Mar 27, 2020, 1:09 PM
To: Organizations Cyber Distro
Below and attached is this month’s Noise.
Important: If you need to contact me, please send an email to firstname.lastname@example.org or email@example.com. Do not use the ACTICCybersecurity@azdps.gov email address. I currently have no access to that mailbox. Thanks!
2020-03 — AZ cyber threat brief presentation
- Ensure you’ve closed ports 3389 (RDP) and 445 (SMB). Attackers are actively scanning these ports as they know we’re working from home and need to access files. RDP is remote desktop protocol, used to access your computer remotely. SMB is server message block, used for allowing shared access to files and other resources.
- Warn your folks about scams with COVID-19/coronavirus themes and scams related to the upcoming federal relief package. Also attached are documents from the Louisiana fusion center and Anomali with a collection of indicators used to push malware variants with a COVID-19 virus theme.
- Learn about and implement DMARC to authenticate email to prevent email spoofing, if you haven’t already. The Global Cyber Alliance (GCA) is offering a new installment of its DMARC Bootcamp. Beginning May 4th, GCA will conduct five weeks of online technical training focused on what DMARC is and how to implement it.
- There is a wealth of guides available to help safeguard remote workers. Here are a couple.
- Many companies are offering free tools to help employees work remotely during the outbreak.
Arizona Cyber Trends
Here are this week’s Arizona cyber trends and some related news.
COVID-19 / Coronavirus Phishing
In last week’s trends, analysts reported a large increase in phishing campaigns related to COVID-19 and targeting users working from home. This week’s trends are all further indicative of this sudden shift in culture. Below are some of the common subject lines. We’re also getting reports of text messages and emails around free Netflix “since we’re stuck at home” and an HHS requirement to take an online “mandatory COVID-19 preparation test.”
- Coronavirus (COVID-19)
- Coronavirus Disease (COVID-19)
- Coronavirus Disease 2019 (COVID-19)
- Coronavirus in the US
- COVID-19 Resources
- FW: Corona virus
- HIGH-RISK: New confirmed cases in your city
- Information about COVID-19 in the United States
- Markes International statement concerning business operations and the coronavirus (COVID-19)
- Social distance and shop
- We’re Here to Help, update about COVID-19
One-Line Phish Bait
Analysts noticed a large resurgence in quick, one-line emails spoofing co-workers or managers. Examples of these emails contain content such as “Hey are you in the office?” or “Can you do me a quick favor?” These types of emails typically make it through most filters as they do not contain links, attachments, or other malicious content. Instead, they attempt to establish a dialogue with the recipient and then lure them into a phishing trap. With a large portion of the workforce working remotely, these types of emails tend to seem more realistic to recipients.
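Because these messages carry nothing for a content filter to match, a mail gateway has to look at who the sender claims to be instead. The following is an added example, not part of the original brief: a Python heuristic that flags a short, link-free, attachment-free message whose display name matches a staff member but whose address is outside the organization. The domain, staff names, length threshold, and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values (not from the newsletter): your mail domain, staff display
# names from your directory, and the length below which a body counts as short.
ORG_DOMAIN = "example.org"
STAFF_NAMES = {"pat rivera", "sam ortiz"}
MAX_BODY_CHARS = 200
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)

def is_one_line_bait(raw_message):
    """True if a staff display name arrives from outside ORG_DOMAIN on a
    short message that carries no links and no attachments."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    name_mismatch = (name.strip().lower() in STAFF_NAMES
                     and sender_domain != ORG_DOMAIN)
    text, has_attachment = "", False
    for part in msg.walk():
        if part.get_filename():
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            text += part.get_payload(decode=True).decode(errors="replace")
    text = text.strip()
    short_and_clean = (0 < len(text) <= MAX_BODY_CHARS
                       and not URL_RE.search(text) and not has_attachment)
    return name_mismatch and short_and_clean

# Constructed sample messages; bodies reuse the phrases quoted above.
SAMPLES = {
    "external_lookalike": 'From: "Pat Rivera" <pat.rivera.office@mail.example.net>\n'
                          "Subject: quick question\n\nHey are you in the office?\n",
    "real_coworker": 'From: "Pat Rivera" <pat.rivera@example.org>\n'
                     "Subject: quick question\n\nCan you do me a quick favor?\n",
    "delivery_notice": 'From: "Parcel Updates" <notify@shipping.example.com>\n'
                       "Subject: tracking\n\nTrack it at https://shipping.example.com/t\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, is_one_line_bait(raw))
```

A message that forges the organization’s own domain in the From header is not caught by this check; authenticating that domain is the job of DMARC, mentioned in the brief above.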
Intensive Package Tracking
Are you currently waiting for a package to be delivered? Most likely the majority of us are. It’s clear that hackers are aware that we have been ordering online more than ever these past few weeks. Analysts noticed a surge this week in package-tracking and delivery-related scams spoofing services such as UPS and DHL. While these types of scams have been common in the past, the increase this week is just another example of how attackers shift their tactics and focus with ongoing trends.
The Arizona Counter Terrorism Information Center (ACTIC) and Urban Area Security Initiative issue this product to increase Arizona’s awareness and cyber resilience. It’s up to you to make sure you take the proper steps to secure your networks and devices. Although vendors, products, and/or services may be mentioned, we do not endorse any specific one.
Contact ACTICCybersecurity@AZDPS.GOV with any questions, to provide feedback, or to be added/removed from this distribution. Please note that this email address is not monitored 24×7.
Report potential, suspected, and/or confirmed cyber threats to the ACTIC via:
(602) 644-5805 or (877) 2-SAVE-AZ (272-8329)
Ilene Klein, CISSP, CISM, CIPP/US
Cybersecurity Program Coordinator
Urban Area Security Initiative
City of Phoenix
Office of Homeland Security and Emergency Management
200 W Washington Street
Phoenix, AZ 85003