Vishing Scams: Who is Really Calling You?

The NJCCIC continues to receive reports of fraudulent phone calls in vishing scams.
Typically, threat actors acquire publicly available information found online and impersonate specific organizations or individuals. They contact the recipient to extort money or convince their targets to divulge sensitive information, grant access to their accounts or devices, or purchase fraudulent goods or services.

In one report, an educational institution received repeated suspicious phone calls from different phone numbers, including spoofed official numbers meant to make the calls appear legitimate.

The threat actors claimed to be “Online IT Training” and asked for the head of the information technology department. When questioned, the threat actors could not respond “off script.”
Threat actors are increasingly leveraging voice cloning and artificial intelligence (AI) technologies to carry out impersonation and extortion scams. They can find and capture snippets of a person’s voice online, through social media platforms, in outgoing voicemail messages, or simply by recording the recipient when they answer a call.

They feed the captured audio to AI voice-cloning tools and use the cloned voice in fabricated scenarios, such as family emergencies, kidnappings, robberies, or car accidents. In one reported vishing scam, the threat actors impersonated the target’s daughter, claiming to be involved in a car accident.

A male voice was also on the line, claiming to be a local law enforcement officer and reporting that the daughter had supposedly admitted to using her cell phone while driving. He indicated that she was being held on charges of injuring the other driver, who was pregnant. The purported officer stated that a bail bond agent would contact them to post bail. Minutes later, a male caller posing as a bail bond agent contacted the target, stated that bail was set at $15,000 cash only, and warned them not to tell anyone because it would go on the daughter’s permanent record.

After hanging up with the threat actors, the target called their daughter to confirm the call’s legitimacy before going to the bank. The daughter revealed she was not on the call or involved in a car accident.

More Ransomware Groups Adopt Tactic of Impersonating IT Support

Over the last year, cybersecurity researchers and analysts reported that ransomware groups have adopted a tactic of impersonating IT support and using email bombing to convince users to provide the threat actors with access to the targeted organization’s network.

In a recent incident reported by Sophos, the 3AM ransomware group spoofed a targeted organization’s official IT department phone number to call one of the organization’s users. Just before the call, the threat actors initiated email bombing, sending the user 24 unsolicited emails in just a few minutes. When the threat actors called the user using the spoofed number, they referenced the email bombing and convinced them to open Microsoft Quick Assist and grant remote access.

In this incident, the threat actors were able to steal over 800GB of data, though most of their further actions were blocked by the company’s strict multi-factor authentication (MFA) policies and security software. In other incidents, once remote access is obtained, the threat actors install malware, steal data, move laterally, elevate privileges, and encrypt data in a ransomware attack.
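The two signals in the Sophos incident, a burst of inbound mail to one user followed minutes later by that user launching Quick Assist, are each unremarkable on their own but telling together. The following Go program is an added example, not code from Sophos or the NJCCIC: it reads a constructed mail-gateway and process-start log, finds email-bomb bursts per user, and alerts only when a remote-assist tool starts for that user shortly after a burst. The thresholds (20 messages in 5 minutes, 30-minute follow-up window), the log line format, and the assumption that the mailbox local part equals the endpoint user name are this example’s own choices.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Thresholds are assumptions for this example; the report only says that 24
// messages arrived "in just a few minutes" before the call.
const (
	burstCount   = 20               // inbound messages ...
	burstWindow  = 5 * time.Minute  // ... within this window count as a bomb
	followWindow = 30 * time.Minute // remote-assist launch this soon after a bomb is suspicious
)

var remoteAssistTools = map[string]bool{"quickassist.exe": true} // extend with other support tools in use

type event struct {
	at    time.Time
	kind  string // "mail" (inbound delivery) or "proc" (process start)
	user  string // local part of the recipient address, or the endpoint user name
	image string // lower-cased process image basename (proc only)
}

type Alert struct {
	User, Tool        string
	BurstAt, LaunchAt time.Time
}

// parseLine reads the constructed "<RFC3339> <kind> key=value ..." format.
func parseLine(line string) (event, error) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return event{}, fmt.Errorf("malformed line %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	e := event{at: at, kind: f[1]}
	for _, kv := range f[2:] {
		k, v, _ := strings.Cut(kv, "=")
		switch k {
		case "rcpt":
			e.user, _, _ = strings.Cut(v, "@") // assumption: mailbox local part == endpoint user name
		case "user":
			e.user = v
		case "image":
			e.image = strings.ToLower(v[strings.LastIndexAny(v, `\/`)+1:])
		}
	}
	return e, nil
}

// bursts returns, per user, the instants at which burstCount inbound messages
// had arrived within burstWindow, one entry per distinct burst.
func bursts(events []event) map[string][]time.Time {
	byUser := map[string][]time.Time{}
	for _, e := range events {
		if e.kind == "mail" {
			byUser[e.user] = append(byUser[e.user], e.at)
		}
	}
	out := map[string][]time.Time{}
	for user, ts := range byUser {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for i := 0; i+burstCount <= len(ts); {
			if end := ts[i+burstCount-1]; end.Sub(ts[i]) <= burstWindow {
				out[user] = append(out[user], end)
				i += burstCount // skip the rest of this burst
			} else {
				i++
			}
		}
	}
	return out
}

// Correlate flags a remote-assist tool started by a user within followWindow
// after that user was email-bombed; either signal alone is not an alert.
func Correlate(lines []string) ([]Alert, error) {
	var events []event
	for _, l := range lines {
		e, err := parseLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	b := bursts(events)
	var alerts []Alert
	for _, e := range events {
		if e.kind != "proc" || !remoteAssistTools[e.image] {
			continue
		}
		for _, t := range b[e.user] {
			if !e.at.Before(t) && e.at.Sub(t) <= followWindow {
				alerts = append(alerts, Alert{e.user, e.image, t, e.at})
				break
			}
		}
	}
	return alerts, nil
}

// SampleLog is constructed: jsmith receives 24 messages in under three minutes
// and starts Quick Assist nine minutes later; tlee starts Quick Assist with no
// burst; mwong is bombed but never starts a remote-assist tool.
func SampleLog() []string {
	base := time.Date(2025, 6, 3, 14, 0, 0, 0, time.UTC)
	ts := func(d time.Duration) string { return base.Add(d).Format(time.RFC3339) }
	var lines []string
	for i := 0; i < 24; i++ {
		lines = append(lines, fmt.Sprintf("%s mail rcpt=jsmith@example.org from=news%d@shop.example", ts(time.Duration(i)*7*time.Second), i))
	}
	for i := 0; i < 25; i++ {
		lines = append(lines, fmt.Sprintf("%s mail rcpt=mwong@example.org from=promo%d@deals.example", ts(time.Hour+time.Duration(i)*5*time.Second), i))
	}
	return append(lines,
		ts(9*time.Minute)+" proc user=jsmith image=QuickAssist.exe",
		ts(20*time.Minute)+" proc user=tlee image=QuickAssist.exe")
}

func main() {
	alerts, _ := Correlate(SampleLog())
	for _, a := range alerts {
		fmt.Printf("ALERT %s started %s at %s, %s after being email-bombed\n", a.User, a.Tool, a.LaunchAt.Format(time.RFC3339), a.LaunchAt.Sub(a.BurstAt))
	}
}
```

Run against the sample, only jsmith produces an alert: tlee’s Quick Assist session has no preceding burst, and mwong’s burst has no follow-up launch. In a real deployment the mail counts would come from the gateway and the process starts from EDR or Sysmon, and the same correlation is a natural candidate for a scheduled SIEM rule.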

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with that user, threat actors could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured with fewer rights on the system are less impacted than those who operate with administrative rights.
Threat Intelligence
Google is aware that an exploit for CVE-2025-5419 exists in the wild.
Systems Affected
  • Google Chrome prior to 137.0.7151.68/.69 for Windows and Mac
  • Google Chrome prior to 137.0.7151.68 for Linux
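As an added example (not part of the advisory or of Google’s release notes), the following Go program checks inventoried Chrome versions against the first fixed build the advisory lists. Windows and Mac shipped 137.0.7151.68/.69 and Linux 137.0.7151.68, so .68 is the floor on every platform. The inventory lines are constructed; the point worth carrying into a real fleet query is the component-wise numeric comparison, since a plain string comparison ranks 137.0.7151.9 above 137.0.7151.68 and silently misses a vulnerable install.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// FixedBuild is the first build the advisory lists as not affected.
var FixedBuild = [4]int{137, 0, 7151, 68}

// ParseVersion splits a four-part Chrome version string into integers.
func ParseVersion(s string) ([4]int, error) {
	var v [4]int
	parts := strings.Split(strings.TrimSpace(s), ".")
	if len(parts) != 4 {
		return v, fmt.Errorf("expected four components in %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad component %q in %q", p, s)
		}
		v[i] = n
	}
	return v, nil
}

// Vulnerable reports whether an installed version predates FixedBuild,
// comparing each component numerically.
func Vulnerable(version string) (bool, error) {
	v, err := ParseVersion(version)
	if err != nil {
		return false, err
	}
	for i := range v {
		if v[i] != FixedBuild[i] {
			return v[i] < FixedBuild[i], nil
		}
	}
	return false, nil // exactly the fixed build
}

// ScanInventory takes "host,os,version" lines (constructed here; in practice
// exported from an endpoint-management tool) and returns the hosts that still
// need the update, plus the lines it could not parse so they are not silently
// reported as patched.
func ScanInventory(lines []string) (needUpdate []string, bad []string) {
	for _, line := range lines {
		f := strings.Split(line, ",")
		if len(f) != 3 {
			bad = append(bad, line)
			continue
		}
		vuln, err := Vulnerable(f[2])
		if err != nil {
			bad = append(bad, line)
			continue
		}
		if vuln {
			needUpdate = append(needUpdate, f[0])
		}
	}
	return needUpdate, bad
}

// Inventory is a constructed sample, not data from the advisory.
var Inventory = []string{
	"ws-0101,windows,137.0.7151.68",
	"ws-0102,windows,137.0.7151.9",
	"mac-0201,mac,137.0.7151.69",
	"lnx-0301,linux,136.0.7000.1",
	"ws-0103,windows,138.0.7200.0",
	"ws-0104,windows,unknown",
}

func main() {
	need, bad := ScanInventory(Inventory)
	fmt.Println("need update:", need)
	fmt.Println("unparseable:", bad)
}
```

Hosts with an unparseable version are reported separately rather than dropped; an agent that reports "unknown" is usually one that has not checked in, which is its own finding.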
Risk
  • Government: large and medium entities High; small entities Medium
  • Businesses: large and medium entities High; small entities Medium
  • Home users: Low
Recommendations
  • Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Restrict execution of code to a virtual environment on or in transit to an endpoint system.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
Reference
Google:
https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop.html

Open for Public Comment | Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems

NIST invites comments on the initial public draft (ipd) of Special Publication (SP) 800-18r2 (Revision 2), Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems.

The system security plan, privacy plan, and cybersecurity supply chain risk management plan consolidate information about the assets and individuals being protected within an authorization boundary and its interconnected systems. These system plans serve as a centralized point of reference for information about the system and risk management decisions, including data being created, collected, disseminated, used, stored, and disposed of; the individuals responsible for system risk management efforts; details about the internal and external environments of operation, system components, and data flows; and controls that are planned or in place to manage risks.

The major changes for this revision include:

Additionally, the following supplemental materials are available:

  • Security Plan Example Outline
  • Privacy Plan Example Outline
  • C-SCRM Plan Example Outline
  • System Plan Related Roles and Responsibilities

The comment period is open through July 30, 2025. See the publication details for a copy of the draft, supplemental files, and a comment template. Commenters are encouraged to use that template and submit feedback to sec-cert@nist.gov with “SP 800-18r2 ipd comments” in the subject.


Malware Prevention, Discovery, and Recovery Training Course

June 4, 2025
NJCCIC Public/Private Sector IT-Security Professional Members,
The Cybersecurity and Infrastructure Security Agency (CISA), Region 2, in coordination with the National Cybersecurity Preparedness Consortium (NCPC), is sponsoring a four-day Malware Prevention, Discovery, and Recovery (MPDR) training course.

The course is being offered at no cost to you or your organization. The in-person training course will be held Tuesday, August 19, through Friday, August 22, at Kean University.  

Course Description
MPDR aims to provide technical personnel with the hands-on expertise necessary to prevent, discover, recognize, and recover from modern malware, which is a fundamental element of many computer network breaches and data theft incidents. MPDR will expose participants to analysis of malicious software used by cybercriminals and cyber-terrorists. After an introduction to modern malware, participants will learn how to prevent a malware outbreak, discover and identify malware through active network traffic analysis, prepare for dynamic analysis of malware samples of various types and intent, and isolate, remediate, and recover from a malware outbreak. The course will conclude with a review of dynamic malware analysis and a look at emerging trends in the use of malicious software in network intrusions and data theft.
Prerequisites
Participants should have some experience as a cybersecurity professional and a good understanding of network concepts and computer operating systems. Two years’ experience as a system or network administrator, or as an IT security specialist, is preferred.

Registration
Space is extremely limited, and registration is required. You must register using your agency/organization email address; personal email addresses will not be considered. You will be required to attend all four days of the training course. NOTE: When registering, you will be asked for a FEMA Student Identification Number (SID), which can be obtained from FEMA in advance if you do not already have one.


NIST Launches Development of Cryptographic Accordions

A cryptographic accordion is a tweakable block cipher mode that is itself a cipher on variable-length input. NIST proposes to develop three general-purpose accordions:

  • Acc128 to support typical usage (birthday bounds) with the Advanced Encryption Standard (AES)
  • Acc256 to support typical usage with a 256-bit block cipher (possibly Rijndael-256)
  • BBBAcc to support extended usage (beyond-birthday-bound) with AES

In particular, NIST proposes to develop variants of the HCTR2 technique for these accordions.
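To make the definition concrete, the following Go program is an added example (not NIST’s or the HCTR2 authors’ code) of an HCTR2-style accordion over AES: one block goes through AES itself, a polynomial hash of the tweak and the remaining bytes is mixed in before and after that call, and XCTR keystream derived from it covers the rest. It is a genuine variable-length tweakable cipher, so every ciphertext byte depends on every plaintext byte and on the tweak, which is exactly what CTR or XTS do not give you. Two assumptions set it apart from real HCTR2: the field multiplication is the GHASH form from NIST SP 800-38D rather than POLYVAL, and the length-block and padding convention in `polyHash` is this example’s own, so it will not match HCTR2 test vectors (the Linux kernel carries a vetted HCTR2). The key, the tweak "sector-42", and the names `Accordion`, `NewAccordion`, `Encrypt`, and `Decrypt` are likewise this example’s own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// gfMul multiplies two GF(2^128) elements (16-byte strings) in the GHASH bit
// convention of NIST SP 800-38D, Algorithm 1. Not constant-time; demo only.
func gfMul(x, y []byte) []byte {
	var z [2]uint64
	v := [2]uint64{binary.BigEndian.Uint64(y[:8]), binary.BigEndian.Uint64(y[8:])}
	for i := 0; i < 128; i++ {
		if (x[i/8]>>(7-uint(i%8)))&1 == 1 {
			z[0], z[1] = z[0]^v[0], z[1]^v[1]
		}
		lsb := v[1] & 1
		v[1], v[0] = v[1]>>1|v[0]<<63, v[0]>>1
		if lsb == 1 {
			v[0] ^= 0xE100000000000000 // reduce modulo x^128 + x^7 + x^2 + x + 1
		}
	}
	out := make([]byte, 16)
	binary.BigEndian.PutUint64(out[:8], z[0])
	binary.BigEndian.PutUint64(out[8:], z[1])
	return out
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Accordion is an HCTR2-style wide-block tweakable cipher over AES.
type Accordion struct {
	blk  cipher.Block
	h, l []byte // hash key h = E_K(0), XCTR mask L = E_K(1), as in HCTR2
}

func NewAccordion(key []byte) (*Accordion, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	a := &Accordion{blk: blk, h: make([]byte, 16), l: make([]byte, 16)}
	one := make([]byte, 16)
	one[0] = 1 // little-endian 1
	blk.Encrypt(a.h, make([]byte, 16))
	blk.Encrypt(a.l, one)
	return a, nil
}

// polyHash hashes (tweak, msg) injectively: a length/padding block, the
// zero-padded tweak, then msg padded with 0x01 0x00.. when not block-aligned.
// This convention is the example's own, not HCTR2's exact encoding.
func (a *Accordion) polyHash(tweak, msg []byte) []byte {
	flag := uint64(2)
	if len(msg)%16 != 0 {
		flag = 3 // separates "msg" from "msg || 01 || 00..."
	}
	data := make([]byte, 16)
	binary.LittleEndian.PutUint64(data, uint64(len(tweak))*16+flag)
	data = append(append(data, tweak...), make([]byte, (16-len(tweak)%16)%16)...)
	data = append(data, msg...)
	if flag == 3 {
		data = append(append(data, 1), make([]byte, (16-(len(msg)+1)%16)%16)...)
	}
	y := make([]byte, 16)
	for i := 0; i < len(data); i += 16 {
		y = gfMul(xor(y, data[i:i+16]), a.h)
	}
	return y
}

// xctr returns n keystream bytes E_K(s xor le128(i)) for i = 1, 2, ...
func (a *Accordion) xctr(s []byte, n int) []byte {
	out, ctr := make([]byte, 0, n+16), make([]byte, 16)
	for i := uint64(1); len(out) < n; i++ {
		binary.LittleEndian.PutUint64(ctr, i)
		ks := make([]byte, 16)
		a.blk.Encrypt(ks, xor(s, ctr))
		out = append(out, ks...)
	}
	return out[:n]
}

// crypt is both directions: hash in, one AES call, XCTR over the rest, hash
// out. Decryption is the same walk with the single AES call inverted.
func (a *Accordion) crypt(tweak, in []byte, decrypt bool) ([]byte, error) {
	if len(in) < 16 {
		return nil, fmt.Errorf("input must be at least one block (16 bytes), got %d", len(in))
	}
	x := xor(in[:16], a.polyHash(tweak, in[16:]))
	y := make([]byte, 16)
	if decrypt {
		a.blk.Decrypt(y, x)
	} else {
		a.blk.Encrypt(y, x)
	}
	s := xor(xor(x, y), a.l)
	rest := xor(in[16:], a.xctr(s, len(in)-16))
	return append(xor(y, a.polyHash(tweak, rest)), rest...), nil
}

func (a *Accordion) Encrypt(tweak, msg []byte) ([]byte, error) { return a.crypt(tweak, msg, false) }
func (a *Accordion) Decrypt(tweak, ct []byte) ([]byte, error)  { return a.crypt(tweak, ct, true) }

func main() {
	acc, _ := NewAccordion([]byte("0123456789abcdef")) // constructed demo key
	ct, _ := acc.Encrypt([]byte("sector-42"), []byte("one cipher over the whole message"))
	pt, _ := acc.Decrypt([]byte("sector-42"), ct)
	fmt.Printf("ct=%x\nroundtrip=%q\n", ct, pt)
}
```

Two things to notice when running it. Flipping the last plaintext byte changes the first ciphertext block as well as the tail, because the hash of the tail feeds the one AES call and that call seeds the keystream; and the same walk serves both directions with only the AES call inverted, which is why the minimum input is one block and the output is exactly the input length.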

NIST invites public comments through August 6, 2025. Please submit them to ciphermodes@nist.gov with the subject line “Comments on Accordion Development.” Comments received in response to this request will be posted on the publication page for a future NIST Special Publication (SP) 800-197A. Submitters’ names and affiliations (when provided) will be included, though contact information will be removed.
