NJCCIC Weekly Bulletin | March 21, 2019

THE WEEKLY BULLETIN
March 21, 2019
TLP: WHITE

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.

BEC Campaign Attempts to Change Direct Deposit Information

The NJCCIC has received numerous incident reports from educational organizations around the State impacted by various business email compromise (BEC) campaigns involving direct deposit scams. Unlike broad phishing scams, BEC campaigns are a highly targeted form of social engineering. Threat actors commonly spoof the display name or email address of a familiar contact, use email domains that mimic a trusted source, or compromise a legitimate business account. The body of these messages often instructs the recipient to transfer funds or send other sensitive information to the threat actor, or to update paycheck direct deposit information to an account the threat actor controls. The threat actor typically purports to be away from their desk and sending from a mobile device; the message conveys a sense of urgency and often contains poor spelling and grammatical errors. The NJCCIC highly recommends users refrain from forwarding or responding to these messages, and instead verify the source and instructions of any monetary transaction or request for sensitive data received via email through a separate means of communication. We advise users to view our publication Don’t Be Fooled: Ways to Prevent BEC Victimization for additional tips and information about BEC campaigns.
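As an added illustration of the indicators described above (this is example code written for this bulletin, not an NJCCIC tool), the following Python checks one raw email against a constructed contact directory for a spoofed display name, a lookalike sender domain, a direct deposit or payment change request, and an urgency or mobile pretext. The contacts, domains, keyword lists and sample messages are all hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed contact directory and trusted domains for a hypothetical organization.
KNOWN_CONTACTS = {"jane doe": "jane.doe@example-school.edu"}
TRUSTED_DOMAINS = {"example-school.edu"}
PAYMENT_TERMS = ("direct deposit", "routing number", "wire transfer", "update my bank")
URGENCY_TERMS = ("urgent", "asap", "today", "away from my desk", "on my phone")

# Constructed sample messages (not real incident data).
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e-school.edu>
Subject: Urgent direct deposit change

Hi, I am away from my desk and on my phone. Please update my direct deposit today.
"""
LEGIT = """From: Jane Doe <jane.doe@example-school.edu>
Subject: Lunch menu

The cafeteria menu for next week is attached.
"""

def edit_distance(a, b):
    # Levenshtein distance, used to spot domains that mimic a trusted one (e.g. "1" for "l").
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw_message):
    # Return the list of BEC indicators found in one raw RFC 822 message (non-multipart).
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    findings = []
    known = KNOWN_CONTACTS.get(name.strip().lower())
    if known and known != addr:
        findings.append("display name of a known contact with a different address")
    if domain not in TRUSTED_DOMAINS and any(edit_distance(domain, d) <= 2 for d in TRUSTED_DOMAINS):
        findings.append("lookalike domain: " + domain)
    if any(t in text for t in PAYMENT_TERMS):
        findings.append("payment or direct deposit change request")
    if any(t in text for t in URGENCY_TERMS):
        findings.append("urgency or mobile/away-from-desk pretext")
    return findings
```

A message that trips several indicators at once is a candidate for the out-of-band verification the bulletin recommends, not for automatic action.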

Announcements
 
Girls Go Cyberstart Cybersecurity Competition 
The Girls Go CyberStart competition started March 20th, offering high school girls in 27 states the opportunity to explore cybersecurity through a free interactive event featuring digital puzzles and challenges.
There is a huge shortage of cybersecurity experts in the US. Girls Go CyberStart encourages high school girls to explore the exciting career opportunities in the field, join the global cybersecurity community, and learn skills that will ensure our country offers a safe place to live, work, and play online.
In just the first day of competition, over 2,200 girls signed up and started cracking cryptography, spotting web vulnerabilities, and scripting code. New Jersey girls made us especially proud, taking the #3 spot in most girls registered in a state! 
We invite you to watch and monitor the rankings here and think about who you know (girls, schools, or teachers) who could benefit from Girls Go CyberStart. Please let them know registration for Phase 1 is open until April 12 at http://girlsgocyberstart.org.

NJCCIC Website User Experience

The NJCCIC needs your help! We are looking to improve your experience using our website, so we would love to get your feedback. As a member of the NJCCIC, you are one of our most valuable assets. So we want our online presence to be as intuitive and user-friendly as possible. By taking our survey, you’re providing us with valuable information that we can use to tailor our web presence to your needs! To share your thoughts, click here and complete our questionnaire!

Threat Alerts 

New GlitchPoS Malware Targets Point-of-Sale Terminals

Image Source: Talos Intelligence
Cisco Talos recently discovered GlitchPoS (Point-of-Sale) malware available for purchase on a crimeware forum. The payload is small, containing only a few functions, and connects to a command and control (C2) server that sends instructions to the malware. PoS malware is generally deployed on retailers' websites and retail PoS terminals with the goal of capturing customer payment information. Threat actors may use this malware to obtain credit card numbers and either immediately sell this information to other threat actors or use it for their own financial gain. PoS terminals are often overlooked as security risks and have become a soft target for threat actors. The developer of GlitchPoS is also assessed to have been the creator of the DiamondFox L!NK botnet used in the 2015-2017 attacks. The NJCCIC recommends businesses using PoS software implement network security appliances, malware protection, and secure internet gateways that can detect malicious activity.

Hackers Use Recent Disaster to Spread Malware

Image Source: Bleeping Computer
Threat actors are using recent tragedies to distribute malware via spam emails. The emails claim knowledge of leaked information from the dark web pertaining to “possible airlines that will go down soon,” and request that users forward the email and attachment to loved ones. If the attached Java archive (JAR) file is opened, it executes the Houdini Remote Access Trojan (H-WORM RAT) as well as Adwind, a backdoor capable of stealing user information. The NJCCIC strongly recommends users refrain from both forwarding unsolicited emails and clicking on any links or attachments in these emails. More information about this malspam campaign can be found in Bleeping Computer’s blog post.

Scammers Target Christchurch Terror Attack Donations

Image Source: Newshub
Westpac Bank is warning the public about a phishing scam bearing the bank’s logo and targeting those who wish to donate to the victims of the recent terror attack in Christchurch, New Zealand. Hovering over the link in the email reveals a website called “mothersawakening” and a fraudulent account number for donations. The correct account number is listed in the Newshub article. The national Computer Emergency Response Team (CERT) warned about other scams and cyber attacks associated with this tragedy: phishing emails containing links to fake online banking log-ins, sharing of malicious video files on compromised websites or on social media, threat actors defacing websites to spread political messages, and websites receiving threats of denial-of-service attacks. The NJCCIC advises users to refrain from responding to or clicking on unsolicited links, and instead navigate directly to official company websites when donating.

New Sextortion Scam Accuses Victim of Pedophilia

Image Source: Sophos
A new sextortion email scheme has surfaced, claiming to hold incriminating evidence of pedophilia against the potential victim. The threat actor, masquerading as a CIA officer willing to accept a bribe, asks the potential victim to pay them in bitcoin and in return promises to expunge records related to child pornography. The scam may include personal information in an attempt to make the claim appear legitimate. The potential targets of this scam tend to be either wealthy or well-known and concerned for their reputation. The NJCCIC advises any recipients of this and similar emails to refrain from providing a response or sending any money and, instead, delete the email. We also recommend educating others about this and similar scams to reduce victimization. More information about this scam can be found in the Sophos blog post.

Vulnerability Advisories 

Extracting BitLocker Keys From a TPM

Windows uses BitLocker to encrypt drives with two protectors, the Trusted Platform Module (TPM) and the Recovery Key. A researcher from Pulse Security recently demonstrated that the encryption key can be extracted by hard-wiring into the TPM chip and sniffing its communications over the LPC bus, using either a logic analyzer or a cheap FPGA board. This extraction method requires physical access to the device and results in the device’s destruction due to the hard-wiring. The NJCCIC recommends users review the research article and Microsoft’s BitLocker Countermeasures for more technical details. We highly encourage users to ensure pre-boot authentication is enabled and to restrict physical access to devices, especially those holding highly sensitive or valuable information.

Severe Security Bug In PHP Library Used in PDF Files

Image Source: ZDNet
Secarma researcher Sam Thomas was the first to identify the severe security flaw impacting TCPDF, one of the “big three” PHP PDF libraries. TCPDF is a free and open-source (FOSS) PHP library that allows users to create PDF files. “Polict” recently discovered a variant of this vulnerability, which can be exploited either on websites that allow the user to generate PDFs or on websites that contain cross-site scripting (XSS) weaknesses. Malicious code could then be planted in data that is fed to the TCPDF library when creating the PDF. TCPDF is used in a multitude of places including content management systems (CMS), plugins, CMS themes, enterprise intranets, and invoicing solutions. The NJCCIC recommends patching systems as updates become available. More technical details on TCPDF can be found in Polict’s blog post and ZDNet’s blog post.

Breach Notification
 
Sizmek 
The online advertising firm Sizmek Inc., the third-largest ad server network in the world, recently suffered a data breach. A cybercriminal was discovered selling access to a basic user account on a Russian-language dark web criminal forum. The account, however, was able to modify ads, offers, and marketing analysis for several well-known business brands in the US. This access could leave the site exposed to sabotage and its users subject to possible malware. It appears that the threat actor targeted accounts of key employees and infiltrated accounts of past employees, vendors, and partners that had not been disabled. Two frequently used methods of compromise are password spraying and “brute-force light” attacks. Sizmek CEO Mark Grether stated that appropriate physical, technical, and administrative safeguards have been implemented, ensuring that the protocol issue has been corrected.

Threat Profiles
 
Android: No new or updated variants were added.
Botnet: No new or updated botnets were added.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: No new or updated exploit kits were added.
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: No new or updated variants were added.
Trojan: Two updated variants: Cardinal, Trickbot.

ICS-CERT Advisories
Throwback Thursday
Be Sure to Secure
Threat Analysis
Patches
Cisco | Drupal | Intel | Microsoft | Mozilla (1, 2) | VMware (1, 2)

Social Engineering Awareness
Inside Security: Plan For That One Unintended Click
Comment: Security awareness training against phishing attacks has its limitations, since an organization is only as strong as its weakest link. Therefore, it is important to enable multi-factor authentication where available through the use of physical tokens, mobile applications, or one-time passcodes sent via SMS. In addition, proper security controls are recommended, such as least-privileged access, role-based access, and network segmentation.
Current Phishing Defense Strategies and Execution Are Not Hitting the Mark
Comment: The article on phishing defense and governance finds that simulations and other active, knowledge-based tools are not common components of many organizations’ employee phishing awareness and training programs. Assessments of the skills needed to validate user behavior modification (through phishing simulations), evaluations of the quality of incoming information, and the establishment of clear goals that can be tracked for improvement are key to improving an organization’s phishing defense. Human risk is reduced significantly through security awareness and phishing simulation training, lowering the number of breaches and costly security incidents an organization may face.
Business Email Compromise (BEC) Attacks Moving to Mobile
Comment: BEC campaigns are typically conducted via email and target specific victims. However, threat actors are now initially requesting the user’s mobile phone number via email and then moving the conversation to SMS messaging, which makes it easier to get victims to complete various quick tasks. User awareness training and confirming the legitimacy of requests are key to preventing attacks and loss.

Cyber at a Glance
You Left WHAT On That USB Drive?!
Comment: Many second-hand USB memory sticks sold have been found to hold a plethora of recoverable, sensitive data, allowing previous owners to be easily identified. Research suggests that most people are uneducated on data erasure techniques and unaware of the risks associated with leaving data on these devices. A common misconception is that dragging files to the trash fully erases the data, but that data can be recovered with minimal effort. Proper security hygiene involves overwriting the storage area where the data resides to help prevent future data leaks.
Why Phone Numbers Stink as Identity Proof
Comment: Phone numbers have increasingly been used as a single point of authentication to verify the identity of account holders. However, this ease-of-access feature forsakes security. Multiple factors could allow a phone number to be compromised, such as divorce, late phone payments, subscriber identity module (SIM) swapping attacks, and recycled numbers. Allison Nixon, director of security research at Flashpoint, a New York City-based cyber intelligence firm, revealed multiple examples of potential compromise. She emphasized why phone numbers, which are publicly available and not assigned to an individual for a lifetime, pose a substantial security risk.

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
 
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
