NJCCIC Weekly Bulletin | March 26, 2020

TLP: WHITE

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.
COVID-19 Cyber Threats Continue to Evolve
Almost every day, new cyber threats are revealed that exploit public concern over COVID-19, from malicious emails and compromised sites to various scams. This week, two websites promoted fake anti-virus software that, when downloaded, installed the BlackNET remote access trojan and added the compromised system to a botnet. Additionally, threat actors are accessing the domain name system (DNS) settings of D-Link and Linksys routers in order to have web browsers display alerts for a fraudulent COVID-19 World Health Organization information app; the app actually downloads the Vidar information-stealing trojan. Furthermore, a subdomain of the US Department of Health & Human Services’ website, hhs.gov, is being used by threat actors to redirect users to a document that downloads and executes the Raccoon information-stealing trojan. Lastly, while some threat actors have halted operations aimed at healthcare facilities during this time, a medical facility testing COVID-19 vaccines was impacted by ransomware and had patient data exposed to pressure the victim into paying. A variation on the extortion emails we’ve seen since the summer of 2018 is also circulating, demanding that recipients pay a ransom or the perpetrator will infect them and their family with COVID-19. The NJCCIC has noted an increase in COVID-19 cyber threats aimed at NJ state employees and the Garden State Network. Eight of the top ten phishing campaigns directed at NJ state employees over the last two weeks had COVID-19 themes and lures. These emails attempt to deliver malware or steal user credentials. Tactics observed in these emails include: a sender claiming to be terminally ill with COVID-19 and requesting money via bitcoin; an attachment containing a “COVID-19 Bulletin for Business Partners”; an attachment containing information on COVID-19 actions; and an attachment that provides information on how to obtain in-demand personal protective equipment (shown in the image above).
The NJCCIC reminds users to remain especially vigilant during this time and exercise caution with COVID-19-themed emails, social media posts, and websites. Additionally, only use trusted sources – such as official government websites – for information on COVID-19. New Jersey provides updates on COVID-19 at covid-19.nj.gov and NJOHSP provides rumor control and disinformation updates at njohsp.gov/covid19.

Announcement
Tips for Teleworkers, Remote Access Security
The NJCCIC’s “This is Security” post “Tips for Teleworkers, Remote Access Security” provides telework program fundamentals, best practices for using remote access, and guidance on establishing device and home network security.

Threat Alerts
Phishing Emails Claim to be from WHO Director-General
A new phishing campaign delivers emails purportedly from the Director-General of the World Health Organization (WHO) Tedros Adhanom Ghebreyesus. The emails contain an attachment, named CURE.exe, that supposedly includes information on drugs for the prevention and treatment of COVID-19. The .exe file attachment contains a .NET executable that downloads the HawkEye trojan. HawkEye is an information stealer that logs keystrokes and captures screenshots. The data is sent back to the threat actors via encrypted email. A similar phishing campaign is targeting NJ State employees with these same lures, but instead using a malicious Word document to deliver HawkEye. The NJCCIC recommends users exercise caution with COVID-19-themed emails, social media posts, and links. More information on this campaign is found in the IBM X-Force post.

Active Exploitation of Vulnerabilities in Adobe Type Manager Library
Microsoft disclosed that threat actors are exploiting two unpatched remote code execution vulnerabilities in Adobe Type Manager Library (ATML). The vulnerabilities exist in Windows when the ATML improperly handles a specially crafted multi-master font. There are currently no patches available for the vulnerabilities; however, Microsoft has provided workarounds. The NJCCIC recommends users and administrators apply the workarounds to impacted systems and apply updates when they become available. More information can be found in the Microsoft Security Advisory.

Kwampirs Campaign Continues to Target Supply Chains
The FBI released a FLASH detailing an ongoing Kwampirs malware campaign targeting the supply chains of global industries. This campaign targets the software supply chain, healthcare, energy, and financial sectors, with the FBI assessing software supply chain companies as a key target. The campaign has two phases: the first establishes a persistent presence on the targeted network and executes secondary malware; the second delivers additional Kwampirs payloads to further exploit the infected system. A second FBI FLASH was released that provides YARA rules for detecting Kwampirs activity. The NJCCIC recommends users and administrators employ cybersecurity best practices, including applying the principle of least privilege; establishing a comprehensive data backup plan; exercising a defense-in-depth cybersecurity strategy; and keeping all hardware, software, and anti-virus/anti-malware programs up to date.

New Mirai Variant Targeted Vulnerable NAS Devices
Image Source: Palo Alto Networks
A new Mirai botnet variant, dubbed Mukashi, exploited a known critical remote code execution vulnerability affecting Zyxel network-attached storage (NAS) devices. Mukashi launched brute-force attacks against multiple IoT devices running firmware versions up to 5.21 in order to control them and conduct Distributed Denial of Service (DDoS) attacks. Zyxel has issued firmware patches and workarounds to remediate the vulnerability. The NJCCIC recommends users patch affected systems by updating the firmware to the latest version as soon as possible after appropriate testing. We advise users to establish strong, unique passwords for each device/account. Further details and IOCs can be found in the Zyxel security advisory and the Palo Alto Networks article.

APT28 Targeted Email Servers: Port Scans by Region
Image Source: Trend Micro
APT28, also known as Sofacy and Pawn Storm, is a Russian advanced persistent threat (APT) group best known for targeting the Democratic National Committee (DNC) in 2016. Traditionally, the group used spear-phishing campaigns to infiltrate targeted networks; however, Trend Micro reported that APT28 has been scanning for vulnerable email servers, including those running Microsoft SQL Server and Directory Services. Throughout 2019, they scanned for ports 443 and 1433 in search of exposed email servers. Once servers were discovered, the threat actors brute-forced credentials to access email data and send spam. Targets included government, military, defense contractors, universities, and schools in several European countries, among others. The NJCCIC recommends entities that may be considered high-value targets for APT28 operations review the Trend Micro report for more information on recent campaigns and associated indicators of compromise (IOCs). Organizations are advised to educate end users on this and similar threats; implement a defense-in-depth cybersecurity strategy; employ the Principle of Least Privilege; and keep anti-virus/anti-malware, hardware, and software updated to the latest vendor-supported patch levels.

Vulnerability Advisories 
Vulnerability in OpenWRT Could Allow MitM Attack
Image Source: OpenWRT Project
A serious remote code execution vulnerability, tracked as CVE-2020-7982, has been disclosed affecting OpenWRT (OPEN Wireless Router). OpenWRT is a widely used Linux-based embedded operating system for routing network traffic. The flaw resides in the OPKG package manager and breaks its integrity checking: OPKG fails to correctly parse the checksums embedded in the signed repository index, so a package whose checksum is not read is not verified. The vulnerability may allow a threat actor in a Man-in-the-Middle (MitM) position to inject arbitrary package payloads, resulting in the attacker gaining complete control over the device and the traffic it manages. Affected versions include 18.06.0 to 18.06.6 and 19.07.0, as well as LEDE 17.01.0 to 17.01.7. OpenWRT has provided remediation in the available updates, though this has been identified as a partial solution. The NJCCIC recommends users of affected OpenWRT versions apply updates immediately. Further information can be found in The Hacker News article.
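As an added example, not part of the bulletin or of OpenWRT's own opkg code, the following Python sketch shows the fail-closed checksum verification a package manager should apply to a signed repository index: a package is accepted only when its index entry carries a well-formed SHA256sum and the downloaded bytes hash to that value. The index layout and all sample values are constructed for this example and only assumed to resemble OpenWRT's Packages index.

```python
import hashlib
import hmac
import re

HEX64 = re.compile(r"^[0-9a-f]{64}$")

def parse_index(text):
    """Parse an opkg-style Packages index into {package name: {field: value}}.
    Stanzas are separated by blank lines; each field is written 'Key: value'."""
    packages, current = {}, {}
    for line in text.splitlines():
        if not line.strip():
            if "Package" in current:
                packages[current["Package"]] = current
            current = {}
            continue
        key, sep, value = line.partition(":")
        if sep and not line[0].isspace():  # skip indented continuation lines
            current[key.strip()] = value.strip()
    if "Package" in current:
        packages[current["Package"]] = current
    return packages

def verify_package(entry, data):
    """Fail closed: accept the package only if the index entry carries a
    well-formed SHA256sum and the downloaded bytes hash to that value."""
    expected = entry.get("SHA256sum", "").lower()
    if not HEX64.match(expected):
        return False, "missing or malformed SHA256sum in index"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "checksum mismatch"
    return True, "ok"

# Constructed sample package bytes and index (values made up for this example).
PACKAGE_BYTES = b"constructed .ipk archive contents"
SAMPLE_INDEX = (
    "Package: example-tool\nVersion: 1.0-1\n"
    "Filename: example-tool_1.0-1_mipsel.ipk\n"
    f"SHA256sum: {hashlib.sha256(PACKAGE_BYTES).hexdigest()}\n\n"
    "Package: no-checksum-tool\nVersion: 2.0-1\n"
    "Filename: no-checksum-tool_2.0-1_mipsel.ipk\n\n"
    "Package: bad-checksum-tool\nVersion: 3.0-1\n"
    "Filename: bad-checksum-tool_3.0-1_mipsel.ipk\n"
    "SHA256sum: not-a-hex-digest\n"
)
INDEX = parse_index(SAMPLE_INDEX)
```

Only the first entry is accepted; the entry with no checksum, the entry with an unparseable checksum, and tampered package bytes are all rejected rather than silently installed.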
Vulnerabilities in Apple Products
Several vulnerabilities exist in various Apple products (iCloud, iOS, iPadOS, iTunes, macOS, Safari, tvOS, watchOS, Xcode), the most severe of which could allow a threat actor to execute arbitrary code, gain the same privileges as the logged-on user, or bypass security restrictions. If the logged-on user has elevated privileges, the threat actor could install programs, manipulate data, or create new user accounts. The NJCCIC recommends users and administrators apply updates to impacted products as soon as possible after appropriate testing.

Breach Notification
General Electric
General Electric (GE), a global Fortune 500 company, has acknowledged a breach affecting present and former employees and their beneficiaries. Between February 3 and 14, 2020, an unauthorized user gained access to the email account of Canon Business Process Services, which GE contracts with to process employee documents. Exposed sensitive documents include divorce, death, and marriage certificates; beneficiary information; support orders; and direct deposit and tax withholding forms. Additionally, driver’s licenses, passports, Social Security numbers, and bank account numbers were revealed. GE was informed on February 28 and has notified potential victims. It is unclear at this time whether GE is the only affected customer. Further information can be found in the Threatpost article.


Social Engineering Awareness
How Cybercriminals Target Company Emails and What You Can Do To Prevent It
Comment: Phishing, spear-phishing, and smishing campaigns are on the rise, specifically targeting mobile devices in an attempt to steal credentials. Malicious actors will use credentials from compromised accounts to send deceptive email or text messages containing truncated URLs to launch spoofed login webpages or app screen overlays. Sandboxing technology, device management, phishing simulations, and data breach response simulations can help improve defenses against these attacks.

Cyber at a Glance
The Cybersecurity Implications of Working Remotely
Comment: Many employees are working remotely due to the impact of the current COVID-19 pandemic, increasing the attack surface and risk of human error. Devices may not be protected or connected securely to the network and virtual private networks (VPNs). The increase in emails may contain both legitimate requests and phishing scams. It is recommended to use judgment before clicking on any suspicious links or attachments, create strong passwords, enable multi-factor authentication where available, and monitor access controls.

The information contained in this product is marked Traffic Light Protocol (TLP): WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction. 

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
 
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
