NJCCIC Weekly Bulletin | September 12, 2019

THE WEEKLY BULLETIN
September 12, 2019
TLP: WHITE

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.
Urgency: A Common Tactic Used in Phishing Emails
Image Source: 2017-2018 NJ Cybersecurity Poster Contest 7th Grade National Winner
Threat actors employ a variety of tactics in social engineering schemes to convince users to divulge sensitive information, click a malicious link, or open a malicious attachment delivered in a phishing email. Conveying a sense of urgency is one of the most commonly used tactics. It is highly effective because a targeted user who acts quickly on the request is less likely to scrutinize the email. Perpetrators also make the phishing email appear to be part of a long chain of prior correspondence, leading the user to perceive it as legitimate. NJ State employees, as well as other local government workers in New Jersey, frequently receive such emails as part of large social engineering schemes. The threats State government employees face are commonly an indication of what other government workers, private sector employees, and private citizens are also encountering. The NJCCIC recommends all users educate themselves on phishing red flags and exercise caution before acting on emails that convey a sense of urgency, even those from known senders. User awareness is effective at reducing victimization via phishing emails and other social engineering tactics.

Announcements
Business Email Compromise: The $26 Billion Scam
The FBI released alert I-091019-PSA, an update to a previous Public Service Announcement (PSA) addressing Business Email Compromise (BEC) scams. This PSA includes new information, including statistics and threat types, gathered from complaints submitted to the FBI’s Internet Crime Complaint Center (IC3). To reduce the risk of attack via a BEC campaign, follow the FBI’s suggested protections, including educating employees on commonly used tactics, identifying scam emails, and updating processes and procedures to verify the validity of requests to transfer money or sensitive data.
 
CISA and FBI Release Reports on North Korean Malware
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released information on two malware variants, ELECTRICFISH and BADCALL, used by the North Korean government-associated advanced persistent threat (APT) group known as HIDDEN COBRA or Lazarus Group. Malware Analysis Reports AR19-252A and AR19-252B include technical details, such as indicators of compromise (IOCs), for BADCALL and ELECTRICFISH, respectively.
 
Ransomware Protection Strategies
The Cybersecurity and Infrastructure Security Agency (CISA) has observed an increase in ransomware attacks across the Nation. Helping organizations protect themselves from ransomware is a chief priority for CISA. Organizations are encouraged to review CISA's ransomware resources to help prevent, mitigate, and recover from ransomware.
Victims of ransomware should report it immediately to CISA, a local FBI Field Office, or a Secret Service Field Office.
 
Think Before You Post Campaign
The Federal Bureau of Investigation (FBI) has released an article on their Think Before You Post campaign, designed to educate students on the use of social media and how to avoid making poor choices when posting, texting, or emailing thoughts or grievances that could lead to disruptive behavior, including threats. The FBI article stresses that this type of online behavior could result in serious consequences to the individual as well as the community.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users to review the FBI article for information about the Think Before You Post campaign. CISA also recommends users review the CISA Tip on Identifying Hoaxes and Urban Legends for information on the potential dangers of viral emails. CISA encourages users to report suspicious activity to their local FBI field office and to FBI CyWatch at cywatch@fbi.gov. 

Industry Report
Proofpoint
The Proofpoint Human Factor 2019 Report details research collected over the last 18 months, including 2018 and the first half of 2019, and examines threat data taken from around the globe. Below are some key takeaways:
  • Email remains the top attack vector.
  • The threat landscape is increasingly “people-centric.”
  • “Very Attacked People” tend to be easily discovered identities or targets of opportunity.
  • Education, finance, and advertising/marketing had the highest average Attack Index (a measure of attack severity and risk) of all industries.
  • Generic email harvesting accounted for nearly 25 percent of phishing schemes in 2018, followed by Office 365 phishing.
  • The most effective phishing lure of 2018 was “Brain Food,” a scam used to harvest credit card data; lures impersonating cloud storage, DocuSign, and Microsoft cloud services were also highly effective over the reporting period.
  • Imposter attacks, such as business email compromise, significantly impacted engineering, automotive, and education industries.
  • Over 99 percent of emails distributing malware required some type of human intervention to be effective.
  • Domain fraud and abuse increased.

Threat Alert
Phishing Campaigns Target US Universities
Image Source: Proofpoint
At the beginning of the school year, threat actors actively target the education sector, particularly university environments, with phishing campaigns that impersonate library and student management portals. The threat actors distribute emails containing links or HTML attachments that direct targets to cloned university login portals hosted on lookalike domains with stolen branding, in order to manipulate users into disclosing their login credentials. Once credentials are submitted, the target is redirected to the genuine university login portal, which displays a failed login attempt, while the stolen credentials are sent to the threat actors. The NJCCIC recommends users refrain from clicking on links or opening attachments delivered with unexpected or unsolicited emails, including those from known senders. If the user is uncertain of an email's legitimacy, contact the sender via an alternate method. If credential compromise is suspected, users are advised to change credentials on all accounts that used the same login information and enable multi-factor authentication where available. For more technical details, please review the Proofpoint post.
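The lookalike-domain trick described above can be caught before a user clicks. The following is an added example, not code from the NJCCIC bulletin or from Proofpoint: it pulls every link out of a message body and classifies the hostname as trusted, lookalike, or unrelated. TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed for this example, with example.edu standing in for the real institution's domain, and the brand-in-hostname and edit-distance heuristics are this example's own choices, not Proofpoint's detection logic.

```python
"""
Added example, not code from the NJCCIC bulletin or from Proofpoint: scan an
email body for links whose host imitates a trusted university portal.
TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed for this example; example.edu
stands in for the real institution's domain.
"""
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.edu"}            # constructed allow-list

# Digits commonly swapped for letters in lookalike registrations (examp1e, l0gin).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squats such as exampel.edu."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_labels() -> set:
    """Second-level label of each trusted domain: 'example' for example.edu."""
    return {d.split(".")[-2] for d in TRUSTED_DOMAINS}


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a link's hostname."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted"
    # Undo digit-for-letter swaps and drop hyphens, so 'examp1e-edu.com'
    # is compared as 'exampleedu.com'.
    norm = host.translate(HOMOGLYPHS).replace("-", "")
    labels = norm.split(".")
    second_level = labels[-2] if len(labels) >= 2 else norm
    for brand in brand_labels():
        # Brand embedded anywhere in the name, e.g. library.example.edu.verify-now.com
        if brand in norm.replace(".", ""):
            return "lookalike"
        # Near-miss spelling of the brand as the registrable label
        if levenshtein(second_level, brand) <= 2:
            return "lookalike"
    return "unrelated"


def scan_email(body: str) -> list:
    """Return [(url, verdict), ...] for every link found in the message."""
    return [(url, classify_host(urlparse(url).hostname or ""))
            for url in URL_RE.findall(body)]


def suspicious_links(body: str) -> list:
    """Only the links a user should not follow from this message."""
    return [url for url, verdict in scan_email(body) if verdict == "lookalike"]


# Constructed sample resembling the campaigns described above.
SAMPLE_EMAIL = """Subject: Action required: library account suspension in 24 hours

Your library access will be disabled unless you confirm your login:
https://library.example.edu.account-verify.com/login
Alternate portal: https://examp1e-edu.com/sso
Help desk: https://library.example.edu/help
"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}")
```

The same classifier applies to hrefs extracted from an HTML attachment, which these campaigns also use. The brand-substring check is deliberately aggressive: with a short brand label it will flag unrelated domains, so tune the trusted list to the institution's actual portal hosts and treat a "lookalike" verdict as a reason to verify, not as proof.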

Vulnerability Advisories
Critical Remote Code Execution Flaw in Exim
A critical vulnerability was discovered in the Exim mail transfer agent (MTA), affecting versions 4.80 through 4.92.1. The flaw, CVE-2019-15846, can be triggered with specially crafted Server Name Indication (SNI) data during the initial TLS handshake or with a crafted client TLS certificate, allowing an unauthenticated remote actor to execute code on the mail server with root privileges; only servers that accept TLS connections are exposed. At the time of this writing, no exploitation in the wild had been reported; however, Qualys’ research team has a working proof-of-concept (PoC) exploit. The vulnerability was first reported by Zerons and analyzed by Qualys’ research team. The NJCCIC recommends Exim MTA users and administrators review the Exim advisory and the Bleeping Computer article and update to patched version 4.92.2. Administrators running distribution packages should confirm that their vendor has shipped the fix, since distributions often backport patches without changing the version number Exim reports.
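A quick way to triage a fleet is to collect the first lines of `exim -bV` from each host and compare them against the range in the advisory. The following is an added example, not code from the NJCCIC bulletin, the Exim project, or Qualys: it parses that banner, checks whether the version falls in 4.80 through 4.92.1, and checks whether the build lists a TLS library at all, since the bug is reached through the TLS handshake. The banners below are constructed for this example.

```python
"""
Added example, not from the NJCCIC bulletin, Exim, or Qualys: decide from the
output of `exim -bV` whether a host is in the version range named in the
advisory for CVE-2019-15846. The sample banners are constructed.
"""
import re

VULN_MIN = (4, 80, 0)   # inclusive range from the Exim advisory
VULN_MAX = (4, 92, 1)
FIXED = (4, 92, 2)

# First line of `exim -bV`: 'Exim version 4.92 #3 built 11-Jun-2019 20:07:04'
VERSION_RE = re.compile(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", re.MULTILINE)
# 'Support for: crypteq iconv() IPv6 GnuTLS ...' lists compiled-in features
SUPPORT_RE = re.compile(r"^Support for:(.*)$", re.MULTILINE)


def parse_exim_version(banner: str) -> tuple:
    """'Exim version 4.92 #3 ...' -> (4, 92, 0); 'Exim version 4.92.1 ...' -> (4, 92, 1)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no 'Exim version' line in banner")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def tls_built_in(banner: str) -> bool:
    """True when the 'Support for:' line names OpenSSL or GnuTLS. A build
    without either cannot negotiate TLS, so the crafted-SNI path is closed."""
    m = SUPPORT_RE.search(banner)
    return bool(m) and any(lib in m.group(1) for lib in ("OpenSSL", "GnuTLS"))


def assess(banner: str) -> dict:
    """Summarise exposure of one host from its `exim -bV` output."""
    version = parse_exim_version(banner)
    in_range = VULN_MIN <= version <= VULN_MAX
    tls = tls_built_in(banner)
    if not in_range:
        action = "version outside affected range"
    elif not tls:
        action = "affected version but no TLS library compiled in; upgrade anyway"
    else:
        action = "upgrade to %d.%d.%d; until then check tls_advertise_hosts" % FIXED
    return {"version": version, "affected_version": in_range,
            "tls_support": tls, "action": action}


# Constructed banners resembling `exim -bV` output on two hosts.
BANNER_VULNERABLE = """Exim version 4.92 #3 built 11-Jun-2019 20:07:04
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR SOCKS
"""
BANNER_FIXED = """Exim version 4.92.2 #1 built 05-Sep-2019 10:00:00
Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC
"""

if __name__ == "__main__":
    for name, banner in (("host-a", BANNER_VULNERABLE), ("host-b", BANNER_FIXED)):
        print(name, assess(banner))
```

A version match is a reason to investigate, not a verdict: distribution packages frequently carry the fix under the old version string, so confirm against the vendor's changelog, and remember that a build with TLS compiled in is only reachable through this bug if the running configuration actually advertises TLS (`exim -bP tls_advertise_hosts` shows the effective value).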
 
Vulnerabilities in GPS Trackers
Image Source: Avast
Researchers at Avast Threat Labs discovered vulnerabilities in about 600,000 GPS trackers used to monitor the location of a person or animal, such as a child, senior, or pet. The devices, including the T8 Mini GPS Tracker Locator and similar models from manufacturer Shenzhen i365 Tech, are low cost and small enough to hide easily. The vulnerabilities include a shared default password of “123456,” user ID numbers derived from the device’s IMEI (International Mobile Equipment Identity), which makes accounts easy to enumerate, and transmission of device data in plaintext. Exploiting these vulnerabilities could allow an attacker to monitor or modify sensitive traffic, including through a Man-in-the-Middle (MitM) attack. The NJCCIC recommends choosing GPS trackers with security built into the product’s design, including the ability to receive vendor updates that patch vulnerabilities, and changing default device passwords. Avast disclosed the vulnerabilities to the manufacturer but had not received a response at the time of this writing. We advise users to consider discontinuing use of these devices until patches become available. Please review the Avast article for more technical details.

Breach Notification 
Monster
A web server belonging to an unnamed recruitment customer of the online employment service Monster exposed US job applicants' resumes and CVs dating from 2014 to 2017. The exposed data may include phone numbers, home addresses, email addresses, and prior work experience. The server was secured in August 2019. Monster did not notify affected users of the third-party breach because it considers the exposed data to be owned by its customers.

Threat Profiles 
Android: One updated variant: LokiBot
ATM Malware: No new or updated variants were added.
Botnet: No new or updated variants were added. 
Cryptocurrency-Mining: No new or updated variants added. 
Exploit Kit: No new or updated variants were added.
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: No new or updated variants were added.
Trojan: No new or updated variants were added.

ICS-CERT Advisories
3S-Smart Software Solutions GmbH CODESYS Control V3 Online User Management
3S-Smart Software Solutions GmbH CODESYS Control V3 OPC UA Server
3S-Smart Software Solutions GmbH CODESYS V3 Library Manager
3S-Smart Software Solutions GmbH CODESYS V3 Products Containing a CODESYS Communication Server
3S-Smart Software Solutions GmbH CODESYS V3 Web Server
BD Pyxis
Delta Electronics TPEditor
Mitsubishi Electric Europe B.V. smartRTU and INEA ME-RTU (Update A)
OSIsoft PI SQL Client
Philips IntelliVue WLAN
Red Lion Controls Crimson
Rockwell Automation Allen-Bradley PowerMonitor 1000 (Update A)
Rockwell Automation Arena Simulation Software (Update A)
Siemens IE-WSN-PA Link WirelessHART Gateway
Siemens Industrial Products
Siemens SIMATIC PCS7, WinCC, TIA Portal (Update C)
Siemens SIMATIC TDC CP51M1
Siemens SIMATIC WinCC and PCS7 (Update B)
Siemens SINETPLAN
Threat Analysis

Social Engineering Awareness
Over $37 Million Lost by Toyota Boshoku Subsidiary in BEC Scam
Comment: BEC scams cost organizations at least hundreds of millions of dollars per year in losses. One of the best ways to prevent BEC attacks is to implement processes and procedures that require multiple levels of approval to issue wire transfers, verifying through an independent channel that the requesting party and the bank account information are legitimate. In addition, organizations are encouraged to implement Domain-based Message Authentication, Reporting and Conformance (DMARC) to help prevent spoofing of their own email domain. Note that DMARC does not stop messages sent from lookalike domains, from free webmail accounts with a forged display name, or from a legitimate mailbox the attacker has compromised, so the approval process remains the primary control.
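Publishing a DMARC record is not the same as enforcing one: a record with p=none, a partial pct, or a weaker subdomain policy still lets spoofed mail through. The following is an added example, not code from the NJCCIC bulletin or the FBI PSA: it parses a DMARC TXT record and lists the settings that leave the domain spoofable, with a weak record beside the corrected one. Both records and the reporting address are constructed for this example.

```python
"""
Added example, not from the NJCCIC bulletin or the FBI PSA: audit a DMARC TXT
record for settings that leave the organisation's own domain spoofable.
WEAK_RECORD and STRONG_RECORD are constructed; example.com is a placeholder.
"""
POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lower-cased tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(txt: str) -> list:
    """Return a list of findings; an empty list means the record fully enforces."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record: receivers apply no policy to spoofed mail"]
    findings = []
    p = tags.get("p", "").lower()
    if p not in POLICY_STRENGTH:
        findings.append("p= tag missing or invalid; receivers ignore the record")
        p = "none"
    elif p == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine routes spoofs to spam; move to p=reject once reports are clean")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append("pct=%d: policy applied to only %d%% of failing mail" % (pct, pct))
    # sp= governs subdomains and defaults to p=; a weaker sp= leaves
    # hr.example.com or payments.example.com spoofable.
    sp = tags.get("sp", p).lower()
    if POLICY_STRENGTH.get(sp, 0) < POLICY_STRENGTH[p]:
        findings.append("sp=%s is weaker than p=%s: subdomains remain spoofable" % (sp, p))
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


# Constructed records: the monitoring-only starting point and the enforcing target.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, audit_dmarc(record) or ["enforcing"])
```

Move from p=none to p=reject only after the aggregate reports show that every legitimate sender (payroll, ticketing, marketing platforms) passes SPF or DKIM alignment; otherwise the reject policy will drop your own mail. And since DMARC covers only the exact domain in the From header, it is a complement to the multi-party approval process for payments, not a replacement for it.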

 
When Corporate Communications Look Like a Phish
Comment: Despite security awareness training and phishing simulations, some employees may still have difficulty telling phishing emails from legitimate ones. Oftentimes, legitimate corporate communications exhibit typical phishing indicators, such as unknown senders or requests to transfer money for vendor services. Organizations are encouraged to make genuine communications recognizable to the intended user (familiar senders and context the recipient expects) and to refrain from building phishing simulations from real corporate templates, which teaches employees to distrust legitimate messages.

Cyber at a Glance
Supply Chain Security: Five IT Strategies For Choosing Vendors Wisely
Comment: Many organizations use third-party vendors and thereby inherit those vendors’ vulnerabilities, expanding the organization’s attack surface and increasing its risk. Critical steps to ensure supply chain security include conducting vendor assessments; making cybersecurity training a routine requirement; creating baseline guidelines, policies, and controls; verifying compliance; understanding how data at rest and in transit is handled; and identifying and remediating risk.

 
The information contained in this product is marked Traffic Light Protocol (TLP): WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction. 

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
 
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
