The Cybersecurity and Infrastructure Security Agency (CISA) is updating the National Cyber Incident Response Plan (NCIRP) 2024, the primary strategic framework for coordinating with the federal sector in response to significant cyber incidents.
In the spirit of whole of community response and collaborative cyber defense, CISA is inviting stakeholders from across public and private sectors, academia, and individual researchers, and experts in cybersecurity and response, to attend a series of three virtual NCIRP 2024 listening sessions.
The intent of these sessions is to hear feedback about the existing NCIRP and any experience with incident response coordination with the federal government more broadly. A draft of the NCIRP 2024 is being prepared and will be posted to CISA’s NCIRP webpage for public comment this summer. Perspectives gathered during the listening sessions will inform the update which will be published at the end of calendar year 2024.
CISA is releasing a newsletter series, New and Noteworthy, to support the NCIRP 2024 update. Each newsletter will keep the public informed on planning processes, plan development, and stakeholder engagement efforts in support of the NCIRP 2024.
The first listening session was held on May 8, 2024. During this session, CISA addressed the following topics:
Overview of the NCIRP and the process for updating the 2024 Plan.
The role of Information Sharing and Analysis Centers (ISACs).
The integration of state, local, tribal, and territorial (SLTT) entities into cyber incident response.
The role of state fusion centers in the information sharing process
Cyber incident reporting, specifically, how to define who an “asset owner” is and who should be contacted during a significant cyber incident.
CISA has just announced its second listening session, which will be held on Thursday, June 27, 2024, from 1-2 p.m. EDT. See CISA’s second issue of New and Noteworthy to learn more and register.
For more information on the NCIRP, visit CISA’s NCIRP page.
We have released concept papers for the NIST Privacy Framework (PF) Version 1.1 update as well as the Data Governance and Management (DGM) Profile. These concept papers will support discussion sessions at next week’s hybrid workshop. We encourage you to familiarize yourself with the material prior to participating in the workshop. If you would like to provide informal feedback on this material in addition to or in lieu of participating in the workshop, please send it to privacyframework@nist.gov by July 31, 2024.
We have extended the deadline for in-person registrationto 11:59 PM EDT today, Thursday, June 20. Please be aware that breakout sessions are filling up quickly for in-person participants, so please register as soon as possible, if you have not already. Registration is free and required for this event.
Event registration, agenda, speakers, and other workshop information is available here.
CISA also released a related blog post, Why SMBs Don’t Deploy Single Sign-On (SSO), urging software manufacturers to consider how their business practices may inadvertently reduce the security posture of their customers.
Reported card skimming incidents increased by 40 percent from 2022 to 2023. More specifically, New Jersey is one of the top five states, accounting for nearly 50 percent of card compromise reports (CCRs). The outlook for 2024 shows an upward trend, which means increased card skimming opportunities for threat actors to capture and steal customer data and financial information through various physical and digital realms. Threat actors seek methods to conceal their attacks better and evade multiple security measures. This stolen data has severe consequences for consumers and businesses, including loss in revenue, legal damages, compliance issues, cross-site contamination, compromised personally identifiable information (PII), identity theft, fraud, and subsequent malicious activity.
Physical skimming devices are typically located at ATMs and point of sale (POS) systems, such as convenience stores, grocery stores, retail stores, gas stations, and restaurants. In addition to skimmers, hidden cameras and fake numerical keypads can capture and record keystrokes of PINS or passwords. Once the card is swiped, the skimming device stores the victim’s information, which can be physically retrieved later by the threat actors. However, the increasing use of cellular and Bluetooth technologies enables threat actors to remotely access victims’ data quickly with a low likelihood of detection.
Since the onset of 2024, physical skimmers have been identified and reported to law enforcement in New Jersey, including ATMs at Capital One Bank and Proponent Bank in Nutley, 2 ATMs at Wawa in Galloway Township, and card readers at Dollar Tree and Walmart in Bayonne and 7-Eleven in Cinnaminson and Pennsauken. Additionally, a skimmer was detected at Supremo Food Market in Pennsauken, and the latest reports of skimming devices were identified at Aldi Stores in Roselle and Union.
Furthermore, law enforcement charged a Lakehurst gas station employee with stealing customers’ information from their card purchases and making fraudulent purchases. Two men were also arrested for placing skimming devices on several Westfield ATMs to steal debit card information and use counterfeit debit cards in fraudulent cash withdrawals.
The online equivalent of physical skimming is digital or web skimming, found in POS systems such as retail stores, restaurants, financial institutions, and any online business that uses a POS provider. Magecart attacks are a type of web-based data skimming operation used to capture customer payment card data from the checkout pages of online stores. These attacks are accomplished by gaining access to the targeted website (either directly or through a supply chain attack), injecting malicious code into the checkout page to skim the desired data, and sending the information back to a threat actor-controlled server. Once threat actors steal the payment card information, they can use it to make fraudulent purchases or sell on the dark web or other marketplaces.
In February, researchers discovered threat actors exploiting a critical vulnerability, CVE-2024-20720, without user interaction. Threat actors inserted malicious XML code in the “layout_update” database table on Magento servers to create a persistent backdoor to the CMS controller and automatically inject malware and additional malicious payloads, including a fake Stripe payment skimmer designed to steal information from unsuspecting online shoppers.
In April, researchers found a card skimmer embedded in a fake Facebook Pixel tracker script, typically used to track advertisement-driven visitor activity on websites. Threat actors injected malware into compromised websites through tools that allow custom code, which monitors the fraudulent overlay and captures the card information if victims encounter a checkout page.
In May, threat actors exploited a vulnerability in WordPress in the Dessky Snippets plugin used by many websites. They added malicious PHP injections in the custom code on compromised websites. They altered the WooCommerce checkout process by manipulating the billing form and adding new fields to steal financial information. To add a sense of legitimacy, the threat actors used a tactic to reduce suspicion by turning off the autocomplete feature on the billing form to prevent web browsers from suggesting previously entered sensitive information and making it appear that the fields are standard inputs to complete the transaction.
Recommendations for Consumers
When possible, use credit cards over debit cards for purchases, as credit cards often have greater consumer protections that limit a victim’s liability if fraudulent purchases are made.
Enable payment charge notifications for every transaction on an account to be alerted of a fraudulent transaction as soon as it occurs.
Before you use a POS system or ATM, check to see if there are signs of tampering.
Use tap to pay or pay with your phone, as contactless or chip payment options are safer than swiping the card’s magnetic strip.
Navigate directly to known, secure, and encrypted websites and designate or monitor one credit card for purchases, if possible.
Enable multi-factor authentication (MFA) on every account that offers it, including any online shopping websites.
Update browsers and use ad blockers.
Recommendations for Website Administrators
Ensure hardware and software are up to date.
Use strong, unique passwords for all accounts (admin, SFTP, database) and enable multi-factor authentication (MFA) on all administrative accounts at a minimum.
The NJCCIC’s email security solution observed two new phishing campaigns utilizing PowerShell scripts to drop multiple malicious payloads. One campaign, dubbed ClickFix, launched by a threat actor identified as TA571, which was also behind the recently observed DarkGate phishing campaign. ClickFix shares many similarities to a second campaign known as ClearFake, and analysts spotted a significant overlap of tactics, techniques, and procedures (TTPs) between the two campaigns.
ClearFake uses a technique called EtherHiding, which uses the blockchain of Binance’s Smart Chain contracts to host a malicious script. This script is injected into compromised websites and loads a second script once a user visits. The secondary script triggers a fake overlay warning to appear, claiming that a root certificate needs to be installed for the website to appear correctly, and includes instructions on how to copy and execute a PowerShell script as a purported solution. If the PowerShell script is executed, the following actions will take place:
Flushes the DNS cache. Clears clipboard content to remove traces of the malicious script. Runs a second PowerShell script that downloads Lumma Stealer. Lumma Stealer downloads three additional payloads. Amadey LoaderXMRig cryptocurrency miner Clipboard Hijacker
Like ClearFake, the ClickFix campaign begins with an overlay warning on a compromised website stating that a recent browser update was faulty and offers a PowerShell script as a fix. ClickFix was initially observed leading to an infection from a Vidar Stealer payload but has since changed its infection chain, leading to the same payloads as the ClearFake campaign. Researchers are still determining if the threat actors behind the two campaigns work together or if ClearFake replaced the code of the already compromised ClickFix iframes.
Recommendations
Avoid clicking links and opening attachments in unsolicited emails.Confirm requests from senders via contact information obtained from verified and official sources.Type official website URLs into browsers manually.Facilitate user awareness training to include these types of phishing-based techniques.Maintain robust and up-to-date endpoint detection tools on every endpoint.Consider leveraging behavior-based detection tools rather than signature-based tools.Phishing and other malicious cyber activity can be reported to the FBI’s IC3 and the NJCCIC.
The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with US and international partners, released this Joint Report that urges organizations to move toward more robust security solutions, such as Secure Service Edge (SSE) and Secure Access Service Edge (SASE) that provide greater visibility of network activity. While this report does not cover the planning, architecture, or adaption needs for shifting to these solutions, it does call for organizations to shift away from traditional broad remote access deployments and provides best practices to help transition to modern solutions, such as SSE and SASE. Organizations are encouraged to carefully assess their security posture and perform a risk analysis before implementing any/all solutions to determine if these approaches fit their organization. Executive leadership, network defenders, and critical infrastructure organizations are provided with an overview and best practices of primarily cloud-based solutions that can support hybrid and on-premises implementation and incorporate a zero trust approach. Both information technology (IT) and operational technology (OT) network protections are provided in this report that covers a spectrum of network sensitivities and worst-case consequences of compromise. This report will help organizations better understand the vulnerabilities, threats, and practices associated with traditional remote access and VPN deployment, along with the inherent business risk posed to an organization’s network by remote access misconfiguration. Aligned with CISA’s cross-sector cybersecurity performance goals (CPGs), the best practices in this report will also help guide leaders with prioritizing the protection of their remote computing environment security while operating under the fundamental principles of least privilege.
Lure email purporting to be giving away a “free” piano. Image Source: Proofpoint
The NJCCIC recently received reports of a phishing campaign that was also identified by Proofpoint. The campaign involves malicious emails using piano or musical instrument-themed messages to lure people into advance fee fraud (AFF) scams. At least 125,000 messages associated with a piano scam campaigns have been identified since January, primarily targeting students and faculty at North American educational facilities. Proofpoint noted that some healthcare and food and beverage organizations were also targeted.
The phishing emails claim that a staff member is giving away a piano and other musical instruments for free due to downsizing or moving. When a target replies, the threat actor instructs them to arrange delivery by contacting a shipping company via a fraudulent email address managed by the threat actors. The “shipping company” then claims they will send the piano if the recipient sends the money for shipping first.
Proofpoint reported that a single Bitcoin wallet address linked to this campaign currently holds over $900,000, although it is unknown if all funds were accumulated from the “free piano” lure. Analysts assess that multiple threat actors are likely conducting different types of scams simultaneously using the same wallet address due to the volume of transactions, variation in transaction prices, and the overall amount of money associated with the account. Proofpoint analysis also revealed that one of the cybercriminals used a Nigerian IP address, suggesting that at least part of the operation is based in Nigeria.
DarkGate has spread through several phishing campaigns, including fake browser updates, the messaging feature in Microsoft Teams, and PDFs containing Google DoubleClick Digital Marketing (DDM) open redirects. The NJCCIC recently reported on a DarkGate campaign exploiting a Windows SmartScreen vulnerability.
The NJCCIC’s email security solution has recently observed multiple attempts to spread DarkGate malware through various phishing campaigns. These emails were flagged as they included newly registered domains and uncommon senders. While the content of the emails varied, they primarily referred to charges and payments due and included malicious HTML attachments. Once opened, a fake Microsoft Word document is loaded, displaying an error message that requests the installation of a root certificate and instructions for remediation. Upon initiating the purported fix, a PowerShell script triggers and installs DarkGate on the user’s device.
A second observed DarkGate campaign used similar phishing emails with malicious HTML attachments; however, once opened, the attachments claimed the user could not connect to Microsoft OneDrive. After clicking the “How to Fix” button, either PowerShell scripts automatically downloaded DarkGate or users were instructed on how to open PowerShell to initiate the “fix” themselves, which initiated the malware download.
Recommendations
Avoid clicking links and opening attachments in unsolicited emails.Confirm requests from senders via contact information obtained from verified and official sources.Type official website URLs into browsers manually.Facilitate user awareness training to include these types of phishing-based techniques.Maintain robust and up-to-date endpoint detection tools on every endpoint.Consider leveraging behavior-based detection tools rather than signature-based tools.Phishing and other malicious cyber activity can be reported to the FBI’s IC3 and the NJCCIC.
See yourself in cybersecurity. You don’t need experience — just the passion and drive to enter a demanding and rewarding field, one that opens limitless opportunities worldwide.
As part of our commitment to help close the cybersecurity workforce gap and diversify those working in the field, ISC2 is offering FREE Certified in Cybersecurity (CC) Online Self-Paced Training and exams to one million people.
Start Your Journey To participate in the One Million Certified in Cybersecurity program, please follow these simple steps:
Complete your ISC2 Candidate application form and select Certified in Cybersecurity as your certification of interest.
Once the application is complete, you’ll become an ISC2 Candidate. It’s free to join and you’ll gain access to Official ISC2 Certified in Cybersecurity Online Self-Paced Training and the opportunity to register for the free certification exam. You will find your access on the Candidate Benefits page.
Upon passing the exam, complete the application form and pay U.S. $50 Annual Maintenance Fee (AMF). Once completed you’ll become a certified member of ISC2 – the world’s largest association of certified cybersecurity professionals – with access to a broad range of professional development resources to help you throughout your career
Your self-guided tour toward certification — now featuring adaptive learning for a streamlined experience customized to each individual. Leveraging the power of AI, the training guides learners through a self-paced learning experience adapted to their individual needs. This class will have instructor Lead class it will Be 2 Saturday in a row Dates: July 20, 27 Time: 8-4 Location: Virtual Class is Offered by ISC2 NJ chapter. You do not need to be a member but of course you can join even if your not in New Jersey. I will be teaching the Class.
Exam included.
Pay U.S. $50 Annual Maintenance Fee (AMF) upon passing the certification exam.
HOPE XV will be the fifteenth Hackers On Planet Earth event. July 12-14, 2024 at St. John University Queens, NY
This event promises to be memorable. It is open to all hackers, makers, tinkerers, experimenters, artists, educators and anyone else with an interest in exploring and improving the world we live in and sharing knowledge with others.
Virtual tickets get you all the presentations via livestream, plus access to live chat with other attendees and presenters.
HOPE is an all-ages event with multiple simultaneous sessions and many other things to do throughout the weekend. All of this is in a relaxed and comfortable university environment, with friendly and supportive conference attendees.
