The NJCCIC frequently detects phishing campaigns attempting to compromise Microsoft Office 365 accounts. These accounts are often targeted due to their access to sensitive data and additional applications. Researchers recently reported on a new phishing campaign that claims to come from the “Office 365 Team” warning the user that their account is going to be deleted unless the request is cancelled within the hour. This new campaign employs the old tactic of creating a sense of urgency to convince users to take risky actions, such as clicking on a link in an unexpected email. Once clicked, the link directs the user to a fraudulent Microsoft Office Support Account Update page that prompts the user to sign into their account in order to cancel the request. Once the user’s credentials are entered and submitted, they are sent to the threat actors and the user is redirected to a landing page with a “thanks!” message. The login and other landing pages were created using Excel Online. The NJCCIC highly recommends users avoid clicking on any links contained in unexpected or unsolicited emails. If the user is uncertain of the email’s legitimacy, contact the sender via an alternate method. We advise users to refrain from responding to the email as this confirms delivery of the phishing email to the threat actor. More information can be found in the Bleeping Computer article.
Announcement
Girls Go Cyberstart Cybersecurity Competition
The Girls Go CyberStart National Championships is happening this week. Over three days, from June 5-7, there will be 120 teams across the country vying for the State and National prizes. New Jersey has 13 teams of girls competing – let’s cheer them on!
The leaderboard for the Girls Go CyberStart National Championship is available online and they will play until 6:59pm on June 7. Go Jersey cyber girls!
School Name
Absegami High School
Bergen County Academies
Communications High School
Egg Harbor Township High School
Freehold Borough High School
High Technology High School
Lakeland Regional High School
Livingston High School
Red Bank Regional High School
Stuart Country Day School
The Hun School of Princeton
Warren Hills Regional High School
Westfield Senior High School
Team Name
Absegami Javadoc Juveniles
Bergen County Academies - GGCS
CHS Cyber Club
EHT Cyber Club
FHS Girls Go Cyber
HTHS GirlsGo Cyber Club
Lakeland Regional High School Cyber Club
SuperCyberGirls
RBRHS
Stuart
The Hun School CS
CS@WH
WHS Coding With A Cause
Threat Alert
Cryptocurrency Users Targeted in Recent SIM Swapping Attacks
Several cryptocurrency users were recently impacted by SIM swapping attacks. SIM swapping is conducted by threat actors to gain access to a target’s SMS text messages in order to circumvent multi-factor authentication (MFA). This most recent wave of SIM swapping attacks occurred against US-based cryptocurrency users. The NJCCIC advises all users to establish account PINs with their mobile phone providers to prevent individuals without that PIN from making changes to their account. While criminals are successfully circumventing MFA in some cases, it is still one of the best security options users can enable to prevent account compromise. More information on the SIM Swapping attacks can be found in the ZDNet article, and more information about MFA can be found in the NJCCIC This is Security post.
Vulnerability Advisories
Microsoft and NSA Issue Warnings for BlueKeep Vulnerability
Just weeks after patching a vulnerability, dubbed BlueKeep, in legacy versions of Windows operating systems, Microsoft issued a second warning urging users and administrators to update their systems as soon as possible. It was revealed that nearly one million unpatched devices are connected directly to the internet, making them easy to target. On June 4, the National Security Agency (NSA) issued a similar warning. The vulnerability, CVE-2019-0708, is a flaw within Remote Desktop Services and affects Windows Server 2008 and Windows Server 2008 R2, Windows 7, Windows Vista, Windows Server 2003, and Windows XP. These warnings were issued in an effort to avoid a WannaCry-like incident, as the vulnerability could be modified to self-propagate. The NJCCIC recommends users and administrators update impacted Microsoft Windows systems as soon as possible.
Exim Servers Vulnerable to Remote Command Execution Flaw
Researchers at Qualys discovered a remote command execution vulnerability, CVE-2019-10149, that affects Exim, a mail transfer agent which, as of June 2019, runs on over half of all mail servers visible on the internet. The vulnerability affects installations of version 4.87 to 4.91 and could allow a remote or local threat actor to run commands on the Exim server as root and take over systems. The NJCCIC recommends administrators update their Exim servers to version 4.92, released in February 2019. More information can be found in the Qualys security advisory.
FPGA Chip Vulnerability Affecting Cloud Services and IoT
Image Source: Help Net Security
Researchers from the Karlsruhe Institute of Technology (KIT) discovered a vulnerability in field-programmable gate arrays (FPGAs) impacting the security of cloud services and Internet-of-Things (IoT) applications. FPGAs are programmable computer chips that can assume every function of another computer chip. Their fields of application include smartphones, networks, the Internet, medical engineering, vehicle electronics, and aerospace. They are known to be secure and ideal for cloud service provider server farms due to their low current consumption. However, the concurrent use of the FPGA chip allows threat actors to conduct side-channel attacks and use the energy consumption of the chip to access data, allowing them to break encryption or crash the chip altogether, resulting in data loss. Similar issues may exist for other computer chips. At the time of this writing, restricting immediate access to the FPGAs can help minimize the risk of attack, though this can be challenging. The NJCCIC recommends patching systems as updates become available. More technical details on the impact of this vulnerability can be found in the Technology Network article and the IACR research paper.
Breach Notifications
Checkers and Rally’s
Checkers and Rally’s disclosed a breach of its point-of-sale systems at over 100 restaurant locations. Many of the systems were infected in 2018 and 2019; however, some infections date back as far as 2016. Most systems were cleaned in April 2019 after the infection was detected. The criminals were able to access payment card numbers, card verification codes, and expiration dates. Patrons who paid for items at any of the affected locations during the compromised dates are highly advised to review their financial statements and notify their banks of any unauthorized charges, and consider requesting a new card. More information can be found in Checker’s Notice of Data Breach.
American Medical Collection Agency
The American Medical Collection Agency (AMCA) discovered that an outsider infiltrated its web payment systems and accessed data belonging to other companies. Nearly 12 million patients of Quest Diagnostics and 7.7 million patients of LabCorp may have had their financial, personal, and medical information compromised between August 1, 2018 and March 30, 2019, including social security numbers, credit card numbers, and bank account details. Laboratory test results were not revealed in the breach. Please review the news release from Quest Diagnostics, the LabCorp filing, and the KrebsOnSecurity post for company statements and more information.
The Rise in Mobile Phishing Attacks Comment: Many people believe mobile devices are secure and do not expect to receive malicious SMS texts. However, mobile devices, especially Android devices, of those in the financial industry are primary targets for SMS phishing attacks. SMS phishing messages are hard to track as it is very easy to spoof phone numbers, routing of messages is not accessible, and message filtering technology is almost non-existent. Mobile-specific phishing kits utilize URL padding to mimic smaller login screens of legitimate mobile apps and truncate URLs to trick users into thinking they are directed to legitimate websites.
Cyber at a Glance
Ransomware Isn’t Just a Big City Problem Comment: Ransomware activity has already reached a record number this year. Threat actors target unsuspecting users in phishing and spear-phishing campaigns in order to discover and exploit organizations with vulnerabilities, gaps in operational security, overall weak infrastructure, and configuration issues. Patching, upgrades, email protection tools, user education and security awareness training, and endpoint security software provide defense in depth to minimize the risk of infection. Unfortunately, ransomware can still break through some of the most hardened environments; therefore, it is important to identify, segment, and back up valuable data and have an isolation plan for infected systems.
The information contained in this product is marked Traffic Light Protocol (TLP): WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction.
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
Connect
Share
We respect your right to privacy - click here to view our policy.
