
THE WEEKLY BULLETIN
April 9, 2020
TLP: WHITE

Garden State Cyber Threat Highlight
Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.

COVID-19 Cyber Threats

As the COVID-19 pandemic continues, cyber threat actors continue to use the crisis to victimize individuals, businesses, and organizations. The NJCCIC has observed various phishing campaigns attempting to deliver malicious emails to NJ state employees. These emails use various tactics to trick recipients into clicking links, opening attachments, divulging sensitive information such as account credentials, or donating to fraudulent causes. These tactics include extortion, pleas for charity, impersonation of known individuals or organizations, and claims to have personal protective equipment. The NJCCIC’s email security solution blocked four times more malicious emails referencing COVID-19 in the month of March than in February, as shown in the graph above. As the crisis develops, we also see changes in the tactics and topics used in these emails. For example, as states and healthcare facilities began expressing a critical need for more personal protective equipment and other necessary medical devices, malicious emails claiming to have access to this equipment began circulating. Additionally, when Congress was working to pass a stimulus package, we saw an increase in the number of malicious emails referencing the stimulus, with a peak on the day of and the day after the president signed the stimulus into law, as shown below.

The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to avoid clicking links, opening attachments, or providing personal or financial information in response to emails from unknown senders, and to exercise caution with emails from known senders. Users are encouraged to research legitimate organizations before making monetary or item donations. If you are unsure of an email’s legitimacy, contact the sender via a separate means of communication.

Below are some examples of malicious emails referencing COVID-19 that targeted NJ state employees.

Description: Impersonation of the WHO Director-General

Description: Claims of a Catalog to Order Medical Equipment

Description: Claims of Financial Relief Payment

In addition to phishing campaigns referencing COVID-19, cyber threat actors are targeting virtual-teleconferencing (VTC) platforms in VTC-hijacking incidents, such as Zoom-bombing, and continuing to launch ransomware attacks, with healthcare sector entities and small and medium-sized businesses (SMBs) as recent victims. These attacks are even more damaging during this time, as it is vital for healthcare entities to have access to resources, and many SMBs were forced to halt or limit operations due to COVID-19, which has negatively impacted revenue. The NJCCIC recommends reviewing our resource, “Ransomware: Risk Mitigation Strategies,” for guidance on how to reduce the risk of a ransomware infection and its associated impacts, and applying the recommendations within. Additionally, please report cyber incidents to the NJCCIC via the Cyber Incident Reporting Form. The US DHS Cybersecurity and Infrastructure Security Agency and the UK’s National Cyber Security Centre (NCSC) released the joint alert “COVID-19 Exploited by Malicious Cyber Actors,” which includes information on various tactics, indicators of compromise (IOCs), and recommendations.

Announcement

FBI PSA: Cyber Criminals Conduct Business Email Compromise Through Exploitation of Cloud-Based Email Services, Costing US Businesses More Than $2 Billion

The Federal Bureau of Investigation (FBI) has announced that threat actors are targeting organizations with cloud-based email services to conduct business email compromise (BEC) scams. BEC scams are specifically crafted through phishing kits to compromise business email accounts and request or misdirect transfers of funds. More information and recommendations for users and IT administrators can be found in the FBI Public Service Announcement.

Industry Report

Europol

Europol released the report “Catching the Virus: Cybercrime, Disinformation, and the COVID-19 Pandemic,” which details scams, attacks, and tactics that have occurred in the past few months as the COVID-19 pandemic has proliferated. Below are some key takeaways:

• In ransomware incidents, there has been a shorter timeframe between initial infection and activation of the ransomware, indicating there is less focus on waiting for the “ideal moment.”

• While distributed denial-of-service (DDoS) attacks have only risen slightly, it is expected that DDoS campaigns will increase in the short to medium term due to the increased reliance on various online services.

• Vendors on the dark web have added products such as test kits and masks to their marketplaces.

• There may be an upcoming increase in the number of drug-related items sold on the dark web if there is a disruption in the supply chain that makes it more difficult to purchase these items elsewhere.

• Demand for items on the dark web will likely mirror that of in-demand items on the surface web.

• State actors spread disinformation to sow distrust, destabilize governments, and advance geopolitical interests.

Threat Alerts

IRS Warning for Coronavirus-Related Scams for Economic Impact Payments

In response to recent economic impact payments, the Internal Revenue Service (IRS) is warning taxpayers of Coronavirus-related scams, which may lead to tax-related fraud and identity theft. There have been attempts through phishing emails, vishing, websites, and social media. Retirees and seniors are among those targeted, particularly if they have not previously provided direct deposit account information on tax returns. The NJCCIC recommends users educate themselves and others on this and similar scams to prevent future victimization. We also advise users who believe their information may have been compromised to notify the IRS, their banking institution, and the credit reporting bureaus. Please review the IRS news release for more information.

New Dark_Nexus Botnet Targets IoT Devices

Image Source: Bitdefender

A new, aggressive botnet, dubbed Dark_Nexus by Bitdefender researchers, has been identified targeting various Internet of Things (IoT) devices ranging from ASUS and D-Link routers to video recorders. The botnet appears to borrow code from both Mirai and Qbot, though researchers believe that much of its core functionality is original. Dark_Nexus was first identified in December 2019 and is frequently updated, with over 30 versions discovered in a three-month period. Additionally, payloads are customized for 12 different CPU architectures and are spread using Telnet credential stuffing and other exploits. A newly observed persistence tactic prevents the infected device from rebooting by removing restart permissions. Compromised devices could be used in distributed denial-of-service (DDoS) attacks. The NJCCIC recommends users ensure IoT devices are routinely updated, default passwords are changed, and multi-factor authentication is enabled where available. Additionally, disable Telnet or, if it is necessary to manage devices, add an access list to routers to prevent unauthorized access. Technical details and IOCs can be found in the Bitdefender whitepaper.

Kinsing Cryptocurrency-Mining Malware Campaign Targets Docker Containers

Image Source: Aqua

Researchers at security firm Aqua detailed a malware operation targeting Docker container environments. Threat actors are scanning for and accessing Docker containers running with API ports exposed to the internet to install a cryptocurrency-mining malware known as Kinsing. Using the API port, the threat actors can run an Ubuntu container to download and install Kinsing. Secondary functions of the malware include stealing local SSH credentials. Attacks began at the end of 2019 and are ongoing. The NJCCIC recommends administrators of Docker containers refrain from exposing API ports to the internet and review the Aqua blog post.
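The exposure the Kinsing campaign relies on is a Docker daemon API reachable over plain TCP. As an added example (not from the bulletin or from Aqua's research), the audit below reads a daemon.json, flags tcp:// listeners bound beyond loopback without client-certificate verification, and returns a configuration with those listeners removed. It assumes the daemon is configured through daemon.json's "hosts" and "tlsverify" keys; the sample configurations and certificate paths are constructed for this example.

```python
"""Audit a Docker daemon.json for an API listener exposed over plain TCP."""
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample configurations for this example (not from any real host).
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
TLS_CONFIG = json.dumps({
    "hosts": ["tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",  # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def exposed_tcp_listeners(daemon_json: str) -> list:
    """Return (address, port) for every tcp:// listener bound beyond loopback
    without client-certificate verification. Such a listener lets any remote
    client start containers, which is what the Kinsing operators abused."""
    cfg = json.loads(daemon_json)
    tls_verified = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local to the host
        addr = parts.hostname or "0.0.0.0"  # "tcp://:2375" binds all interfaces
        if addr in LOOPBACK or tls_verified:
            continue
        findings.append((addr, parts.port))
    return findings


def hardened_config(daemon_json: str) -> dict:
    """Return the configuration with every tcp:// listener removed, leaving only
    local sockets; remote management should go through SSH or mutual TLS."""
    cfg = json.loads(daemon_json)
    local = [h for h in cfg.get("hosts", []) if urlsplit(h).scheme != "tcp"]
    cfg["hosts"] = local or ["unix:///var/run/docker.sock"]
    return cfg


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONFIG), ("tls", TLS_CONFIG)):
        print(name, "exposed:", exposed_tcp_listeners(conf))
    print("hardened:", json.dumps(hardened_config(WEAK_CONFIG)))
```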

Vulnerability Advisory

Many Microsoft Exchange Servers Still Vulnerable After Patches Released

Researchers at Rapid7 discovered that very few organizations have applied Microsoft’s February 11, 2020 security updates for vulnerable Exchange mail servers. The vulnerability could allow threat actors to compromise the entire Exchange environment and potentially all of Active Directory, depending on the server implementation. The patch needs to be installed on any server with the Exchange Control Panel (ECP) enabled, which typically has a Client Access Server (CAS) role allowing Outlook Web App (OWA) access. The NJCCIC recommends administrators patch systems as soon as possible after appropriate testing and inspect systems for signs of compromise. Technical details can be found in the Rapid7 blog post.

Breach Notification

Key Ring

Researchers at vpnMentor discovered misconfigured Amazon Web Services (AWS) S3 buckets owned by Key Ring that publicly exposed over 44 million images, including forms of identification, credit and debit cards, and membership cards. Key Ring, a popular digital wallet, was designed to store scanned images of typical wallet contents to provide its 14 million users a “One-Stop Shopping Solution.” Exposed information also included CSV files containing various businesses’ customer listings that stored personally identifiable information (PII). The breach was discovered in January and fixed February 20, 2020, though researchers cannot confirm how long the buckets were exposed. Breached information may be used in various crimes ranging from account takeovers to identity theft and fraud. Potentially affected Key Ring patrons are advised to monitor all financial accounts for fraudulent charges and report any suspicious activity immediately to both their financial institution and local police. Additionally, report signs of identity theft to the Federal Trade Commission and consider placing freezes on credit profiles. Cyber incidents can be reported via the NJCCIC Cyber Incident Report Form and the FBI’s Internet Crime Complaint Center (IC3) website.

Threat Profiles

Android | ATM Malware | Botnet | Cryptocurrency-Mining | Exploit Kit
Industrial Control Systems | iOS | macOS | Point-of-Sale | Ransomware | Trojan

ICS-CERT Advisories

Advantech WebAccess/NMS
Fuji Electric V-Server Lite
GE Digital CIMPLICITY
HMS Networks eWON Flexy and Cosy
KUKA.Sim Pro
Rockwell Automation RSLinx Classic
Synergy Systems & Solutions HUSKY RTU (Update A)

Patches

Android | Chrome
Grandstream | Mozilla (1, 2)
Pixel

Throwback Thursday

Don’t Get Harpooned by a Whaling Attack

Social Engineering Awareness

Simple Steps to Protect You Against COVID-19 Social Engineering Attacks

Comment: As we are keeping socially distant during the current pandemic, threat actors are using this social engineering opportunity to trick or manipulate users into divulging sensitive information or giving them access to systems. Attacks can occur through phishing, spear-phishing, social media deception, pretexting, waterholing, smishing, and vishing. It is important to keep our cyber distance from attackers by exercising caution with suspicious communications, enabling multi-factor authentication where available, creating strong and unique passwords for each account, and keeping systems updated.

Cyber at a Glance

COVID-19 Response: Following Best Telehealth Security Practices

Comment: The telehealth trend has quickly transformed in response to COVID-19; however, security and privacy concerns remain, as sensitive and medical data are subject to HIPAA and other regulations. There has been an increase in coronavirus-based phishing campaigns, and the healthcare sector may not be able to manage vulnerabilities in its IT infrastructure. Recommended security practices include using a reputable telehealth app, determining what data is collected and how it is used, and ensuring the app is following all HIPAA regulations.

Increase in Small DDoS Attacks Could Take Down VPNs

Comment: Entire companies, including security and IT administrators, are connecting through Virtual Private Networks (VPNs) which, if attacked, disrupt the ability to work and can be hard to mitigate. There may be an increase in small distributed denial-of-service (DDoS) attacks disrupting overloaded VPNs that were meant for a small number of remote workers. Threat actors are also targeting mobile and IoT devices as an intermediate service to amplify attacks, since these devices are usually on and serve as a primary form of communication.

The information contained in this product is marked Traffic Light Protocol (TLP): WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction.

TLP: WHITE

Questions?

Email a Cyber Liaison Officer at [email protected].

The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.


This email was sent by:
New Jersey Cybersecurity & Communications Integration Cell

DISCLAIMER: This product is provided as is for informational purposes only. The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) does not provide any warranties of any kind regarding any information contained within. The NJCCIC does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP). For more information about TLP, see https://www.us-cert.gov/tlp.