NJCCIC Weekly Bulletin | June 20, 2019

THE WEEKLY BULLETIN
June 20, 2019
TLP: WHITE

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.
Malware Bypasses Email Content Filters Using Compressed Executables
The NJCCIC has received reports of packed malicious software being distributed via email campaigns in an attempt to bypass content filters. The email messages include .img attachments containing malicious compressed executables. If the archive is uncompressed and the executable is run manually, the njRAT, NanoCore RAT, or KPOT Stealer malware is installed; these tools can collect system information, steal usernames, passwords, and other sensitive information, and capture screenshots of desktops or webcams. The subject line may contain “invoice # from [business name]” or “wire confirmation.” The file icon used by the malware may also be spoofed to look like a known document type in order to further trick users into opening it. Cofense recently discovered a new variant of the H-W0rm/Houdini Worm, called the WSH trojan, which has similarities to njRAT. The NJCCIC strongly encourages educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails, including those from known senders. We recommend users verify emails from known senders via a separate means of communication. Additionally, organizations are advised to implement Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) to help detect and prevent email spoofing. We encourage users to report cyber incidents via the NJCCIC Cyber Incident Report Form.
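The following is an added example, not part of the bulletin or any NJCCIC tooling, showing how a mail gateway rule could flag the pattern described above: a disk-image (.img) attachment whose content is actually a compressed archive holding an executable, paired with the quoted lure subjects. The sample message is constructed inline and carries no real malware; the extension lists and the "invoice # / wire confirmation" pattern are assumptions drawn from the text.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Attachment extensions called out in the bulletin (.img) plus the sibling .iso type.
DISK_IMAGE_EXT = (".img", ".iso")
# Member names inside an archive that should never arrive by unsolicited email.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".js", ".vbs")
# Subject lures quoted in the bulletin (pattern is an assumption, not an official IoC).
SUBJECT_LURES = re.compile(r"invoice\s*#|wire confirmation", re.IGNORECASE)

def inspect_attachment(filename, payload):
    """Return a list of findings for one attachment given its name and raw bytes."""
    findings = []
    name = (filename or "").lower()
    if name.endswith(DISK_IMAGE_EXT):
        findings.append(f"disk-image attachment: {filename}")
    # An ISO 9660 image carries the 'CD001' identifier at offset 0x8001.
    if len(payload) > 0x8006 and payload[0x8001:0x8006] == b"CD001":
        findings.append("payload is an ISO 9660 image")
    # Zip magic 'PK\x03\x04': inspect members regardless of the claimed extension.
    if payload[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for member in zf.namelist():
                if member.lower().endswith(EXECUTABLE_EXT):
                    findings.append(f"compressed executable inside {filename}: {member}")
    return findings

def scan_message(raw):
    """Scan one RFC 822 message (bytes) and return all findings."""
    msg = email.message_from_bytes(raw)
    findings = []
    if SUBJECT_LURES.search(msg.get("Subject", "")):
        findings.append(f"lure subject: {msg['Subject']}")
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        findings.extend(inspect_attachment(part.get_filename(), part.get_payload(decode=True)))
    return findings

def build_sample():
    """Constructed sample: a zip named 'invoice.img' holding a fake .exe (harmless bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2019.pdf.exe", b"MZ not a real executable")
    msg = EmailMessage()
    msg["Subject"] = "invoice # 4471 from Example Corp"
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream", filename="invoice.img")
    return msg.as_bytes()
```

Sniffing the payload rather than trusting the extension is the point: the same check fires whether the archive is named .img, .iso, or something that looks like a document.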

Announcements
DHS Email Phishing Scam
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of an email phishing scam that tricks users into clicking on malicious attachments that look like legitimate Department of Homeland Security (DHS) notifications. The email campaign uses a spoofed email address to appear like a National Cyber Awareness System (NCAS) alert and lure targeted recipients into downloading malware through a malicious attachment. CISA encourages users and administrators to take the following actions to avoid becoming a victim of social engineering and phishing attacks:
  • Be wary of unsolicited emails, even if the sender appears to be known; attempt to verify web addresses independently (e.g., contact your organization's helpdesk or search the internet for the main website of the organization or topic mentioned in the email).
  • Use caution with email links and attachments without authenticating the sender. CISA will never send NCAS notifications that contain email attachments.
  • Immediately report any suspicious emails to your information technology helpdesk, security office, or email provider.
New Decryption Tool Eradicates GandCrab
A new GandCrab decryption tool is available for versions 5.0 through 5.2 of the ransomware, allowing victims to recover encrypted files. This free tool was released through a combined effort of the FBI, Europol, multiple international police agencies, Bitdefender, and other cybersecurity groups. GandCrab has been one of the most debilitating and aggressive families of ransomware since its inception in January 2018, affecting an assessed 1.5 million users. The actors behind the variant recently announced their retirement. The free decryption tool can be downloaded from Bitdefender Labs and the No More Ransom Project. For more information, please read the ZDNet article.

Threat Alerts
XENOTIME Threat Group Targeting Electric Utilities in US
Image Source: Dragos
The XENOTIME threat group responsible for targeting oil and gas companies with the TRISIS malware in 2017 is now targeting electric utilities in the United States and the Asia-Pacific region. The group, attributed by cybersecurity firm FireEye to the Russian government-owned Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), used the TRISIS malware to target Schneider Electric’s Triconex safety instrumented systems (SIS). At that time, researchers tracking XENOTIME believed the group's targets were restricted to organizations in the Middle East. Since at least May 2018, however, Dragos has observed the group targeting safety systems other than Triconex at companies around the world. Thus far, it appears no intrusion attempts have been successful. Dragos suggested this behavior may be in preparation for a future cyber-attack, as the activity is consistent with reconnaissance efforts. The NJCCIC recommends organizations in the electric sector and other critical infrastructure sectors review the Dragos blog post for additional details and defense recommendations. Organizations are advised to implement a defense-in-depth cybersecurity strategy; employ the Principle of Least Privilege; and keep anti-virus/anti-malware, hardware, and software updated.

Ransomware Attacks Hit City Governments
Ransomware continues to impact governments and businesses, reaching many victims through phishing emails. Officials in Riviera Beach City in Florida paid $600,000 to bad actors after their computer systems, including their email and 911 systems, were impacted by ransomware. The city of Baltimore is still recovering from May’s ransomware attack as it brings operations back up and running. The city refused to pay the ransom, but due to lost revenue and recovery efforts, the costs are estimated at $18 million. The NJCCIC discourages victims from paying the ransom if impacted by a ransomware infection and instead advises that they ensure they have a comprehensive data backup plan. We advise users to review the NJCCIC products Don’t Take the Bait! Phishing and Other Social Engineering Attacks and Cybersecurity Best Practices for more information on how to keep their accounts and data safe. We recommend reviewing the NJCCIC Ransomware Threat Profile for ransomware mitigation strategies.

New WSH Malware Targets Banking Customers
Image Source: Cofense
The threat actors behind the H-W0rm/Houdini malware released a new variant, dubbed “WSH,” which was observed in phishing campaigns targeting financial institutions and their customers. The actors masquerade as legitimate banks, such as HSBC, and send .mht web archive files to users that, when opened, direct them to a .zip archive containing the malware. Once downloaded, the malware retrieves additional executables that provide a Windows keylogger, a mail credential viewer, and a browser credential viewer, with the ultimate goal of stealing user account credentials. WSH is currently sold on underground forums as a $50 per month subscription. The NJCCIC recommends users avoid clicking on links and opening attachments from unsolicited or unexpected emails, even those appearing to be from known companies. Users are advised to instead navigate to websites by manually typing the URL into the address bar of their browser. Additionally, educating end users about this and similar threats can reduce victimization. Additional details may be found in the Cofense post.

CISA: Exploit Successful Against Windows BlueKeep Vulnerability
The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning users of affected Microsoft Windows operating systems (OS) that it successfully tested an exploit against a vulnerable Windows 2000 server. The exploit targets the BlueKeep vulnerability, CVE-2019-0708, present within the Remote Desktop Protocol (RDP) used by Windows OS, and can be used to take control of affected systems. Microsoft recently released a warning urging users and administrators to update their systems, as the vulnerability is considered “wormable,” allowing malware exploiting it to propagate to other vulnerable systems and spread rapidly without user interaction. The NJCCIC highly encourages users and administrators to apply patches to affected systems as soon as possible after appropriate testing, consider upgrading any End-of-Life systems, and disable unnecessary ports and services. More information on the vulnerability, including a list of affected operating systems and links for updating systems, can be found in the Microsoft advisory.

Azure Systems Running Exim Exploited
Threat actors have created a worm that exploits the Exim vulnerability, CVE-2019-10149, to take over servers and scan the internet for additional potential victims. Once a system is infected, a cryptocurrency miner is installed. Microsoft reported that Azure infrastructure has been hit by the worm and, while there are controls in place to limit its spread by Azure systems, the machines remain compromised and infected with the cryptocurrency miner. As this vulnerability is actively being exploited, the NJCCIC highly advises users and administrators running Exim to update to version 4.92 as soon as possible after appropriate testing.

Threat Actors Target DNA Sequencing Software
Image Source: Help Net Security
Threat actors are actively exploiting the CVE-2017-6526 vulnerability in dnaLIMS, a popular web-based bioinformatics laboratory information management system used by many scientific, academic, and medical institutions to process and manage DNA sequencing requests. The vulnerability originates from an improperly protected web shell: a POST request to view its page can be used to bypass authentication checks. Successful exploitation can result in the theft of DNA sequencing data and the use of the compromised system in further attacks. At the time of this writing, there are no patches available. The NJCCIC recommends users patch systems as updates become available. We advise administrators to place the software behind a firewall, allow only users from specific IP addresses to access the web server (or specific directories), and use a VPN when remote access is required. For more information, please review the Help Net Security article and the Shorebreak Security Product Security Advisory.

New Phishing Campaign Claims to Require Users to Log In to Access Encrypted Message
A new phishing campaign affecting Office 365 Business users poses as an alert from the recipient's email server and claims that an encrypted message has been received. According to the email, the user must log in to OneDrive for Business to view the encrypted message; however, the embedded link sends the user to a fraudulent site. Any credentials entered into the website are sent to the threat actor. A key indicator of the scam is that Microsoft Business accounts should be protected by multi-factor authentication (MFA), for which the user is not prompted. The NJCCIC highly recommends users avoid clicking on any links contained in suspicious emails and enable multi-factor authentication where available. To access an account, manually type the URL into the address bar of the browser. For further details, please read the Naked Security article.

Breach Notifications
 
EatStreet
EatStreet, an online food ordering service, suffered a data breach that revealed sensitive information of its delivery and restaurant partners, including payment details. The number of impacted customers and partners is currently unknown; however, the unauthorized third party had access to the company’s database between May 3, 2019 and May 17, 2019. The breach revealed customers’ names, billing addresses, email addresses, phone numbers, and credit card numbers, including expiration dates and verification codes. EatStreet sent separate letters to its customers and partners detailing the incident and what information was accessed. Those impacted by the breach are advised to notify their banks of any unauthorized charges and request new payment cards.
Union Labor Life Insurance Data Breach
Union Life Insurance (Ullico, Inc.), a large national insurance and investments company, has revealed that it suffered a breach due to a successful spear-phishing attack. The breach originally occurred on April 1, 2019, after a targeted employee opened a link within a malicious email. This link redirected the unsuspecting victim to a fraudulent file-sharing website, which then harvested login credentials. The compromised information includes personally identifiable information (PII) and protected health information (PHI) of both the individuals and their family members, impacting approximately 87,400 customers. Ullico, Inc. has issued notification letters to those affected, stating that it will provide 24 months of identity theft protection services and free credit monitoring.

Threat Profiles
 
Android: No new or updated variants were added.
ATM Malware: No new or updated variants were added.
Botnet: No new or updated botnets were added.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: No new or updated exploit kits were added.
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: No new or updated variants were added.
Trojan: One new variant: Dofloo. Two updated variants: H-W0rm, Scranos.


Social Engineering Awareness
How Fraudulent Domains “Hide in Plain Sight”
Comment: Threat actors are utilizing email, websites, applications, and social channels to target their victims, including middle management who work for the CEO or CFO. Scammers are registering fraudulent top-level domains to launch phishing campaigns and business email compromise scams and directing targets to spoofed websites with legitimate certificates. These scams can result in monetary losses to the victim and have reputational and financial implications for the impersonated business. People are often an organization’s weakest link; therefore, they need to be mindful of current social engineering threats.

Cyber at a Glance
How Cybersecurity is Strengthened With MFA
Comment: The value of password authentication alone has diminished due to data breaches exposing credentials, leading to credential stuffing attacks and more successful brute force attacks; however, multi-factor authentication (MFA) adds another layer of identification, which may include a code retrieved from a text message or a biometric, such as a fingerprint. If an individual’s credentials are stolen, a bad actor would not be able to access that person’s account without the second factor, making the account better protected against unauthorized access.
Smart Cities, Difficult Choices: Privacy and Security on the Grid
Comment: As the world becomes more interconnected and technology-dependent, smart cities intend to improve the quality of life and enhance communications. Planning is key to managing the risk introduced by these new devices and technology. Smart cities can raise privacy and security issues related to data collection, mass surveillance, and overall infrastructure maintenance that can result in unauthorized access to data, reduced anonymity, vulnerable devices, compromised and inaccessible systems, miscommunications, and even mass confusion and chaos.

 
The information contained in this product is marked Traffic Light Protocol (TLP): WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction. 

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
 
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
