NJCCIC Weekly Bulletin | December 19, 2019

THE WEEKLY BULLETIN
December 19, 2019
TLP: WHITE

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.
Threat Actors Publish the Names and Data of Ransomware Victims Who Refuse to Pay
Image Source: KrebsonSecurity
In a previous bulletin, the NJCCIC reported that the threat actors behind the Maze ransomware variant are threatening to release victims’ data if ransom payments are not received. Other cyber-criminals have adopted this tactic, including those behind the Sodinokibi/REvil and Zeppelin variants. Just this past week, the actors behind Maze created a public website that names victims who refused to pay the ransom demand, and they plan to use this site to publish those companies’ data. Ransomware victims must now contend with the consequences of being publicly named and having their data released if they choose not to pay, which pressures victims into paying. The NJCCIC recommends organizations ensure any sensitive data on their network is encrypted at rest and in transit, and that cryptographic keys are kept secure, so that any exfiltrated data cannot be publicly released in a readable form. Additionally, organizations are advised to implement a comprehensive data backup plan, significantly limit privileged access, implement an administrative tier model, and restrict endpoint access using Group Policy. More information on these recent ransomware tactics can be found in the KrebsOnSecurity article.

Announcement
Girls Go CyberStart Cybersecurity Competition
Girls Go CyberStart registration opened up this month and New Jersey schools are making us proud with 52 schools already signed up! Over the winter break there are lots of ways to warm up those cyber muscles and be ready to rock the competition in January. Try these practice puzzles at Mrs. G's CyberStart Tips blog or play the sample challenges at CyberStart Go. Make it your New Year's resolution to recruit one more NJ school or group of girls to sign up for Girls Go CyberStart!

Industry Report
Emsisoft
Emsisoft published The State of Ransomware in the US: Report and Statistics 2019, which details ransomware attacks against government agencies, educational establishments, and healthcare providers in 2019, and offers insights and recommendations for reducing successful attacks against these entities in the coming year. Below are some key takeaways:
  • In 2019, ransomware attacks impacted at least 948 government agencies, educational establishments, and healthcare providers.
    • 103 state and municipal governments and agencies.
    • 759 healthcare providers.
    • 86 universities, colleges, and school districts totaling up to 1,224 individual schools.
  • The total cost of ransomware attacks in 2019 potentially exceeds $7.5 billion.
  • Disruptions caused by ransomware incidents put public health, safety, and lives at risk.
  • The average ransomware incident reportedly costs $8.1 million and takes 287 days to fully recover from.
  • Ransomware incidents in 2019 increased sharply due to organizations’ existing security weaknesses and the development of increasingly sophisticated attack tactics.
  • In some cases, governments failed to implement even the most basic of IT best practices, such as failing to have a backup mechanism in place.
  • Recommended initiatives include improving security standards and oversight, increasing guidance, investing more in IT security, closing the intelligence gap, having better public-private sector cooperation, implementing legislative restrictions on ransom payments, and encouraging more vendor and service provider action.
  • Ransomware incidents are predicted to increase in both sophistication and frequency with the possibility of data exfiltration for leverage.

Threat Alerts
Global Phishing Campaign Targets Government Procurement Services
Image Source: Anomali Labs
Anomali researchers discovered an active credential phishing campaign targeting various government departments—including procurement, bidding, and logistics—in multiple countries. The largest number of attacks has been seen in the US, targeting the US Department of Energy, US Department of Commerce, and the US Department of Veterans Affairs, among others. The emails appear to be sent from a government agency and direct the recipient to click on a link that leads to a spoofed government agency website, which requests that the user log in with their credentials. The spoofed website uses legitimate names, information, and documents to reduce suspicion. Anomali discovered a total of 62 legitimate domains and 122 phishing websites during their investigation. The cyber-criminals and their motivations are unclear at the time of this writing, but the researchers believe it could be an effort to conduct corporate espionage and possibly gain access to potential bidders to undercut competition or compromise government supplies for long-term gain. The NJCCIC recommends organizations educate users about this and similar threats, reminding them to refrain from clicking on links or opening attachments delivered with unexpected or unsolicited emails and to exercise caution with emails from known senders. Users are advised instead to navigate to websites by manually typing the URL into the address bar of their browser. If credential compromise is suspected, users are advised to change credentials across all accounts that used the same login information and enable multi-factor authentication where available. Further details can be found in the Anomali white paper and the ZDNet article.
Emotet Trojan Requests RSVP to Holiday Party
Image Source: Bleeping Computer
A new malspam campaign is taking a festive approach by sending Christmas-themed emails that contain malicious attachments which attempt to download and install the Emotet trojan. The emails entice the target to open them using subject lines such as “Christmas Party next week,” “Christmas party,” “holiday schedule 2019-2020,” or “holiday.” The emails contain an attached Word document supposedly providing the party menu. When the user opens the document, they are prompted to click the Enable Editing or Enable Content button to display the contents, which then downloads Emotet. The NJCCIC recommends educating users about this and similar phishing threats, reminding them never to click on links or open attachments delivered in unexpected or unsolicited emails, and to avoid enabling macros in Word documents. Users are advised to run updated anti-virus/anti-malware programs on all devices and enable multi-factor authentication where available. Details can be found in the Bleeping Computer article.
POS Malware at Gas Stations Across North America
In security alerts published in November and December 2019, VISA detailed incidents of POS malware at gas pump and gas station operators across North America. Cyber-criminals are installing POS malware on fuel dispenser merchants’ networks in order to steal unencrypted payment card data. Many gas station pumps are still not fitted to accept chip card transactions and can only read payment data from the card’s magnetic stripe. The data from the stripe is sent unencrypted (in readable form) to the gas station’s network, where it can be stolen. Fuel dispensers have until October 2020 to become chip card compatible; at that time, liability for any payment card fraud will shift to the merchant. Gas station fuel pumps in New Jersey have also been targets of payment card skimmer attacks, in which physical devices are placed on the gas pumps to steal the same payment data from the card’s magnetic stripe. The NJCCIC recommends fuel dispenser merchants encrypt card data in transit and at rest, deploy compatible chip card readers as soon as possible, and train gas station attendants to recognize payment card skimmers. Customers are advised to use credit cards or cash at fuel pumps in place of debit payments to reduce the impact of payment card fraud. Additional information on recent POS malware incidents can be found in the VISA alert and the ZDNet article.
Hackers Compromise Smart Security Devices
Smart security devices – such as doorbells, security cameras, and smart locks – contain multiple vulnerabilities that could provide an individual with unauthorized access. Cyber-criminals have hacked Ring devices across the US, harassing private citizens and their families through device speakers, shouting obscenities and racial slurs, and otherwise taunting users. Additionally, live feeds accessed through security cameras have even been broadcast on hacking forum podcasts. Similarly, researchers were able to exploit an improperly designed communication protocol, intercepting a secret passphrase sent between the KeyWe smart lock and its corresponding app. This vulnerability could allow hackers to lock a user out of their house or grant entry to criminals. Unfortunately, these smart locks are unable to receive firmware updates and patches, leaving users at risk unless the locks are uninstalled. Researchers have warned users of security and privacy concerns; however, many of the vulnerabilities exploited could be prevented by properly securing these devices. The NJCCIC urges smart security device users to choose devices that can receive security updates and keep them patched, establish strong and unique passwords for each device, and enable multi-factor authentication (MFA) where available. Further details can be found in the Bleeping Computer article.

Vulnerability Advisory
Zero-Day in TP-Link Archer Routers Could Allow Device Takeover
Image Source: TP-Link
A zero-day vulnerability affecting both home and business TP-Link Archer routers has been discovered by IBM X-Force Red researchers. If exploited, the critical flaw could grant access to unauthorized users, allowing potential attackers to reset admin passwords and take control of devices via Telnet on the local area network (LAN). Businesses face greater risk when these routers are used to provide guest Wi-Fi. Additionally, the flaw could give potential attackers a foothold from which to perform reconnaissance and lateral movement to other devices within the network. TP-Link has released updates and urges customers to apply patches immediately to the following products: Archer C5 v4; Archer MR200v4; Archer MR6400v4; Archer MR400v3. The NJCCIC recommends users of TP-Link Archer routers change default passwords, ensure updates have been applied, keep software up-to-date, and enable multi-factor authentication (MFA) where available. Further details can be found in the Security Intelligence article.
Several Vulnerabilities Discovered in Schneider Electric SCADA Products
Image Source: Schneider Electric
Schneider Electric released advisories identifying multiple vulnerabilities in EcoStruxure (formerly known as ClearSCADA) and Modicon programmable logic controllers (PLCs) used in critical infrastructure systems. The Modicon flaws, two of which are high severity, could allow denial-of-service (DoS), while the EcoStruxure SCADA software vulnerabilities could cause a server-side crash through a stack-based buffer overflow. One of the identified flaws resides in Power SCADA Operation, power monitoring and control software used to maximize uptime in the IT, healthcare, industrial, and electro-intensive sectors. The NJCCIC highly encourages users of Schneider Electric products to apply patches to the affected systems immediately. Further details can be found in the Trend Micro article.

Threat Profiles
Android: No new or updated variants were added.
ATM Malware: No new or updated variants were added.
Botnet: No new or updated variants were added.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: No new or updated variants were added.
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: Two new variants: Buran, Snatch. Two updated variants: Maze, Sodinokibi/REvil.
Trojan: One updated variant: Emotet.

ICS-CERT Advisories
Patches
Throwback Thursday

Social Engineering Awareness
Something’s Phishy
Comment: Phishing campaigns are especially active during the holiday season, spreading gift card, greeting card, package shipment notice, and discount notice scams. Cyber-criminals target individuals and small businesses through information obtained from websites, social media sites, and data breaches in order to craft a realistic phishing email. Emails may be convincing enough to trick users into clicking links based on normal user experiences and a sense of urgency; therefore, best practices – such as verifying the legitimacy of the email, user awareness training, and enabling multi-factor authentication – should be implemented to reduce victimization.

Cyber at a Glance
Mac Threat Detections on the Rise in 2019
Comment: Despite the common belief that PC threats far outnumber Mac threats, Mac threat detections are increasing, consisting primarily of adware and potentially unwanted programs (PUPs). While Macs ship with built-in security software, users are advised to also run a separate anti-virus or anti-malware program as a defense-in-depth measure. Regardless of platform, users are recommended to ensure operating systems and anti-virus/anti-malware programs are patched and up-to-date.
The information contained in this product is marked Traffic Light Protocol (TLP): WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction.

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
