A legacy travel booking platform owned by Orbitz, the popular travel booking site, was accessed by an unauthorized party between October 2017 and December 2017. Data accessed from the company’s legacy systems includes customer information for purchases made between January 2016 and December 2017, including names, dates of birth, postal and email addresses, gender, and payment card information. Orbitz revealed that approximately 880,000 payment cards were exposed in the hack, but there is currently no direct evidence that customers’ personal information was downloaded from the platform. Orbitz is in the process of notifying impacted customers and partners and is offering one year of complimentary credit monitoring and identity theft protection. The current orbitz[.]com site was unaffected by the breach. The NJCCIC recommends customers who made purchases through Orbitz during the impacted timeframe monitor payment card statements for unauthorized charges, consider placing a freeze on their credit, and immediately notify their banks if fraudulent activity is observed. Additionally, we recommend impacted customers take advantage of the free credit monitoring and identity theft protection services offered.
Security firm Kromtech revealed that Walmart partner MBM Company Inc., which operates Limogés Jewelry, left the personal information of 1.3 million customers exposed via an unsecured Amazon S3 bucket. The open S3 bucket, named “walmartsql,” contained customers’ names, addresses, ZIP codes, phone numbers, email addresses, IP addresses, plaintext passwords, encrypted credit card numbers, and payment details for purchases made between 2000 and early 2018. The database was left publicly available from January 13, 2018 until it was recently secured by Walmart. This latest incident follows many recent breaches resulting from unsecured or misconfigured S3 buckets. The NJCCIC highly encourages MBM Company Inc. customers to immediately change their account passwords, enable two-factor authentication, and monitor their bank and credit card accounts for fraudulent activity. Additionally, we recommend administrators of Amazon S3 storage buckets review our previous NJCCIC Cyber Alert on the risks associated with misconfigured S3 buckets, audit their security settings, and implement the mitigation strategies provided as soon as possible.
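The audit the alert above asks bucket administrators to perform comes down to two questions: does the bucket policy grant anything to a wildcard principal, and does the bucket ACL grant anything to the AllUsers or AuthenticatedUsers groups? The following is an added example, not NJCCIC code and not Walmart's or MBM's configuration; it evaluates a policy document and an ACL grant list in the JSON shapes the S3 API returns, using a constructed sample policy, a placeholder bucket name, and a placeholder account ID.

```python
"""Offline audit of an S3 bucket's access configuration.

Added example (not NJCCIC code): evaluates a bucket policy document and an
ACL grant list, both in the JSON shapes the S3 API returns, and reports any
grant that makes the bucket readable by the world. The sample documents
below are constructed for illustration; the bucket name and account ID are
placeholders.
"""
import json

# Canned ACL grantee URIs that mean "everyone" or "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principals(principal):
    """Normalise the Principal element to a flat list of strings."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(value if isinstance(value, list) else [value])
        return out
    return [principal]


def public_policy_statements(policy):
    """Return (Sid, actions) for Allow statements with a wildcard principal and no Condition."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        # A Condition (e.g. aws:SourceVpce) can scope a wildcard; only unconditioned ones are flagged.
        if stmt.get("Condition"):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        findings.append((stmt.get("Sid", "<no Sid>"), sorted(actions)))
    return findings


def public_acl_grants(grants):
    """Return (grantee URI, permission) pairs given to AllUsers or AuthenticatedUsers."""
    return [
        (g["Grantee"].get("URI"), g["Permission"])
        for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
    ]


def audit_bucket(policy, grants):
    """Combine both checks; an empty list means nothing world-readable was found."""
    issues = [f"policy statement {sid} allows {acts} to Principal '*'"
              for sid, acts in public_policy_statements(policy)]
    issues += [f"ACL grants {perm} to {uri}" for uri, perm in public_acl_grants(grants)]
    return issues


# Constructed sample: one world-readable statement, one properly scoped one.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

# Constructed sample ACL: owner plus a world-readable grant.
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

# The bucket- or account-level setting that blocks such grants outright.
RECOMMENDED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}

if __name__ == "__main__":
    for issue in audit_bucket(SAMPLE_POLICY, SAMPLE_GRANTS):
        print("FINDING:", issue)
```

In a live audit the two inputs come from `get_bucket_policy` (the `Policy` field is a JSON string, so pass it through `json.loads`) and `get_bucket_acl()["Grants"]` in boto3; the `RECOMMENDED_PUBLIC_ACCESS_BLOCK` dictionary is the configuration shape accepted by `put_public_access_block`, which prevents either kind of public grant from taking effect regardless of what a later policy or ACL change says.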
Researchers at Digital Defense discovered six zero-day vulnerabilities in various ManageEngine applications including Log360, EventLog Analyzer, and Application Manager. The flaws – which include unauthorized file upload, blind SQL injection, local file inclusion, and API key disclosure – could be leveraged by threat actors to conduct remote code execution with escalated privileges and obtain sensitive information. ManageEngine was alerted to the security vulnerabilities on February 12 and issued patches on March 7. The NJCCIC recommends users and administrators of affected ManageEngine products review the Digital Defense Security Advisories (1, 2) and apply the available patches as soon as possible.
Researchers at RandoriSec discovered several high-severity vulnerabilities in the firmware of the Geutebrück-made IP security cameras Geutebrück G-Cam/EFD-2250 version 18.104.22.168 and Topline TopFD-2125 version 3.15.1. According to an ICS-CERT Advisory, the vulnerabilities include improper authentication, improper access control, SQL injection, Cross-Site Request Forgery, Server-Side Request Forgery, and Cross-Site Scripting flaws that, if successfully exploited, could allow a threat actor to conduct proxy network scans, gain database access, download the full configuration including passwords, conduct remote code execution, and add an unauthorized user to the system. Additionally, these vulnerabilities could be used by threat actors to gain control of devices and add them to a botnet. Researchers at RandoriSec suspect that these firmware vulnerabilities may exist in other popular IP-based security cameras from various vendors. The NJCCIC recommends users of the affected Geutebrück products review the ICS-CERT Advisory. We highly recommend G-Cam/EFD-2250 camera users download and update to the newest firmware version 22.214.171.124 by registering for a new WebClub account or logging into an existing account here. We recommend Topline TopFD-2125 users implement the advised workaround provided here and apply any patches should they become available. All users and administrators of IP-based cameras are encouraged to reduce their network exposure by ensuring their devices are not accessible via the internet, using VPNs for remote access, enabling two-factor authentication where available, and keeping devices updated.
The October 26, 2017 NJCCIC Weekly Bulletin contained a threat alert detailing the activity of Russia-linked APT group Sofacy, also known as APT28 or Fancy Bear, in which the group used an Adobe Flash Player exploitation framework, DealersChoice, to target users. On March 12 and 14, 2018, Unit 42 researchers at Palo Alto Networks observed Sofacy targeting a European Government Agency with an updated version of the DealersChoice framework. The threat actors sent spear-phishing emails to the target organization with a subject and attachment file name of “Defence & Security 2018 Conference Agenda.” When opened, the attached file displayed a copied agenda from the Underwater Defence & Security 2018 Conference. A malicious Flash object was embedded on the third page of the file that only loaded if the user scrolled through the document to that page, serving as an anti-sandboxing technique; the Flash object appears as a small black box in the document. While the new DealersChoice framework has only been identified targeting a European Government Agency, Sofacy has a history of exploiting Adobe Flash vulnerabilities to target US organizations. The NJCCIC recommends those that would be considered high-value targets for Russian APT groups review the Unit 42 analysis on recent Sofacy activity and Unit 42’s previous analysis on DealersChoice, and scan for the IoCs provided to determine whether malicious activity has been observed within their networks. Organizations are strongly encouraged to implement a defense-in-depth cybersecurity strategy, employ the Principle of Least Privilege, and establish strong identity and access management controls, including multi-factor authentication.
Since early 2018, a suspected Chinese cyber-espionage group, tracked by FireEye as “TEMP.Periscope” and also known as “Leviathan,” has increased targeting of US maritime, engineering, and defense organizations, many of which have a connection to disputes in the South China Sea. According to researchers at FireEye, TEMP.Periscope has been active since at least 2013, primarily conducting operations against maritime-related targets in the United States. The group uses spear-phishing emails and malicious files to compromise credentials and install malware, PowerShell to download additional tools, and Windows Management Instrumentation (WMI) for persistence. FireEye details a number of tools used by the group in their cyber operations, including China Chopper. Their ultimate goal is to collect research and development data, intellectual property information, or other data that would yield an economic advantage. The NJCCIC recommends those entities that may be considered high-value targets for Chinese cyber-espionage campaigns review the FireEye report for more information on TEMP.Periscope activity, including tactics, techniques, and procedures (TTPs) and IoCs associated with the group. Organizations are strongly encouraged to implement a defense-in-depth cybersecurity strategy, employ the Principle of Least Privilege, and establish strong identity and access management controls, including multi-factor authentication.
On March 15, the US-CERT (United States-Computer Emergency Response Team) released a joint Technical Alert (TA) outlining the analytic efforts by the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) regarding Russian government targeting of US Government and Critical Infrastructure entities, including those in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. These cyber operations, perpetrated by known advanced persistent threat (APT) group “Dragonfly,” are described as a multi-stage intrusion campaign in which the threat actors installed malware, conducted spear-phishing attacks, and gained remote access to targeted networks. The actors then conducted network reconnaissance, moved laterally on the network, and collected sensitive information, including information related to industrial control systems (ICS). Additionally, according to cybersecurity software firm Cylance, the Dragonfly group recently exploited an end-of-life Cisco core router to harvest credentials and attempt to compromise energy companies in the UK. The NJCCIC recommends those entities which could be considered targets of Russian cyber activity review the TA and scan their systems with the indicators of compromise (IoCs) provided. If your organization has been impacted by the activity outlined in the TA, the NJCCIC recommends immediately removing the affected hosts from your network and contacting the NJCCIC via the Cyber Incident Report Form or by calling 609-963-6900 ext. 7865.
Pentest.blog researcher Mehmet Ince recently discovered a remote code execution vulnerability and an SQL injection flaw in Zoho ManageEngine Applications Manager 13.5. According to Ince, Zoho plans to release a patch for these vulnerabilities within the next week. The NJCCIC recommends administrators of Zoho ManageEngine Applications Manager 13.5 review the Pentest.blog advisory and apply the patch when it is made available. Additionally, monitor network logs and intrusion detection systems for suspicious activity and limit external network access to systems running the affected software, specifically over TCP ports 9090 and 8443.
Threat actors are utilizing a PowerShell script recently posted on GitHub to generate fraudulent request prompts that attempt to steal Windows domain credentials. If a user enters their credentials, the script will attempt to validate the victim’s domain and, if successful, will transmit the username and password to a remote server. If the credentials are deemed incorrect, the script will continuously display a prompt until the process is manually terminated. Users can close the prompt by opening Task Manager and terminating the “Windows PowerShell” process. Researchers have warned that this script can be altered to display more convincing titles; however, the prompt will still display the blue ribbon and an image of a set of keys. The NJCCIC strongly recommends educating end users about this and similar threats and reminding them to be wary of suspicious prompts requiring the input of account credentials.
Emails masquerading as responses to temporary job postings on Craigslist are attempting to deliver the Sigma Ransomware to unsuspecting victims. These emails contain a password-protected Word or RTF document that the sender claims is a resume. The body of the message references a job posting and provides a password that can be used to view the attached file. Recipients who open the attachment and enter the password will be prompted to enable macros on the document. If macros are enabled, an embedded VBA script downloads and installs Sigma Ransomware on the machine. The NJCCIC strongly recommends users avoid enabling macros on any document unless they are aware of a specific reason why the document requires macros to run. Although we usually also recommend email users avoid clicking on links or opening attachments delivered with unexpected or unsolicited emails, this campaign specifically targets people who are soliciting emails from unknown job applicants. For these users, we recommend scanning all incoming file attachments such as resumes using a reputable antivirus software solution prior to opening. Additionally, be wary of any attachment that requires a password to open or view.
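For anyone who must open resumes from strangers, a cheap pre-screen is to check whether an Office attachment even carries a VBA project before it reaches Word. Modern Office files (.docx, .docm, .xlsm) are ZIP containers and a macro project is stored as a part named vbaProject.bin; a password-protected Office file, by contrast, is wrapped in an OLE compound file whose contents cannot be inspected without the password, which is exactly why the alert warns about attachments that need one. The following is an added example, not NJCCIC code; the sample attachments are constructed in memory, and the names and placeholder VBA bytes are illustrative only.

```python
"""Triage of incoming Office attachments for embedded VBA macros.

Added example, not NJCCIC code. Modern Office files (.docx/.docm/.xlsm) are
ZIP containers; a VBA project lives in a part named vbaProject.bin. The
samples below are constructed in memory, so nothing is read from disk.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls and password-protected OOXML
RTF_MAGIC = b"{\\rtf"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def ooxml_has_macros(data: bytes) -> bool:
    """True if a ZIP-based Office file carries a VBA project part."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return True
        # Belt and braces: the content-types manifest also declares the VBA part.
        if "[Content_Types].xml" in names:
            return VBA_CONTENT_TYPE in zf.read("[Content_Types].xml").decode("utf-8", "replace")
    return False


def classify_attachment(data: bytes) -> str:
    """Return one of: 'macro', 'clean', 'opaque', 'rtf', 'unknown'."""
    if data.startswith(RTF_MAGIC):
        return "rtf"          # RTF can embed OLE objects; needs a dedicated parser
    if data.startswith(OLE_MAGIC):
        return "opaque"       # legacy binary format or encrypted/password-protected OOXML
    if data.startswith(b"PK\x03\x04"):
        try:
            return "macro" if ooxml_has_macros(data) else "clean"
        except zipfile.BadZipFile:
            return "unknown"
    return "unknown"


def _build_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ['<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
        if with_macro:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not a real VBA stream
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed sample attachments keyed by an illustrative file name.
SAMPLES = {
    "resume.docm": _build_docx(with_macro=True),
    "resume.docx": _build_docx(with_macro=False),
    "resume_protected.doc": OLE_MAGIC + b"\x00" * 24,
    "resume.rtf": b"{\\rtf1\\ansi {\\object ...}}",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:22s} -> {classify_attachment(blob)}")
```

Only "clean" is a pass; "macro" should be quarantined or opened in a viewer with macros disabled, and "opaque" and "rtf" mean the check could not see inside, so those files go to the antivirus scan the alert recommends rather than being trusted on the strength of this pre-screen.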
A tech support scam observed in May 2016 has resurfaced, locking web browsers and displaying a fraudulent warning after a victim navigates to a malicious or compromised website. The scammers, operating under the fraudulent company name “GeeksHelp,” are reportedly behind the campaign and claim to provide support for either Microsoft or the antivirus vendor Malwarebytes. If victims call the number displayed on the alert, a scammer pretending to be a technician will answer and prompt them to download remote access software. This software allows the scammer to take control of victims’ computers. Once the scammers have control of the systems, they try to bilk the unwitting victims out of hundreds of dollars to unlock the browser. The NJCCIC recommends never installing remote access software onto systems at the request of an unsolicited phone call or pop-up message on your computer. To close a locked web browser, press Alt and F4 on a Windows system or Command-Option-Esc on a Mac. If you have installed remote access software onto your system at the request of these or other malicious actors, we recommend uninstalling it immediately and performing a full system scan using a reputable and up-to-date antivirus software solution.
RMH Franchise Holdings announced that diners who visited one of their 167 Applebee’s restaurants between November 23, 2017 and January 2, 2018 may have had their payment card information compromised via point-of-sale malware. RMH Franchise Holdings discovered the incident on February 13, 2018 and took steps to investigate and remediate the infection. The breach does not impact payments made online or those made using tabletop self-pay devices. The NJCCIC recommends those who have dined at one of the impacted locations monitor payment card statements for unauthorized charges, consider placing a freeze on their credit, and immediately notify banks if fraudulent activity is observed on their accounts.
Security researcher Troy Hunt recently discovered a collection of nearly 3,000 possible data breaches accompanied by data from previously confirmed breaches on a hacking forum located on the clear web. He states that almost all of the obtained files contain email addresses – 80,115,532 in total – and plaintext passwords. Hunt is still analyzing the data and has yet to determine where the possible breaches occurred, as there does not appear to be a direct correlation between the accounts and the associated source file at this time. Hunt owns and operates the website HaveIBeenPwned.com where users can check to see if their email addresses have been included in any previous data breaches. The NJCCIC recommends all users assume that their email addresses and passwords have been, or will be, involved in a data breach, and enable multi-factor authentication (MFA) on every account that offers it to protect themselves against credential compromise. For accounts that do not offer MFA, we recommend creating lengthy, complex passwords for those accounts and monitoring them regularly for unauthorized activity. We strongly advise against password reuse.
Lgtm security researchers discovered a critical vulnerability (CVE-2017-8046) affecting various projects in Pivotal Spring, a framework used to build web applications. If exploited, this vulnerability could allow a remote threat actor to execute arbitrary code on any system running an application built using Spring Data REST. Researchers liken this vulnerability to CVE-2017-5638 that affected Apache Struts and led to the Equifax data breach. This vulnerability impacts Spring Data REST components, versions prior to 2.5.12, 2.6.7, and 3.0RC3, as well as Spring Boot versions prior to 2.0.0M4, and Spring Data versions prior to Kay-RC3. The NJCCIC recommends all developers using affected Spring products and components review the lgtm blog and update to the latest versions as soon as possible.
Researchers from the University of Padua discovered a flaw that exists within the Control Flow Guard (CFG) in Microsoft Windows 8.1 and all versions of Windows 10. The CFG is a countermeasure Microsoft implemented to protect Windows-based systems from memory corruption vulnerabilities that exist in some software and is designed to prevent a threat actor from hijacking a program’s control flow and directing it towards malicious code. It is estimated that more than 500 million Windows systems currently have this protection in place. However, the researchers produced an exploit, dubbed Back to the Epilogue (BATE), that calls portions of code and chains them together to bypass CFG restrictions. The researchers have disclosed the vulnerability to Microsoft and plan to demonstrate the exploit at the Black Hat Asia conference in Singapore later this month. The NJCCIC recommends all users and administrators of systems running Windows 8.1 and 10 review the Dark Reading article and apply the appropriate patch when it becomes available.
A critical vulnerability (CVE-2018-6789) recently discovered in Exim, a mail transfer agent used to relay emails from senders to recipients, affects 56 percent of all email servers worldwide. If exploited, this vulnerability creates a buffer overflow condition that can allow a remote threat actor to execute code prior to being authenticated by the affected Exim email server. This vulnerability affects all versions of Exim prior to the patched version 4.90.1. Using Shodan, a publicly available internet-of-things (IoT) search engine, NJCCIC analysts determined that nearly 64,000 email servers within New Jersey run Exim and, out of those, only 829 are running the patched version. The NJCCIC recommends all administrators of email servers running Exim review the Exim security advisory and update to version 4.90.1 as soon as possible. More information about the Exim vulnerability is also available on the Devcore website.
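The Shodan tally above is a banner-matching exercise: an Exim server announces its version in the first SMTP line it sends, so an administrator can inventory their own mail servers the same way. The following is an added example, not NJCCIC code; the banners are constructed and the host names are placeholders. It assumes that some builds print the point release with an underscore (Exim 4.90_1) and that distribution packages append a suffix such as -2+deb9u3, which is why a low version number with a distro suffix is reported as "vulnerable-unless-backported" rather than as a definite finding.

```python
"""Classify Exim SMTP banners against the CVE-2018-6789 fix version.

Added example, not NJCCIC code. The banners below are constructed; host
names are placeholders. Real banners are the first 220 line an SMTP
connection to your own server returns, which this script does not fetch.
"""
import re

FIXED = (4, 90, 1)   # Exim 4.90.1, the patched version named in the advisory

# Matches "Exim 4.89", "Exim 4.90_1", "Exim 4.90.1", optionally followed by a
# distro suffix such as "-2+deb9u3" (assumed packaging convention).
BANNER_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)(?:[._](\d+))?([-+][\w.+]+)?")


def parse_exim_version(banner):
    """Return ((major, minor, patch), distro_suffix) or None if not an Exim banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), (suffix or "")


def assess_banner(banner):
    """'not-exim', 'patched', 'vulnerable', or 'vulnerable-unless-backported'."""
    parsed = parse_exim_version(banner)
    if parsed is None:
        return "not-exim"
    version, suffix = parsed
    if version >= FIXED:
        return "patched"
    # Distributions ship security fixes as patches to older version numbers;
    # the banner alone cannot prove the fix is absent, so say so explicitly.
    return "vulnerable-unless-backported" if suffix else "vulnerable"


# Constructed sample banners covering each outcome.
SAMPLE_BANNERS = [
    "220 mx1.example.net ESMTP Exim 4.89 Thu, 22 Mar 2018 10:00:00 +0000",
    "220 mx2.example.net ESMTP Exim 4.90_1 Ubuntu Thu, 22 Mar 2018 10:00:00 +0000",
    "220 mx3.example.net ESMTP Exim 4.91 Thu, 22 Mar 2018 10:00:00 +0000",
    "220 mx4.example.net ESMTP Exim 4.89-2+deb9u3 Thu, 22 Mar 2018 10:00:00 +0000",
    "220 mx5.example.net ESMTP Postfix",
]


def summarize(banners):
    """Count banners per verdict, the shape of the tally the bulletin describes."""
    counts = {}
    for b in banners:
        verdict = assess_banner(b)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{assess_banner(b):28s} {b}")
    print(summarize(SAMPLE_BANNERS))
```

For the "vulnerable-unless-backported" case the authoritative check is the package changelog on the host itself (whether it lists the CVE-2018-6789 fix), not the banner; the banner is only good enough to decide which hosts need that closer look.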
Several recent open source reports indicate that a malicious email campaign attempting to deliver the Gootkit banking trojan to victims is originating from MailChimp, an email marketing platform. My Online Security suggests that MailChimp is an attractive distribution vector for these campaigns because emails originating from the platform pass authentication checks and many mail providers whitelist MailChimp by default as it is commonly used by various organizations to send legitimate mass emails. One victim reports that a malicious actor gained unauthorized access to his MailChimp account and imported a list of 250,000 subscribers, spamming them with malicious emails and subsequently deleting the evidence from the account’s “Sent” folder. He believes that, had he enabled two-factor authentication (2FA) on his MailChimp account, the compromise may have been prevented. It is not yet confirmed whether compromised account credentials or an unaddressed MailChimp vulnerability are to blame for the unauthorized account access. The NJCCIC recommends all MailChimp account users enable 2FA on their accounts as soon as possible and inspect their accounts for suspicious activity. If any accounts are suspected of sending malicious emails, report the issue to the MailChimp Abuse Desk immediately.
Palo Alto Networks’ Unit 42 researchers discovered a new malware variant targeting clipboard content, specifically content associated with cryptocurrency wallets, dubbed ComboJack. This malware is distributed via a malicious PDF email attachment that contains an embedded RTF file with a remote object designed to exploit the vulnerability CVE-2017-8579. Once delivered, ComboJack abuses the built-in Windows tool attrib.exe, used for setting file attributes. This effectively hides the file from the user and allows it to execute with elevated privileges. ComboJack then enters into an infinite loop, checking the contents of the user’s clipboard repeatedly to look for various cryptocurrency wallet information for a wide range of digital currencies including Bitcoin, Litecoin, Monero, and Ethereum, as well as digital payment systems such as WebMoney and Yandex Money. If a cryptocurrency wallet is found, ComboJack will change the hardcoded wallet address to an attacker’s address to trick the victim into sending money to the wrong location. The NJCCIC recommends reviewing the Palo Alto Networks report for additional information and Indicators of Compromise (IoCs). Additionally, we recommend all users and administrators of systems using Microsoft products review Microsoft’s security bulletin for more information about affected products and associated patches.
Equifax announced that an additional 2.4 million Americans were impacted by the data breach first disclosed in September 2017. The data stolen includes names and partial driver’s license numbers. Equifax will notify impacted customers and provide the same credit monitoring and identity theft protection services. The NJCCIC recommends those impacted by the Equifax breach take advantage of the credit and identity theft services offered and strongly consider placing a security freeze on their credit files in order to mitigate the risk of identity theft and financial fraud.