the ransomware threat is evolving - cdn.buttercms.com
Post on 23-Dec-2021
THE WEEKLY BULLETIN
April 30, 2020
TLP: WHITE
Garden State Cyber Threat Highlight
Providing our members with a weekly insight into the threats and malicious
activity directly targeting New Jersey networks.
The Ransomware Threat is Evolving
Image Source: Microsoft
Over the last several months, the NJCCIC has reported that multiple ransomware threat
actors have threatened to expose data stolen from ransomware victims if payment is not
made. This trend is continuing and, according to Microsoft, some ransomware threat actors
are exfiltrating data even if they do not plan to use it as leverage for payment. Additionally,
Microsoft’s Threat Protection Intelligence Team found that threat actors are compromising
networks for several months before deploying ransomware, extending their reach within
the network and waiting for the most opportune time in order to maximize their potential
profits. Recent cases reported to the NJCCIC are consistent with Microsoft's findings with
regard to persistence and data exfiltration. Furthermore, Microsoft found that some threat
actors maintain control over network systems in order to launch future attacks. Many
ransomware attacks begin with the exploitation of vulnerable internet-facing network
devices and devices with weak authentication requirements, such as Remote Desktop
Protocol (RDP) servers. As the NJCCIC discussed last week, there are roughly 30,000
internet-facing endpoints in NJ with RDP enabled – all possible vectors to launch a
ransomware attack. Despite this difficult time, healthcare and other critical services, as
well as small and medium size businesses (SMBs), are still targeted by ransomware. In
some cases, the victims have had to make the difficult decision to either pay the criminals
or accept the data loss, significantly impacting their operations. The NJCCIC advises
users and administrators to follow the recommendations provided by Microsoft and
ensure all internet-facing systems, such as RDP servers and Virtual Desktop endpoints,
require multi-factor authentication; search networks for malicious PowerShell,
Mimikatz, and Cobalt Strike activity; search for suspicious access to Local Security
Authority Subsystem Service (LSASS) and registry or security event log modifications;
ensure all systems are patched, including Citrix ADC, Pulse Secure VPN, Microsoft
SharePoint, Microsoft Exchange, and Zoho ManageEngine; and establish a
comprehensive data backup plan that includes keeping multiple, tested backups off the
network and in a separate and secure location. Microsoft provides additional details on
recent ransomware attacks in their blog post. The NJCCIC provides ransomware risk
mitigation strategies in our mitigation guide.
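As an added illustration of the detection items in this advice (not code from the bulletin or from Microsoft), the following Python triages a few constructed Windows Security and Sysmon events for RDP logons from outside the internal ranges, encoded PowerShell command lines, non-allowlisted access to LSASS, and clearing of the security event log. The internal address ranges, the LSASS allowlist and the flattened event shape are assumptions.

```python
import ipaddress
import re

# Constructed sample events (not from the bulletin): Windows Security log records
# (4624 logon, 1102 log cleared) and Sysmon records (1 process create, 10 process
# access) flattened into plain dicts.
SAMPLE_EVENTS = [
    {"id": 4624, "logon_type": 10, "src_ip": "203.0.113.45", "user": "admin"},
    {"id": 4624, "logon_type": 10, "src_ip": "10.20.1.15", "user": "helpdesk"},
    {"id": 1, "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"id": 10, "source_image": "C:\\Users\\Public\\dump64.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe"},
    {"id": 10, "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe"},
    {"id": 1102, "user": "admin"},
]

# Assumed internal address space (RFC 1918); anything else is treated as internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Processes that legitimately open handles to lsass.exe on a typical host (assumed baseline).
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "lsm.exe", "svchost.exe"}
# Command-line markers for encoded PowerShell and credential-theft tooling.
SUSPICIOUS_PS = re.compile(r"-enc(odedcommand)?\b|downloadstring|mimikatz|sekurlsa", re.I)

def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)

def triage(event):
    """Return a finding label for one event, or None if it looks benign."""
    eid = event.get("id")
    # RDP logon (type 10) from outside the internal ranges: an exposed RDP endpoint.
    if eid == 4624 and event.get("logon_type") == 10 and not is_internal(event["src_ip"]):
        return "rdp-from-internet"
    # Process creation with encoded PowerShell or known credential-dumping keywords.
    if eid == 1 and SUSPICIOUS_PS.search(event.get("cmdline", "")):
        return "suspicious-powershell"
    # Handle opened on lsass.exe by a process outside the allowlist.
    if eid == 10 and event.get("target_image", "").lower().endswith("\\lsass.exe"):
        if event.get("source_image", "").rsplit("\\", 1)[-1].lower() not in LSASS_ALLOWLIST:
            return "lsass-access"
    # Security event log cleared: evidence of log tampering.
    if eid == 1102:
        return "security-log-cleared"
    return None

def triage_all(events):
    return [(e["id"], label) for e in events if (label := triage(e))]
```

Running `triage_all(SAMPLE_EVENTS)` flags four of the six constructed events; the internal RDP logon and the csrss.exe access to LSASS are left alone.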
Announcement
Telework Guidance
The Cybersecurity and Infrastructure Security Agency (CISA) has provided a compilation
of telework guidance and resources from industry partners in an effort to assist
organizations and teleworkers in securing their remote working environment. Further
information can be found here. Additionally, the National Security Agency (NSA) has
provided guidance for telework collaboration services here.
Threat Alerts
US Federal Reserve Economic Relief Phishing Campaign
The NJCCIC’s email security solution has identified and blocked multiple COVID-19
phishing campaigns consistent with open-source reporting, including those recently
impersonating the US Federal Reserve with economic relief options through the Payment
Protection Program in order to steal banking credentials. Phishing emails from the “Federal
Reserve System” contain the subject line “Receive payment.” and include a link that, if
clicked, directs the victim to a spoofed website with legitimate logos, stock photos, and
FAQ section. Clicking on the “Get Economic Impact Payment Now” button displays a
drop-down menu of banks to choose from. A login box, containing the selected bank and
its logo, then prompts the victim to enter their banking credentials. If entered, an error
message will display as the credentials are sent to the threat actors in the background. The
NJCCIC recommends users and organizations educate themselves and others on these
continuing threats and tactics to reduce victimization. Users are advised to avoid clicking
links, opening attachments, or providing personal or financial information in response
to emails from unknown senders and exercise caution with emails from known senders.
If you are unsure of an email’s legitimacy, contact the sender via a separate means of
communication. We also advise users not to take action on emails promising economic
relief and, instead, obtain information from official sources.
Black Rose Lucy Ransomware Attempts to Extort Victims by Impersonating the FBI
Image Source: Check Point Research
Cyber-criminals have repurposed an Android botnet and dropper Malware-as-a-Service
(MaaS) to deliver the ransomware variant known as Black Rose Lucy. Check Point
researchers first identified the MaaS in September 2018, which is believed to be developed
by the Russian-speaking Lucy Gang. The ransomware masquerades as a video application
and is commonly delivered via social media links and instant messenger applications. In
order to bypass Android security, a message is displayed requesting the user to enable the
Streaming Video Optimization (SVO). If the prompt is clicked, the cyber-criminal is granted
access to the accessibility service and encryption is initiated on the device. A ransom note appears
in the web browser window claiming that the encryption was carried out by the Federal
Bureau of Investigation (FBI) due to pornographic content found on the device.
Furthermore, the victim is instructed to pay a $500 fine by providing their credit card
information. It is important to note that the FBI would not conduct operations in this
manner, nor would they ask for credit card details. This use of mobile ransomware
highlights an expansion in the attack landscape. The NJCCIC recommends users exercise
caution when clicking on links within social media posts or instant messages.
Additionally, we urge users to pay close attention to permissions and functions that are
enabled when using applications. Further information can be found in the Check Point
Research article.
Threat Actors Capitalize on Unemployment Fears
Image Source: Help Net Security
As the current pandemic has caused occupational loss and furloughs, cyber-criminals are
capitalizing on unemployment concerns. One campaign currently circulating is a phishing
email crafted to appear as a Zoom meeting invitation that requests the recipient to join for
the purpose of “contract suspension” or “termination trial.” Additionally, the email claims
that the meeting will begin momentarily, enticing the user to click without further scrutiny.
If the link is clicked, the user is directed to a spoofed Zoom login page requesting the user’s
“email” credentials. Once the credentials are entered, the user is redirected to a Zoom help
page, and the credentials are sent to the threat actor. Another phishing campaign claims to
be from an outsourced human resources contractor and requests recipients to view a
fictitious payroll report that includes additional stimulus. The link is hosted on Google
Docs and contains another link that, if clicked, downloads unknown malware. A third scam
that has surfaced involves employment ads offering teleworking opportunities. After the victim
completes an interview and is given an offer of employment, they are prompted to complete
various forms, such as a W-9 and a direct deposit form. The scammer is then provided with all the
details required to drain bank accounts and steal the victim’s identity. The NJCCIC
reminds users to exercise caution when opening unsolicited emails and confirm details
via an alternate means of communication. Additionally, jobseekers are urged to research
potential employers and businesses prior to providing sensitive information.
Furthermore, we urge users to educate others of these and similar scams to avoid
victimization.
Zero-day Affecting Sophos XG Firewall Actively Exploited
Image Source: Sophos Community
A zero-day Structured Query Language (SQL) injection vulnerability affecting Sophos’
XG Firewall was discovered on April 22, 2020 and is actively being exploited. Threat
actors are deploying trojan malware, dubbed Asnarök by Sophos researchers, in an attempt
to harvest XG Firewall-resident data such as usernames and hashed passwords for local
device administrators (admin), user portal accounts, and accounts used for remote access.
Successful exploitation may lead to remote code execution on both physical and virtual
unpatched firewalls. Sophos has deployed a hotfix to devices that receive automatic
updates, which includes a message on the management interface indicating if the device
was affected. In addition to the hotfix, Sophos recommends resetting device admin
accounts and changing local user account passwords – including accounts that may have
re-used these credentials – in order to repair compromised devices. The NJCCIC urges
Sophos XG Firewall admins who may not have enabled automatic updates to apply the
hotfix immediately. Additionally, we recommend disabling HTTPS admin services and
unused user portals on the WAN interface. For further guidance and technical details,
please review the Sophos security advisory.
Threat Actors Target Trucking Companies
The logistics industry, including trucking companies, has played a critical role during the
COVID-19 pandemic despite supply shortages. Threat actors are taking advantage of this
crisis through vishing attempts offering fraudulent loan forgiveness to small businesses
from the CARES Act, impersonation scams of legitimate logistic companies offering fake
work-from-home positions to repackage and reship items, and the targeting of systems and
networks. These scams present opportunities for fraud, identity theft, and future
cyber-attacks as victims may inadvertently disclose sensitive information. The NJCCIC
recommends users update to strong passwords for all accounts, enable multi-factor
authentication where available, keep all software and hardware updated, exercise
caution with unexpected or suspicious emails and other communications, and
refrain from sharing personal or financial information without verifying the requestor.
Organizations are encouraged to adopt a defense-in-depth cybersecurity strategy, apply
the principle of least privilege, and establish a comprehensive data backup plan. More
information can be found in the Security Boulevard article.
Vulnerability Advisory
Project Zero Discovers Zero-Click Flaws in Apple Operating Systems
Researchers from Google’s Project Zero discovered six flaws in Apple’s multimedia
processing component Image I/O, a framework responsible for parsing and working with
image files. Image I/O ships with iOS, macOS, tvOS, and watchOS, and most apps running
on these operating systems (OSs) rely on it for processing image metadata. Multimedia
processing components, including Image I/O, are attractive attack surfaces because
exploiting them does not require user interaction to run code on the targeted system, an
approach sometimes referred to as a “zero-click” attack. In addition to the Image I/O flaws, the researchers discovered eight
bugs in Open EXR, an open-source library used for parsing EXR image files that come as
a component with Image I/O. All of the discovered vulnerabilities have been patched.
Researchers stressed that more research needs to be conducted into multimedia processing
components. The NJCCIC recommends users running Apple OSs ensure systems are
updated to the latest vendor-supported patch levels. More information can be found in
the Project Zero blog post.
Breach Notification
Nintendo
Nintendo is restricting logins and resetting passwords for up to 160,000 Nintendo Network
ID (NNID) accounts that may have been accessed by unauthorized third parties. Potentially
exposed information may have included name, date of birth, gender, country/region, and
email address. Users are advised to establish strong passwords and refrain from reusing
the same password across multiple accounts.
Threat Profiles
Android | ATM Malware | Botnet | Cryptocurrency-Mining | Exploit Kit
Industrial Control Systems | iOS | macOS | Point-of-Sale | Ransomware | Trojan
ICS-CERT Advisories
LCDS LAquis SCADA
Patches
Adobe (Bridge, Illustrator, Magento)
Chrome | Cisco | Juniper
Samba | VMware
WordPress (1, 2)
Throwback Thursday
COVID-19 Cybersecurity Resources
Social Engineering Awareness
The Human Brain is Both a Liability and Asset for Cybersecurity: Here’s Why
Comment: Curious users may find themselves easily drawn to requests, offers, or topics
of interest and suddenly become the victim of specially-crafted phishing emails or business
email compromise (BEC) scams. Cyber-criminals use evolving social engineering tactics
in order for their target to take the bait and quickly practice the bad habit of clicking before
thinking. However, users can arm themselves against the “reel” deal and develop healthy
cybersecurity habits through frequent security awareness training and repetitive phishing
simulations.
Cyber at a Glance
Aimed at Moving Targets: Five Cyber Threats That Put Mobile Devices at Risk
Comment: Many people use mobile devices to connect and communicate with others, and
may do so with a false sense of security. Cyber-criminals can target users and vulnerable
devices to gain access to sensitive information, install malware, and infiltrate networks and
other systems. The security risks of data leakage and cyber-attacks can be reduced by
installing reputable apps, checking security and privacy settings, keeping mobile devices
updated, and exercising caution with suspicious communications, websites, and apps.
The information contained in this product is marked Traffic Light Protocol (TLP):
WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE
information may be distributed without restriction.
Questions?
Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.