A NJ Organization has been Impacted by the CoinHive Script Embedded in the Weatherfor.us Weather Widget:
New Jersey Cybersecurity & Communications Integration Cell today reports that a New Jersey organization recently received several security alerts generated by their endpoint protection system after employees navigated to their organization’s intranet page using either Internet Explorer or Google’s Chrome web browser.
The alerts indicated the presence of CoinHive, JavaScript code designed to mine cryptocurrency through the unauthorized consumption of system resources. Additional analysis conducted by the NJCCIC determined that the Weatherfor[.]us Weather Widget embedded in the organization’s intranet page attempted to deliver the CoinHive cryptocurrency-mining script to end users. The Weatherfor[.]us Weather Widget is a free service designed to deliver external dynamic content to websites in the form of local weather information and can be installed using code provided via the Weatherfor[.]us website. The NJCCIC notified Weatherfor[.]us about the offending script and the affected organization removed the widget from its intranet page. The NJCCIC recommends never embedding dynamic content generated from external sources into intranet pages to prevent the potential compromise of systems and networks resulting from malicious code injected into the content delivery network. Additionally, we recommend network administrators proactively block outbound connections to the domains coinhive[.]com and coin-hive[.]com and monitor network activity for anomalies that indicate cryptocurrency-mining activity. End users are encouraged to use web browsers that proactively block cryptocurrency-mining scripts or install a reputable ad-blocking, script-blocking, and coin-blocking extension in their current browser.
FYI: Decrypting the GandCrab Ransomware Widely Distributed via Emails to New Jersey End Users
The NJCCIC has also detected a recent uptick in malicious emails attempting to deliver GandCrab ransomware to unsuspecting end users throughout the State. Messages associated with this campaign contain subject lines that include the words Payment, Your Order, Document, Invoice, or Your Ticket along with random numbers. The body of the email instructs recipients to open the attached document as soon as possible. If the attached file is opened and macros are enabled, GandCrab will download and begin encrypting files on the victim’s system. The website NoMoreRansom.org provides a free decryption tool for GandCrab victims. Although there is a free decryption tool available for this variant, the NJCCIC would like to remind members that the best way to ensure the integrity and availability of data before, during, and after a ransomware attack is by implementing a comprehensive data backup and recovery plan that includes regularly testing backups, storing them off the network, and keeping them in a secure location. Additionally, keep all systems and software updated to the latest vendor-supported patch levels to mitigate against the exploitation of known vulnerabilities. For a list of additional ransomware mitigation strategies, please download our two-page guide here. If you are targeted by this or another ransomware campaign, please report the incident to your local police department and the FBI, either directly to their local field office or through their website at www.ic3.gov. You may also report it to the NJCCIC via the Cyber Incident Report Form on our website. For additional information on GandCrab and other ransomware variants, visit the NJCCIC Ransomware Threat Profile.
Best Regards,
Ron Benvenisti
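As an added example (not part of the NJCCIC alert or of the e-mail above), the Python script below implements two of the defensive checks the CoinHive section recommends: it inspects an intranet page for script or iframe content loaded from an external origin, and it scans web-proxy log lines for outbound requests to the coinhive[.]com and coin-hive[.]com domains named in the alert (subdomains included). The page content, the log format, and every hostname other than those two domains are constructed for illustration; a real deployment would point the parsers at the organization's own proxy or DNS log format.

```python
"""Defender-side checks based on the NJCCIC CoinHive recommendations.

1. find_external_content: flag <script>/<iframe> tags on an intranet page
   whose src points at a host other than the intranet itself.
2. scan_proxy_log: flag proxy log entries whose destination host is a known
   cryptocurrency-mining domain (or a subdomain of one).

All sample data in this file is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the advisory. Subdomains are matched as well.
MINING_DOMAINS = {"coinhive.com", "coin-hive.com"}


def _host_matches(host, blocked):
    """True if host equals a blocked domain or is a subdomain of one.

    The trailing-dot strip and the "." + d suffix check avoid false positives
    such as 'notcoinhive.com' while still catching 'ws.coin-hive.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


class ExternalScriptFinder(HTMLParser):
    """Collects <script src> and <iframe src> that load from outside the intranet host."""

    def __init__(self, intranet_host):
        super().__init__()
        self.intranet_host = intranet_host.lower()
        self.external = []  # list of (tag, host, src)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        # Relative paths yield hostname None (internal); protocol-relative
        # "//host/..." and absolute URLs yield the external host.
        host = urlparse(src).hostname
        if host and host.lower() != self.intranet_host:
            self.external.append((tag, host, src))


def find_external_content(html, intranet_host):
    """Return every externally sourced script/iframe found in the page."""
    parser = ExternalScriptFinder(intranet_host)
    parser.feed(html)
    return parser.external


def scan_proxy_log(lines, blocked=MINING_DOMAINS):
    """Return log entries whose destination host is a known mining domain.

    Assumed (constructed) line format: '<timestamp> <client-ip> <method> <url> <status>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash
        timestamp, client, _method, url = parts[:4]
        host = urlparse(url).hostname
        if host and _host_matches(host, blocked):
            hits.append({"time": timestamp, "client": client, "host": host, "url": url})
    return hits


# --- constructed sample data -------------------------------------------------
SAMPLE_INTRANET_PAGE = """<html><body>
<script src="/js/site.js"></script>
<div id="weather"><script src="//widget.example-weather.test/widget.js"></script></div>
<iframe src="https://intranet.example.test/hr/news"></iframe>
</body></html>"""

SAMPLE_PROXY_LOG = [
    "2018-03-12T10:15:01Z 10.1.4.22 GET https://intranet.example.test/home 200",
    "2018-03-12T10:15:02Z 10.1.4.22 GET https://widget.example-weather.test/widget.js 200",
    "2018-03-12T10:15:03Z 10.1.4.22 GET https://coinhive.com/lib/coinhive.min.js 200",
    "2018-03-12T10:15:04Z 10.1.4.22 GET wss://ws.coin-hive.com/proxy 101",
    "2018-03-12T10:15:05Z 10.1.4.22 GET https://notcoinhive.com/ 200",
]

if __name__ == "__main__":
    for tag, host, src in find_external_content(SAMPLE_INTRANET_PAGE, "intranet.example.test"):
        print(f"external {tag} on intranet page: {host} ({src})")
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"mining-domain request: {hit['time']} {hit['client']} -> {hit['host']}")
```

Run against the constructed data, the page check reports the weather widget script as the only external include (the iframe points back at the intranet host), and the log scan reports the two coinhive[.]com / coin-hive[.]com requests while ignoring the look-alike `notcoinhive.com` entry. The same `_host_matches` suffix logic is what an egress block rule or DNS sinkhole should implement, since blocking only the bare apex domains would miss subdomains.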
Translation?