Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.
Legitimate Email Servers Used to Relay Phishing Messages
The NJCCIC observed instances of threat actors using legitimate email servers as relays for their phishing campaign messages in attempts to bypass detection by email security tools. A similar tactic was observed in which threat actors abused Google’s SMTP relay service via the “smtp-relay.gmail.com” SMTP server to spoof Gmail tenants without being detected. These tactics make it more likely for emails to be delivered to end user inboxes, increasing the likelihood of victimization. As more tactics are developed to circumvent security controls, organizations become more reliant on end users to identify potentially malicious messages.
The NJCCIC recommends organizations publish a Domain-based Message Authentication, Reporting, and Conformance (DMARC) DNS record with the policy (p=) tag set to “reject” or “quarantine.” DMARC is evaluated against SPF and DKIM results, so both must be configured and aligned with the sending domain before an enforcing policy is deployed; otherwise legitimate mail is rejected along with spoofed mail. Additionally, disable mail relaying from external accounts; on hosts that are not mail servers, block public access to port 25; remove public access to the server hostname/IP and limit it to authorized users and endpoints; and perform vulnerability scans against the server(s), applications, and databases hosted by the server(s). Users can increase organizational resiliency to cyber threats by staying aware and updated on current tactics and techniques threat actors use. For additional information on SMTP relays, review the Proofpoint article.
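The following script is an added example (not NJCCIC code) that parses a DMARC TXT record and reports whether it actually enforces anything, which is the check an administrator should run after following the recommendation above. The records it evaluates are constructed sample strings; on a live domain you would fetch the TXT record at _dmarc.<domain> with a DNS library such as dnspython, and the thresholds it applies (pct below 100 and sp=none counted as non-enforcing) are this example's own judgment calls.

```python
"""Assess a DMARC TXT record for enforcement strength.

Added example, not NJCCIC's or any vendor's code. The records in
SAMPLE_RECORDS are constructed; fetch the real one from _dmarc.<domain>.
"""
from typing import Dict, List, Tuple


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary.

    Tags are separated by ';' and written as tag=value; whitespace is ignored.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> Tuple[bool, List[str]]:
    """Return (enforcing, findings) for a DMARC record.

    'enforcing' is True only when receivers will quarantine or reject all
    failing mail for the domain and its subdomains. Each finding is a
    human-readable weakness; an empty list means nothing was flagged.
    """
    findings: List[str] = []
    tags = parse_dmarc(record)

    # Receivers ignore the record entirely without v=DMARC1 and a valid p= tag.
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["missing or invalid v=DMARC1 tag; receivers will ignore the record"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return False, ["missing or invalid p= tag; receivers will ignore the record"]

    enforcing = policy in ("quarantine", "reject")
    if not enforcing:
        findings.append("p=none only monitors; spoofed mail is still delivered")

    # pct defaults to 100 (RFC 7489); anything lower applies the policy to a sample.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
        enforcing = False

    # sp= covers subdomains and defaults to the p= value when absent.
    sp = tags.get("sp", policy).lower()
    if sp == "none":
        findings.append("sp=none leaves subdomains unprotected")
        enforcing = False

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports (which reveal abuse) are not collected")
    return enforcing, findings


# Constructed sample records for demonstration only.
SAMPLE_RECORDS = {
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "not-dmarc": "v=spf1 -all",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        enforcing, findings = assess_dmarc(rec)
        print(f"{name}: enforcing={enforcing}")
        for f in findings:
            print(f"  - {f}")
```

A record that passes this check still protects nothing unless SPF and DKIM are published and aligned for every legitimate sender, including third-party relays such as the Google SMTP relay mentioned above; the "partial" sample shows how a policy that looks enforcing on a quick glance can be hollowed out by pct= and sp=.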
Increase in Exploitation of Windows Print Spooler Vulnerabilities
Windows Print Spooler is the Windows service that manages the printing process. Microsoft released emergency patches to address a Windows Print Spooler vulnerability, PrintNightmare, discovered in June 2021. New patches were released regularly as additional vulnerabilities surfaced, since the updates did not always adequately remediate the flaws. The vulnerabilities could allow threat actors to gain access to corporate networks, servers, resources, and data. Furthermore, they could remotely execute code with SYSTEM privileges, potentially resulting in ransomware infections and data exfiltration. Some organizations have yet to implement the patches, leading to continued exploitation by threat actors. Researchers recently discovered an increase in the number of cyberattacks exploiting multiple vulnerabilities in Windows Print Spooler. Between July 2021 and April 2022, threat actors conducted approximately 65,000 cyberattacks through the Windows Print Spooler service, with nearly half of those attacks occurring in the first four months of 2022. The number of exploitation attempts is expected to grow.
The NJCCIC recommends users and organizations apply the latest Windows security updates as soon as possible after appropriate testing. On hosts that do not need to print, such as domain controllers and most servers, disabling the Print Spooler service removes the attack surface entirely. Furthermore, keep all hardware and software up to date to ensure known vulnerabilities are addressed. For details on all patches, review the Microsoft Security Update Guide. Additional details can be found in the Dark Reading article.
Exploit Attempts Against F5 BIG-IP Vulnerability
Last week, an advisory in the NJCCIC Weekly Bulletin detailed a critical vulnerability, tracked as CVE-2022-1388, in F5’s BIG-IP networking devices. Cybersecurity researchers have since developed exploits for the flaw, and exploit attempts in the wild have already been observed, leading to warnings for administrators to update devices as soon as possible after appropriate testing. Threat actors could exploit the flaw for initial network access that could lead to lateral movement, data theft, ransomware deployment, and more. The flaw impacts BIG-IP versions 16.1.0 to 16.1.2, 15.1.0 to 15.1.5, 14.1.0 to 14.1.4, 13.1.0 to 13.1.4, 12.1.0 to 12.1.6, and 11.6.1 to 11.6.5; versions 12.x and 11.x will not receive patches. On May 10, CISA added CVE-2022-1388 to the Known Exploited Vulnerabilities catalog.
The NJCCIC advises administrators to update BIG-IP as soon as possible after appropriate testing. If updating immediately is not feasible, follow the mitigations provided by F5: block all access to the iControl REST interface of the BIG-IP system through self IP addresses, block iControl REST access through the management interface, or modify the BIG-IP httpd configuration. Because the flaw is in the management plane, the management interface and self IPs should in any case never be reachable from the Internet. Additional details can be found in the F5 security advisory.
New Cyberattack Hides Fileless Malware in Windows Event Logs
A new cyberattack method conceals fileless malware in Windows event logs using a multistage technique that leverages penetration testing frameworks alongside custom modules, according to security researchers. During a targeted campaign traced back to September, a .RAR archive containing a custom malware dropper was downloaded from a legitimate file-sharing website. The dropper copied the legitimate Windows error-handling program WerFault.exe to another folder and placed a malicious “wer.dll” beside it, so that launching the copy loaded the malicious library by DLL search-order hijacking. That library wrote shellcode into the event logs in 8 KB fragments, which were later read back, reassembled, and executed to deploy trojans.
The use of Windows event logs to stage fileless malware had not been observed in previous attacks and reflects a sophisticated approach by unidentified threat actors. A duplicate WerFault.exe file with “1.1” appended to its title string may be an indicator of compromise, as may a wer.dll sitting in the same folder as a WerFault.exe outside the Windows system directories. Security researchers warn that other threat groups are likely to adopt this tactic in future attacks after a proof of concept surfaced briefly on GitHub.
The NJCCIC recommends Windows users implement an endpoint security solution with behavior-based detection capabilities, used in conjunction with anti-APT and EDR solutions. Organizations are further advised to provide the latest threat intelligence and training to their employees. Detailed Windows event logging and centralized log collection may be useful for incident response. A full analysis of the cyberattack method can be found on Securelist. Additional details are available on BleepingComputer and TechRepublic.
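The script below is an added example (not the researchers' or NJCCIC's code) of a hunt for the indicators described above: a WerFault.exe outside System32/SysWOW64, a wer.dll beside it, and a version string ending in “1.1”. It runs over a constructed file inventory rather than a live disk; on a real host you would build the same (path, version string) list with os.walk plus a PE version-info reader or an EDR file export. The directories used in the sample (C:\Windows\Tasks, C:\Users\Public) are illustrative, and treating the PE FileDescription field as the “title string” is this example's assumption.

```python
"""Flag WerFault.exe copies positioned for wer.dll side-loading.

Added example, not from the Securelist analysis. SAMPLE_INVENTORY is
constructed; the path and version-string values are illustrative only.
"""
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Tuple

# Directories where WerFault.exe legitimately lives on a 64-bit Windows install.
EXPECTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}


def find_suspicious_werfault(inventory: Iterable[Tuple[str, str]]) -> List[Dict]:
    """Return one finding per WerFault.exe found outside its expected folders.

    inventory: (path, version_string) pairs. version_string stands in for the
    PE version-info description; which field carries the '1.1' marker is an
    assumption of this example, not a fact stated in the bulletin.
    """
    entries = [(PureWindowsPath(p), desc) for p, desc in inventory]

    # Folders containing a wer.dll: a WerFault.exe there will load it first.
    dirs_with_wer_dll = {
        str(p.parent).lower() for p, _ in entries if p.name.lower() == "wer.dll"
    }

    findings: List[Dict] = []
    for path, desc in entries:
        if path.name.lower() != "werfault.exe":
            continue
        parent = str(path.parent).lower()
        if parent in EXPECTED_DIRS:
            continue  # the genuine binary in its normal location

        reasons = ["WerFault.exe outside System32/SysWOW64"]
        if parent in dirs_with_wer_dll:
            reasons.append("wer.dll in the same folder (DLL search-order side-load)")
        if desc.rstrip().endswith("1.1"):
            reasons.append("version string ends in '1.1' (reported indicator)")
        findings.append({"path": str(path), "reasons": reasons})
    return findings


# Constructed inventory: two legitimate copies, one staged side-load, one stray copy.
SAMPLE_INVENTORY = [
    (r"C:\Windows\System32\WerFault.exe", "Windows Problem Reporting"),
    (r"C:\Windows\SysWOW64\WerFault.exe", "Windows Problem Reporting"),
    (r"C:\Windows\Tasks\WerFault.exe", "Windows Problem Reporting 1.1"),
    (r"C:\Windows\Tasks\wer.dll", "Windows Error Reporting DLL"),
    (r"C:\Users\Public\WerFault.exe", "Windows Problem Reporting"),
]

if __name__ == "__main__":
    for finding in find_suspicious_werfault(SAMPLE_INVENTORY):
        print(finding["path"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

A stray copy with only the first reason is worth a look but is often benign (installer leftovers, forensic images); the combination of an out-of-place WerFault.exe and a neighbouring wer.dll is the pattern that matches the campaign and should be escalated, with the event logs on that host collected before any cleanup.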
Vulnerability Advisory
High-Severity Vulnerabilities Impact Hundreds of HP Products
Two high-severity vulnerabilities were identified in the HP BIOS (UEFI firmware). The vulnerabilities, tracked as CVE-2021-3808 and CVE-2021-3809 (CVSS v3 8.8), affect over 200 HP PC products, including laptops, workstations, and retail point-of-sale systems. Successful exploitation of these vulnerabilities may allow cyber threat actors who already have local SYSTEM access to escalate privileges to System Management Mode (SMM). Code executing in SMM runs beneath the operating system and hypervisor with higher privilege than either, giving cyber threat actors full control over the platform and facilitating further attacks, including firmware implants that survive operating system reinstallation. There are no reports of active exploitation; however, a proof of concept was released on May 10.
The NJCCIC recommends users of impacted HP products apply patches and mitigations immediately after appropriate testing. Further information can be found in the SecurityWeek article.
Russia/Ukraine Cyber Threat Update
Currently, the NJCCIC is not aware of any specific or imminent cyber threats to New Jersey. However, the cyber threat level in New Jersey is currently set to ELEVATED, which indicates a significant risk due to increased hacking, virus, or other malicious activity that compromises systems or diminishes service. On May 10, the U.S. Department of State attributed cyberattacks against commercial satellite communications networks at the launch of the invasion of Ukraine in late February to Russian state-sponsored cyber threat actors. The cyberattacks intended to disrupt Ukrainian command and control during the invasion but also impacted very small aperture terminals (VSATs) across Europe. Additional details regarding this and other Russian cyber threat activity can be found on the Cybersecurity and Infrastructure Security Agency (CISA) current activity webpage. Please refer to the latest NJCCIC Advisory and update and the CISA Shields Up website for the latest risk mitigation practices.
The information contained in this product is marked Traffic Light Protocol (TLP): WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction.
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and individuals.