresses of the officers, claimed a suspicious transfer had been put on hold, and advised them to review the attachment, which contained a malicious link. The NJCCIC strongly recommends never opening attachments or using links provided in unsolicited emails to visit websites requiring the input of account credentials. Users who receive unexpected or unsolicited requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. We recommend reviewing NCUA’s press release and Krebs on Security’s blog post for more details about this phishing campaign.

Triout Android Spyware is Back

Image Source: Bitdefender
Bitdefender discovered a re-emerging Android malware, dubbed Triout, posing as a legitimate online privacy application to trick users into downloading it. The Triout spyware hides in a fake version of the privacy tool Psiphon, appearing and acting like the real version so as not to raise any suspicion. The threat actors behind the malware appear to be selective in the users they target. Triout collects device data such as phone calls, text messages, photos, and GPS location. The NJCCIC strongly recommends only installing apps from trusted sources and keeping Android operating systems up to date. More details about this spyware campaign can be found in Bitdefender’s blog post.

Windows Malware Runs on Macs

Image Source: Trend Micro
Trend Micro discovered a malicious Windows payload targeting Mac users that bypasses macOS’s built-in Gatekeeper protection, which only checks native Mac files. The Mac installer contains a suspicious EXE file that, when executed, collects system information and sends it to the C&C server, where it could be used for other attacks or infection attempts. The US is one of several countries targeted. The NJCCIC advises users to refrain from downloading any files, programs, or software from unofficial channels or sites, and to ensure hardware, software, and anti-virus/anti-malware are up to date. Trend Micro provides technical details and behaviors of this malware here.

Phishing Campaign Uses Long URL

Image Source: Bleeping Computer
A new phishing campaign sends emails pretending to come from your mail domain’s support department, claiming the user’s email has been blacklisted and requesting that the user log in to verify the account. If the user clicks on the embedded link, a landing page appears asking for credentials. What is interesting – and hopefully obvious – about this scam is the use of about 1,000 characters in the URL link. There is speculation that the reason for the long URLs is an effort to hide information in the link. The NJCCIC strongly recommends never opening attachments or using links provided in unsolicited emails to visit websites requiring the input of account credentials. Users who receive unexpected or unsolicited requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. We recommend reviewing Bleeping Computer’s blog post for more details about this phishing campaign.
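The Google Translate and long-URL campaigns above share a detectable trait: the link itself looks wrong before any page is loaded. The following added example (not code from the bulletin or from Akamai or Bleeping Computer) shows a small mail-gateway style link check that unwraps a Google Translate proxy link and flags unusually long URLs. The translate host names, the `u` query parameter carrying the proxied target, the 500-character threshold and all sample links are assumptions or constructed test data, not indicators from the page.

```python
from urllib.parse import parse_qs, urlparse

# Assumption: Google Translate proxy links carry the proxied target in the "u" parameter.
TRANSLATE_HOSTS = {"translate.google.com", "translate.googleusercontent.com"}
# Assumption: a threshold well below the ~1,000-character links described in the bulletin.
LONG_URL_THRESHOLD = 500

# Constructed sample links for the example (not real campaign indicators).
SAMPLE_LINKS = [
    "https://accounts.google.com/signin",                                   # benign
    "https://translate.google.com/translate?hl=en&sl=auto&u=http://login-example.test/g",
    "https://mail-verify.test/login?" + "x" * 1000,                         # ~1,000 chars
]


def unwrap_translate(url: str):
    """Return the wrapped target URL if url is a Google Translate proxy link, else None."""
    parsed = urlparse(url)
    if parsed.hostname in TRANSLATE_HOSTS:
        return parse_qs(parsed.query).get("u", [None])[0]
    return None


def is_google_host(host: str) -> bool:
    return host == "google.com" or host.endswith(".google.com")


def check_link(url: str) -> list:
    """Return a list of finding tags for one URL; empty list means nothing suspicious."""
    findings = []
    if len(url) > LONG_URL_THRESHOLD:
        findings.append(f"long-url:{len(url)}")
    target = unwrap_translate(url)
    if target:
        target_host = urlparse(target).hostname or ""
        # A translate link that proxies a non-Google login page is the pattern Akamai described.
        if not is_google_host(target_host):
            findings.append(f"translate-proxy:{target_host}")
    return findings


def scan_links(links) -> dict:
    """Map each suspicious URL to its findings; clean URLs are omitted."""
    return {url: check_link(url) for url in links if check_link(url)}


if __name__ == "__main__":
    for url, tags in scan_links(SAMPLE_LINKS).items():
        print(tags, url[:80])
```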

Vulnerability Advisories

Apple Fixes FaceTime Bug and Two iOS Zero-Days

At the end of January, a Group FaceTime bug allowed callers to listen in on, and potentially view, the people they were calling before the call was answered. Apple then temporarily disabled the Group FaceTime service until updates became available. Apple has now released updates for iOS and macOS addressing the Group FaceTime bug and Live Photos. Apple also released updates for two zero-days discovered by Google researchers, involving memory corruption issues in the Foundation and IOKit frameworks. The NJCCIC recommends patching systems as updates become available and re-enabling the FaceTime service after updating if it was manually disabled. More details on the Apple vulnerabilities and updates can be found here.

Opening Malicious File Grants Access to Android Devices

A critical vulnerability exists in the Android operating system’s framework that could allow a threat actor to send a malicious PNG image file to an Android device and execute arbitrary code if the file is opened. This is just another example of the steganography technique used to bury malicious code in digital images. Android versions 7.0 and 9.0 are impacted and patches have been released. The NJCCIC recommends patching systems as updates become available. More details on the Android vulnerability and updates can be found in Android’s security bulletin and ZDNet’s blog post.

Breach Notifications
VFEmail
Hackers breached the servers of email provider VFEmail[.]net. On February 11, the perpetrators wiped all data from the company’s US servers, destroying all US customer data, including all inbox content. Staff are working to recover users’ emails; however, it appears all US customer data is unrecoverable. VFEmail users no longer have spam email filtering in place and are advised to exercise caution with any emails they receive. More information and updates on the situation can be found via the company’s website and official Twitter account.
Millions of Stolen Accounts From Multiple Websites for Sale on the Dark Web
Millions of online accounts from sixteen hacked websites are now up for sale on the Dark Web. US-based websites include Animoto, Artsy, Armor Games, and Whitepages. Most of the data consists of names, email addresses, and hashed passwords, and many of the websites have notified their users of the breach. It is important for affected users to change their passwords, use strong and unique passwords for every account, and enable multi-factor authentication where available to protect against credential stuffing attacks. More information on these breaches can be found in The Register’s blog post.

Threat Profiles
Android: One updated variant: Triout.
Botnet: No new or updated botnets were added.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: No new or updated exploit kits were added.
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: One updated variant: GandCrab.
Trojan: One updated variant: TrickBot.

ICS-CERT Advisories
Throwback Thursday
Be Sure to Secure
Threat Analysis
Patches

Social Engineering Awareness
Romance Scams Will Cost You
Comment: Valentine’s Day may attract not only love but also romance scammers. The number of romance scammers is growing on dating apps, social media websites, and chat rooms. These threat actors commit identity theft and fraud, using social engineering tactics to convince romantic victims to reveal personal information and send money. Scams can also include phishing emails with malicious links from phony florists, false electronic greeting cards from secret admirers, and special deliveries requiring credit card payment.
Businesses: It’s Time to Implement an Anti-Phishing Plan
Comment: Phishing attacks are increasing, targeting business employees and customers. No industry is safe, so the need to implement best practices cannot be stressed enough. This includes reviewing and implementing security policies and educating staff through security awareness training. The human factor plays a big part, and there are many resources and tools that can be used to explore and test users’ knowledge and skills in order to manage the ongoing threat of social engineering.

Cyber at a Glance
Two Cyber Security Myths You Need to Forget Right Now, If You Want to Stop the Hackers
Comment: Misconceptions can lead to organizations improperly or ineffectively defending against cyber threats. Oftentimes, organizations and individuals do not think of themselves as targets and, therefore, fail to dedicate the necessary resources to lower their cyber risk. There is an assumption that cyber attacks are very targeted when, in fact, threat actors often indiscriminately target users, casting a broad net to increase their chance of success. A second misconception noted by the National Cyber Security Centre was the assumption by senior executives that cybersecurity is too hard to understand and, therefore, not worth engaging in. This can again lead to a lack of resources dedicated to information security, making these organizations more vulnerable.
iPhone Apps Record Your Screen Sessions Without Asking
Comment: Mobile apps have transformed nearly every aspect of our lives. Yet entire user sessions, including every tap, swipe, and keystroke, may be recorded and analyzed for future development and improvements. The user recording technology of session replay services is nothing new and can be beneficial, but when it is not mentioned in privacy policies it raises concerns about access to sensitive data. There is a constant struggle between convenience and improvements in technology on one side, and user privacy and security on the other.
Should You Be Scared of Your Laptop’s Webcam?
Comment: Most laptops and mobile devices have a built-in camera that could potentially be accessed and compromised by threat actors. Even with the camera physically covered, audio from the built-in microphone can still be accessed. It is important to be aware of the risks, pay attention to the protective warning messages that pop up from your operating system, and be cautious when disabling any functions or security features. If webcam security is a concern, one option is to use a detachable USB camera or choose a device without a camera installed.

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
