NJCCIC Weekly Bulletin | September 5, 2019

THE WEEKLY BULLETIN
September 5, 2019
TLP: WHITE

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.
Incident Reports of Targeted BEC Campaigns Continue
The NJCCIC continues to receive numerous incident reports from organizations around the State impacted by various business email compromise (BEC) campaigns, such as direct deposit scams and real estate wire transfer scams. Unlike generic phishing scams, BEC campaigns are a highly targeted form of social engineering, oftentimes incorporating preliminary reconnaissance on potential victims. To make email messages appear more legitimate and believable, malicious actors commonly spoof the source name and/or email address of a familiar contact, use email domains that mimic a trusted source, or compromise a legitimate business account. The body of these messages often portrays a sense of urgency and instructs the recipient to transfer funds or other sensitive information to the malicious actor, or to update paycheck direct deposit information to the malicious actor’s account. The NJCCIC recommends users refrain from forwarding or responding to these messages, and instead verify the source and instructions of any monetary transaction or request for sensitive data received via email through a separate means of communication. We also encourage users to view our publication Don’t Be Fooled: Ways to Prevent BEC Victimization for additional tips and information about BEC campaigns and how to reduce victimization.
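The two spoofing patterns described above (a familiar display name on an outside address, and a sender domain that mimics a trusted one) can be screened for automatically at the mail gateway. The following is an added example, not NJCCIC code; the organization domains, contact list, confusable-character table and headers it uses are all constructed assumptions for illustration.

```python
# Added example (not from the NJCCIC bulletin): flag From: headers showing BEC spoofing patterns.
from email.utils import parseaddr

# Hypothetical organisation data: its own trusted domains and well-known contacts.
TRUSTED_DOMAINS = {"example-corp.com", "payroll-vendor.example"}
KNOWN_CONTACTS = {"jane doe": "example-corp.com"}  # display name -> expected domain
# Character swaps commonly used to build lookalike domains (constructed table).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

def normalize(domain: str) -> str:
    """Collapse confusable sequences so lookalike domains compare equal."""
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d

def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # Skip a character from the longer string, or from both if equal length.
        i += len(a) >= len(b)
        j += len(b) >= len(a)
    return edits + (len(a) - i) + (len(b) - j) <= 1

def assess_from_header(from_header: str) -> list[str]:
    """Return warning reasons for a raw From: header value (empty list = clean)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    if domain in TRUSTED_DOMAINS:
        return reasons  # exact trusted domain; spoofing of it is DMARC's job, not this check's
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and domain != expected:
        reasons.append(f"display name '{name}' expected at {expected}, got {domain}")
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or within_one_edit(domain, trusted):
            reasons.append(f"domain {domain} mimics trusted domain {trusted}")
    return reasons
```

A message that trips either check should be routed to the separate-channel verification the bulletin recommends rather than silently dropped, since a compromised legitimate account produces no warning here at all.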

Announcement
Potential Hurricane Dorian Cyber Scams
The Cybersecurity and Infrastructure Security Agency (CISA) warns users to remain vigilant for malicious cyber activity targeting Hurricane Dorian disaster victims and potential donors. Fraudulent emails commonly appear after major natural disasters and often contain links or attachments that direct users to malicious websites. Users should exercise caution in handling any email with a hurricane-related subject line, attachment, or hyperlink. In addition, users should be wary of social media pleas, texts, or door-to-door solicitations relating to severe weather events.
To avoid becoming victims of malicious activity, users and administrators should review the following resources and take preventative measures:
If you believe you have been a victim of cybercrime, file a complaint with the Federal Bureau of Investigation Internet Crime Complaint Center at www.ic3.gov.

Industry Report
FireEye
The FireEye Beyond Compliance: Cyber Threats and Healthcare report explores the theft of data and disruptive and destructive threats to healthcare organizations. Below are some key takeaways:
  • Healthcare organizations have a critical need for consistent, near real-time access to information and patient data.
  • Financially motivated threat actors pose a high-frequency, high-impact threat to the healthcare sector.
  • Personally Identifiable Information (PII), Protected Health Information (PHI), financial data, and access to critical systems are targeted for intelligence collection purposes, further reconnaissance, and cyber-attacks.
  • Valuable intellectual property data at research and development organizations is vulnerable to economic espionage via cyber-attacks.
  • Cyber-attacks lead to credential theft, malware distribution, cryptomining, and sale of compromised access to healthcare systems.
  • Ransomware or extortion campaigns can limit access to patient or health information, or disrupt critical care, increasing the likelihood a healthcare organization will pay a ransom demand.
  • Cryptomining malware increases processing and network load, decreases system stability, and possibly decreases the infected devices’ lifespan.
  • Medical Cyber Physical Systems (MCPS) or biomedical devices are increasingly connected to networks and accessed remotely.
  • The attack surface expands with the introduction of healthcare-focused Internet of Things (IoT) devices, such as inventory-tracking “smart” storage, remote patient monitoring and tracking systems, and remote data access devices.

Threat Alerts
Multiple Websites Delivered Exploits to iPhones for Years
Security researchers at Google’s Project Zero discovered several malicious websites that had been hijacked and used to distribute exploits to iPhone users for nearly three years. The targeting was indiscriminate, delivering a monitoring implant to any iPhone visitor without any user interaction. The researchers estimate that the sites received thousands of visitors per week. The five exploit chains targeted 14 iOS vulnerabilities in iOS versions 10.x, 11.x, and 12.x. The implants could allow a threat actor to steal data from iMessages, photos, and GPS location in real time; however, rebooting the infected device would remove the malware. After receiving a notification from Project Zero, Apple distributed iOS 12.1.4 in an out-of-band update on February 7, 2019. The NJCCIC recommends iOS users keep their devices up-to-date with the latest patches and review the Project Zero post for more information.
 
Ransomware Leaves Hundreds of Dental Practices’ Data Inaccessible
PerCSoft, a cloud management provider for Digital Dental Record, which runs the data backup service DDS Safe used by hundreds of dental offices in the US, recently fell victim to a ransomware attack. The attack, which occurred on August 26, rendered sensitive data, including medical records, charts, and insurance documents, inaccessible for approximately 400 dental practices. Reporting indicates PerCSoft was hit with the Sodinokibi variant and that the company chose to pay the ransom demand. The decryptor was shared with the impacted companies to recover their encrypted files; however, at the time of this writing, some offices claim they were unable to restore all files. The NJCCIC discourages victims from paying ransom demands if impacted by a ransomware infection and instead encourages them to ensure they have a comprehensive data backup plan in place. Organizations are advised to implement a defense-in-depth cybersecurity strategy and follow the principle of least privilege. For more information, please review the Digital Dental Record update, the KrebsOnSecurity article, and the NJCCIC product, “Ransomware: Risk Mitigation Strategies.”
 
Web Clickjacking Fraud Makes a Comeback
Clickjacking has been around for more than a decade, taking various forms and using various techniques. Web clickjacking uses elements on a web page for a hidden purpose, often to trick users into clicking on an advertisement. The techniques employed continue to evolve with the use of JavaScript. Three different methods were found: interception by hyperlinks, interception by event handlers, and interception by visual deception. Some websites work with third-party scripts to hijack user clicks for monetization. The NJCCIC recommends users refrain from clicking on suspicious advertisements, links, or other elements within websites and keep all hardware, software, and anti-virus/anti-malware updated. We also advise users to review the OWASP website and the Sophos article for more information on clickjacking.

Vulnerability Advisory
Supermicro BMCs Vulnerable to Compromise
Eclypsium researchers discovered vulnerabilities in the baseboard management controller (BMC) firmware of Supermicro motherboards. The vulnerabilities, dubbed “USBAnywhere,” are found in the BMC’s virtual USB feature, which permits system administrators to plug a USB device into their own computer and have it appear as a virtual USB device connected to a remotely managed system. This allows data to be transferred from the local USB device to the remote system. Researchers found several flaws in the authentication used by the application. By exploiting one of the flaws, a threat actor could interact with the BMC without proper credentials, and potentially boot the machine from a malicious USB image, exfiltrate data to the USB device, or engage in other attacks against the BMC or the server it manages. Threat actors can initiate attacks remotely by scanning for BMCs with an open TCP port 623. A scan by the researchers determined that between 47,000 and 55,000 Supermicro BMCs are exposed online and in danger of exploitation. The NJCCIC recommends users and administrators of Supermicro BMCs install available patches as soon as possible and place BMCs in a private network not exposed to the internet. More information on the USBAnywhere vulnerabilities can be found in the Eclypsium blog post.

Threat Profiles
Android: No new or updated variants were added.
ATM Malware: No new or updated variants were added.
Botnet: No new or updated variants were added.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: No new or updated variants were added.
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: No new or updated variants were added.
Trojan: No new variants. One updated: Astaroth.


Social Engineering Awareness
Phishers Are Angling For Your Cloud Providers
Comment: Many companies are outsourcing to cloud-based providers for their business needs. Companies grant third-party vendors a high level of trust with their data; therefore, malicious actors target these vendors in order to compromise accounts, gain unauthorized access to client data, and use that access to conduct targeted phishing campaigns. This threat reinforces the importance of implementing appropriate processes and controls when doing business with third parties, including cloud service providers.
BEC Overtakes Ransomware and Data Breaches in Cyber-Insurance Claims
Comment: Business Email Compromise can be a very costly incident for an organization, particularly for small and medium-sized businesses. To significantly reduce the risk of falling victim to a BEC scam, enable multi-factor authentication for all accounts that offer it, favoring authentication apps and hardware tokens over SMS or email-based codes, to reduce the risk of account compromise; apply Domain-based Message Authentication, Reporting, and Conformance (DMARC) to mitigate email spoofing; and establish processes and procedures that require multiple layers of approval for the transfer of money.
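DMARC only mitigates spoofing when the published record actually enforces a policy; a record with p=none merely monitors. The following added example (not NJCCIC code) parses the tag=value form of a DMARC TXT record and reports the weaknesses a domain owner should fix; the sample records are constructed, and in practice the record is read from the _dmarc TXT entry of the domain.

```python
# Added example (not from the NJCCIC bulletin): rate the strength of a DMARC TXT record.
ENFORCING = {"quarantine", "reject"}
POLICIES = ENFORCING | {"none"}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; raise if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("p= tag missing or invalid")
    return tags

def rate_dmarc(record: str) -> dict:
    """Return the effective policy plus the weaknesses a domain owner should fix."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to the value of p (RFC 7489)
    pct = int(tags.get("pct", "100"))            # pct defaults to 100
    issues = []
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if sub_policy not in ENFORCING:
        issues.append(f"subdomains are not protected (sp={sub_policy})")
    if pct < 100:
        issues.append(f"only {pct}% of failing mail is subject to the policy")
    if "rua" not in tags:
        issues.append("no rua= address, so aggregate reports of spoofing are never received")
    enforcing = policy in ENFORCING and sub_policy in ENFORCING and pct == 100
    return {"policy": policy, "sp": sub_policy, "pct": pct,
            "enforcing": enforcing, "issues": issues}
```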

Cyber at a Glance
Rash of Ransomware Continues With 13 New Victims—Most of Them Schools
Comment: The recent ransomware attacks against local governments were followed by an increase in attacks against educational institutions. School districts are a prime target due to low budgets for technology, resources, and staffing. These attacks can be very costly when accounting for losses due to recovery and restoration, as well as any ransom demands paid.

 
The information contained in this product is marked Traffic Light Protocol (TLP): WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction.

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
 
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
