Girls Go CyberStart Results
The NJCCIC would like to congratulate team bc-ayyy from Bergen County Academies for placing #3 in the Nation in the Girls Go CyberStart competition and winning a trip to Chicago to attend the Women in Cybersecurity Conference later this month. Congratulations, ladies!
We would also like to extend our congratulations to all the New Jersey teams that ranked in the top 100 of the Girls Go CyberStart competition. New Jersey had 15 teams place in the top 100, a great accomplishment! The teams ranked in the top 100 are as follows:
#3 bc-ayyy: 107,150 points - Bergen County Academies
#11 CyberGoats: 73,150 points - Bridgewater-Raritan High School
#12 SecondQ: 73,000 points - Bergen County Academies
#15 McGirls: 71,150 points - Communications High School
#18 Braves: 66,200 points - Absegami High School
#24 HAKS: 58,800 points - High Technology High School
#33 Cyberian Huskies: 55,300 points - Freehold Borough High School
#46 Byte Me Inc.: 46,750 points - West Windsor-Plainsboro High School North
#62 BabyGotHack: 41,500 points - Freehold Borough High School
#79 GirlsJustWannaCode: 37,900 points - Pascack Valley High School
#82 Ranks2: 37,700 points - South Brunswick High School
#84 Cypher: 37,400 points - High Technology High School
#93 KONS-XX: 35,150 points - High Technology High School
#95 Hack Slinging Slashers: 34,700 points - Jackson Memorial High School
#96 InfernoVeil: 34,400 points - Bergen County Academies
Garden State Cyber Threat Highlights
Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.
Unsecured Memcached Servers Exploited by Malicious Actors for Use in 1.7 Tbps DDoS Attacks
Two of the largest distributed denial-of-service (DDoS) attacks measured to date were recently observed when development platform GitHub and an unnamed US service provider were targeted with a flood of network traffic that reached 1.3 Tbps and 1.7 Tbps, respectively. The perpetrators of these types of reflective DDoS attacks exploit a vulnerability in the UDP protocol implementation of Memcached servers by sending specially-crafted UDP packets over port 11211, causing the Memcached server to respond with much larger packets. The perpetrators spoof the source IP address in the specially-crafted UDP packets to that of a specific target so that, when Memcached servers respond, it causes a denial-of-service condition for the target. According to Bleeping Computer, an industry source revealed that the attacks appeared to be originating from DDoS-for-hire services operating within China. Some attacks have included a ransom demand embedded within UDP packets asking victims to pay approximately $17,000 worth of Monero, a cryptocurrency popular among criminals because transactions cannot easily be traced by law enforcement. Using Shodan, a publicly available internet-of-things (IoT) search engine, NJCCIC analysts determined that nearly 2,000 Memcached servers within New Jersey have port 11211 open and exposed to the internet, greatly increasing the risk that they will be abused by the actor or group behind these attacks. Many of these appear to be virtualized servers. The images above highlight the most affected areas within the State. Additionally, two proof-of-concept utilities were publicly released, including a Python tool and source code for another tool written in the C programming language, lowering the barrier to entry for any malicious actor that wants to leverage vulnerable Memcached servers for large-scale DDoS attacks. 
In addition to being exploited to conduct large-scale DDoS attacks, a Corero report suggests that this vulnerability can also be used to steal and modify data on affected servers. The NJCCIC recommends all administrators of Memcached servers disable UDP support and ensure that Memcached servers reside behind a firewall as soon as possible. Memcached v1.5.6, released on February 27, disables the UDP protocol by default. For detailed instructions on securing Memcached servers and additional information about this vulnerability and exploit, please review the following publications by DigitalOcean, Cloudflare, and Rapid7. As vulnerable systems and devices allow DDoS attacks to increase in size and capability, we recommend all organizations have DDoS mitigation services established through a managed security service provider and/or their internet service provider and have an incident response and recovery plan in place in the event of an attack. US-CERT provides additional information on UDP-based amplification DDoS attacks such as those conducted using exploited Memcached servers in Alert TA14-017A.
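The two conditions described above, an internal Memcached server reachable over UDP/11211 from the internet and replies from that port that dwarf the requests, can both be spotted in flow records. The following is an added example (not from the bulletin or any referenced vendor) that runs over a constructed flow-log sample; the CSV field names, the RFC 1918 definition of "internal", and the amplification threshold are assumptions to adapt to your exporter.

```python
"""Flag exposed Memcached servers and amplification replies in flow logs."""
import csv
import io
import ipaddress
from collections import defaultdict

MEMCACHED_PORT = 11211
# Assumed tuning value: a UDP reply stream this many times larger than the
# matching requests is treated as amplification. Not a figure from the bulletin.
AMPLIFICATION_RATIO = 50

# Assumption: "internal" means the RFC 1918 ranges; adjust to your address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in a simplified CSV layout (one row per unidirectional flow).
SAMPLE_FLOWS = """\
proto,src_ip,src_port,dst_ip,dst_port,bytes
udp,203.0.113.7,40521,192.168.10.5,11211,60
udp,192.168.10.5,11211,203.0.113.7,40521,450000
udp,192.168.10.5,11211,198.51.100.9,40522,1200
tcp,192.168.10.20,11211,192.168.10.21,50000,90000
udp,10.0.0.3,53,192.168.10.5,3000,512
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze_flows(text: str):
    """Return (exposed_servers, amplification_events).

    exposed_servers: internal hosts that accepted UDP/11211 from a non-internal
    source, i.e. the port is reachable from outside.
    amplification_events: (server, destination, bytes_out, ratio) for UDP
    traffic leaving port 11211 that is far larger than the requests it answers.
    """
    requests = defaultdict(int)  # (server, peer) -> bytes toward 11211
    replies = defaultdict(int)   # (server, peer) -> bytes from 11211
    exposed = set()
    for row in csv.DictReader(io.StringIO(text)):
        if row["proto"] != "udp":
            continue  # the amplification vector is UDP only
        nbytes = int(row["bytes"])
        if int(row["dst_port"]) == MEMCACHED_PORT:
            requests[(row["dst_ip"], row["src_ip"])] += nbytes
            if not is_internal(row["src_ip"]):
                exposed.add(row["dst_ip"])
        elif int(row["src_port"]) == MEMCACHED_PORT:
            replies[(row["src_ip"], row["dst_ip"])] += nbytes

    events = []
    for key, out_bytes in replies.items():
        # A spoofed-source attack shows replies with little or no matching
        # request from the "victim", so a missing request counts as one byte.
        ratio = out_bytes / max(requests.get(key, 0), 1)
        if ratio >= AMPLIFICATION_RATIO:
            events.append((key[0], key[1], out_bytes, round(ratio, 1)))
    return sorted(exposed), sorted(events)


if __name__ == "__main__":
    servers, hits = analyze_flows(SAMPLE_FLOWS)
    print("exposed Memcached servers:", servers)
    for server, peer, nbytes, ratio in hits:
        print(f"{server} -> {peer}: {nbytes} bytes, x{ratio} amplification")
```

A server that appears in the exposed list should have UDP disabled (Memcached's `-U 0` option, the default from v1.5.6) and be filtered at the firewall, regardless of whether any amplification event was seen yet.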
Virtual Kidnapping Scams Impacting New Jersey Residents 
According to officials in Bergen County, a New Jersey resident was recently targeted in a “virtual kidnapping” scam – a telephone extortion scheme in which an unidentified caller claims to be holding the call recipient’s loved one hostage and demands a ransom in exchange for his or her safe return. Criminals behind these schemes are using increasingly sophisticated tactics to manipulate their victims, performing extensive reconnaissance online, spoofing phone numbers, and even employing sound effects such as screaming or audio clips of the supposed hostage’s voice to craft convincing calls. They attempt to keep victims on the phone as long as possible until the money is wired to the criminal’s account to prevent the victim from trying to contact the hostage directly. Only after the payment is sent do victims learn that they were scammed and that their loved ones were never in any danger. The NJCCIC recommends spreading awareness of this scam and informing friends and loved ones, especially members of the senior citizen community who can be particularly trusting of others and, therefore, susceptible to social engineering. Also, limit the amount of personal information you share publicly via social media and avoid posting your personal phone number in publicly accessible online forums. If you receive this type of call, make a note of the originating phone number, gather as much information from the caller as possible, and use another means, such as text message or email, to contact your loved one and check his or her whereabouts. Report incidents to your local police department as well as to the NJCCIC.
SEC Publishes Updated Cybersecurity Guidance for Public Companies 
The Securities and Exchange Commission (SEC) published updated guidance to help public companies comply with cybersecurity disclosure requirements under the federal securities law. Published on February 21, 2018, the SEC’s guidance expands upon guidelines previously issued by the SEC Division of Corporation Finance in 2011. The recent document addresses the growing security risks and potential costs to affected companies including expenses related to litigation, employee training, and agency investigations. The SEC’s updated guidelines advise public companies to protect against insider threats, ensure cybersecurity disclosures are made in an efficient and accurate manner, and inform investors of potential costs. The NJCCIC recommends employees and managers of public companies review the Commission’s guidance for additional information concerning disclosure requirements and cybersecurity risk factors.  
Annual Industry Reports
2018 CrowdStrike Global Threat Report
CrowdStrike released their annual Global Threat Report, available here. Some key takeaways are below:
  • The distinctions between state-sponsored actors and cybercriminals are becoming blurred, as nation-state adversaries adopt eCrime TTPs such as ransomware, and criminal groups perpetrate more sophisticated targeted intrusion-type attacks.
  • Exploits continue to proliferate with threat actors using commodity tools such as penetration-testing software and poisoned update packages to breach networks.
  • Malware-based attacks continued to flourish — even when traditional antivirus products were present.
  • Coordinated, cross-agency law enforcement actions resulted in the takedowns of some major eCrime actors and networks in 2017.
  • While government, healthcare and financial organizations continued to be highly targeted, the hospitality industry emerged as a target of both eCrime and nation-state actors.
Dragos Year in Review 2017
The Dragos Year in Review 2017 consists of three reports, all of which are available here. Some key takeaways are below:
  • 71 percent of 2017 ICS-related vulnerabilities result in the inability to monitor or read the state of the affected system.
  • 63 percent of 2017 ICS-related vulnerabilities result in a loss of control of the affected device.
  • 63 percent of all 2017 ICS-related vulnerabilities affected hardware and software for which there was no publicly available or demonstration version.
  • Top infection vectors include phishing emails, trojanized software, and external connections such as VPNs to vendors, third-parties, and partners.
  • Active groups targeting ICS systems include Electrum (linked to Sandworm), Covellite, Dymalloy, Chrysene, and Magnallium.
Webinar: C3 Voluntary Program Law Enforcement
Don’t miss this opportunity to learn about best practices and resources from the Federal Bureau of Investigation (FBI), the US Secret Service, the Department of Homeland Security’s Hunt and Incident Response Team (DHS HIRT), and our Nation’s fusion centers.
Threat Alerts
ComboJack Malware
Palo Alto Networks' Unit 42 researchers discovered a new malware variant targeting clipboard content, specifically content associated with cryptocurrency wallets, dubbed ComboJack. This malware is distributed via a malicious PDF email attachment that contains an embedded RTF file with a remote object designed to exploit the vulnerability CVE-2017-8579. Once delivered, ComboJack abuses the built-in Windows tool attrib.exe, used for setting file attributes. This effectively hides the file from the user and allows it to execute with elevated privileges. ComboJack then enters into an infinite loop, checking the contents of the user's clipboard repeatedly to look for various cryptocurrency wallet information for a wide range of digital currencies including Bitcoin, Litecoin, Monero, and Ethereum, as well as digital payment systems such as WebMoney and Yandex Money. If a cryptocurrency wallet is found, ComboJack will change the hardcoded wallet address to an attacker's address to trick the victim into sending money to the wrong location. The NJCCIC recommends reviewing the Palo Alto Networks report for additional information and Indicators of Compromise (IoCs). Additionally, we recommend all users and administrators of systems using Microsoft products review Microsoft's security bulletin for more information about affected products and associated patches.
Compromised MailChimp Accounts Exploited in Malware Distribution Campaign
Several recent open source reports indicate that a malicious email campaign attempting to deliver the Gootkit banking trojan to victims is originating from MailChimp, an email marketing platform. My Online Security suggests that MailChimp is an attractive distribution vector for these campaigns because emails originating from the platform pass authentication checks and many mail providers whitelist MailChimp by default as it is commonly used by various organizations to send legitimate mass emails. One victim reports that a malicious actor gained unauthorized access to his MailChimp account and imported a list of 250,000 subscribers, spamming them with malicious emails and subsequently deleting the evidence from the account’s “Sent” folder. He believes that, had he enabled two-factor authentication (2FA) on his MailChimp account, the compromise may have been prevented. It is not yet confirmed whether compromised account credentials or an unaddressed MailChimp vulnerability are to blame for the unauthorized account access. The NJCCIC recommends all MailChimp account users enable 2FA on their accounts as soon as possible and inspect their accounts for suspicious activity. If any accounts are suspected of sending malicious emails, report the issue to the MailChimp Abuse Desk immediately.
MoviePass App Tracks Users’ Locations
The CEO of MoviePass, a movie theater subscription company, recently admitted that the company's mobile app collects "an enormous amount of information" about their subscribers and tracks their locations prior to and after any movies they attend. Although the company's privacy policy does state that certain user data would be collected for purposes of enhancing and personalizing user experiences, critics argue that the extent of the app's data collection was not properly disclosed to subscribers and creates a privacy concern. The NJCCIC recommends exercising caution before downloading and using any mobile app and carefully reviewing all requested permissions and associated privacy policies, as well as reading user reviews and ratings.
Vulnerability Alerts
Exim Internet Mailer
A critical vulnerability (CVE-2018-6789) recently discovered in Exim, a mail transfer agent used to relay emails from senders to recipients, affects 56 percent of all email servers worldwide. If exploited, this vulnerability creates a buffer overflow condition that can allow a remote threat actor to execute code prior to being authenticated by the affected Exim email server. This vulnerability affects all versions of Exim prior to the patched version 4.90.1. Using Shodan, a publicly available internet-of-things (IoT) search engine, NJCCIC analysts determined that nearly 64,000 email servers within New Jersey run Exim and, out of those, only 829 are running the patched version. The NJCCIC recommends all administrators of email servers running Exim review the Exim security advisory and update to version 4.90.1 as soon as possible. More information about the Exim vulnerability is also available on the Devcore website.
Microsoft CFG
Researchers from the University of Padua discovered a flaw that exists within the Control Flow Guard (CFG) in Microsoft Windows 8.1 and all versions of Windows 10. The CFG is a countermeasure Microsoft implemented to protect Windows-based systems from memory corruption vulnerabilities that exist in some software and is designed to prevent a threat actor from hijacking a program’s control flow and directing it towards malicious code. It is estimated that more than 500 million Windows systems currently have this protection in place. However, the researchers produced an exploit, dubbed Back to the Epilogue (BATE), that calls portions of code and chains them together to bypass CFG restrictions. The researchers have disclosed the vulnerability to Microsoft and plan to demonstrate the exploit at the Black Hat Asia conference in Singapore later this month. The NJCCIC recommends all users and administrators of systems running Windows 8.1 and 10 review the Dark Reading article and apply the appropriate patch when it becomes available.
Pivotal Spring
Lgtm security researchers discovered a critical vulnerability (CVE-2017-8046) affecting various projects in Pivotal Spring, a framework used to build web applications. If exploited, this vulnerability could allow a remote threat actor to execute arbitrary code on any system running an application built using Spring Data REST. Researchers liken this vulnerability to CVE-2017-5638 that affected Apache Struts and led to the Equifax data breach. This vulnerability impacts Spring Data REST components, versions prior to 2.5.12, 2.6.7, and 3.0RC3, as well as Spring Boot versions prior to 2.0.0M4, and Spring Data versions prior to Kay-RC3. The NJCCIC recommends all developers using affected Spring products and components review the lgtm blog and update to the latest versions as soon as possible.
Breach Notifications
2,844 New Data Breaches Containing over 80 Million Records Discovered
Security researcher Troy Hunt recently discovered a collection of nearly 3,000 possible data breaches accompanied by data from previously confirmed breaches on a hacking forum located on the clear web. He states that almost all of the obtained files contain email addresses – 80,115,532 in total – and plaintext passwords. Hunt is still analyzing the data and has yet to determine where the possible breaches occurred, as there does not appear to be a direct correlation between the accounts and the associated source file at this time. Hunt owns and operates the website where users can check to see if their email addresses have been included in any previous data breaches. The NJCCIC recommends all users assume that their email addresses and passwords have been, or will be, involved in a data breach, and enable multi-factor authentication (MFA) on every account that offers it to protect themselves against credential compromise. For accounts that do not offer MFA, we recommend creating lengthy, complex passwords for those accounts and monitor them regularly for unauthorized activity. We strongly advise against password reuse.
RMH Franchise Holdings announced that diners who visited one of their 167 Applebee’s restaurants between November 23, 2017 and January 2, 2018 may have had their payment card information compromised via point-of-sale malware. RMH Franchise Holdings discovered the incident on February 13, 2018 and took steps to investigate and remediate the infection. The breach does not impact payments made online or those made using tabletop self-pay devices. The NJCCIC recommends those who have dined at one of the impacted locations monitor payment card statements for unauthorized charges, consider placing a freeze on their credit, and immediately notify banks if fraudulent activity is observed on their accounts.
Threat Profiles
Android Threat Profile: No new or updated variants were added.
Botnet Threat Profile: No new or updated botnets were added.
Exploit Kit Threat Profile: No new or updated exploit kits were added.
Industrial Control Systems Threat Profile: No new or updated variants were added.
iOS Threat Profile: No new or updated variants were added.
macOS Threat Profile: No new or updated variants were added.
Point-of-Sale Threat Profile: No new or updated variants were added.
Ransomware Threat Profile: Three updated variants: Shifr, Jigsaw, GandCrab.
Trojan Threat Profile: One new variant: FlawedAmmyy. One updated: Gozi.
Social Engineering Awareness
IBM X-Force IRIS Uncovers Active Business Email Compromise Campaign Targeting Fortune 500 Companies
Comment: IBM X-Force Incident Response and Intelligence Services (IRIS) recently identified malicious groups actively targeting Fortune 500 companies using business email compromise (BEC) scams to steal financial assets. These threat groups, believed to be based in Nigeria, employ these tactics to trick their victims into transferring millions of dollars into fraudulent bank accounts. The phishing emails are typically sent from spoofed accounts and designed to mimic legitimate correspondence from the company’s vendors or clients. However, the groups use them to request changes in payment procedures, such as asking that new payments be sent to an “updated” account number. As BEC scams can employ sophisticated tactics to fool victims, businesses are strongly encouraged to implement account security features such as multi-factor authentication, observe strict wire transfer policies, and verify vendors and clients prior to conducting any financial transactions.
Oscar Scams Ran Wild Thanks to Twitter Bots
Comment: On Sunday night during the Academy Awards, an extensive social media spam campaign ran rampant on Twitter lasting until Monday morning. Celebrities who used the platform during the ceremony to post messages were impersonated by bots that would respond to both the targeted celebrities and their fans in an effort to spread malicious URLs. Social media platforms are used by a range of malicious actors to trick unsuspecting victims into clicking malicious links. Social media users are urged to use caution when clicking on any links shared through the platform, even if they are posted by someone the user knows personally, as they could lead to phishing sites or result in the installation of malware on the user’s system.
Cyber At a Glance
Digital Copiers are Computers, Too - The Importance of Securing Physical Documents
Comment: Although often overlooked and forgotten when it comes to security, multifunction printers can pose a significant risk to data and networks when improperly configured. Printers with open and exposed ports as well as default login credentials or no user authentication requirements can allow both internal and remote threat actors to gain unauthorized access to the device and potentially sensitive data stored within its memory. Secure network-connected printers by closing unneeded ports, requiring user authentication and implementing user-based access control, and encrypting all data traveling between the printers and other devices. Clear printer memories often, especially before decommissioning them, and track and log all printer activity in the event any are discovered to be the source of a data breach.

Cryptocurrency Scams on Android: Do You Know What to Watch Out For?
Comment: Android users have recently been targeted with cryptocurrency exchange scams due to the popularity of cryptocurrency and because many exchanges do not offer a mobile app. Individuals are encouraged to treat cryptocurrency exchanges and wallets with the same level of caution as mobile banking apps. Check to make sure the mobile app is verified via the associated service’s official website before downloading. If possible, enable two-factor authentication to protect your exchange or wallet accounts. As with any mobile app, be sure to thoroughly read user reviews prior to installation to help determine its legitimacy.
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
New Jersey Cybersecurity & Communications Integration Cell 
DISCLAIMER: This bulletin is provided as is for informational purposes only. The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) and the Office of the Regional Operations Intelligence Center (ROIC) do not provide any warranties of any kind regarding any information contained within. The NJCCIC and ROIC do not endorse any commercial product or service, referenced in this bulletin or otherwise. Further dissemination of this bulletin is governed by the Traffic Light Protocol (TLP). For more information about TLP, see