NJCCIC Weekly Bulletin | March 7, 2019


Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.

Phishing Campaigns Target Dropbox

The NJCCIC observed threat actors sending tax-themed Dropbox phishing emails to State employee email addresses. These emails appear to be sent from a person at a tax-related business; however, the address is spoofed and the headers of these emails reveal a different “Reply-To” address. The emails contain a “View file” blue box link that supposedly downloads a PDF document titled with the spoofed employee’s first and last name and email address followed by “1040a.pdf.” The embedded link will likely either attempt to download a malicious document that will install malware on the user’s device or direct the user to a spoofed site meant to steal the user’s Dropbox login credentials. Other reported Dropbox phishing campaigns distribute emails that convey a sense of urgency and contain “Drop-Box Secure [New invoice from]” in the Subject line and Dropbox graphics with an embedded link. Phishing attacks often target file-sharing sites as users trust these brands and services, and they are commonly used for business processes, making these accounts more likely to have access to sensitive information. The NJCCIC recommends users refrain from clicking on any embedded links or attachments, downloading any files, or accepting shared folder invitations that come with unsolicited or unexpected emails, and verify emails from known senders via a separate means of communication. We encourage users to review the NJCCIC products Don’t Take the Bait! Phishing and Other Social Engineering Attacks and Cybersecurity Best Practices for more information on how to keep their accounts and data safe.
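The two indicators the bulletin describes, a Reply-To domain that differs from the spoofed From domain and the reported "Drop-Box Secure [New invoice from]" subject line, can be checked automatically at the mail gateway or in a SOC triage script. The following is an added example written for this bulletin, not NJCCIC or Dropbox code; the sample message is constructed and uses reserved example domains.

```python
"""Flag the Dropbox phishing indicators described in the bulletin.

Added example, not NJCCIC tooling. Checks two things on a raw RFC 5322
message: a Reply-To domain that does not match the From domain, and the
reported subject pattern. The SAMPLE message below is constructed.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Case-insensitive match for the subject line reported in the campaign.
SUBJECT_PATTERN = re.compile(r"drop-?box secure \[new invoice from", re.IGNORECASE)


def _domain(header_value):
    """Return the lower-cased domain of the first address in a header, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw_message):
    """Return the list of indicator names found in the raw message."""
    msg = message_from_string(raw_message, policy=default)
    hits = []
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    # A Reply-To pointing at a different domain than the visible sender is the
    # header mismatch the bulletin calls out; a missing Reply-To is not flagged.
    if reply_domain and reply_domain != from_domain:
        hits.append("reply-to-domain-mismatch")
    if SUBJECT_PATTERN.search(str(msg.get("Subject", ""))):
        hits.append("dropbox-invoice-subject")
    return hits


# Constructed sample resembling the campaign (example.com / example.net are reserved).
SAMPLE = """From: "Tax Prep Office" <preparer@example.com>
Reply-To: collector@example.net
To: employee@example.org
Subject: Drop-Box Secure [New invoice from Tax Prep Office]

View file
"""

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```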


Cyber Symposium

Date: Wednesday, March 20, 2019 | Time: 8:30 a.m.
Location: The Event Center at iPlay America, Freehold, New Jersey
Audience: Public sector organizations including state, county and municipal governments and authorities, K-12 and higher-education
Over the past year, the NJCCIC received numerous reports of cyber incidents, many involving ransomware, that significantly impacted municipal and county government organizations here in NJ, resulting in millions in ransoms being paid out and major operational disruptions. Oftentimes, poor cyber hygiene was what allowed the threat actors to succeed. We will provide attendees with practical strategies, tactics, resources, and tools to help manage cyber risk in their respective organizations.

Girls Go Cyberstart Cybersecurity Competition 
On February 19, Governor Philip D. Murphy encouraged young women in New Jersey’s high schools to take advantage of an opportunity to explore their aptitude for cybersecurity and computer science by trying to solve the challenges of the 2019 Girls Go CyberStart program. Previous knowledge and experience in information technology or cybersecurity are not needed to participate. A computer and internet connection are the only requirements to take part in this program, which comes at no cost for schools and students. Students use the CyberStart Game, an online series of challenges that allows students to act as cyber protection agents to solve cybersecurity-related puzzles and explore exciting, relevant topics such as cryptography and digital forensics.
Open to female high school students, the Girls Go CyberStart initiative encourages participants to explore their interests in cyber studies, learn core cybersecurity skills, and build confidence in problem solving. Students will also have the opportunity to win cash prizes for themselves and their schools, and at least 10 New Jersey high school girls will receive $500 scholarships to help pay for college. In 2018, 453 girls in 44 schools throughout New Jersey participated in Girls Go CyberStart, and the goal for 2019 is to triple those numbers.
Registration and complete details for the Girls Go Cyberstart competition may be found at www.girlsgocyberstart.org. As of March 3, New Jersey was ranked 4th for the number of students preregistered.

Industry Reports

Symantec provides a deep dive into cybersecurity attack trends in their Internet Security Threat Report (ISTR) 2019, available here. Some key takeaways are below:
  • One in ten URLs were malicious.
  • Web attacks were up 56 percent since 2017.
  • Over 2018, cryptojacking events declined 52 percent.
  • Enterprise ransomware incidents were up 12 percent.
  • Overall ransomware incidents were down 20 percent.
  • Mobile ransomware incidents were up 33 percent.
  • Supply chain attacks increased 78 percent.
  • 48 percent of all malicious email attachments were Microsoft Office files.
  • There was a 1000 percent increase in malicious PowerShell scripts.
  • Emotet accounted for 16 percent of all financial trojan activity, up from four percent in 2017.
  • There were 49 espionage indictments by US authorities in 2018, up from four in 2017.
  • Spear-phishing remained the most popular attack vector, used by 65 percent of known groups.
Image Source: Akamai
Akamai details the threat landscape and trends in the retail sector in their 2019 State of the Internet Report. Some key takeaways are below:
  • The retail sector was the top target for credential stuffing attacks between May 1 and December 31, 2018, especially in the US.
  • Apparel retailer sites were targeted the most because of their high merchandise values, which are expected to reach $4.88 trillion by 2021.
  • On average, there were 115 million attempts to compromise or access user accounts per day.
  • Threat actors take advantage of the same account credentials used for multiple accounts.
  • A single All-in-One (AIO) bot can target more than 120 retailers at once.
  • The available lists of stolen credentials and the successful malicious use of AIO bots can compromise accounts, make purchases, and resell the stolen merchandise quickly and for a high price.
Microsoft provides top cybersecurity trends in their Security Intelligence Report (SIR) Volume 24, available here. Some key takeaways are below:
  • Ransomware encounters declined about 60 percent between March 2017 and December 2018.
  • Cryptocurrency mining is still prevalent, with an increase in browser-based cryptocurrency miners.
  • Windows Defender blocked more than 400,000 infection attempts worldwide that were linked to a supply chain attack caused by a compromised peer-to-peer application.
  • Inbound phishing emails increased 250 percent between January and December 2018.
  • There was a decrease in malware encounter rates in 2018.

Threat Alerts

Academic Institutions and Non-Profits Targeted in Scam Requesting Gift Cards

Image Source: Agari
Threat actors in the scamming group “Scarlet Widow” are increasingly targeting school districts, universities, and non-profits in a social engineering scheme. Oftentimes, the actor sends a staff member an email impersonating their boss and requesting them to buy gift cards and send them photos of the back of the cards. According to researchers at Agari, the cards are then traded at a reduced price on the peer-to-peer cryptocurrency exchange Paxful and the earned bitcoin is then sold for cash. Gift cards are the most reported payment method in these types of scams. The NJCCIC recommends users review the Agari research and avoid complying with requests for the purchase of gift cards received via email without confirming the request via a separate means of communication. We highly encourage educating others about this and similar threats.

APT 40 Targets Academic Institutions for Sensitive Maritime Information

According to research from cybersecurity firms FireEye and iDefense, APT 40, a Chinese state-sponsored advanced persistent threat (APT) group, has targeted over 27 universities that conduct maritime research and development, some of which have been contracted by the Department of Defense (DoD). Academic institutions targeted include the Massachusetts Institute of Technology (MIT), the University of Hawaii, and the University of Washington. APT 40 has also targeted organizations in the engineering, defense, and transportation industries. The group has been the most active of any Chinese hacking group that cyber intelligence agencies detected over the past year. APT 40 begins its operations by sending phishing emails, sometimes assuming the identity of journalists, Navy officials, or other academic institutions. Next, the group deploys malware, such as the Gh0st RAT trojan, to maintain persistence on a compromised network and begin harvesting credentials. Once this is accomplished, it moves laterally within the network to ultimately gain access to intellectual property. At this time, APT 40’s efforts have resulted in the theft of sensitive military information, including submarine missile plans and ship maintenance data. The NJCCIC advises all universities and academic institutions to refrain from clicking on links or opening attachments in unsolicited or unexpected emails, and to report any suspicious emails to their local IT department, local police department, and the NJCCIC via the Cyber Incident Report form here.

Vulnerability Advisories

Users Advised to Update Chrome to Patch Zero-Day Vulnerability

A zero-day vulnerability in Google Chrome was patched in last Friday’s update to version 72.0.3626.121. The security flaw is a memory error that exists in Chrome’s FileReader, a web API that lets web apps read the contents of files stored on a user’s computer. Successful exploitation of the vulnerability could allow a threat actor to execute malicious code. According to Chrome’s security lead, the vulnerability is already being actively exploited by threat actors. The NJCCIC highly advises Google Chrome users for Windows, Mac, and Linux operating systems to update to version 72.0.3626.121 as soon as possible and review the release notes for more information.

macOS Zero-Day Vulnerability Disclosed by Project Zero

Researchers from Google’s Project Zero revealed information regarding a macOS zero-day vulnerability, dubbed “BuggyCow,” after Apple failed to address the issue by the 90-day deadline. The copy-on-write (COW) behavior bypass flaw could allow a local user to escalate privileges. The researchers also provided proof-of-concept (PoC) code to exploit the vulnerability. The NJCCIC recommends macOS users review the Project Zero post and apply the patch if and when one becomes available.

Intel Chips Vulnerable to Non-Spectre Attack Dubbed “Spoiler”

Researchers from Worcester Polytechnic Institute in Massachusetts and the University of Lübeck in northern Germany discovered a new flaw that targets an area of Intel processors called the Memory Order Buffer, which manages memory operations and interacts with the cache. The vulnerability in the memory subsystem can directly leak timing behavior due to physical address conflicts and may reveal critical information. Since Spoiler is not a Spectre attack, the previously released patches for Spectre-related flaws will not resolve the issue. Researchers believe a patch may not be available for some time, possibly years. Hardware fixes could address the issue but would affect performance. Intel believes the issue can be protected against by employing side-channel-safe software development practices. The NJCCIC recommends users review the research paper and ZDNet’s blog post for more information and apply patches if and when they become available.

Threat Profiles
Android: No new or updated variants added.
Botnet: No new or updated botnets were added.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: No new or updated exploit kits were added. 
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: One updated variant:
Trojan: One updated variant: 


Social Engineering Awareness
IRS’ Warning of Tax-Related Identity Theft
Comment: Identity theft has made the IRS’ “Dirty Dozen” list of tax scams again for 2019. Tax-related identity theft occurs when a threat actor uses tax-related information to file a fraudulent tax return to claim a refund. Taxpayers are advised to continue to remain vigilant and protect their sensitive tax and financial data by recognizing and avoiding phishing emails, and refraining from clicking on links or attachments in unknown or unsolicited emails.
Shifting Strategies: Using Social Media, SEO in Tech Support Scams
Comment: Tech support scammers are changing tactics. The cold-calling techniques traditionally used in these scams have become less effective, so scammers are adopting new strategies, such as pop-up alerts using web and JavaScript tricks, and social engineering tactics. Scammers can create fake tech support websites on popular social media platforms and spread fake toll-free numbers and keyword-rich links, enabling the malicious website to appear in web search engine results with higher rankings, which lends it apparent credibility. Users are advised to navigate to official company websites when searching for technical and customer support contact information. Victims are encouraged to report incidents to their local police departments and to the NJCCIC via the Cyber Incident Report form.

Cyber at a Glance
Insecure VPNs: Top Risks and Symptoms That Stronger Security is Needed
Comment: Virtual private networks (VPNs) promise to provide a private and secure connection between end-user devices and the VPN server; however, some VPN solutions do not meet this expectation. Threat actors can take advantage of certain VPN vulnerabilities and security issues, posing a great risk, particularly to enterprises. As with any technology product or service, users are encouraged to research before selecting a VPN service.
Will Pay-For-Privacy Be the New Normal?
Comment: Online privacy as a right should be industry practice. However, there are possible proposals to pay for privacy, which can further the divide between socioeconomic classes; affect how companies collect, use, and sell data; and affect the security and protection of that data. Privacy terms and conditions can be vague or hidden, and at the expense of the user; therefore, the online tracking and sharing of information with third parties and potential malicious threat actors is a big concern.


Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.



We respect your right to privacy - click here to view our policy.