Criminals Use Phishing Tactics to Obtain iCloud Credentials of Stolen Apple Devices

Profit-motivated criminals attempting to resell lost and stolen Apple devices on the black market are using social engineering techniques such as phishing and SMiShing (SMS phishing) to target the former device owners and obtain their iCloud credentials. The specially crafted phishing emails and text messages are designed to appear as though they originated from an Apple representative and include wording suggesting that the victim’s lost or stolen device has been located and that the victim’s iCloud login credentials are needed by the representative before the device can be returned. If the victim responds with the credentials, the criminals use them to remove the device from the victim’s iCloud account, which disables Activation Lock so that the device can be erased, restored to factory settings, and resold to a new buyer. The ability to unlock Apple devices is in such high demand that hackers have begun offering iCloud fraud “as a service” to stolen device dealers. This service includes tools such as MagicApp and Applekit, along with a framework that abuses Apple’s Find My iPhone service, to automate phishing campaigns and unlock iCloud accounts. The NJCCIC recommends all Apple device users review the Trend Micro report and maintain awareness of this and similar social engineering tactics used to obtain sensitive information. Never divulge account login credentials in response to an email or SMS request, and enable two-factor authentication (2FA) on every account that offers it. If you have questions or concerns regarding any of your accounts, follow the instructions provided on the associated company’s website to contact an official representative.

Threat Actors Increasingly Exploiting Dynamic Data Exchange

As the NJCCIC has reported in several recent threat alerts, hackers are increasingly leveraging Dynamic Data Exchange (DDE), a legacy Windows inter-process communication protocol that Microsoft Office applications support for exchanging data with other programs, to spread malware. Because a DDE field in a document can name an arbitrary program to launch, the technique requires no macros; the victim only has to open the document and accept the prompts asking whether to update linked data and start the named application. In October alone, threat actors exploited DDE to spread Locky ransomware and the Hancitor trojan, and it was recently leveraged by APT28 to deliver the Seduploader trojan to unsuspecting victims. The cybercrime group known as FIN7 was also observed abusing this protocol to deliver the DNSMessenger trojan. In response to these threats and the risk this feature poses, Microsoft has issued Security Advisory 4053440, which details registry settings that users and administrators can apply to stop Word, Excel, and Outlook from updating DDE links automatically. The NJCCIC recommends all Microsoft Office users and administrators review the Microsoft Security Advisory and follow the recommended mitigations. Additionally, the NJCCIC encourages all email users to maintain awareness of emerging phishing campaigns and avoid clicking on links and opening attachments delivered with unexpected or unsolicited emails. We also discourage disabling Protected View, accepting prompts to update linked data, or enabling macros in documents unless you trust and can personally verify the sender.

Malicious Chrome Extension Harvests Personal Data from Social Media Sites

Bleeping Computer founder Lawrence Abrams discovered a malicious Chrome browser extension named Browse-Secure that promotes itself as a way to make browsing “safe” but, once installed, connects to a remote server and harvests personal information from the unsuspecting user’s Facebook and LinkedIn accounts. Browse-Secure uses the rules contained in a bundled JSON file to crawl these social media pages and extract data such as names, dates of birth, gender, addresses, email addresses, and mobile phone numbers. This data is then transmitted back to the remote server. Although it is currently unknown how the developer intends to use this data, it could readily be used to target users in spear-phishing campaigns or other social engineering schemes. The NJCCIC recommends users who have installed the malicious Chrome extension uninstall it immediately and be on alert for spear-phishing and other social engineering attempts that incorporate the information harvested from their profiles. We also recommend exercising caution when installing browser extensions, reviewing the permissions an extension requests, and reading reviews prior to installation to see whether other users have reported a negative experience. Network administrators may want to consider blocking inbound and outbound connections to the known C2 IP addresses and domains. More information about this malicious extension, including indicators of compromise, is available on Bleeping Computer.

Technical Alerts on Two North Korean/HIDDEN COBRA Trojans

US-CERT released joint Technical Alerts (TAs) detailing two trojans used by the North Korean government-associated cyber threat group HIDDEN COBRA, also known as Lazarus Group, to target organizations in various sectors: TA17-318A on FALLCHILL and TA17-318B on Volgmer. The TAs provide technical details on the capabilities of each trojan as well as detection and response guidance, including indicators of compromise (IoCs) and mitigation strategies. A successful network intrusion using either trojan could lead to the loss of sensitive or proprietary information, disruption of operations, financial losses from restoring systems, and reputational damage. The NJCCIC recommends all users and administrators review the TAs detailing FALLCHILL and Volgmer, scan their networks for malicious activity associated with these trojans using the IoCs provided, and apply the suggested mitigation strategies.

Verticalscope

Verticalscope, a Canadian company responsible for managing hundreds of different online discussion forums, has been breached for the second time in just two years. The company was initially hacked in 2016 and, as a result, over 45 million user account records were compromised. The information contained in those records included email addresses, usernames, IP addresses, and primary and secondary passwords. According to KrebsOnSecurity, approximately 2.7 million user accounts have been affected by Verticalscope’s most recent breach. The intruders gained a foothold on the company’s forum web servers by installing web shells, backdoor scripts that execute attacker-supplied commands on the server, which gave them remote access to millions of sensitive account credentials. The NJCCIC recommends users immediately change their passwords on any online forums associated with Verticalscope, as well as on any accounts that share the same login credentials.

Multiple USB Vulnerabilities in the Linux Kernel

Google security researcher Andrey Konovalov discovered 79 USB-related bugs in the Linux kernel using syzkaller, a coverage-guided fuzzer developed by Google to find security bugs in kernels. Fourteen of them, found in the USB subsystem, were reported as vulnerabilities that can be triggered by a specially crafted malicious USB device; an attacker with physical access to a port could use them to crash the system and, in some cases, to run untrusted code and take control of systems running a Linux-based operating system. Several of the other bugs result in a denial-of-service condition if triggered, while others could allow threat actors to elevate privileges or execute code. Many of the USB-related vulnerabilities in the Linux kernel can be attributed to the widespread adoption of devices with USB interfaces, which requires Linux to carry a wide range of drivers that may not have been thoroughly tested against malformed descriptors from a hostile device. The NJCCIC recommends all Linux users and administrators review Konovalov’s research, consider utilizing a reputable software tool designed to protect systems against rogue USB devices, and whitelist approved USB drives. Additionally, we recommend only inserting trusted USB devices into Linux-based systems and, where the feature is unneeded, configuring the kernel module loading system to prevent the USB storage driver from loading (for example, with a modprobe.d rule that replaces the usb-storage module’s install command; note that simply blacklisting the module only stops automatic loading and does not prevent an explicit load).

Misconfigured Amazon S3 Buckets Vulnerable to Man-in-the-Middle Attacks

Threat actors can leverage misconfigured Amazon S3 buckets that allow public write access to perform Man-in-the-Middle (MitM) attacks. This attack vector, dubbed GhostWriter by Skyhigh researchers, gives a threat actor the opportunity to replace original files stored in the misconfigured bucket with modified or malicious versions, replace code to redirect revenue to the threat actor’s account, or intercept and redirect subscription payments. Bucket administrators who serve JavaScript from publicly writable buckets run the risk of having their code overwritten with scripts designed to conduct malicious activity such as drive-by attacks and cryptocurrency mining. As GhostWriter can be used to gain a foothold in an organization’s internal network, these bucket misconfigurations potentially expose sensitive employee and customer data to unauthorized access and leave the organization liable for the costs and reputational damage resulting from a data breach. The exposure results from human error rather than from a flaw in S3 itself: a bucket ACL or bucket policy that grants WRITE to the “Everyone” (AllUsers) or “Any Authenticated AWS User” group lets anyone with an AWS account, or with no account at all, upload and overwrite objects. Researchers found that more than 1,600 S3 buckets are accessed from within enterprise networks and about 4 percent of those were exposed to GhostWriter due to misconfiguration. Financially motivated actors and state-sponsored advanced persistent threat (APT) groups have begun targeting Amazon S3 buckets and other cloud storage containers to gain access to private networks and valuable data. It is vital that S3 buckets are configured with the most restrictive settings that still serve their purpose, to avoid this and similar attacks. The NJCCIC recommends Amazon cloud storage customers review both Skyhigh’s report on GhostWriter and Amazon’s resource guide, apply the recommended configurations, and regularly audit their security settings to maintain the confidentiality and integrity of their data.
To help administrators quickly locate and secure misconfigured and publicly accessible Amazon S3 buckets, Kromtech Security has released a free tool, dubbed the Kromtech S3 Inspector. More information about this tool, including a link to download it, is available from Kromtech. The NJCCIC makes no claim as to the effectiveness of this tool, and users are advised to exercise caution when downloading and installing any software from the internet. Additionally, Amazon has just released new S3 security features including default encryption, permission checks, and an update to the S3 console that flags buckets that are publicly accessible.
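
The GhostWriter precondition described above, a bucket that anyone can write to, can be checked without a third-party tool. The following is an added example for this bulletin, not Skyhigh’s, Kromtech’s or Amazon’s code. It evaluates the two places S3 grants permissions, the bucket ACL and the bucket policy, on data shaped like the responses boto3 returns from get_bucket_acl() and get_bucket_policy(); the bucket names, canonical IDs and policies below are constructed test data, and the AllUsers/AuthenticatedUsers group URIs and the Principal "*" forms are the real ones S3 uses.

```python
"""Offline check for publicly writable S3 buckets (ACL grants and bucket policy)."""
import fnmatch
import json

# ACL grantee URIs that mean "everyone": anonymous users, or any AWS account holder.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
# ACL permissions that allow creating or replacing objects.
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}


def _as_list(value):
    """Policy JSON allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def acl_public_write(acl):
    """Return a finding for each ACL grant that lets everyone write into the bucket."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if (grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS
                and grant.get("Permission") in WRITE_PERMISSIONS):
            findings.append("ACL grants %s to %s" % (grant["Permission"], PUBLIC_GROUPS[uri]))
    return findings


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"}, the forms that mean any principal."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def policy_public_write(policy):
    """Return a finding for each Allow statement that lets any principal put objects."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        # Actions may be wildcards ("s3:*", "s3:Put*", "*"); match them against PutObject.
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        writes = [a for a in actions if fnmatch.fnmatchcase("s3:putobject", a)]
        if not writes:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            # A Condition (aws:SourceIp, aws:SourceVpce, ...) may narrow the grant; review it.
            findings.append("policy statement %s allows %s to everyone, narrowed by Condition %s (review)"
                            % (sid, ",".join(writes), json.dumps(stmt["Condition"], sort_keys=True)))
        else:
            findings.append("policy statement %s allows %s to everyone with no Condition"
                            % (sid, ",".join(writes)))
    return findings


def audit_bucket(name, acl, policy=None):
    """public_write is True if either the ACL or the policy grants write to everyone."""
    findings = acl_public_write(acl) + (policy_public_write(policy) if policy else [])
    return {"bucket": name, "public_write": bool(findings), "findings": findings}


# Constructed data in the shape of boto3 get_bucket_acl() / get_bucket_policy() output.
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-canonical-id"}
EXPOSED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"},
]}
# Public-read only: contents leak, but nobody can replace the hosted JavaScript.
READONLY_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowUploads", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::constructed-assets-bucket/*"}]}
READONLY_POLICY = {"Version": "2012-10-17", "Statement": {
    "Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::constructed-assets-bucket/*"}}

if __name__ == "__main__":
    for name, acl, policy in [("constructed-assets-bucket", EXPOSED_ACL, None),
                              ("constructed-static-site", READONLY_ACL, EXPOSED_POLICY),
                              ("constructed-docs", READONLY_ACL, READONLY_POLICY)]:
        print(json.dumps(audit_bucket(name, acl, policy), indent=2))
```

Against a live account, feed audit_bucket() the results of boto3’s get_bucket_acl(Bucket=...) and json.loads(get_bucket_policy(Bucket=...)["Policy"]) for each bucket (catching the NoSuchBucketPolicy error for buckets without one). The check is deliberately conservative: it ignores Deny statements, which can override an Allow, and it does not look at per-object ACLs, so treat a clean result as “no bucket-level public write” rather than proof that nothing in the bucket is writable.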

Brother Printers Vulnerable to Denial-of-Service Attacks

Trustwave researchers discovered a vulnerability (CVE-2017-16249) in Brother printers that, if exploited, results in a denial-of-service (DoS) condition. The vulnerability is in an HTTP server called Debut that is embedded in these printers to serve the web management interface. If an attacker sends a single malformed HTTP POST request to the targeted printer, the printer responds with a 500 Internal Server Error, its web interface becomes inaccessible, and print jobs sent over the network fail. Although a single request only interrupts printing for a short period, extended downtime occurs if attackers continuously send malformed requests to a targeted device. Trustwave’s attempts to contact Brother about this vulnerability received no response, resulting in a public release of the findings and the proof-of-concept code. The NJCCIC recommends organizations using Brother printers review Trustwave’s Security Advisory and restrict web access to the devices or isolate them from the public internet, if possible. Additionally, review the threat alert titled “Hundreds of Brother Printers Exposed Online” included in the October 19 edition of the NJCCIC Weekly Bulletin for more insight into the risks posed by exposing Brother printers to the public internet.

Russian APT Group Fancy Bear (APT28) Citing NYC Terror Attack in Phishing Campaign

McAfee researchers identified a new phishing campaign citing the recent terror attack in New York City to deliver Seduploader, a trojan used by nation-state actors to conduct reconnaissance, to unsuspecting victims. The emails carry a malicious Word document named IsisAttackInNewYork.docx that leverages the Microsoft Dynamic Data Exchange (DDE) protocol and PowerShell to deliver the trojan. Seduploader is capable of capturing screenshots, exfiltrating data, and executing arbitrary code. Despite the change in attack vector, the indicators of compromise (IoCs) and the analysis of the payload led McAfee analysts to attribute this campaign to Fancy Bear, also known as Group 74, APT28, Tsar Team, and Sofacy. The NJCCIC recommends network administrators review the McAfee report and scan their networks for the associated IoCs. We also strongly recommend that all email users maintain awareness of emerging phishing campaigns and avoid clicking on links or opening attachments delivered with unexpected or unsolicited emails. If any end users have taken action on emails from this campaign, isolate the affected system from the network immediately and perform a full system scan using a reputable anti-malware solution. Proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available.

Crunchyroll Website Redirected Visitors to Malicious Server via DNS Hijacking

On November 4, anime site Crunchyroll fell victim to a DNS hijacking attack: hackers gained access to the site’s Cloudflare account and altered its configuration so that visitors were served by a malicious server that delivered malware to systems running Windows. The malware, named CrunchyViewer.exe to masquerade as a video application, was determined by some analysts to be a remote access trojan with keylogging capabilities. Crunchyroll administrators resolved the issue and issued a notice to alert potential victims. The NJCCIC recommends all Crunchyroll visitors who accessed the site during the affected timeframe and downloaded the malicious file review the Crunchyroll notice and follow the malware-removal instructions provided if their antivirus software did not detect and remove the malware. We also recommend that website owners and administrators maintain awareness of DNS attacks and properly configure and secure their DNS infrastructure and applications, including protecting registrar, DNS, and CDN provider accounts with strong unique passwords and multi-factor authentication, monitoring for unexpected changes to DNS records, and configuring forwarders to only process recursive queries from internal IP addresses, to reduce their risk.

SEO Poisoning Used to Distribute Panda Banker Trojan

Since approximately mid-2017, threat actors have been using Search Engine Optimization (SEO) poisoning techniques to manipulate search engines into ranking malicious links above legitimate search results when users search specific banking and finance-related keywords, with the intent of delivering the Panda Banker trojan to unsuspecting victims. The actors seed compromised web servers with keyword-laden pages to influence the search engine output and, in some cases, have the malicious link appear multiple times within the first page of returned results. The actors also exploit compromised websites that have previously established positive ratings and reviews so that the results appear legitimate to end users. Upon visiting one of these malicious links, a multi-stage infection begins with a JavaScript redirection to an intermediary server. This server responds to the HTTP GET request with HTTP status code 302, redirecting the user to yet another compromised site modified to deliver a malicious Word document to the user’s system; this technique, known as “302 cushioning,” is used by several exploit kits to keep the final payload host out of the page the victim visited. If the user opens the document and enables macros, the user’s system is infected with the Panda Banker trojan. The NJCCIC recommends all users review both the Cisco Talos report and the NJCCIC profile on Panda Banker and avoid downloading and opening files delivered unexpectedly after visiting a website. Additionally, never enable macros on unsolicited Microsoft Office documents. If a Panda Banker infection is suspected, isolate the affected system from the network immediately and perform a full system scan using a reputable anti-malware solution. Proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable two-factor authentication (2FA) where available.
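
The redirect chain described above leaves a recognizable trace in web-proxy logs: a page reached from a search engine, two or more redirects that hop between different hosts within a few seconds, and then an Office document download. The following detection logic is an added example for this bulletin, not Cisco Talos’s or the NJCCIC’s code. The log format (time, client, method, URL, status, content type, quoted referer), the hostnames and every log line below are constructed to illustrate the pattern; the thresholds (two hops on at least two distinct hosts, within ten seconds) are assumptions a deployment would tune.

```python
"""Detect "302 cushioning" chains that end in an Office document download."""
import json
import re
from collections import defaultdict, namedtuple
from datetime import datetime
from urllib.parse import urlparse

# Constructed format: <time> <client> <method> <url> <status> <content-type> "<referer>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) '
    r'(?P<ctype>\S+) "(?P<referer>[^"]*)"$')
Record = namedtuple("Record", "ts client method url status ctype referer")

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
SEARCH_ENGINE_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com", "duckduckgo.com"}
OFFICE_TYPES = {"application/msword", "application/vnd.ms-excel",
                "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
                "application/vnd.ms-word.document.macroenabled.12"}
OFFICE_EXTENSIONS = (".doc", ".docx", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".rtf")


def parse_log(lines):
    """Parse log lines into Records, skipping lines that do not match the format."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        records.append(Record(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["client"],
                              m["method"], m["url"], int(m["status"]), m["ctype"].lower(),
                              m["referer"]))
    return records


def is_office_download(rec):
    path = urlparse(rec.url).path.lower()
    return rec.ctype in OFFICE_TYPES or path.endswith(OFFICE_EXTENSIONS)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def detect_cushioning(lines, min_hops=2, window_seconds=10):
    """Return one alert per redirect chain that meets the thresholds, grouped by client."""
    by_client = defaultdict(list)
    for rec in parse_log(lines):
        by_client[rec.client].append(rec)

    alerts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r.ts)
        landing, chain = None, []   # last HTML page rendered; redirect hops seen since then
        for rec in recs:
            if chain and (rec.ts - chain[-1].ts).total_seconds() > window_seconds:
                chain = []          # too slow to be a server-side bounce sequence
            if rec.status in REDIRECT_STATUSES:
                chain.append(rec)
            elif rec.status == 200 and is_office_download(rec):
                hosts = {_host(r.url) for r in chain}
                if len(chain) >= min_hops and len(hosts) >= 2:
                    alerts.append({
                        "client": client,
                        "landing_page": landing.url if landing else None,
                        "from_search_engine": bool(landing) and _host(landing.referer) in SEARCH_ENGINE_HOSTS,
                        "hops": [r.url for r in chain],
                        "payload": rec.url,
                    })
                chain = []
            else:
                if rec.status == 200 and rec.ctype.startswith("text/html"):
                    landing = rec   # a page the browser rendered; a JS redirect starts here
                chain = []
    return alerts


# Constructed sample: one poisoned-search victim, one normal SSO login, one benign file-host redirect.
SAMPLE_LOG = """\
2017-11-13T14:02:11Z 10.0.0.5 GET http://compromised-blog.example/bank-swift-codes.html 200 text/html "https://www.google.com/search?q=bank+swift+code+list"
2017-11-13T14:02:12Z 10.0.0.5 GET http://cushion-one.example/in.cgi?12 302 text/html "http://compromised-blog.example/bank-swift-codes.html"
2017-11-13T14:02:12Z 10.0.0.5 GET http://cushion-two.example/wp-content/go.php 302 text/html "http://compromised-blog.example/bank-swift-codes.html"
2017-11-13T14:02:13Z 10.0.0.5 GET http://cushion-two.example/wp-content/uploads/swift-codes.doc 200 application/msword "http://compromised-blog.example/bank-swift-codes.html"
2017-11-13T14:05:40Z 10.0.0.7 GET https://sso.example.com/login 302 text/html ""
2017-11-13T14:05:40Z 10.0.0.7 GET https://portal.example.com/home 200 text/html "https://sso.example.com/login"
2017-11-13T14:09:02Z 10.0.0.9 GET https://files.example.com/dl/quarterly.docx 302 text/html "https://intranet.example.com/reports"
2017-11-13T14:09:02Z 10.0.0.9 GET https://cdn.files.example.com/quarterly.docx 200 application/vnd.openxmlformats-officedocument.wordprocessingml.document "https://intranet.example.com/reports"
""".splitlines()

if __name__ == "__main__":
    print(json.dumps(detect_cushioning(SAMPLE_LOG), indent=2))
```

Only the first client trips the rule: two redirect hops across two hosts in under two seconds, ending in a .doc, from a page that was itself reached via a search engine. The single-hop cases (an SSO login, a file host bouncing to its CDN) stay below the thresholds, which is what keeps this usable as an alert rather than a report of every redirect on the network.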

New Netflix Phishing Scheme Uses Sophisticated Tactics to Steal Credentials

In January of this year, cybersecurity firm FireEye discovered a phishing campaign heavily targeting US-based Netflix users. It now appears that this campaign has resurfaced, using a more sophisticated approach to steal Netflix login credentials. The phishing emails targeting Netflix customers contain no obvious spelling or grammatical errors and employ Netflix-style templates, even addressing targets by name in the body of the email. They entice recipients into clicking on the embedded link by suggesting there are problems with their memberships, such as billing issues or account suspensions. If clicked, the embedded link leads victims to a convincing phishing page built from much of the same HTML used on the legitimate Netflix website. The hackers behind this campaign host the phishing pages on compromised websites, such as WordPress blogs, which helps them evade detection by security scanners. Once login credentials are entered into the fields on the phishing site, the hackers can use them to gain access to the victim’s Netflix account as well as any other personal account that shares the same credentials. Netflix and other login credentials are often sold and traded on underground forums and the dark web to other malicious actors. The NJCCIC recommends users who have questions or concerns regarding their accounts log into Netflix directly through the company’s legitimate URL and avoid accessing their accounts by clicking on links sent in emails, text messages, or through social media platforms.

Online Banking Customers Targeted by Sophisticated Social Engineering Scheme

Proofpoint researchers reported observing phishing attacks targeting Austrian banking customers since the beginning of 2017. These customers received emails they believed to have originated from their banks containing a URL provided by Bitly, a URL-shortening service and link management platform. This shortened URL resolved to a phishing site masquerading as the legitimate bank’s website. To appear authentic, the domain name of the phishing site included the bank’s name. However, to log into the fraudulent site, customers needed to enter their account numbers and associated PINs, followed by their email addresses and phone numbers. The site then prompted customers to download a mobile application to proceed. If customers downloaded the application, their mobile devices were infected by Marcher, a banking trojan designed to capture additional sensitive information by creating overlays above legitimate applications already installed on devices. This campaign is one of the few observed that uses a multi-pronged approach to gather a range of sensitive information from victims and demonstrates a possible shift towards more sophisticated tactics as both technology and end users become increasingly capable of detecting phishing attempts. Although this threat is only believed to be targeting customers of Austrian banks at this time, it is important to note that these same tactics could easily be used to target victims within the US. The NJCCIC recommends all mobile device users and online banking customers educate themselves on these types of social engineering tactics, only download trusted applications from official app stores, and refrain from downloading mobile applications from third-party sources. Additionally, we strongly recommend never using links provided in unsolicited emails to visit websites that require the input of account credentials. 
Users who have questions regarding the status of any of their online accounts should visit the associated websites by typing the legitimate address directly into the URL field of their web browsers.

Fraudulent WhatsApp Chat Application Discovered in Google Play Store

A malicious app designed to mimic the popular chat messaging application WhatsApp was available for download in the Google Play Store late last week. It has since been removed, but not before it was downloaded by over a million unsuspecting Android users. The copycat app, named Update WhatsApp Messenger, was designed to trick users into thinking they were downloading an update for the legitimate WhatsApp messaging application. Once downloaded, however, the app installed adware to generate revenue for the developer through advertisements. While this is not the first time a fraudulent and malicious app has made its way into an official app store, this attempt was one of the most successful, highlighting the need for additional scrutiny by those who download and review new applications for mobile devices. The NJCCIC recommends all users who downloaded the fraudulent WhatsApp messaging application uninstall it immediately and ensure their mobile device software is up-to-date. Although we recommend never downloading apps from third-party sources, we also want to remind mobile device users to exercise caution even when downloading apps from official app stores, as these marketplaces have been increasingly targeted by these types of campaigns.

Chinese APT Group KeyBoy Targeting Western Organizations

PwC researchers recently observed a reemergence of malicious activity attributed to KeyBoy, a Chinese Advanced Persistent Threat (APT) group. KeyBoy previously targeted organizations in Southeast Asia, including members of the Tibetan parliament, as reported by Citizen Lab in November 2016. However, a new malware campaign linked to the group was detected via files uploaded to VirusTotal, with analysts noting that the files appeared to originate from western organizations, suggesting a possible shift in targets. KeyBoy’s new campaign uses spear-phishing emails containing malicious documents that abuse the Dynamic Data Exchange (DDE) protocol, a legacy data-linking feature supported by Microsoft Word. If the document is opened and the user permits it to retrieve data from the linked external source, PowerShell downloads a DLL payload to the user’s system, moves it to the user’s temp folder, and executes it. This file, named InstallClient.dll, acts as a dropper and, after performing a series of system checks, downloads the final payload, a DLL masquerading as the legitimate system file rasauto.dll. The final payload can perform the following actions on an infected system: take screenshots, determine the public WAN IP address, gather system information, shut down or reboot the system, launch interactive shells for communication, download and upload data, and hide C2 traffic using custom SSL libraries. Researchers believe that the purpose of this campaign is corporate espionage. The NJCCIC recommends users and administrators review the PwC report and scan for the associated Indicators of Compromise (IoCs) provided in Appendix A to determine whether malicious activity attributed to KeyBoy has been observed within their networks.
To reduce the risks associated with APTs and other cyber threats, organizations are strongly encouraged to implement a defense-in-depth cybersecurity strategy, employ the Principle of Least Privilege across all user accounts, and establish strong identity and access management controls, including multi-factor authentication.
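
Three items in this bulletin (the DDE threat alert, the APT28 campaign, and KeyBoy) rely on the same building block: a Word field whose instruction begins with DDE or DDEAUTO, which makes Word launch the named program when the document is opened and the update prompts are accepted. Such fields can be found by inspecting the document’s XML, since a .docx is a ZIP archive of XML parts. The following scanner is an added example for this bulletin, not code from the NJCCIC, Microsoft, McAfee or PwC. Both sample documents are constructed in memory; the “malicious” one launches calc.exe as a harmless stand-in for the cmd.exe/PowerShell chains seen in these campaigns, and it splits the word DDEAUTO across several text runs because that is a common evasion of string matching.

```python
"""Find Dynamic Data Exchange (DDE / DDEAUTO) field codes inside a .docx."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# A field instruction of type DDE or DDEAUTO; Word ignores case and surrounding spaces.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_codes(root):
    """Yield the instruction text of every field in a WordprocessingML part.

    Complex fields span several runs: a <w:fldChar w:fldCharType="begin"/>, one or
    more <w:instrText> runs holding the instruction, a "separate", the cached result,
    and an "end". Attackers split "DDE" across runs, so all pieces of one field
    (including any nested field) are joined before matching. Simple fields keep the
    instruction in <w:fldSimple w:instr="...">.
    """
    for simple in root.iter(W + "fldSimple"):
        yield simple.get(W + "instr", "")
    depth, pieces = 0, []
    for el in root.iter():                      # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    yield "".join(pieces)
                    pieces = []
        elif el.tag == W + "instrText" and depth > 0:
            pieces.append(el.text or "")


def find_dde_fields(docx_bytes):
    """Return [(part_name, normalised_field_code)] for every DDE/DDEAUTO field."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in sorted(zf.namelist()):
            # Fields can sit in the body, headers, footers, footnotes, endnotes, comments.
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            for code in field_codes(root):
                if DDE_RE.search(code):
                    hits.append((name, " ".join(code.split())))
    return hits


def build_docx(body_xml):
    """Assemble a minimal .docx (ZIP of XML parts) around the given body; test data only."""
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body_xml))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed: DDEAUTO split across runs so no single run contains the word; launches calc.exe.
MALICIOUS_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">EAUTO c:\\\\Windows\\\\System32\\\\cmd.exe </w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">"/k calc.exe" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Loading document, please wait...</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)
# Constructed: ordinary DATE and HYPERLINK fields, which must not be flagged.
BENIGN_BODY = (
    '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;M/d/yyyy&quot; "><w:r><w:t>11/16/2017</w:t></w:r></w:fldSimple></w:p>'
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> HYPERLINK "https://www.example.com/" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>example.com</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)
MALICIOUS_DOCX = build_docx(MALICIOUS_BODY)
BENIGN_DOCX = build_docx(BENIGN_BODY)

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_DOCX), ("benign", BENIGN_DOCX)):
        print(label, find_dde_fields(blob))
```

The scanner flags the split DDEAUTO field and reports the reassembled instruction, and it passes the DATE and HYPERLINK fields. It is a triage aid, not a complete detector: a field can also hide the program name inside nested QUOTE fields that build the string from character codes, and Excel and RTF carry DDE links in different structures, so an unexpected field of any type in an unsolicited document still deserves a look at its full instruction text.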

T-Mobile

T-Mobile has notified a few hundred customers who were targeted by cybercriminals attempting to transfer their phone numbers to new SIM cards, a takeover that lets the attacker receive the victim’s calls and SMS-based verification codes. In early October, Motherboard reported that a security researcher discovered a flaw in an API on T-Mobile’s website that returned customer data, such as email addresses, billing account numbers, and phones’ International Mobile Subscriber Identity (IMSI) numbers, for any phone number supplied. According to a T-Mobile spokesperson, no financial information, passwords, or Social Security numbers were compromised as a result of this targeted attack. The NJCCIC recommends T-Mobile customers change their online account passwords on this and any other sites that share login credentials, set up a SIM lock, and create a phone password or passphrase that is required when calling T-Mobile support.

Vulnerabilities in Maritime SATCOM System

Researchers at IOActive discovered two vulnerabilities in Stratos Global’s satellite communications (SATCOM) email client platform AtmosConnect 8: a backdoor account that could allow full system access and a SQL injection flaw that could reveal database credentials. Stratos Global’s parent company, Inmarsat, claims the vulnerabilities would be difficult to exploit, as a threat actor would require direct physical access to the system running the platform, which the company says is “no longer in service.” Nonetheless, the presence of a hard-coded backdoor account and an injection flaw in a widely deployed SATCOM product highlights the need for enhanced cybersecurity efforts by the maritime sector to prevent unauthorized access to sensitive shipboard networks. The NJCCIC recommends managers, security personnel, and system administrators within the maritime sector review the associated IOActive report and US-CERT alert, as well as the blog post from Pen Test Partners on maritime cybersecurity and unsecured SATCOM systems, and take steps to properly secure SATCOM terminals.

ANSI X9.31 RNG Static Keys in Source Code Result in DUHK Vulnerability

Three cryptographers, Shaanan Cohney, Matthew Green, and Nadia Heninger, disclosed a vulnerability affecting implementations of the ANSI X9.31 random number generator (RNG), an algorithm that NIST deprecated in 2011 and removed from the FIPS 140-2 approved list in January 2016. The vulnerability, dubbed DUHK for “Don’t Use Hard-coded Keys,” exists within the products of at least a dozen vendors. X9.31 produces each output block by running a timestamp and a secret seed state through a block cipher under a key K, and the design is only secure while K remains secret. Some vendors compiled a single static K into their products, so anyone who extracts that key from the firmware can recover the generator’s internal state from a small amount of observed output (for example, a nonce sent in the clear during a VPN or TLS handshake) and then reproduce the secret keys the same generator produced next. This allows passive decryption of data traveling through virtual private network (VPN) connections and of encrypted web browser sessions. Affected products include the BeCrypt Cryptographic Library, Cisco Aironet, DeltaCrypt FIPS Module, Fortinet’s FortiOS, MRV Communications’ LX-4000T/LX-8020S, Neoscale’s CryptoStor, Neopost’s Postal Security Devices, Renesas’ AE57C1, TechGuard’s PoliWall-CCF, Tendyron’s OnKey193, ViaSat’s FlagStone Core, and the Vocera Cryptographic Module. Many of these vendors have since removed ANSI X9.31 from their products, and there are currently no known instances of DUHK being exploited in the wild. Because FIPS no longer accepts X9.31, products certified after January 2016 are not affected. The NJCCIC recommends users and administrators of the affected products review the DUHK attack website, read the associated paper, and apply updates to affected products when available.
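
The reason a hard-coded key is fatal for this generator can be shown in a few dozen lines. The following is an added example for this bulletin, not the DUHK researchers’ code: it implements the X9.31 update rule, then plays the attacker who knows K, sees two consecutive outputs on the wire, and knows the clock only roughly. The block cipher is a constructed toy Feistel network standing in for the 3DES or AES that real implementations use, and the key, seed, date/time encoding and the assumption that the date/time vector advances by one tick between outputs are all constructed for the demonstration.

```python
"""Recovering ANSI X9.31 RNG state when the cipher key K is known (the DUHK attack)."""
import hashlib

BLOCK = 16  # bytes; same block size as AES


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def encrypt(key, block, rounds=8):
    """Toy Feistel cipher E_K on a 16-byte block. Constructed stand-in, not real crypto."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(rounds):
        left, right = right, xor(left, _round_fn(key, rnd, right))
    return left + right


def decrypt(key, block, rounds=8):
    """Inverse of encrypt: undo the rounds in reverse order."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(rounds)):
        left, right = xor(right, _round_fn(key, rnd, left)), left
    return left + right


class X931Generator:
    """ANSI X9.31 block-cipher RNG: I = E_K(DT); R = E_K(I xor V); V = E_K(R xor I).

    K is the cipher key (a firmware constant in the affected products), V the secret
    seed state, DT a date/time vector. Security rests on K and V both staying secret.
    """
    def __init__(self, key, seed):
        self.key, self.v = key, seed

    def next_block(self, dt):
        i = encrypt(self.key, dt)
        r = encrypt(self.key, xor(i, self.v))
        self.v = encrypt(self.key, xor(r, i))
        return r


def dt_block(tick):
    """Constructed encoding of the date/time vector: a big-endian counter."""
    return tick.to_bytes(BLOCK, "big")


def duhk_attack(key, r1, r2, approx_tick, window):
    """Given K and two consecutive outputs, recover the state and synchronise a clone.

    DT is known only roughly, so every candidate in the window is tried; the guess is
    confirmed when the clone reproduces r2. Returns (tick, seed_before_r1, clone) or None.
    """
    for tick in range(approx_tick - window, approx_tick + window + 1):
        i1 = encrypt(key, dt_block(tick))
        v_after = encrypt(key, xor(r1, i1))             # V right after r1 was produced
        clone = X931Generator(key, v_after)
        if clone.next_block(dt_block(tick + 1)) == r2:  # assumes DT advanced by one tick
            v_before = xor(decrypt(key, r1), i1)        # the seed that produced r1
            return tick, v_before, clone
    return None


# Constructed stand-ins for a vendor's compiled-in key and a device's runtime seed.
HARDCODED_KEY = b"compiled-in-k-16"
SECRET_SEED = hashlib.sha256(b"constructed device seed").digest()[:BLOCK]
START_TICK = 1510000000


def demo():
    """Victim emits three outputs (think: two nonces, then a key); attacker predicts the third."""
    victim = X931Generator(HARDCODED_KEY, SECRET_SEED)
    r1, r2, r3 = (victim.next_block(dt_block(START_TICK + k)) for k in range(3))
    # Attacker: has K from the firmware, saw r1 and r2 in the clear, knows the clock to +/- 2000.
    tick, seed, clone = duhk_attack(HARDCODED_KEY, r1, r2, START_TICK + 777, 2000)
    predicted_r3 = clone.next_block(dt_block(tick + 2))
    return {"tick_found": tick == START_TICK,
            "seed_recovered": seed == SECRET_SEED,
            "next_output_predicted": predicted_r3 == r3}


if __name__ == "__main__":
    print(demo())
```

All three checks come back True: the attacker pins down the timestamp, recovers the seed that was supposed to stay secret, and computes the victim’s next output before the victim uses it. Note what the attack did not need: any weakness in the cipher or the seed. Publishing K alone collapses the generator to “encrypt a guessable clock,” which is why the paper’s practical demonstration against devices whose firmware carried the key could recover VPN session keys from passively captured traffic.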

Facebook Phishing Campaign Attempts to Steal User Credentials

A Facebook phishing scam is proliferating across the globe, attempting to trick users of the social media platform into divulging their Facebook account credentials. Researchers at F-Secure first detected messages targeting Swedish users on October 15 and, a few days later, observed active targeting of Finnish and German users. The malicious actors behind the campaign use compromised Facebook accounts that lack two-factor authentication (2FA) protection to post shortened URLs on Facebook pages and send direct messages to other users via Facebook Messenger. The shortened URLs masquerade as links to YouTube videos; when clicked, they redirect users to a fraudulent Facebook login page that collects their credentials, and each newly compromised account is then used to send the same lure to its contacts. The NJCCIC recommends Facebook users review the F-Secure report, educate themselves on similar tactics, and avoid clicking on links in unexpected messages until their legitimacy has been verified with the sender through another channel. In addition, users should remain cautious of shortened and obfuscated links, as they effectively mask the destination site, and ensure that 2FA is enabled for all accounts that offer it to prevent unauthorized access resulting from compromised credentials. Users who have entered their credentials into the phishing page are advised to change their passwords and enable 2FA immediately.

Cryptocurrency Mining Script Coinhive Discovered in Android Apps

Since September 21, the NJCCIC has been alerting members to a new and rapidly growing threat: cryptocurrency-mining JavaScript code embedded in websites that drains the system resources of unsuspecting visitors and causes web browsers to freeze and crash. Until recently, this threat only affected laptop and desktop computer users. However, researchers at Trend Micro are warning that it now impacts mobile devices as well, as the Coinhive miner was discovered in Android applications that had previously been available in the Google Play Store. Detected by Trend Micro as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER, the miners were found in apps such as Recitiamo Santo Rosario Free, SafetyNet Wireless App, and Car Wallpaper HD: mercedes, ferrari, bmw and audi [sic]. When launched, these apps drain mobile device resources while generating profit for the apps’ developers, usually without the knowledge or permission of the users. Mining activity conducted on mobile devices can result in reduced battery life, poor performance, overheating, and the risk of permanent physical damage to internal components. The NJCCIC assesses with high confidence that this malicious activity will increasingly impact mobile device users as profit-motivated actors seek to generate revenue by embedding these miners in seemingly legitimate apps and making them available for download via official app stores. We recommend all mobile device users exercise caution when installing mobile apps. Users who notice a negative impact on device performance after installing an app should immediately remove it from the device and report the issue to the associated app store.