Mar 27, 2020, 1:09 PM

To: Organizations Cyber Distro

Below and attached is this month’s Noise.

Important: If you need to contact me, please send an email to ilene.klein@phoenix.gov or iklein@azdps.gov. Do not use the ACTICCybersecurity@azdps.gov email address. I currently have no access to that mailbox. Thanks!

2020-03 — AZ cyber threat brief presentation

Take Action       

  • Ensure you’ve closed ports 3389 (RDP) and 445 (SMB).  Attackers are actively scanning these ports as they know we’re working from home and need to access files.  RDP is remote desktop protocol, used to access your computer remotely.  SMB is server message block, used for allowing shared access to files and other resources.
  • Warn your folks about scams with COVID-19/coronavirus themes and scams related to the upcoming federal relief package.  Also attached are documents from the Louisiana fusion center and Anomali with a collection of indicators used to push malware variants with a COVID-19 virus theme.
    References:
    https://www.ftc.gov/news-events/blogs/business-blog/2020/03/seven-coronavirus-scams-targeting-your-business
  • Learn about and implement DMARC to authenticate email to prevent email spoofing, if you haven’t already.  The Global Cyber Alliance (GCA) is offering a new installment of its DMARC Bootcamp.  Beginning May 4th, GCA will conduct five weeks of online technical training focused on what DMARC is and how to implement it.
    Reference:  https://bootcamp.globalcyberalliance.org/dmarc-bootcamp-2020

Be Aware           

  • There is a wealth of guides available to help safeguard remote workers.  Here are a couple.
    References:
    https://csrc.nist.gov/
    https://www.us-cert.gov/ncas/alerts/aa20-073a
  • Many companies are offering free tools to help employees work remotely during the outbreak.
    Reference:  https://medium.com/@kristinmwilson/all-the-companies-offering-free-remote-work-tools-96393213a885

Arizona Cyber Trends
Here are this week’s Arizona cyber trends and some related news.

COVID-19 / Coronavirus Phishing

In last week’s trends, analysts reported a large increase in phishing campaigns related to COVID-19 and targeting users working from home.  This week’s trends are all further indicative of this sudden shift in culture.  Below are some of the common subject lines.  We’re also getting reports of text messages and emails around free Netflix “since we’re stuck at home” and an HHS requirement to take an online “mandatory COVID-19 preparation test.”

  • Coronavirus (COVID-19)
  • Coronavirus Disease (COVID-19)
  • Coronavirus Disease 2019 (COVID-19)
  • Coronavirus in the US
  • COVID-19 Resources
  • FW: Corona virus
  • HIGH-RISK: New confirmed cases in your city
  • Information about COVID-19 in the United States
  • Markes International statement concerning business operations and the coronavirus (COVID-19)
  • Social distance and shop
  • We’re Here to Help, update about COVID-19

One-Line Phish Bait
Analysts noticed a large resurgence in quick, one-line emails spoofing co-workers or managers.  Examples of these emails contain content such as “Hey are you in the office?” or “Can you do me a quick favor?”  These types of emails typically make it through most filters as they do not contain links, attachments, or other malicious content.  Instead they attempt to establish a dialogue with the recipient and then lure them into a phishing trap.  With a large portion of the workforce working remotely, these types of emails tend to seem more realistic to recipients.
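
Added example (not part of the original brief): since these messages carry no link or attachment to scan, a mail-flow rule has to look at sender identity instead.  This Python sketch flags a short, link-free message only when it also shows a spoofing signal; ORG_DOMAIN, STAFF_NAMES, the 12-word threshold and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.gov"                  # assumption: your mail domain
STAFF_NAMES = {"pat rivera", "sam okafor"}  # assumption: names from your directory
URL_RE = re.compile(r"https?://|www\.", re.I)
SHORT = "short body with no link or attachment"


def bait_signals(raw: str) -> list:
    """Return the one-line-bait signals present in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    signals = []
    if name.strip().lower() in STAFF_NAMES and domain != ORG_DOMAIN:
        signals.append("staff display name on an external address")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        signals.append("Reply-To domain differs from From domain")
    text, attached = "", False
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attached = True
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            text += body.decode(part.get_content_charset() or "utf-8", "replace")
    if len(text.split()) <= 12 and not URL_RE.search(text) and not attached:
        signals.append(SHORT)
    return signals


def is_one_line_bait(raw: str) -> bool:
    # A short plain message is normal on its own; require a spoofing signal too.
    signals = bait_signals(raw)
    return SHORT in signals and len(signals) >= 2


# Constructed sample messages (not real mail).
BODY = "\n\nHey are you in the office?\n"
SPOOFED = "From: Pat Rivera <pat.rivera.office@mail.example.net>\nSubject: Hi" + BODY
GENUINE = "From: Pat Rivera <pat.rivera@example.gov>\nSubject: Hi" + BODY
REPLY_TRAP = ("From: Sam Okafor <sam.okafor@example.gov>\n"
              "Reply-To: sam.okafor@mail.example.net\nSubject: Favor\n\n"
              "Can you do me a quick favor?\n")
```

A match is a reason to tag the message as external or hold it for review, not proof of fraud, since staff do sometimes write from personal accounts.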

Intensive Package Tracking
Are you currently waiting for a package to be delivered?  Most likely the majority of us are.  It’s clear that hackers are aware that we have been ordering online more than ever these past few weeks.  Analysts noticed a surge this week in package tracking and delivery related scams spoofing services such as UPS and DHL.  While these types of scams have been common in the past, the increase this week is just another example of how attackers shift their tactics and focus with ongoing trends.

Reminders
The Arizona Counter Terrorism Information Center (ACTIC) and Urban Area Security Initiative issue this product to increase Arizona’s awareness and cyber resilience.  It’s up to you to make sure you take the proper steps to secure your networks and devices.  Although vendors, products, and/or services may be mentioned, we do not endorse any specific one.

Contact ACTICCybersecurity@AZDPS.GOV with any questions, to provide feedback, or to be added/removed from this distribution.  Please note that this email address is not monitored 24×7.

Report potential, suspected, and/or confirmed cyber threats to the ACTIC via:
https://www.azactic.gov/Tips/
ACTIC@AZDPS.GOV
(602) 644-5805 or (877) 2 S A V E A Z (272-8329)

Ilene Klein, CISSP, CISM, CIPP/US
Cybersecurity Program Coordinator
Urban Area Security Initiative
City of Phoenix
Office of Homeland Security and Emergency Management
200 W Washington Street
Phoenix, AZ  85003
602-644-5698 (desk)
847-894-8298 (cell)

Hot Topics
This newsletter contains links to online news articles and websites.  Before clicking, see “Should You Trust the Links” way below.

To paraphrase from an old Monty Python sketch, “Scam, scam, scam, scam.”  As Snippets (and everybody else) have been warning, we’re seeing all types of COVID-19/coronavirus scams.  Stimulus check scams are also kicking into high gear, as the FTC is warning.  So please, do not trust any email, text, or website sharing COVID-19 information or supplies.  Listed below are authoritative government sites for information on the pandemic and the stimulus checks.

  • https://www.azdhs.gov/ — Arizona Department of Health Services for the latest Arizona statistics and information
  • https://www.cdc.gov/ — Center for Disease Control’s website
  • https://www.cisa.gov/coronavirus — DHS Critical Infrastructure Security Agency’s website
  • https://www.coronavirus.gov/ — Federal resources with guidance and links to more info
  • https://www.fema.gov/Coronavirus-Rumor-Control — FEMA’s website to dispel rumors
  • https://www.irs.gov/coronavirus — IRS website with info about Coronavirus Tax Relief
  • https://www.nga.org/coronavirus/ — State updates and emergency declarations

Cybercrime / Hacking
Beware of zoom-bombing.  That’s when an uninvited person crashes your Zoom video meeting.  Zoom bombers are sharing violent videos and images, and pictures of a man’s, um, favorite part of his anatomy.  So, don’t post the link to your video meetings on social media or public websites, and use Zoom’s host controls.

Sextortion scammers are adding the COVID-19 pandemic as a tool to scare and extort money from victims.  The new version threatens to infect victims’ families with the SARS-CoV-2 virus if the extortion demands are not met, in addition to revealing “dirty secrets.”

Home / Personal Issues
There’s a new app called Quarantine Chat that may help some people who are experiencing loneliness while in isolation.  Snippets hopes you take care of your mental as well as physical health.

Are you working from home?  Are you wearing pants?  Walmart says it’s seeing increased sales of tops — but not bottoms.  This news gave Snippets a much-needed giggle.

Politics / Legislation
Nothing significant to report this month.  Snippets thinks folks are busy working on other stuff.

Privacy / ID Theft
You probably heard about the spring breakers who congregated on Florida beaches instead of practicing their physical distancing.  A company analyzed anonymized mobile devices that were active at a single Ft. Lauderdale beach during spring break to see where they went (and where COVID-19 potentially spread).  The video is pretty scary.  And from a privacy standpoint, this is also a reminder that your GPS-enabled mobile device is a tracking device.

Child identity theft is a growing problem.  And unfortunately, 60% of child identity fraud victims personally know their thief.

Best Practices / Risk Mgmt
You know you should use strong, long, unique passwords.  But how do you remember them?  See the attached document from the Michigan Cyber Command Center that describes password managers.

You also know about phishing scams.  But how do you tell a phish from a legitimate email?  See the attached document from the Association of American Railroads Railway Alert Network that explains tell-tale phishing indicators.  This is aimed at the rail sector but applies to all.

The California Cyber Security Integration Center put out a good guide for teleworkers.  See attached.  This info is good for all computer users — not just those teleworking.

Quotes of the Month
As unique as we all are, an awful lot of us want the same things. We want to shake up our current less-than-fulfilling lives. We want to be happier, more loving, forgiving and connected with the people around us.

—Brene Brown

I am confident that nobody… will accuse me of selfishness if I ask to spend time, while I am still in good health, with my family, my friends and also with myself.

—Nelson Mandela

Beginning today, treat everyone you meet as if they were going to be dead by midnight. Extend to them all the care, kindness and understanding you can muster, and do it with no thought of any reward. Your life will never be the same again.

—Og Mandino

Bonus!
Here’s a list of concerts you can watch from home right now.

Heavy metal classical?  Yes, please.  This is enthralling and magical.  Seriously.

For those who prefer literature to music, here are the first lines of 10 classic novels, rewritten for social distancing.

Questions & Feedback
Security Snippets is brought to you by your organization and the Arizona Counter Terrorism Information Center (ACTIC) and the Urban Area Security Initiative (UASI).  Its purpose is to increase Arizona’s cyber resilience by helping you learn more about security and privacy so you can better protect yourself and your family.

Important:  It is up to you to make sure you take the proper steps to secure your home networks and devices.  The ACTIC is not responsible for your personal devices.

Contact Snippets at ACTIC Cybersecurity with any questions, to provide feedback, or to be added/removed from this distribution.  Please note that this email address is not monitored 24×7.

Any views or opinions presented in this newsletter are solely those of the author and do not necessarily represent those of the ACTIC.  Reference to any specific commercial product, process, service, link, or the use of any trade, firm or corporation name is for the information and convenience of the reader, and does not constitute endorsement, recommendation, or disparagement by the ACTIC.

Should You Trust the Links
This email contains links.  Should you trust them?  Thanks for asking!  So, let’s examine this message.  It contains the ACTIC’s standard header, states its purpose is to increase your security awareness, and doesn’t threaten or ask you to respond immediately.  The verbiage is conversational rather than formal, and attempts to be interesting and entertaining, as well as educational.  And you probably signed up to receive this newsletter.  Snippets says to trust it, but what do you think?  Send an email to ACTICCybersecurity@azdps.gov.  (Hint: Hover your mouse over any link to see where it’s really going.)