The Federal Trade Commission (FTC) has issued a warning to consumers to be on alert for fraudulent phone calls and emails masquerading as official communications from Equifax or their employees. These calls or emails may request recipients’ personal or account information for “verification purposes” but are actually attempts by scammers to lure them into divulging sensitive information. Equifax will never place unsolicited calls or send unsolicited emails to consumers asking to verify their information. The NJCCIC recommends never sharing sensitive personal or financial information via unsecured, unencrypted email or over the phone unless you have initiated the call and verified the number before calling. Please see the FTC Alert for more information.
On Tuesday, September 12, the NJCCIC detected a phishing campaign attempting to deliver malicious emails. These emails, sent from legitimate but compromised accounts, masquerade as fraudulent Dropbox notifications. The body of the email suggests that there are documents from the sender waiting to be downloaded by the recipient and contains a link obfuscated by a URL shortener. If clicked, the recipient is taken to a compromised website where they are lured into entering their email account credentials in order to view and download the supposed documents. It gives the recipient the option of logging in using one of the following accounts: Office365, Google, Outlook, Yahoo!, and AOL. It also provides an option to log in with an account not listed on the phishing website’s landing page. If the recipient enters his or her account credentials, they are sent to the hacker or group behind the campaign who can then use the credentials to log into the recipient’s email account as well as any other accounts linked to, or associated with, that email address. Additionally, they can use the recipient’s account to further perpetuate the phishing scheme to that person’s contact list to create the illusion that the emails are legitimate. As this campaign has initially managed to bypass some email security filters, the NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, be sure to have them proactively change the passwords to their accounts and any account associated with those email addresses.
Researchers at Check Point discovered a new Android malware variant dubbed "ExpensiveWall" that is believed to have infected up to 21 million Android devices. The researchers warn users that the malware sends fraudulent premium SMS messages and charges for fraudulent services. ExpensiveWall collects data about the infected device, including location and IP address. Similar to the Android malware variant Judy, it can force users to click on online advertisements, another tactic threat actors use to make money. According to Check Point, infected apps that were installed before they were removed from the Google Play Store will remain installed on users’ devices. BleepingComputer provides a list of infected apps here. The NJCCIC recommends Android users and administrators review Check Point's report and our ExpensiveWall Threat Profile for more information, enable Google Play Protect, and conduct research on the developers before downloading apps on the Google Play Store.
The WordPress plugin Display Widgets was discovered to be creating a backdoor on WordPress-powered websites that had the plugin installed. The backdoor code was found in Display Widgets versions 2.6.0 through 2.6.3, released from June through September of this year. Multiple versions of this plugin were removed from the WordPress plugin repository when users and others kept noticing suspicious and malicious behavior such as downloading code from a third-party server and collecting sensitive data such as user IP addresses, user-agent strings, and webpages visited. Additionally, this plugin would create additional pages connected to the host site that were hidden from the website administration panel, use them to publish spam, and link them to other webpages created by the malicious code. After multiple infringements, WordPress finally removed Display Widgets from its plugin repository for good. The NJCCIC recommends users and administrators of WordPress websites currently using the Display Widgets plugin read the Wordfence security report and promptly uninstall the plugin from their websites.
Analysts at the security software company Malwarebytes recently detected a phishing campaign that uses compromised LinkedIn accounts to spread malicious links to other LinkedIn members listed in the compromised accounts’ “connections” lists. Additionally, compromised accounts that have LinkedIn’s InMail activated, a feature available to Premium account subscribers, are being used in the same campaign to send direct messages to members who are not listed as connections. The malicious links are obscured by a URL shortener and advertised as a shared Google Doc to avoid raising suspicion but, once clicked, they redirect the recipient to a phishing page hosted on a hacked website. The phishing page is a clone of a Google account, Yahoo!, or AOL login page designed to trick victims into entering their usernames, passwords, and other identifying information. Once that information is entered, the hacker behind the campaign can use it to compromise victims’ email accounts, as well as any other online accounts that are linked to those emails or share the same login credentials. Since LinkedIn is a social media platform primarily designed for business networking, this type of campaign has the potential to be very effective, especially as connections on LinkedIn are often people whom users have physically met or know personally, unlike those on other social media platforms. Additionally, phishing campaigns masquerading as lucrative contracts or job offers could easily entice unsuspecting LinkedIn members to click on a malicious link. The NJCCIC recommends LinkedIn members treat unsolicited LinkedIn messages as they would unexpected emails and verify any messages containing obfuscated URLs with the sender through another means of communication prior to clicking on any links or downloading any attachments.
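Both the Dropbox-themed campaign and the LinkedIn campaign above share the same lure shape: a "document shared with you" message whose only link runs through a URL shortener, sent from an account the recipient has reason to trust. The following triage function is an added example (not code from the NJCCIC, Malwarebytes, or any vendor named on this page) that mail-filter or SOC staff could run over message bodies to surface that combination before a user clicks. The shortener list and the sample messages are constructed for illustration; extend the list from your own telemetry.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Constructed list of URL-shortener hosts (assumption: extend from your own data).
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly", "is.gd"}

# Phrases typical of the document-sharing lures described in the bulletin.
SHARE_LURE_PHRASES = (
    "document", "shared with you", "waiting for you",
    "view and download", "google doc", "dropbox",
)

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def extract_urls(body: str) -> list[str]:
    """Pull every http(s) URL out of a plain-text message body."""
    return URL_RE.findall(body)


def is_shortened(url: str) -> bool:
    """True when the link's host is a known shortener (destination hidden)."""
    host = (urlparse(url).hostname or "").lower()
    return host in SHORTENER_HOSTS


def triage_message(body: str) -> dict:
    """Score a message on the lure + hidden-link combination.

    The sender address is deliberately not an input: both campaigns above
    came from legitimate, compromised accounts, so sender reputation alone
    would pass them.
    """
    urls = extract_urls(body)
    shortened = [u for u in urls if is_shortened(u)]
    lowered = body.lower()
    lure = any(p in lowered for p in SHARE_LURE_PHRASES)

    score, reasons = 0, []
    if shortened:
        score += 2
        reasons.append("link(s) obscured by URL shortener: " + ", ".join(shortened))
    if lure:
        score += 1
        reasons.append("document-sharing lure wording")
    if lure and shortened and len(shortened) == len(urls):
        # Every link in a "shared document" notice hides its destination.
        score += 2
        reasons.append("all links in a share notice are shortened")

    verdict = "quarantine" if score >= 4 else "flag" if score >= 2 else "allow"
    return {"verdict": verdict, "score": score, "reasons": reasons, "urls": urls}


# Constructed sample messages (not real campaign content).
SAMPLE_LURE = (
    "Hi, I have shared a document with you via Dropbox.\n"
    "It is waiting for you here: http://bit.ly/2xAbCdE\n"
)
SAMPLE_BENIGN = (
    "Agenda for Thursday attached. Slides are on the intranet:\n"
    "https://intranet.example/slides/q3\n"
)

if __name__ == "__main__":
    for label, body in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, triage_message(body))
```

The scoring is intentionally coarse: a shortened link on its own only earns a flag, because shorteners have legitimate uses, while a share notice whose every link is shortened is the pattern both campaigns relied on and is worth holding for review.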
A Russian-speaking hacker known as “Links” is reportedly targeting Netgear WNR2000 series routers running outdated, vulnerable firmware with a botnet-creating malware variant dubbed RouteX. This malware exploits the CVE-2016-10176 vulnerability to gain access to the device, install a SOCKS proxy, and add iptables rules to prevent additional exploitation by other malware variants. It also restricts access to a few IP addresses controlled by the hacker. The infected Netgear routers are then used to perform credential stuffing attacks against Fortune 500 companies. Because this campaign is powered by a botnet, these credential stuffing attacks use various IP addresses to circumvent any IP-based brute-force protection solution the target may have in place. The size of the botnet is currently unknown as the infected routers do not maintain persistent connections to their command and control servers. The NJCCIC recommends owners and administrators of Netgear WNR2000 series routers review the Forkbombus Labs report and update routers with the latest available firmware version. Targets of credential stuffing attacks can implement several defense measures to prevent such attacks from being successful. These include implementing a WAF with bot detection and rate throttling for logins, multi-factor authentication, multi-step login processes, and device fingerprinting.
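The point of a router botnet in this campaign is that every login attempt arrives from a different address, so a lockout keyed on source IP never fires. The detector below is an added example (not from the Forkbombus Labs report or any product named on this page) of the "rate throttling for logins" control keyed on the target account instead: it keeps a sliding window of failed logins per username, throttles once an account accumulates failures regardless of where they came from, and raises a stuffing alert when those failures are spread across several distinct IPs. The log format and addresses are constructed for the example.

```python
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (RFC 5737 test addresses, not real data).
SAMPLE_LOG = """\
2017-09-12T10:00:01 LOGIN_FAIL user=alice src=198.51.100.10
2017-09-12T10:00:09 LOGIN_FAIL user=alice src=203.0.113.22
2017-09-12T10:00:15 LOGIN_FAIL user=bob   src=198.51.100.10
2017-09-12T10:00:21 LOGIN_FAIL user=alice src=192.0.2.77
2017-09-12T10:00:30 LOGIN_FAIL user=alice src=203.0.113.90
2017-09-12T10:00:44 LOGIN_FAIL user=alice src=198.51.100.201
2017-09-12T10:01:02 LOGIN_OK   user=bob   src=192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+)\s+(LOGIN_FAIL|LOGIN_OK)\s+user=(\S+)\s+src=(\S+)$")


class StuffingDetector:
    """Per-account sliding window of failed logins, independent of source IP."""

    def __init__(self, window: timedelta = timedelta(minutes=10),
                 max_failures: int = 5, min_distinct_ips: int = 3) -> None:
        self.window = window
        self.max_failures = max_failures
        self.min_distinct_ips = min_distinct_ips
        # username -> deque of (timestamp, source_ip) for failures in the window
        self.failures: dict[str, deque] = defaultdict(deque)

    def record(self, ts: datetime, outcome: str, user: str, ip: str) -> None:
        if outcome != "LOGIN_FAIL":
            return
        q = self.failures[user]
        q.append((ts, ip))
        cutoff = ts - self.window
        while q and q[0][0] < cutoff:      # expire events outside the window
            q.popleft()

    def should_throttle(self, user: str, attempts_before_step_up: int = 3) -> bool:
        """Throttle/step-up (e.g. require MFA) after N failures on the account,
        however many different addresses they came from."""
        return len(self.failures.get(user, ())) >= attempts_before_step_up

    def account_is_targeted(self, user: str) -> bool:
        """Stuffing signature: many failures AND many distinct source IPs."""
        q = self.failures.get(user, ())
        distinct_ips = {ip for _, ip in q}
        return len(q) >= self.max_failures and len(distinct_ips) >= self.min_distinct_ips


def ingest(detector: StuffingDetector, log_text: str) -> StuffingDetector:
    """Parse the constructed log format and feed each event to the detector."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                        # skip lines that are not auth events
        ts = datetime.fromisoformat(m.group(1))
        detector.record(ts, m.group(2), m.group(3), m.group(4))
    return detector


if __name__ == "__main__":
    d = ingest(StuffingDetector(), SAMPLE_LOG)
    for user in ("alice", "bob"):
        print(user, "throttle:", d.should_throttle(user),
              "targeted:", d.account_is_targeted(user))
```

In the sample, alice accumulates five failures from five different addresses inside one minute, which an IP-keyed lockout would never connect; the per-account window both throttles her login and flags the distributed pattern, while bob's single failure is left alone. Production deployments would pair this with the WAF bot detection and device fingerprinting the bulletin lists, since throttling alone can be turned into a denial of service against the targeted account.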
According to a report from the cybersecurity firm Check Point, a new technique dubbed “Bashware” reportedly allows any malware to leverage the Windows Subsystem for Linux (WSL) feature in Windows 10 to bypass security software. Threat actors with admin-level access can enable the WSL feature, turn on the Windows 10 Development Mode, install Linux, and then install Wine, a Windows emulator for Linux, to execute malicious activities. Check Point indicates that security software vendors will need to take action to modify their security solutions to detect this type of activity. The NJCCIC recommends Windows 10 users and administrators review Check Point’s analysis, implement both the Principle of Least Privilege and strict management of administrative accounts, and coordinate with security vendors and managed security service providers to determine the appropriate controls to address this technique.
Update: Equifax Data Breach
For more information on the risk associated with insecure web apps and mitigation recommendations, please review our Threat Analysis published on June 21, 2017 titled, "Web Apps: Vulnerable to Common Threats, Firewalls Recommended." Additionally, administrators of Apache Struts should review the Apache Security Bulletin published on September 7 regarding a new critical vulnerability, CVE-2017-9805, in Struts versions 2.5 to 2.5.12 and upgrade to 2.5.13.
Yesterday, Equifax, one of the three largest consumer credit reporting and financial services providers in the United States, released a statement announcing a data breach that involves the personal information of an estimated 143 million US consumers. The company stated that it discovered the breach on July 29 and further forensic analysis revealed it resulted from the exploitation of a web application vulnerability that was used to gain unauthorized access to files containing sensitive consumer information. This access reportedly occurred from mid-May through July 2017. The information accessed includes names, Social Security numbers, birth dates, addresses and, in some cases, driver's license numbers. Credit card numbers for 209,000 US consumers and dispute documents with personally identifying information for 182,000 US consumers were also accessed. Rick Smith, the Chairman and CEO of Equifax, released a YouTube video and a FAQ sheet regarding the breach and is asking consumers to contact their call center at 866-447-7559, which the company set up to assist consumers who have additional questions. Equifax also launched the website www.equifaxsecurity2017.com, which outlines the details of the data breach and provides additional resources for consumers. Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents were impacted. Equifax is offering free credit monitoring and identity theft protection for one year through TrustedID Premier to those affected by the breach.
It is unclear who is responsible for this breach and whether this was profit-motivated theft by a non-state, criminal actor or espionage collection activities carried out by, or on behalf of, a hostile nation-state. However, an anonymous actor has created a website on the dark web, badtouchyonqysm3[.]onion, claiming responsibility for the breach and is currently demanding a ransom payment of 600 Bitcoins (approximately $2.8 million) from Equifax. According to this website, if the payment is not received by September 15, the actor will publicly release the stolen data. Additionally, an anonymous Twitter user, 1x0123 @real_1x0123, posted a screenshot and is purporting to sell access to various Equifax data repositories via a web shell for 1 Bitcoin (approximately $4,451). Neither of these claims has been confirmed, and neither should be considered legitimate unless proven otherwise.
The NJCCIC recommends all of our members assume their sensitive personal information was compromised in this breach or one of the many incidents that have occurred in recent years and take immediate action to protect themselves against identity theft. If you were affected by a recent data breach, we strongly urge you to enroll in the free credit monitoring service provided by the victim organization. While credit monitoring is helpful in detecting suspicious or malicious activity, consumers should also consider identity theft insurance, which covers losses incurred as a result of successful fraud. The NJCCIC also recommends our members consider placing a security freeze on their credit, closely monitor bank and credit card accounts using SMS or email alerting options, and report any fraudulent activity to the Federal Trade Commission and your local law enforcement agency as soon as possible. While it may be an inconvenience, a credit freeze will prevent unauthorized loans and lines of credit from being opened in your name and it can be lifted whenever legitimate credit inquiries are necessary.
Additionally, the NJCCIC encourages all organizations that use web applications to access and manage sensitive data review the NJCCIC threat analysis titled, "Web Apps: Vulnerable to Common Threats, Firewalls Recommended," consider deploying a web application firewall, and regularly perform security audits of all web applications.
On Wednesday, Symantec released a report detailing the targeting of North American and European energy sector entities by a hacking group known as Dragonfly and Energetic Bear, an Advanced Persistent Threat (APT) actor that is believed to act on behalf of, or supported by, Russian Intelligence Services. This latest operation, dubbed “Dragonfly 2.0,” has been ongoing since at least December 2015 with a noteworthy increase in activity in the first half of 2017. According to Symantec, the group has successfully exploited several energy companies in the United States, collecting sensitive network and system data, acquiring legitimate credentials, and gaining access to the target’s operational network, in some cases taking screen captures of files and human machine interfaces (HMIs). When successful, these activities could provide the threat actors with information necessary to prepare for disruptive or destructive attacks against US infrastructure in the future. The group gained access to these networks through various infection vectors, including phishing emails, watering hole attacks, and trojanized software. The phishing emails varied from broad targeting—emails that included an attachment of a supposed invitation to a New Year’s Eve party—to tailored emails related to the energy sector. All emails received by targets contained malicious attachments meant to obtain the user’s network credentials. Some of these email-based exploits used a toolkit called “Phishery,” activity previously reported by Cisco in July, in which the threat actors attempt to steal credentials via template injection attacks. The group also harvested network credentials via watering hole attacks, compromising websites often visited by those in the energy sector. The stolen credentials were used in subsequent attacks against the target organizations, including the installation of trojans for remote access to the victim’s system. 
Additionally, files disguised as Adobe Flash updates may have been used to install malicious backdoors onto the targeted network. Some backdoors installed on these systems include Goodor, Karagany.B, Dorshel, and Heriplor. The NJCCIC recommends all organizations within the energy sector, as well as other critical infrastructure asset owners and operators, review Symantec’s Dragonfly 2.0 report, scan for the indicators of compromise (IoCs) provided, and apply the best practices detailed in the report, including implementing a defense-in-depth strategy and strong password policy. Additionally, refer to the NJCCIC's ICS Threat Profile for a comprehensive set of recommendations and resources for securing critical infrastructure networks.
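The "template injection" attachments attributed to the Phishery toolkit above work by pointing a Word document's attached-template relationship at an external URL, so that opening the file makes Word fetch the template and can prompt the user for credentials. Because that relationship is plain XML inside the .docx zip container, mail gateways and analysts can check for it without opening the document. The scanner below is an added example (not code from Symantec, Cisco, or the NJCCIC) that walks every `.rels` part in an OOXML archive and reports attached-template relationships whose target is an external http(s) URL; the minimal sample documents it builds in memory are constructed fixtures, not real campaign files, and the `template-host.example` name is a placeholder.

```python
from __future__ import annotations
import io
import re
import zipfile
from urllib.parse import urlparse

# OOXML relationship type that binds a document to a (possibly remote) template.
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
REL_RE = re.compile(r"<Relationship\b([^>]*?)/?>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def find_external_templates(docx_bytes: bytes) -> list[str]:
    """Return every external http(s) attached-template target found in any .rels part.

    An empty list means the document does not reference a remote template;
    a non-empty list is the signature the bulletin's template-injection lure relies on.
    """
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        for name in archive.namelist():
            if not name.endswith(".rels"):
                continue
            xml = archive.read(name).decode("utf-8", errors="replace")
            for match in REL_RE.finditer(xml):
                attrs = dict(ATTR_RE.findall(match.group(1)))
                if attrs.get("Type") != ATTACHED_TEMPLATE_TYPE:
                    continue
                target = attrs.get("Target", "")
                if (attrs.get("TargetMode") == "External"
                        and urlparse(target).scheme in ("http", "https")):
                    findings.append(target)
    return findings


def build_sample_docx(template_target: str | None) -> bytes:
    """Constructed minimal .docx-shaped archive containing only the parts the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if template_target is None:
            archive.writestr("word/settings.xml", "<w:settings/>")
        else:
            archive.writestr(
                "word/settings.xml",
                '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>',
            )
            archive.writestr(
                "word/_rels/settings.xml.rels",
                '<Relationships><Relationship Id="rId1" Type="%s" '
                'Target="%s" TargetMode="External"/></Relationships>'
                % (ATTACHED_TEMPLATE_TYPE, template_target),
            )
    return buf.getvalue()


if __name__ == "__main__":
    print("benign :", find_external_templates(build_sample_docx(None)))
    print("remote :", find_external_templates(
        build_sample_docx("http://template-host.example/invite.dotm")))
```

A hit is not proof of malice on its own, since some organisations do publish templates from an internal server, which is why the function returns the target URL rather than a verdict: the gateway rule can then allow known internal template hosts and quarantine anything else, and the same walk over `.rels` parts extends naturally to other external relationship types worth reviewing.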
Trend Micro discovered a denial-of-service vulnerability, CVE-2017-0780, in the Android Messages application for mobile devices. The vulnerability has been confirmed for Nexus and Pixel devices, but likely affects other mobile devices running the Android operating system. A remote threat actor can send a target a malformed multimedia message (MMS) that causes the app to crash. The user will be incapable of recovering from the crash even after a device or system reboots in safe mode; the user will be forced to reset their device to its factory settings or use an alternative, unaffected messaging app to remove the malicious MMS file manually. The NJCCIC recommends Android mobile device users review the Trend Micro report and consider disabling the Android Messages app and using an alternative messaging app until the user has applied the September 2017 Android operating system update.
Cisco Talos researchers discovered a vulnerability in the Microsoft Edge browser within the Content Security Policy enforcement functionality. A threat actor can create a malicious webpage to trigger this vulnerability and bypass the content security policy, which could allow the threat actor to collect information from users’ cookies or log keystrokes entered into forms on websites. This vulnerability was also present in Apple Safari (CVE-2017-2419) and Google Chrome (CVE-2017-5033), but both vendors have already deployed patches. Microsoft has not yet released a patch to address this vulnerability. The NJCCIC recommends all users and administrators of the Microsoft Edge browser review the Cisco Talos Report and apply the necessary update if it is released by Microsoft.
Google released updates to address several vulnerabilities in Chrome. Successful exploitation of the most severe vulnerabilities could allow a remote threat actor to execute arbitrary code, access sensitive data, bypass security restrictions and perform unauthorized actions, or cause a denial-of-service condition. These vulnerabilities can be exploited if the targeted user visits or is redirected to a specially crafted web page. The NJCCIC recommends all users and administrators of Google Chrome review the Chrome Releases page and apply the necessary update to version 61.0.3163.79.
On January 3 and January 11, 2017, the NJCCIC released alerts warning members that MongoDB servers were being actively targeted in a cyber extortion campaign and that those open to external connections and lacking an administrator account password could be easily accessed by hackers via TCP port 27017. Once hackers gain access, they either export or delete any data stored on the server and replace it with a ransom note demanding payment for its return. Over this past weekend, security researcher Victor Gevers reported seeing a new surge of attacks by three new hacking groups who have, so far, hijacked over 26,000 vulnerable MongoDB servers. On Tuesday, September 5, we released an alert to our members to warn them about this threat. The NJCCIC recommends administrators of MongoDB servers review the NJCCIC Cyber Alert and implement the mitigation strategies provided as soon as possible.
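The exposure the alert describes is a configuration problem: a mongod listening on every interface on TCP port 27017 with authorization left off. The audit function below is an added example (not the NJCCIC's own tooling or MongoDB's) that reads the two-level YAML subset used by mongod.conf and reports exactly those two conditions, with a constructed weak configuration beside a hardened one. It assumes the file uses the `section:` / indented `key: value` layout and no YAML lists or anchors, and it treats a missing `net.bindIp` as exposed, which is the conservative reading for the MongoDB releases current when this alert was issued.

```python
from __future__ import annotations


def parse_simple_yaml(text: str) -> dict[str, dict[str, str]]:
    """Parse the 'section:\\n  key: value' subset of YAML used by mongod.conf.

    Assumption: two levels only, no lists, anchors, or inline mappings.
    """
    config: dict[str, dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line.startswith(" "):              # top-level section header
            section = line.rstrip(":").strip()
            config.setdefault(section, {})
        elif section is not None:
            key, _, value = line.strip().partition(":")
            config[section][key.strip()] = value.strip()
    return config


def audit_mongod_conf(text: str) -> list[str]:
    """Return findings describing the network exposure the alert warns about."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net", {})
    security = cfg.get("security", {})
    findings: list[str] = []

    port = net.get("port", "27017")
    addrs = [a.strip() for a in net.get("bindIp", "").split(",") if a.strip()]
    if not addrs or "0.0.0.0" in addrs or "::" in addrs:
        findings.append(
            f"net.bindIp binds port {port} on all interfaces; restrict to "
            "127.0.0.1 and/or the application network address"
        )
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append(
            "security.authorization is not enabled; any client that can reach "
            f"port {port} gets full access without a password"
        )
    return findings


# Constructed sample configurations (not from any real host).
WEAK_CONF = """\
# Internet-exposed and unauthenticated: the state the ransom campaign abuses.
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    print("weak     :", audit_mongod_conf(WEAK_CONF))
    print("hardened :", audit_mongod_conf(HARDENED_CONF))
```

Enabling `security.authorization` only helps once an administrative user actually exists in the `admin` database, which is the "administrator account password" the alert refers to; after creating it, also confirm with a firewall rule or a remote connection test that port 27017 is no longer reachable from outside the application network.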
Google released updates to patch multiple vulnerabilities, including several critical, in the Android operating system. Successful exploitation of the most severe vulnerabilities could allow a remote threat actor to execute arbitrary code and, depending on the user account privilege level, take control of the affected system. In addition to these patches, Google has integrated new security enhancements, most notably Google Play Protect, which warns users of potentially harmful applications. The NJCCIC recommends all Android users and administrators review the Android Security Bulletin and apply the update to their device as soon as it is available.
Red Hat released an advisory to address a high severity vulnerability, CVE-2017-12149, in JBoss Enterprise Application Platform (EAP) 5. Successful exploitation of this vulnerability could allow a remote threat actor to execute arbitrary code. Depending on the targeted user’s privileges, a threat actor could install programs; view, change, or delete data; or create new user accounts. The NJCCIC recommends users and administrators of JBoss EAP 5 review the Red Hat Advisory and either apply the workaround provided or update to JBoss EAP 6 or 7.
Apache Software released a security update to address a critical vulnerability in Struts versions 2.5 to 2.5.12. Successful exploitation of this vulnerability, CVE-2017-9805, could allow a remote threat actor to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The NJCCIC recommends all users and administrators review the Apache Security Bulletin and the NJCCIC Cyber Alert and upgrade to Struts 2.5.13.
An update was released for the SUSE Linux Enterprise 12 SP3 kernel to address multiple vulnerabilities. If exploited, these vulnerabilities could result in unauthorized privilege escalation, a buffer overflow condition, or a denial-of-service condition. The NJCCIC recommends users and administrators of affected Linux products review the SUSE Security Update page and update the kernel to version 4.4.82 as soon as possible.
SAP POS Xpress Server does not perform authentication checks for critical functions that require user identity, according to ERPScan. This could allow a threat actor to obtain administrator and privileged access, providing them the ability to change the price of retail merchandise, among other functions. SAP POS reportedly serves 80 percent of retailers in the Forbes Global 2000. The NJCCIC recommends all administrators of SAP POS review the Security Patch Day Security Notes and visit the Support Portal to update as soon as possible.
Multiple vulnerabilities have been discovered in PHP 7.0 prior to 7.0.23. Successful exploitation of the most severe vulnerabilities could allow a threat actor to execute arbitrary code in the affected application; failed exploitation could cause a denial-of-service condition. The NJCCIC recommends users and administrators review the PHP 7 ChangeLog and update to the latest version of PHP as soon as possible after verifying no unauthorized modifications have been made to the system.