NJCCIC Weekly Bulletin | December 27, 2018

THE WEEKLY BULLETIN
December 27, 2018
TLP: WHITE

The NJCCIC wishes our members and all New Jerseyans a happy and healthy New Year!


Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.

Dridex Phishing Campaign

Image Source: Trend Micro
The NJCCIC has detected a phishing campaign, targeting New Jersey State employees and users around the country, that attempts to install the Dridex banking trojan on targeted systems. Recent subject lines associated with this campaign begin with words such as “Payment,” “Inv,” “Acknowledge,” and “Account,” followed by varying letter/number combinations. The emails carry Microsoft Word document attachments that, when opened with macros enabled, download the Dridex trojan. Banking trojans are used by threat actors to obtain login credentials for financial and other sensitive accounts. The NJCCIC recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network and perform a full system scan using a reputable anti-virus/anti-malware solution. Proactively monitor and change passwords for any financial, personal, or business accounts accessed from infected systems, and enable multi-factor authentication where available.
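The subject-line and attachment pattern described above can be turned into a simple mail-gateway triage rule. The following is an added example, not NJCCIC code; the message records, field names, and the requirement that the attachment be a macro-capable Word format are constructed assumptions for illustration.

```python
import re

# Subject prefixes the bulletin associates with the campaign, followed by an
# optional separator and a letter/number tail that contains at least one digit
# (e.g. "Payment 48213AZ", "Inv#77A3"). Plain words like "Invoice" do not match.
SUBJECT_PREFIXES = ("Payment", "Inv", "Acknowledge", "Account")
SUBJECT_RE = re.compile(
    r"^(?:%s)[\s#:_-]*(?=[A-Za-z0-9]*\d)[A-Za-z0-9]+" % "|".join(SUBJECT_PREFIXES),
    re.IGNORECASE,
)

# Word formats that can carry VBA macros; .docx cannot by design, so it is
# excluded here (assumption: the campaign relies on macro execution).
MACRO_CAPABLE = (".doc", ".docm", ".dot", ".dotm")


def is_suspicious(message):
    """True when the subject matches the campaign pattern AND a macro-capable
    Word attachment is present. Both conditions are required to keep the
    false-positive rate low on ordinary 'Account ...' business mail."""
    subject = message.get("subject", "").strip()
    attachments = [name.lower() for name in message.get("attachments", [])]
    subject_hit = SUBJECT_RE.match(subject) is not None
    macro_doc = any(name.endswith(MACRO_CAPABLE) for name in attachments)
    return subject_hit and macro_doc


def triage(messages):
    """Return the ids of messages that should be quarantined for review."""
    return [m["id"] for m in messages if is_suspicious(m)]


# Constructed sample mailbox: m1 and m2 fit the campaign; m3 has a matching
# subject but a PDF; m5 has a matching subject but a macro-free .docx.
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Payment 48213AZ", "attachments": ["Payment_48213AZ.doc"]},
    {"id": "m2", "subject": "Inv#77A3", "attachments": ["inv.docm"]},
    {"id": "m3", "subject": "Account Q4 review", "attachments": ["agenda.pdf"]},
    {"id": "m4", "subject": "Lunch on Friday?", "attachments": []},
    {"id": "m5", "subject": "Acknowledge 00912", "attachments": ["receipt.docx"]},
]

if __name__ == "__main__":
    print("quarantine:", triage(SAMPLE_MESSAGES))
```

A rule like this belongs alongside, not instead of, attachment sandboxing and a policy of blocking macros from Internet-sourced documents.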

Announcements
 

Partner Webinar

Make Protecting Your Small Business Assets Against Cyber Threats A Goal This New Year

Join the National Cyber Security Alliance (NCSA) for a webinar on protecting small business assets against cyber threats. Speakers from NCSA, the National Institute of Standards and Technology, and Trend Micro will discuss basic strategies for protecting small businesses, as well as some best practices organizations can implement immediately.
  • Date & Time: Wednesday, January 9 @ 2:00 p.m. ET
  • Registration: Register Here
For more information on this and other 2019 NCSA webinars, visit: https://staysafeonline.org/event_category/cybersecure-my-business/
 

Industry Report

McAfee examines the current threat landscape in their “Threats Report” for Q3 of 2018, available here. Some key takeaways are below:
  • Gaining valid user credentials continues to be the easiest means for threat actors to severely compromise an organization.
  • Uncommon file types that bypass email filters, like IQY files, are being used to deliver banking malware.
  • Overall reported cyber incidents fell 12 percent, but the private sector saw a 150 percent increase during Q3.
  • Credit card theft originates more often on third-party payment platforms than point-of-sale (POS) systems.
  • Ten million new samples set JavaScript malware at a record high (up 45 percent); coin-mining malware also saw a 55 percent increase during Q3, and a 4400 percent increase over the past four quarters.

DHS Releases Information on Chinese Malicious Cyber Activity

The US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released technical details on the tactics, techniques, and procedures (TTPs) used by Chinese government threat actors to actively target information technology (IT) service providers, such as managed service providers and cloud service providers, and their customers. All IT service providers and their customers are encouraged to follow the recommendations, tools, and actions provided in their post and in alerts TA17-117A and TA18-276A.
 

DOJ Charges Chinese Nationals for Hacking Technology Companies and Government Agencies

On December 20, the US Department of Justice (DOJ) announced that two Chinese nationals, Zhu Hua and Zhang Shilong, had been charged with conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft in connection with global hacking operations meant to steal trade secrets and intellectual property from technology companies and government agencies, as well as personal data on over 100,000 members of the US Navy. The charged individuals acted as members of the advanced persistent threat (APT) group known as APT10, also called Stone Panda, which began its hacking campaigns in 2006. The indictment reflects the increased effort in recent years by US law enforcement to publicly hold threat actors accountable for cyber crimes against US citizens, organizations, and government entities.
 

Anticipatory Awareness Message: Cyber Security for Smart Buildings

The FBI and Telecommunications Industry Association (TIA) released a Private Industry Notification (PIN) regarding the inclusion of next-generation information and communication technologies into smart building infrastructure and the possible new threat vectors for malicious cyber actors that may result. The notification provides a primer on presumed and anticipated security issues which may arise from the increasing number of smart buildings across the US, and presents partners in industry with some mitigation measures and best practices.

Threat Alert
 

Domain Spoofing Offers a Way to Bypass 2FA

Amnesty International published a report providing insight into multiple phishing campaigns targeting Human Rights Defenders (HRDs) in the Middle East and North Africa. The campaigns focus on Google and Yahoo accounts and attempt to bypass two-factor authentication (2FA), also known as multi-factor authentication (MFA). One campaign, dating back to 2017, used a “security alert” email that lured victims to malicious domains masquerading as Google or Yahoo. Once on the site, users entered their credentials and 2FA code, which were relayed to the threat actor in time to compromise the account before the one-time code expired. A second campaign targeted email services that advertise strong security, such as Tutanota and ProtonMail. In this case, threat actors registered domains almost identical to the legitimate ones and served them over HTTPS, so the browser displayed a padlock icon. These sites stole user account credentials while separately logging the user into the legitimate mail service, so the victim saw nothing unusual. Phishing continues to be a major threat to organizations at all levels; therefore, the NJCCIC highly recommends never using links provided in unsolicited emails to visit websites that require the input of account credentials. Instead, visit the account’s associated website by typing the legitimate address directly into the URL field of your web browser. Despite the tactics used in these campaigns, we highly recommend enabling MFA on every account that offers it. For more information and a list of indicators, review the Amnesty International report.
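A defender can catch the near-identical domains described above before a user ever reaches the login page. The following is an added example, not from Amnesty International or the NJCCIC: it checks the host in a link against an allowlist of the services the report names, flags hosts that embed a legitimate brand name or sit within a small edit distance of a legitimate domain, and deliberately ignores whether the link uses HTTPS, since the padlock proved nothing in these campaigns. The allowlist, the two-label approximation of a registered domain, and the distance threshold are assumptions.

```python
from urllib.parse import urlparse

# Assumed allowlist: the services named in the report. Real deployments would
# use the organisation's own list of sanctioned login domains.
LEGITIMATE = ("google.com", "yahoo.com", "protonmail.com", "tutanota.com")


def edit_distance(a, b):
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Constructed simplification: take the last two labels. A production
    check would consult the public-suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url, max_distance=2):
    """Return 'legitimate', 'lookalike:<target>' or 'unknown' for a URL.
    The scheme is ignored on purpose: HTTPS and a padlock say nothing about
    who owns the domain."""
    host = urlparse(url).hostname or ""
    reg = registered_domain(host)
    if reg in LEGITIMATE:
        return "legitimate"
    for good in LEGITIMATE:
        brand = good.split(".")[0]
        # Brand name buried in a subdomain, or a domain one or two typos away.
        if brand in host or edit_distance(reg, good) <= max_distance:
            return "lookalike:" + good
    return "unknown"


# Constructed sample links: a real Google sign-in page, a typosquat with a
# digit for a letter, a brand-in-subdomain trick, and an unrelated site.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin",
    "https://protonmai1.com/login",
    "https://google.com.security-alert.example/verify",
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", classify_link(link))
```

Expect false positives on legitimate brand-owned variants that are not on the allowlist; the fix is to extend the allowlist, not to loosen the distance check.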

Breach Notification
 
Caribou Coffee
Caribou Coffee recently suffered a data breach exposing customer payment information taken from 265 US stores during a three-month period. An unauthorized party had access to point-of-sale systems between August 28 and December 3, 2018, exposing customer names, payment card numbers, expiration dates, and security codes. Payments made through the company’s rewards program were unaffected. Impacted customers are advised to monitor their financial accounts for suspicious activity, notify their card issuers immediately if they notice unauthorized charges, and take advantage of any free credit monitoring services offered by Caribou Coffee.

Threat Profiles
 
Android: No new or updated variants were added.
Botnet: One updated botnet: Mirai.
Cryptocurrency-Mining: No new or updated variants were added.

Exploit Kit: No new or updated exploit kits were added.
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: One new variant: JungleSec.
Trojan: One updated variant: Smoke Loader.

ICS-CERT Advisories
 
Throwback Thursday
 
Threat Analysis
Be Sure to Secure

Social Engineering Awareness
Beware of BMW Lottery Email Scam Stating You Won a BMW M240i
Comment: Scam campaigns such as this are attempting to gain personal information from recipients. If an individual replies, threat actors will often continue to target that person as they know this email account is active and the recipient is susceptible to similar scams. Information gathered in this campaign can be used to perform identity theft or gain access to victims’ accounts. Users are advised to refrain from answering scam emails and providing any personal information; simply delete these and similar messages.

Cyber at a Glance
2019 Cyber Security New Year’s Resolutions
Comment: While it is impossible to safeguard yourself against every cyber threat, there are a number of things you can do to better secure yourself online in the new year: secure your passwords by changing passwords that are easy to guess, resetting default passwords, and enabling MFA whenever possible; stop oversharing online as threat actors can leverage what you post against you; only use sites that have an encrypted connection via HTTPS; implement regular backups of important data in case it is corrupted or lost; keep all your software and hardware patched and up-to-date to minimize vulnerabilities; scrutinize any emails you receive for legitimacy; and consider using a VPN for even tighter security.

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
 
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.

