NJCCIC Weekly Bulletin | December 5, 2019

TLP: WHITE

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.
Cyber-Criminals Behind Maze Ransomware Threaten Release of Data if Not Paid
A ransomware victim's decision whether to pay a ransom demand often hinges on the availability of current, usable backups or whether the victim can accept the loss of the encrypted data if backups are not available. However, victims may now have to consider the implications of their data being publicly released if they do not pay the demand. The actors behind Maze ransomware, a variant that has become more active since May 2019, recently infected the network of security staffing firm Allied Universal. The cyber-criminals demanded that about $2.3 million in ransom be paid by a set date and threatened to release the company’s data if payment was not received. When the ransom was not paid by the deadline, the threat actors released about 10 percent of the company’s stolen data. They then demanded an increased payment of $3.8 million and threatened to release more data. Since this incident, the threat actors have targeted additional networks using the same tactic of threatening to release stolen data if payment is not made. They recently referenced the Allied Universal incident in their ransom notes, warning victims of the consequences of not paying. In addition to having a comprehensive data backup plan that includes keeping multiple backups stored offline in a separate and secure location and tested regularly to confirm their integrity, the NJCCIC highly encourages organizations to consider encrypting sensitive data at rest and in transit, to reduce the likelihood that a cyber-criminal could publicly release any stolen data in plaintext. Additionally, users and administrators are encouraged to review the Bleeping Computer and Proofpoint articles for information on TTPs (tactics, techniques, and procedures) and IOCs (indicators of compromise) related to Maze ransomware infections.

Announcements
Girls Go CyberStart Cybersecurity Competition
On October 29, 2019, Governor Philip D. Murphy encouraged young women in New Jersey’s high schools to take advantage of an opportunity to explore their aptitude for cybersecurity and computer science by trying to solve the challenges of the 2020 Girls Go CyberStart program. Previous knowledge and experience in information technology or cybersecurity are not needed to participate. A computer and internet connection are the only requirements to take part in this program, which comes at no cost for schools and students. Students use the CyberStart game, an online series of challenges that allows students to act as cyber protection agents to solve cybersecurity-related puzzles and explore exciting, relevant topics such as cryptography and digital forensics.

Open to female high school students, the Girls Go CyberStart initiative encourages participants to explore their interests in cyber studies, learn core cybersecurity skills, and build confidence in problem solving. Students will also have the opportunity to win cash prizes for themselves and their schools.

On December 2, 2019, registration opened and, as of December 5, 2019, New Jersey is ranked 2nd for the number of students registered.

For complete details and to sign up for the Girls Go CyberStart competition, please visit www.girlsgocyberstart.org.
Caller Poses as CISA Rep in Extortion Scam
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of a phone scam where a caller pretends to be a CISA representative. The scammer claims to have knowledge of the potential victim’s questionable behavior and attempts to extort money.
If you receive a threatening call from someone claiming to be a CISA representative, CISA recommends the following actions:
  • Do not respond or try to contact the caller.
  • Do not pay the caller.
  • Contact your local FBI field office to file a report.
The US DOJ Unseals Criminal Charges Against Distributors of the Dridex Malware
The US Department of Justice (DOJ) unsealed criminal charges against Maksim V. Yakubets of Russia related to international computer hacking and bank fraud schemes between May 2009 and present, including the distribution of the Bugat malware, later known as Dridex, and Zeus malware. Additionally, the DOJ indicted Igor Turashev of Russia for distribution of the Bugat malware. The two individuals are alleged to have been part of the most widespread hacking campaign the DOJ has encountered, totaling hundreds of millions of dollars in losses and attempted losses. Under the Transnational Organized Crime Rewards Program, there is up to a $5 million reward for information leading to the arrest and/or conviction of Yakubets, the largest reward for a cyber-criminal to date. Details of the charges can be found in the US DOJ press release.

Threat Alerts
Dexphot Polymorphic Malware Bypasses Security Solutions and Installs Cryptominers
Image Source: Microsoft
Dexphot malware, first identified a year ago, continues to bypass security solutions through the use of code obfuscation, encryption, randomized file names, and the deployment of malicious code in memory, which limits forensic capabilities. This polymorphic malware deploys files that change every 20-30 minutes to hide the installation process, and the contents of the MSI package, names of the archives, and password for decompression differ for each victim. Additionally, Dexphot can update its payload from the web using scheduled tasks, and all components are refreshed upon system reboot and every 90 or 110 minutes while the machine is running. After infection, Dexphot launches and switches between cryptocurrency miners, such as XMRig and JCE Miner. The malware runs the cryptocurrency miner using a technique known as “process hollowing,” in which malicious content replaces code in a legitimate process, allowing it to evade detection. If the malware is detected, monitoring services and scheduled tasks will trigger a re-infection. The NJCCIC recommends organizations educate users about this and similar threats, reminding them to refrain from clicking on links or opening attachments delivered with unexpected or unsolicited emails and exercise caution with emails from known senders. Organizations are advised to implement a defense-in-depth cybersecurity strategy to prevent or limit the impact of a cyber-attack, including the use of behavior-based detection. Technical information, IOCs, and remediation solutions can be found in the Microsoft blog post.
PyXie Trojan Targets Healthcare and Education
Image Source: Threat Vector
A new Python-based remote access trojan, PyXie, is being distributed via a hacking campaign that has targeted at least 30 organizations, primarily in the healthcare and education sectors. PyXie is capable of keylogging, credential harvesting, recording video, stealing cookies, performing man-in-the-middle attacks, and installing additional malware. The trojan, active since at least 2018, is highly customized, indicating its authors have dedicated significant resources and time. The main infection vector is a sideloading technique that uses legitimate applications to compromise users. Once installed, the trojan uses PowerShell to escalate privileges and gain persistence, and uses Cobalt Strike, a legitimate penetration testing tool, to download the trojan’s final payload. Using Cobalt Strike makes detection and attribution more difficult. The NJCCIC recommends organizations implement a defense-in-depth cybersecurity strategy and ensure they are following cybersecurity best practices. More information and IOCs can be found in the Threat Vector article.
Android Vulnerability StrandHogg Exploited in the Wild
Image Source: Promon
A vulnerability, dubbed StrandHogg, affecting all versions of the Android operating system is being actively exploited in the wild. The flaw is present in the ‘taskAffinity’ control setting, which allows an application to assume any identity in the multitasking system; therefore, when a user clicks on a legitimate app, a malicious version can appear on their screen. The user may then be prompted to grant the app permission to various resources on the device, such as the microphone, camera, SMS messages, phone calls, login credentials, location, and more. Researchers have identified 36 malicious apps attempting to exploit this vulnerability. The NJCCIC advises users to refrain from downloading suspicious apps on Google Play or third-party app stores. Users are recommended to be on the lookout for behavior that may indicate a device is infected, such as: an app you are already logged into requesting a login, permission pop-ups that do not contain an app name, apps requesting extensive permissions, typos in the app user interface, or faulty buttons and links within the app. Additional information can be found in the Promon article.
New ZeroCleare Wiper Malware Targets Energy Companies
Image Source: IBM
Researchers at IBM published analysis on a newly-discovered data-wiping malware dubbed ZeroCleare. The malware, believed to have been developed by Iranian state-sponsored actors, was deployed in cyber-attacks targeting energy companies in the Middle East. The malware is a typical wiper developed to delete data from the infected machine, often used to either delete the forensic evidence of an intrusion or to damage a victim’s ability to operate. Based on the IBM analysis, attacks typically begin via brute-force attempts to gain access to company network accounts. Once access is obtained, a SharePoint vulnerability is exploited to install web shells such as China Chopper and Tunna. The attackers then spread through the network, deploy ZeroCleare, use PowerShell/Batch scripts to bypass Windows controls, and use the legitimate tool EldoS RawDisk to wipe the Master Boot Record (MBR) and damage disk partitions. The malware has many similarities to the Shamoon malware, also attributed to Iranian threat actors. While the victim organizations are not named, IBM states that the attacks were targeted. The NJCCIC recommends organizations implement a defense-in-depth cybersecurity strategy, including applying the principle of least privilege, running an updated anti-virus/anti-malware program, and segmenting networks. More information can be found in the IBM report.
Netflix Phishing Scam
Image Source: Naked Security
A phishing campaign has been observed targeting Netflix customers in an attempt to obtain user credentials and payment information. The scam claims that the subscriber’s premium account has expired and that an attempt to process their payment was unsuccessful. These emails do, however, contain common phishing red flags, including a subtle sense of urgency and text with grammatical errors. If the user clicks the embedded link, they are redirected to a page hosted on a website with a valid HTTPS certificate. Researchers determined that the domain used in this attack was registered on November 11, 2019 and the web certificate was created on November 28, 2019, suggesting that the domain was created for this and similar scams. The NJCCIC recommends users refrain from clicking on links or opening attachments delivered with unexpected or unsolicited emails, including those from known senders. Users are advised to, instead, navigate to websites by manually typing the URL into the address bar of their browser. If credential compromise is suspected, users are advised to change credentials across all accounts that used the same login information and enable multi-factor authentication where available. Additionally, users are advised to notify their financial institution if payment information was disclosed. Further details can be found in the Naked Security article.

Breach Notifications
TrueDialog
Researchers at VPNMentor identified an unsecured Elasticsearch database belonging to TrueDialog, a short message service (SMS) provider specializing in solutions for small and large businesses as well as educational facilities, with over 5 billion subscribers. Breached data includes private SMS text messages, usernames and passwords, emails, and other personally identifiable information (PII), impacting over 100 million users in the US alone. The database was taken offline immediately upon notification. At the time of this writing, TrueDialog has not disclosed if they will be notifying customers of the breach. Users are advised to avoid sharing sensitive information over SMS.

Threat Profiles
Android: No new or updated variants were added.
ATM Malware: No new or updated variants were added.
Botnet: No new or updated variants were added.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: No new or updated variants were added.
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: No new or updated variants were added.
Trojan: Two updated variants: Emotet, TrickBot

ICS-CERT Advisories
Patches: Mozilla (Firefox, Firefox ESR)

Social Engineering Awareness
Phishing Emails Are Still Managing to Catch Everyone Out
Comment: With the adoption of cloud computing, many organizations fall into the common misconception that it reduces the need for tightened cybersecurity. Penetration testers at Coalfire Security discovered that 71 percent of employees compromised their credentials when targeted with a simulated phishing attack. Weak passwords, insecure internal procedures, and out-of-date software were the most commonly discovered vulnerabilities. Cloud computing can be successful if security settings are properly configured and cybersecurity best practices are maintained.

Cyber at a Glance
The Future of Cybersecurity Insurance
Comment: Cybersecurity insurance is a useful and common tool for risk management as it can provide businesses with financial protections in the case of a data breach or cyber incident. As cybercrime evolves and risk management changes, insurance policy protections will change as well; therefore, businesses are advised to regularly evaluate their insurance policies and coverage to determine what types of incidents are covered and which systems are protected. Insurance policies should be well-structured and meet the business needs in order to minimize financial losses incurred from a reduction in revenue, recovery operations, and regulatory fines.
The Blame Game: When Hackers Steal Your Data, Is It a Corporate Failure—Or the Attackers’ Fault?
Comment: Organizations may have high confidence in their security posture, implement the necessary technology and processes, and provide user awareness training for their people. However, it takes just one point of failure – such as an unpatched system, unencrypted data, or a specially crafted social engineering scheme – for a successful cyber incident or data breach to occur. While the attackers initiate the malicious activity, everyone has a responsibility to take the appropriate precautions and security measures to limit the opportunity for attack.

The information contained in this product is marked Traffic Light Protocol (TLP): WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction.

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.