NJCCIC Weekly Bulletin | November 8, 2018

THE WEEKLY BULLETIN
November 8, 2018
TLP: WHITE

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.

Dropbox Account Phishing Campaign

The NJCCIC has detected a phishing campaign targeting New Jersey organizations that is crafted to obtain login credentials for Dropbox accounts. As Dropbox is a common platform used by businesses and organizations to share and access files remotely, compromised credentials could pose a significant risk to network security. This campaign delivers unsolicited emails with an embedded URL that redirects users to a fraudulent Dropbox login page designed to mimic the company’s legitimate website. Recent subject lines associated with this campaign include “Sent from,” “Invoice File From,” “Kindly Review,” and “Scanned from a Xerox Multifunction Printer.” According to Proofpoint’s “The Human Factor Report 2018,” Dropbox account phishing was the top phishing attack by volume; these emails are some of the most successful at bypassing email defenses. The NJCCIC recommends never using links provided in unsolicited emails to visit websites requiring the input of account credentials. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. Additionally, enable multi-factor authentication where available to prevent unauthorized access as a result of credential compromise.

Announcement

National Critical Infrastructure Security and Resilience Month

The Nation's critical infrastructure provides essential services that underpin American society and sustain the American way of life. We know critical infrastructure as the power we use in our homes and businesses, the water we drink, the transportation systems that get us from place to place, the first responders and hospitals in our communities, the farms that grow and raise our food, the stores we shop in, and the Internet and communication systems we rely on to stay in touch with friends and family. The security and resilience of this critical infrastructure is vital not only to public confidence, but also to the Nation’s safety, prosperity, and well-being.

Critical Infrastructure Security and Resilience Month, observed in the month of November, builds awareness and appreciation of the importance of critical infrastructure and reaffirms the nationwide commitment to keep our critical infrastructure and our communities safe and secure. Securing the nation's infrastructure is a national priority that requires planning and coordination across the entire community.

The National Cybersecurity and Communications Integration Center provides resources and publications to assist critical infrastructure owners and operators in better protecting their systems and networks.

Threat Alert

Zero-Day Vulnerability in Cisco Products Could Cause DoS Condition

Threat actors are exploiting a zero-day vulnerability in Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense software to cause a denial-of-service (DoS) condition by triggering a device reboot. The vulnerability is present in the Session Initiation Protocol (SIP) inspection engine, which is enabled by default, and can be triggered by sending crafted SIP requests to the affected appliance. The flaw can be exploited remotely and without authentication. While there are currently no software updates to address the vulnerability, multiple mitigation options are available. The NJCCIC recommends reviewing the Cisco Security Advisory for more information, a list of vulnerable products, and available mitigation techniques.

Vulnerability Advisories

Side-Channel Vulnerability Could Be Exploited to Steal Data

A new side-channel vulnerability, dubbed PortSmash, uses a timing attack to steal information from other processes running on the same CPU core with SMT/Hyper-Threading enabled. SMT/Hyper-Threading is a technique that improves CPU efficiency by allowing two logical cores to run separate processes at the same time. Researchers used this attack to steal the private decryption key from an OpenSSL thread running on the same core as the exploit code. The researchers successfully exploited this vulnerability against Intel Skylake and Kaby Lake processors and expect it to also work against AMD Ryzen processors. The NJCCIC recommends reviewing the security advisory and white paper released by the researchers and upgrading to OpenSSL 1.1.1, applying the patch to other OpenSSL versions, or disabling SMT/Hyper-Threading in the BIOS.

Apache Struts 2.3.36 and Earlier Vulnerable to Remote Code Execution

Apache is advising users and administrators of Apache Struts 2.3.36 and prior to immediately upgrade to the latest version of the Commons FileUpload library, 1.3.3. A vulnerability exists that could allow a threat actor to perform remote code execution. Struts versions 2.5.12 and later are not affected, as they already use the latest version of the Commons FileUpload library. The NJCCIC recommends reviewing the Apache security advisory and immediately upgrading systems to Apache Struts 2.5.12 or later, or upgrading the Commons FileUpload library to version 1.3.3.

Vulnerabilities in Solid-State Drives Can Be Exploited to Decrypt Data

Researchers at Radboud University discovered vulnerabilities in solid-state drives (SSDs) that can be exploited to decrypt hardware-encrypted data without authentication by modifying the device firmware or using a debugging interface to modify the password validation routine. SSDs from popular vendors Crucial and Samsung were found vulnerable. Additionally, Microsoft’s BitLocker software encryption is also vulnerable as it defaults to hardware encryption if available. Crucial has released firmware updates for their affected SSDs, Samsung has released a notice and firmware updates for some of their affected SSDs, and Microsoft released an advisory with mitigations for BitLocker. The NJCCIC recommends reviewing the report from Radboud University for a list of affected products and vulnerability details, and updating the firmware for impacted SSDs where available.

XSS Vulnerability in Evernote Allows Local File Execution

Security researcher TongQing Zhu of Knownsec discovered a cross-site scripting (XSS) vulnerability in version 6.15 of Evernote for Windows that can be leveraged to run programs remotely on a victim’s computer. This version lacks proper data validation, allowing the insertion of <, >, and characters into the file name of an image embedded in a note. It also utilizes the Node.js framework through a NodeWebKit application runtime, allowing for JavaScript code execution when in presentation mode. As a result, a threat actor could embed a link that loads a malicious script in the file name of an image inside a note, and send the note to a victim. If the victim is persuaded to view the note in presentation mode, NodeWebKit will automatically execute the code, allowing it to open system programs and files. Evernote has patched the vulnerability in its 6.16.1 beta update. The NJCCIC highly recommends all Evernote for Windows users update to the latest version and review CVE-2018-18524.
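The root cause described above is markup built from an unvalidated file name. The following added example (not Evernote's code; the renderer and file names are hypothetical) contrasts a renderer that concatenates a raw image file name into an `<img>` tag with one that HTML-escapes it first, and includes a simple structural check that can serve as a regression test.

```javascript
// Added example, not from the original bulletin or from Evernote.
// Assumes a hypothetical note renderer that turns an image file name into markup.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that could close an attribute value or open a new tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable renderer: the raw file name lands inside the markup unchanged,
// so quotes and angle brackets in the name change the document structure.
function renderImageUnsafe(fileName) {
  return `<img src="images/${fileName}" alt="${fileName}">`;
}

// Hardened renderer: escape before interpolating, so the file name can only
// ever be text inside the attribute, never additional tags or attributes.
function renderImageSafe(fileName) {
  const safe = escapeHtml(fileName);
  return `<img src="images/${safe}" alt="${safe}">`;
}

// Structural check for tests: the renderer intends to emit exactly one tag.
// Any extra opening tag means untrusted input escaped the attribute.
function countOpeningTags(markup) {
  return (markup.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample file name containing the characters the advisory names.
const sampleFileName = 'pic"><i>note</i>.png';

console.log('unsafe tags:', countOpeningTags(renderImageUnsafe(sampleFileName))); // 3
console.log('safe tags:  ', countOpeningTags(renderImageSafe(sampleFileName)));   // 1
```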

Breach Notification
HSBC
HSBC bank has suffered a data breach, allowing threat actors to gain access to some customers’ information including account numbers, balances, addresses, and transaction history. Unauthorized actors accessed user accounts from October 4, 2018 to October 14, 2018, likely through credential stuffing attacks. HSBC suspended impacted accounts after detecting the activity and will contact users via email or phone to assist them in accessing their accounts and changing their online banking credentials. The breach reportedly affects about 1 percent of US HSBC accounts. HSBC is offering one year of credit monitoring and identity theft protection services.

Threat Profiles
Android: No new or updated variants were added.
Botnet: No new or updated botnets were added.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: No new or updated exploit kits were added.
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: One new variant: CoinTicker.
Point-of-Sale: No new or updated variants were added.
Ransomware: No new or updated variants were added.
Trojan: No new or updated variants were added.

Social Engineering Awareness
Why are Fake Elon Musk Bitcoin Scams Running Rife on Twitter Right now?
Comment: Recent cryptocurrency scams are again leveraging the identity of celebrities to promote fraudulent Bitcoin giveaways on Twitter – this time spoofing Tesla CEO Elon Musk. Threat actors obtained credentials of verified accounts (ones with blue checkmarks) and, in an effort to appear legitimate, used authentic profile photos, legitimate-looking display names, and retweeted authentic celebrity tweets. The compromised accounts tweeted out Bitcoin payment addresses and asked users to send in a small amount of Bitcoin in exchange for a random, larger amount that is never paid. These tweets were falsely promoted by Twitter’s ad service. More compromised accounts replied to the tweets noting successful transactions, trying to entice other users to fall for the scam. To determine whether an account is legitimate, verify the account is using the current, legitimate Twitter handle, and remember that online offers which look too good to be true probably are.
College Test Prep Scams are Happening
Comment: Scammers often capitalize on upcoming events to target victims and, with personal information exposed in data breaches, it is easier than ever to tailor spear-phishing emails for increased success. In this case, the scammers targeted the parents of students likely to take the PSATs and SATs. Using the student’s name, address, and phone number – pieces of information easily obtainable online – the scammer can make their claim appear more legitimate to the parents. Individuals are advised to never divulge their payment card or other sensitive information to an unsolicited or unexpected caller or email sender, and to research any company before purchasing goods or services from them. You can report scams to the FTC here.

Cyber at a Glance
Hackers Gear Up for the Holidays Too
Comment: As the popularity of online shopping continues to increase, so does the number of potential unsuspecting victims for cyber criminals to exploit. With the holiday season quickly approaching, shoppers must remain vigilant and take proactive steps to safeguard their personal and financial data. For suggestions on ways to reduce your risk and keep personal information secure this holiday season, review the NJCCIC post: Staying “Cyber Safe” While Shopping.

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
