THE WEEKLY BULLETIN
April 9, 2020
TLP: WHITE
Garden State Cyber Threat Highlight
Providing our members with a weekly insight into the threats and malicious
activity directly targeting New Jersey networks.
COVID-19 Cyber Threats
As the COVID-19 pandemic continues, cyber threat actors continue to use the crisis to
victimize individuals, businesses, and organizations. The NJCCIC has observed various
phishing campaigns attempting to deliver malicious emails to NJ state employees. These
emails use various tactics to trick recipients to click links, open attachments, divulge
sensitive information such as account credentials, or donate to fraudulent causes. These
tactics include extortion, pleas for charity, impersonation of known individuals or
organizations, and claims to have personal protective equipment. The NJCCIC’s email
security solution blocked four times more malicious emails referencing COVID-19 in the
month of March than in February, as shown in the graph above. As the crisis develops, we
also see changes in the tactics and topics used in these emails. For example, as states and
healthcare facilities began expressing a critical need for more personal protective
equipment and other necessary medical devices, malicious emails claiming to have access
to this equipment began circulating. Additionally, when Congress was working to pass a
stimulus package, we saw an increase in the number of malicious emails referencing the
stimulus, with a peak on the day of and day after the president signed the stimulus into
law, as shown below.
The NJCCIC recommends users and organizations educate themselves and others on
these continuing threats and tactics to reduce victimization. Users are advised to avoid
clicking links, opening attachments, or providing personal or financial information in
response to emails from unknown senders and exercise caution with emails from known
senders. Users are encouraged to research legitimate organizations for monetary or item
donations. If you are unsure of an email’s legitimacy, contact the sender via a separate
means of communication.
Below are some examples of malicious emails referencing COVID-19 that targeted NJ
state employees.
Description: Impersonation of the WHO Director-General
Description: Claims of a Catalog to Order Medical Equipment
Description: Claims of Financial Relief Payment
In addition to phishing campaigns referencing COVID-19, cyber threat actors are targeting
virtual-teleconferencing (VTC) platforms in VTC-hijacking incidents, such as Zoom-
bombing, and continuing to launch ransomware attacks, with healthcare sector entities and
small and medium-sized businesses (SMBs) as recent victims. These attacks are even more
damaging during this time, as it is vital for healthcare entities to have access to their
resources, and many SMBs were forced to halt or limit operations due to COVID-19, which has
negatively impacted revenue. The NJCCIC recommends reviewing our resource,
“Ransomware: Risk Mitigation Strategies” for guidance on how to reduce the risk of a
ransomware infection and associated impacts, and apply the recommendations within.
Additionally, please report cyber incidents to the NJCCIC via the Cyber Incident
Reporting Form. The US DHS Cybersecurity and Infrastructure Security Agency and
the UK’s National Cyber Security Centre (NCSC) released the joint alert “COVID-19
Exploited by Malicious Cyber Actors,” which includes information on various tactics,
indicators of compromise (IOCs), and recommendations.
Announcement
FBI PSA: Cyber Criminals Conduct Business Email Compromise Through Exploitation of Cloud-Based Email Services,
Costing US Businesses More Than $2 Billion
The Federal Bureau of Investigation (FBI) has announced threat actors are targeting
organizations with cloud-based email services to conduct business email compromise
(BEC) scams. BEC scams are specifically crafted through phishing kits to compromise
business email accounts and request or misdirect transfers of funds. More information and
recommendations for users and IT administrators can be found in the FBI Public Service
Announcement.
Industry Report
Europol
Europol released the report “Catching the Virus: Cybercrime, Disinformation, and the
COVID-19 Pandemic,” which details scams, attacks, and tactics that have occurred in the
past few months as the COVID-19 pandemic has proliferated. Below are some key
takeaways:
• In ransomware incidents, there has been a shorter timeframe between initial
infection and activation of the ransomware, indicating there is less focus on waiting
for the “ideal moment.”
• While distributed denial-of-service (DDoS) attacks have only risen slightly, it is
expected that DDoS campaigns will increase in the short to medium term due to the
increased reliance on various online services.
• Vendors on the dark web have added products such as test kits and masks to their
marketplaces.
• There may be an upcoming increase in the number of drug-related items sold on the
dark web if there is a disruption in the supply chain that makes it more difficult to
purchase these items elsewhere.
• Demand for items on the dark web will likely mirror that of in-demand items on the
surface web.
• State actors spread disinformation to sow distrust, destabilize governments, and
advance geopolitical interests.
Threat Alerts
IRS Warning for Coronavirus-Related Scams for Economic Impact Payments
In response to recent economic impact payments, the Internal Revenue Service (IRS) is
warning taxpayers of Coronavirus-related scams, which may lead to tax-related fraud and
identity theft. There have been attempts through phishing emails, vishing, websites, and
social media. Retirees and seniors are among those targeted — particularly if they have
not previously provided direct deposit account information on tax returns. The NJCCIC
recommends users educate themselves and others on this and similar scams to prevent
future victimization. We also advise users who believe their information may have been
compromised to notify the IRS, their banking institution, and the credit reporting
bureaus. Please review the IRS news release for more information.
New Dark_Nexus Botnet Targets IoT Devices
A new aggressive botnet, dubbed Dark_Nexus by Bitdefender researchers, has been
identified targeting various Internet of Things (IoT) devices ranging from ASUS and
D-Link routers to video recorders. The botnet appears to borrow code from both Mirai and
Qbot, though researchers believe that much of its core functions are original. Dark_Nexus
was first identified in December 2019 and is frequently updated, with over 30 versions
discovered in a three-month period. Additionally, payloads are customized for 12 different
CPU architectures and are spread using Telnet credential stuffing and other exploits. A
new persistence tactic prevents the infected device from rebooting by removing
restart permissions. Compromised devices could be used in distributed denial-of-service
(DDoS) attacks. The NJCCIC recommends users ensure IoT devices are routinely
updated, default passwords are changed, and multi-factor authentication is enabled
where available. Additionally, disable Telnet or, if necessary to manage devices, add an
access list to routers to prevent unauthorized access. Technical details and IOCs can be
found in the Bitdefender whitepaper.
Kinsing Cryptocurrency-Mining Malware Campaign Targets Docker Containers
Researchers at security firm Aqua detailed a malware operation targeting Docker container
environments. Threat actors are scanning for and accessing Docker containers running API
ports exposed to the internet to install a cryptocurrency-mining malware known as Kinsing.
Using the API port, the threat actors can run an Ubuntu container to download and install
Kinsing. Secondary functions of the malware include stealing local SSH credentials.
Attacks began at the end of 2019 and are ongoing. The NJCCIC recommends
administrators of Docker containers refrain from exposing API ports to the internet and
review the Aqua blog post.
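As an added defender's check (not code from Aqua's write-up or from the NJCCIC), the following Python audits a host's Docker daemon configuration for the exposure this campaign relies on: an API listener on a TCP port bound to a non-loopback address with no client authentication. It assumes the caller supplies the text of /etc/docker/daemon.json and the dockerd ExecStart line (for example from `systemctl cat docker`); the sample command line is constructed.

```python
import json
import re
import shlex
from urllib.parse import urlparse

# Bind addresses that keep the API local to the host; anything else is reachable from the network.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def hosts_from_execstart(line):
    """Extract -H / --host values ('-H x' and '--host=x' forms) from a dockerd command line."""
    argv = shlex.split(line)
    hosts, i = [], 0
    while i < len(argv):
        if argv[i] in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        m = re.match(r"^(?:-H|--host)=(.+)$", argv[i])
        if m:
            hosts.append(m.group(1))
        i += 1
    return hosts


def assess(daemon_json_text, execstart_line):
    """Return one finding per tcp:// listener not bound to loopback, given the
    contents of /etc/docker/daemon.json and the dockerd ExecStart line."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    hosts = list(cfg.get("hosts", [])) + hosts_from_execstart(execstart_line)
    # Client-certificate auth is on only with "tlsverify": true or --tlsverify.
    tls = cfg.get("tlsverify") is True or "--tlsverify" in shlex.split(execstart_line)
    findings = []
    for h in hosts:
        u = urlparse(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local by construction
        host = u.hostname or "0.0.0.0"  # tcp://:2375 binds every interface
        if host in LOOPBACK:
            continue
        if tls:
            findings.append(f"{h}: network-reachable listener; confirm CA, client certs and firewalling")
        else:
            findings.append(f"{h}: Docker API reachable over plain TCP with no authentication")
    return findings


# Constructed sample: a unit file that adds an unauthenticated TCP listener on 2375.
SAMPLE_EXECSTART = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock"
```

Run assess() with each Docker host's daemon.json text and ExecStart line; a finding on a listener such as tcp://0.0.0.0:2375 is the configuration to remove or restrict before the host is reachable from the internet.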
Vulnerability Advisory
Many Microsoft Exchange Servers Still Vulnerable After Patches Released
Researchers at Rapid7 discovered that very few organizations have applied Microsoft’s
February 11, 2020 security updates for vulnerable Exchange mail servers. The
vulnerability could allow threat actors to compromise the entire Exchange environment
and potentially all of Active Directory, depending on server implementation. The patch
needs to be installed on any server with Exchange Control Panel (ECP) enabled, which
typically has a Client Access Server (CAS) role allowing Outlook Web App (OWA)
access. The NJCCIC recommends administrators patch systems as soon as possible after
appropriate testing and inspect systems for signs of compromise. Technical details can
be found in the Rapid7 blog post.
Breach Notification
Key Ring
Researchers at vpnMentor discovered misconfigured Amazon Web Services (AWS) S3
buckets owned by Key Ring that publicly exposed over 44 million various images to
include forms of identification, credit and debit cards, and membership cards. Key Ring,
a popular digital wallet, was designed to store scanned images of typical wallet contents to
provide its 14 million users a “One-Stop Shopping Solution.” Exposed information also
included CSV files containing various businesses’ customer listings that stored personally
identifiable information (PII). The breach was discovered in January and fixed February
20, 2020, though researchers cannot confirm how long the buckets were exposed. Breached
information may be used in various crimes ranging from account takeovers to identity theft
and fraud. Potentially affected Key Ring patrons are advised to monitor all financial
accounts for fraudulent charges and report any suspicious activity immediately to both
your financial institution and local police station. Additionally, report signs of identity theft
to the Federal Trade Commission and consider placing freezes on credit profiles. Cyber
incidents can be reported via the NJCCIC Cyber Incident Report Form and the FBI’s
Internet Crime Complaint Center (IC3) website.
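As an added example (not vpnMentor's or Key Ring's code), this Python check evaluates a bucket's ACL and bucket policy, in the shapes returned by the S3 GetBucketAcl and GetBucketPolicy calls, for the kind of public grant behind an exposure like this one. The sample ACL and policy are constructed; retrieving real ones from AWS is left to the caller.

```python
import json

# Grantee URIs that make an ACL grant world-readable or open to any AWS account holder.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def _as_list(value):  # policy fields may be a single string or a list
    return value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """Return (group, permission) pairs from a GetBucketAcl response that grant access to everyone."""
    hits = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            hits.append((PUBLIC_GRANTEES[uri], grant.get("Permission")))
    return hits

def public_policy_statements(policy_text):
    """Return (Sid, has_condition, actions) for Allow statements with an anonymous principal.
    Statements carrying a Condition are reported too, but flagged, since they may be scoped."""
    policy = json.loads(policy_text) if policy_text else {}
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if st.get("Effect") == "Allow" and anonymous:
            hits.append((st.get("Sid", "<no Sid>"), "Condition" in st, _as_list(st.get("Action"))))
    return hits

def is_public(acl, policy_text):
    """True when the ACL or an unconditional policy statement opens the bucket to anyone."""
    return bool(public_acl_grants(acl)) or any(
        not conditioned for _, conditioned, _ in public_policy_statements(policy_text))

# Constructed sample: the owner keeps full control, but a second grant and a policy expose every object.
SAMPLE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
```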
Threat Profiles
Android | ATM Malware | Botnet | Cryptocurrency-Mining | Exploit Kit
Industrial Control Systems | iOS | macOS | Point-of-Sale | Ransomware | Trojan
ICS-CERT Advisories
Advantech WebAccess/NMS
Fuji Electric V-Server Lite
GE Digital CIMPLICITY
HMS Networks eWON Flexy and Cosy
KUKA.Sim Pro
Rockwell Automation RSLinx Classic
Synergy Systems & Solutions HUSKY RTU (Update A)
Patches
Android | Chrome
Grandstream | Mozilla (1, 2)
Pixel
Throwback Thursday
Don’t Get Harpooned by a Whaling Attack
Social Engineering Awareness
Simple Steps to Protect You Against COVID-19 Social Engineering Attacks
Comment: As we are keeping socially distant during the current pandemic, threat actors
are using this social engineering opportunity to trick or manipulate users into divulging
sensitive information or giving them access to systems. Attacks can occur through phishing,
spear-phishing, social media deception, pretexting, waterholing, smishing, and vishing. It
is important to keep our cyber distance from attackers by exercising caution with
suspicious communications, enabling multi-factor authentication where available, creating
strong and unique passwords for each account, and keeping systems updated.
Cyber at a Glance
COVID-19 Response: Following Best Telehealth Security Practices
Comment: The telehealth trend has quickly transformed in response to COVID-19;
however, security and privacy concerns remain, as sensitive and medical data are subjected
to HIPAA and other regulations. There has been an increase in coronavirus-based phishing
campaigns and the healthcare sector may not be able to manage vulnerabilities in their IT
infrastructure. Recommended security practices include using a reputable telehealth app,
determining what data is collected and how it is used, and ensuring the app is following all
HIPAA regulations.
Increase in Small DDoS Attacks Could Take Down VPNs
Comment: Entire companies, including security and IT administrators, are connecting
through Virtual Private Networks (VPNs) which, if attacked, disrupt the ability to work
and can be hard to mitigate. There may be an increase in small distributed denial-of-service
(DDoS) attacks, disrupting overloaded VPNs meant for a small number of remote workers.
Threat actors are also targeting mobile and IoT devices as an intermediate service to
amplify attacks since these devices are usually on and serve as a primary form of
communication.
The information contained in this product is marked Traffic Light Protocol (TLP):
WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE
information may be distributed without restriction.
Questions?
Email a Cyber Liaison Officer at [email protected].
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
This email was sent by:
New Jersey Cybersecurity & Communications Integration Cell
DISCLAIMER: This product is provided as is for informational purposes only. The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) does not provide any warranties of any
kind regarding any information contained within. The NJCCIC does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is
governed by the Traffic Light Protocol (TLP). For more information about TLP, see https://www.us-cert.gov/tlp.