Bongo International/FedEx

Kromtech security researchers discovered an Amazon S3 bucket set for public access originally belonging to Bongo International, a company that was bought by FedEx in 2014. The exposed bucket contained drivers' licenses, national ID cards, work ID cards, voting cards, utility bills, resumes, vehicle registration forms, medical insurance cards, firearms licenses, US military identification cards, and credit cards that customers used to verify their identity with the FedEx division. Kromtech contactedZDNet reporter, Zack Whittaker, who was able to get the bucket secured and removed from public access. The NJCCIC recommends administrators of Amazon S3 storage buckets review our previous NJCCIC Cyber Alert on the risks associated with misconfigured S3 buckets, audit their security settings, and implement the recommended mitigation strategies provided as soon as possible. Bongo International and FedEx customers whose information may have been exposed should closely monitor their financial banking statements and consider placing a security freeze on their credit files by contacting the three major credit bureaus.

Spam Campaign Delivers Password-Stealing Malware

Researchers with Trustwave recently detected an email spam campaign that delivers a password stealing malware to end users via a PowerShell script. The infection takes place in a multi-stage process that initiates when users open a .DOCX file which, in turn, downloads a remote rich text file (RTF) document that exploits the Microsoft Equation Editor tool (CVE-2017-11882). This malware targets email, FTP, and browser client credentials. Subject lines associated with this email campaign include “SWIFT COPY FOR BALANCE PAYMENT,” “Telex Transfer Notification,” “Request for Quotation (RFQ),” and “TNT STATEMENT OF ACCOUNT.” The NJCCIC recommends users and administrators keep their Windows OS and Microsoft Office software updated and scan their environments for the Indicators of Compromise (IoCs) provided in Trustwave’s report.

IRS Email Scam Distributes Rapid Ransomware

Emails masquerading as official correspondence from the Internal Revenue Service (IRS) are attempting to deliver a new variant of Rapid Ransomware to unsuspecting victims. According toMy Online Security, emails associated with this campaign have subject lines such as “Please Note - IRS Urgent Message-164” and notify users in the body of the email that they are overdue on their real estate taxes by several months. Recipients are instructed to review a comprehensive report contained within an attached ZIP file, labeled Notification-[number].zip. Instead of containing the report, the ZIP file contains a Word document with embedded malicious macros. If these macros are enabled, they will download Rapid Ransomware on to the system. This variant appends .rapid to the names of encrypted files and opens several ransom notes in Notepad labeledrecovery.txtThe NJCCIC strongly recommends users avoid enabling macros unless they are aware of a specific reason why a document requires macros to run, and avoid clicking on links or opening attachments delivered with unexpected or unsolicited emails. 

Cryptocurrency Miners Infect US and UK Government Sites

Over 4,000 websites, including uscourts[.]gov, ico[.]org[.]uk, and Manchester[.]gov[.]uk were affected by a supply-chain style attack when hackers compromised the BrowseAloud plugin, a TextHelp software product designed to improve website accessibility for disabled users. The hackers behind the campaign added a cryptocurrency-mining script to a file used in the BrowseAloud plugin to exploit website visitors’ browsers and use their systems’ CPUs to generate Monero cryptocurrency without their knowledge and consent. TextHelp temporarily took their BrowseAloud product offline and issueda statement regarding the attack. A list of affected websites is available hereThe NJCCIC recommends all website owners and administrators regularly examine their websites for unauthorized changes, unusual behavior, and cryptocurrency-mining JavaScript code, and remediate as soon as possible. Additionally, we recommend keeping website platforms and plugins up-to-date, close all unnecessary ports on website servers, protect administrator accounts with unique, complex passwords and two-factor authentication, and consider implementing a web application firewall. We recommend all internet users consider installing a reputable ad-blocking, script-blocking, and coin-blocking extension on their browser of choice.

Coinhive Discovered in 19 Google Play Apps

The cryptocurrency-mining script Coinhive was discovered within 19 different Google Play store apps, hidden inside HTML files in the apps’ asset folders. After the user launches the malicious app, it opens a WebView browser instance that runs the mining script in the background. Most of these apps have not been installed on many devices; however, one particular app was downloaded between 100,000 and 500,000 times. Mining activity conducted on mobile devices can result in reduced battery life, poor performance, overheating, and the risk of permanent, physical damage to internal components. The NJCCIC recommends Android users review the Sophos report for additional details and a list of the malicious apps. If users have downloaded and installed affected apps, we recommend uninstalling the apps immediately and scanning affected devices with a reputable antivirus solution. Thoroughly research apps prior to installation by reading user reviews and searching for information about the developer. Additionally, carefully monitor devices for any sudden changes in performance such as unexplained high CPU usage indicative of cryptocurrency-mining activity.

Cryptocurrency-Mining Campaign Targets Android Users

A drive-by Monero-mining cryptocurrency campaign is currently plaguing Android users. Malwarebytes reported that, although most previous drive-by mining was done automatically without users’ consent or knowledge, this new campaign requires users to perform a specific action before the mining is performed. Victims who navigate to a specially-crafted website using an Android-powered device are presented with a fraudulent message stating that their device is exhibiting suspicious behavior and prompted to solve a CAPTCHA using code w3FaSO5R. If the victim enters the code and clicks the “continue” button, the device begins the cryptocurrency-mining process, quickly monopolizing its CPU usage. Malwarebytes Labs has identified five cryptocurrency-mining domains that have generated approximately 800,000 visits per day, with an average of four minutes per victim spent on the mining page. The NJCCIC recommends users review Malwarebytes Labs report for additional details and a list of Indicators of Compromise (IoCs). We also recommend scanning devices regularly with a reputable antivirus application and monitoring your devices for any sudden changes in performance such as unexplained high CPU usage indicative of cryptocurrency-mining activity. 

Newtek Domain Hijacking Puts Customers at Risk

Newtek Business Services Corp., a major web services provider, recently had three of their core domains – webcontrolcenter[.]com, thesba[.]com, and crystaltech[.]com – hijacked and the webpage used by customers to remotely manage their sites – webcontrolcenter[.]com – replaced by a live web chat service. Confused customers used this chatroom to seek answers regarding access to their email accounts and why their websites no longer resolved correctly; these customers were actually communicating with the domain hijacker. This incident occurred five days after the hacker allegedly notified Newtek of a bug in their online operations and the company did not respond. Newtek is facing criticism for their response to the incident, including how and what they communicated to their customers. The hacker is believed to be operating out of Vietnam, as two of the hijacked domains were moved to a Vietnamese domain registrar (inet[.]vn) and the email address provided by the individual was linked to two social networking profiles in Vietnamese. It is unclear whether the individual had any malicious intent or simply intended to publicly embarrass the company for not being more diligent in its online security. The NJCCIC recommends customers of Newtek review the two notices (1, 2) on the incident and follow their recommendations, including eliminating the hijacked domains from all corporate or personal browsers and avoid clicking on them. Organizations, particularly web service providers, are recommended to track their domain registrations and set alerts for any changes to those domains. Additionally, companies are advised to have policies and procedures in place for responding to vulnerability disclosures.

Lazarus Group Targets Bitcoin Users and Financial Organizations

McAfee researchers discovered a new phishing campaign, dubbed HaoBao, targeting Bitcoin users and banks across the globe. North Korean threat actors known as the “Lazarus Group” are believed to be responsible for this campaign as well as various financially-motivated cyber-attacks that have occurred over the last few years, including the May 2017 WannaCry ransomware attack that impacted hundreds of thousands of computers around the world. Recently, the group has capitalized on the increasing interest and surging prices of cryptocurrencies. The HaoBao campaign utilizes spear-phishing emails that mimic correspondence from employee recruiters. If recipients open the attached Word document and select “enable content,” a cryptocurrency scanner will be downloaded on to their system. The scanner will then attempt to locate a Bitcoin wallet and, if successful, a secondary payload will be delivered to establish persistence and continue to gather data over an extended period of time. The NJCCIC recommends reviewing McAfee’s article for additional information on Lazarus Group’s HaoBao campaign. We also recommend cryptocurrency owners remain vigilant and maintain awareness of threats targeting cryptocurrency wallets and exchanges and avoid using links provided in emails or through social media platforms to visit cryptocurrency wallet and exchange sites.  

Olympic Destroyer

The opening ceremony of the Winter Olympics held in Pyeongchang, South Korea was disrupted by a cyber-attack caused by a malware variant designed to destroy data. The malware used in the incident, dubbed Olympic Destroyer by researchers at Cisco Talos, caused faulty Wi-Fi connections, disrupted television and internet services, and knocked the main press center offline. Olympic Destroyer is a Windows-based malware that works by dropping files onto the target system to steal computer account credentials and passwords stored in web browsers such as Internet Explorer, Chrome, and Firefox. Once these passwords are obtained from the target system, they are used by the hackers behind the campaign to move laterally through the network and destroy data. Based on the steps that Olympic Destroyer takes during the infection process, it is evident that its primary function is to destroy the target host and take the system offline, leaving the system's administrator with limited means of recovery. Although the initial distribution method of this campaign is currently unknown, the malware contains hardcoded credentials from systems associated with the Winter Olympics, suggesting that the attackers already had some form of access to these systems before this attack. Researchers also believe that the individual or group behind the campaign also knew several technical details about the Olympic Game infrastructure such as domain names and server names prior to the attack. Although this attack targeted systems used to support and promote the Winter Olympics, it highlights the risks posed by compromised credentials and emphasizes the importance of maintaining data backups. The NJCCIC would like to take this opportunity to remind members that the best way to ensure the integrity and availability of data before, during, and after a cyber-attack is by implementing a comprehensive data backup and recovery plan that includes regularly testing backups, storing them off the network, and keeping them in a secure location. Additionally, members are strongly encouraged to implement a defense-in-depth cybersecurity strategy, employ the Principle of Least Privilege, and establish strong identity and access management controls, including multi-factor authentication.

WordPress Update Requires Manual Installation

WordPress has announced that users must manually apply the most recent WordPress update to version 4.9.4. The version 4.9.3 maintenance release, designed to fix an issue with auto-updates, contained a bug that prevented future updates from installing automatically. Once the update to version 4.9.4 is applied manually, future versions should resume automatic updates. WordPress has posted technical details and update instructions on their website. The NJCCIC recommends WordPress users and administrators manually apply WordPress update 4.9.4 as soon as possible and verify future updates are installed automatically. 

Monero-Mining Malware Found on SCADA Network

Recently, cryptocurrency-mining malware was discovered on five servers of a water utility company. These affected servers included the Human Machine Interface (HMI) used to control the operational processes of the utility. The malware found its way onto a server via an indirect connection to the internet. A computer used to access the HMI remotely was also used to navigate to a website that delivered the cryptocurrency miner; the malware then spread across the internal network to other servers. The malware was discovered by an intrusion detection system (IDS) monitoring the operational technology (OT) network of the utility’s customer. The utility site was subsequently disconnected from the internet and the network will be reconfigured to improve firewalling and implement better segmentation. This incident highlights the risks associated with having any internet connection, direct or indirect, to an OT network and how vital it is to properly secure remote connections to internal networks. Cryptocurrency-mining malware has become a significant problem in the last several months and can severely affect a network’s operations; however, this incident could have had more devastating impacts if the malware installed had been ransomware or other malware that could be used to maintain persistence in the company’s operational network. The NJCCIC recommends all critical infrastructure organizations review the HelpNet Security article on this incident, ensure they use a defense-in-depth approach to secure both their business and operational networks, and employ best practices including, but not limited to, deploying and properly configuring firewalls and IDS/IPS, implementing network segmentation, using multi-factor authentication for network access, and using secure methods for remotely accessing any internal networks.

MacUpdate Website Directed Users to Malicious Applications

A researcher with SentinelOne recently discovered a new Mac malware, dubbed OSX.CreativeUpdate, distributed via the MacUpdate website on or about February 1, 2018. OSX.CreativeUpdate is a cryptocurrency miner designed to generate Monero by hijacking the processing power of infected machines. Links posted on the MacUpdate website mimicked legitimate websites for Titanium Software and Firefox and directed users to download fraudulent versions of the Firefox, OnyX, and Deeper applications. Once installed, these fraudulent applications delivered the Monero-mining malware onto infected devices. The NJCCIC recommends users who installed the malicious applications uninstall them immediately and review Malwarebytes Labs analysis for detailed removal instructions. We also recommend installing applications directly from the developer’s site or official Mac App Store and checking user ratings prior to installation. 

Malicious Chrome Extensions Capture Web Browser Activity

Security researchers have detected a new group of malicious Chrome extensions capable of capturing sensitive information entered in web browsers such as names, credit card numbers, CVV numbers, and email addresses. These extensions abuse session replay, a JavaScript code commonly used by website administrators to analyze how users interact with their site. The malicious extensions have random names, such as Strawberry Daiquiri Cocktail and BrowserWatch, and inject advertisements into the webpages a user is viewing. The malicious extensions are estimated to have impacted over 400,000 users prior to their removal from the Chrome Web Store. The NJCCIC recommends users review Trend Micro’s report for a list of the malicious extensions. We also recommend users review Bleeping Computer’s article for removal instructions and consider installing a reputable ad-blocking and/or script-blocking extension.  

Monero-Mining Botnet Targets Redis and OrientDB Servers

A Monero-mining botnet, dubbed DDG, is targeting Redis servers via brute-force attacks and OrientDB servers via the CVE-2017-11467 remote code execution vulnerability. DDG’s script is easily modified by threat actors and has been observed delivering versions of the Mirai DDoS malware. The botnet is associated with three Monero wallet addresses and seeks to generate revenue for the developers by leveraging the CPU and memory of vulnerable servers. While the majority of impacted servers are located in China, approximately 11 percent are located within the United States. The NJCCIC recommends users and administrators of Redis servers update database credentials with lengthy and complex passwords. OrientDB server administrators and users are encouraged to update device software as soon as possible. 

Botnet Targets Android Devices to Mine Cryptocurrency

A security researcher with Netlab 360 discovered a new cryptocurrency-mining malware actively targeting Android devices. This malware borrows scanning code from Mirai and is designed to infect devices and join them together in a botnet, dubbed ADB.miner, for the purpose of mining Monero cryptocurrency. It scans for vulnerable Android devices including smartphones, smart TVs, and tablets that have port 5555 exposed. This port is used by Android Debug Bridge (ADB), an interface designed to enable specific user interactions with the device, such as installing and debugging applications. ADB.miner self-replicates and converts compromised devices into scanners to locate additional victims. To date, approximately 5,000 devices have been impacted, with the majority of victims located in China and South Korea. The NJCCIC recommends users and administrators of Android devices disable port 5555 (ADB) as soon as possible and carefully monitor devices for any sudden changes in performance such as unexplained high CPU usage. 

EternalChampion, EternalRomance, and EternalSynergy Modified to Exploit All Windows Versions since Windows 2000

Over the past year, an NSA exploit dubbed EternalBlue, which was released by a hacking group known as The Shadow Brokers, dominated headlines largely due to its role in the WannaCry,NotPetya, and Bad Rabbit cyber-attacks. Other exploits leaked by the hacking group did not garner as much attention because they could only be used to target a small number of outdated Windows distributions. However, RiskSense security researcher Sean Dillon recently modified the source code of three of these lesser-known exploits – EternalChampion, EternalRomance, and EternalSynergy – to affect all unpatched Windows OS versions since Windows 2000. The exploits overwrite the SMB connection session structures to gain administrative/SYSTEM access. EternalRomance and EternalSynergy are now capable of exploiting CVE-2017-0143, a type confusion vulnerability between WriteAndX and Transaction requests, and EternalSynergy and EternalChampion can now exploit CVE-2017-0146, a race condition vulnerability for Transaction requests. The NJCCIC recommends users and administrators of affected Windows distributions review Dillon’s GitHub post for additional details, including a full list of affected systems, and apply the critical updates to patch the aforementioned vulnerabilities or disable SMBv1 for those systems that cannot be updated immediately.

Internet Crime Complaint Center Impersonation Campaign

The FBI has released an alert warning citizens of a scam campaign impersonating the Internet Crime Complaint Center (IC3), a website operated by the FBI Cyber Division that allows individuals to submit cybercrime-related tips and information. The agency became aware of the campaign after receiving a number of complaints from victims who received emails masquerading as legitimate IC3 communications. These emails claimed that recipients were due restitution as a result of having been a victim of cybercrime and offered to pay them in exchange for additional personal information. The FBI has also identified at least one fraudulent IC3 social media page that may be associated with this campaign. The NJCCIC recommends reviewing FBI Alert I-020118-PSA and maintaining awareness of this and similar scams. To submit a tip or complaint to the IC3, we recommend visiting the FBI’s IC3 website directly at www.ic3.gov and refrain from submitting personal information via email or social media platforms.

WannaMine Cryptocurrency Miner Propagates via EternalBlue Exploit

A cryptocurrency-mining malware, dubbed WannaMine after the infamous WannaCry  ransomware, is stealing organizations’ CPU power to mine Monero. The malware leverages the Mimikatz credential harvester to acquire legitimate credentials and move laterally within the network or, if it is unable to obtain credentials, it will use the EternalBlue exploit for lateral movement. WannaMine then uses Windows Management Instrumentation (WMI) permanent event subscriptions to maintain persistence. The malware’s fileless nature and use of the legitimate software WMI and PowerShell make it very difficult for organizations to block without a next-generation firewall. Once cryptocurrency-mining malware infiltrates a network, it uses infected systems’ CPU resources to mine cryptocurrency. While often a nuisance to end-users, cybersecurity firm CrowdStrike has observed cases in which unauthorized mining operations impacted organizations so severely that it rendered computers unusable and halted operations for days or weeks. The NJCCIC recommends all network and security administrators review the Panda Security and CrowdStrike reports for technical details on WannaMine; proactively block outbound connections to domains known for installing cryptocurrency miners; close all unused ports; block SMB traffic into and inside of the network, if possible; and ensure all hardware and software is up-to-date. We also recommend exercising caution when downloading software or installing browser extensions and closely monitoring system activity for spikes in CPU usage.

Firefox Extension Delivers Monero Cryptocurrency Miner

A malicious Firefox extension, dubbed Image Previewer, displays popups and delivers an in-browser cryptocurrency miner to unsuspecting users. Websites masquerading as Firefox updates push the add-on to end users through persistent JavaScript alerts and user authentication prompts. Once installed, the Monero miner hijacks CPU processing power in an effort to generate revenue for the developers. The NJCCIC recommends users who installed Image Previewer remove it immediately and consider using an antivirus software that detects cryptocurrency miners. Additionally, check the Mozilla Add-on Repository before downloading browser extensions for a list of validated add-ons. 

Smominru Botnet Primarily Targets Vulnerable Windows Servers

A cryptocurrency-mining botnet, dubbed Smominru, has infected over a half million Windows machines in addition to Linux MySQL servers and MSSQL databases on Windows servers. Distributed via the ExternalBlue (CVE-2017-0144) and EsteemAudit (CVE-2017-0176) vulnerabilities, Smominru targets unpatched Windows OS servers in one of the largest cryptocurrency-mining botnet operations to date. The NJCCIC recommends users and administrators of Windows and Linux servers review the report published by Proofpoint and keep software updated with the most recent patches.