
Security Threat Intelligence Report

September 2020

In this issue

• Trickbot malware targets Linux devices

• Internet Explorer script-based malware emerges

• Business compromise attacks bypass MFA

• Zoom phishing campaign harvesting Office 365 credentials

• Agent Tesla RAT adds new features

About this report

Fusing a range of public and proprietary information feeds, including DXC’s global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness.

This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.

Intelligence cutoff date: August 24, 2020

Message from Mark Hughes

The shift to remote work has seen a considerable uptick in targeting of remote access solutions. A new Zoom phishing campaign is harvesting Office 365 credentials, while new business email compromise attacks can bypass multifactor authentication. We must ensure identity and access management are tight, and cyber hygiene is an ongoing focus. We also must continue to educate teams to keep a diligent eye on ongoing phishing schemes and malware.

Mark Hughes
Senior Vice President and General Manager of Security
DXC Technology

Table of contents

Threat Updates

• TrickBot’s Anchor malware platform targets Linux devices (Multi-industry, page 3)

• Business email compromise attacks bypass MFA (Multi-industry, page 6)

• Zoom phishing campaign harvesting O365 credentials (Multi-industry, page 7)

• Agent Tesla RAT adds new features (Multi-industry, page 9)

Vulnerability Updates

• Internet Explorer scripting malware emerges (Multi-industry, page 12)

Incidents/breaches

• Carnival Corporation suffers ransomware attack (Travel Industry, page 15)

Nation State and Geopolitical

• U.S. Justice Department seizes accounts of 3 suspected terrorist groups (Multi-industry, page 16)

2 Security Threat Intelligence Report

Threat Updates

TrickBot’s Anchor malware platform targets Linux devices

Discovered by Stage 2 researcher Waylon Grange, TrickBot’s Anchor malware is still in the early stages of development. Intel is limited at this time. Updates will be reported as they become available.

TrickBot is a multipurpose Windows malware platform that uses different modules to perform various malicious activities, including information stealing, password stealing, Windows domain infiltration and malware delivery.

TrickBot is rented by threat actors who use it to infiltrate a network and harvest anything of value. It is then used to deploy ransomware such as Ryuk and Conti to encrypt the network’s devices as a final attack.

Anchor_Linux will configure itself to run every minute using the following crontab entry:

*/1 * * * * root [filename]

Figure 1. Setting up persistence via CRON. Source: Vitali Kremez

Attack Vector

According to Stage 2, this malware is often delivered as part of a ZIP file and is a lightweight Linux backdoor. Upon execution it installs itself as a cron job, determines the public IP for the host and then begins to beacon via DNS queries to its C2 server.

Dropper functionality includes:

• The ability to drop other malware on Linux devices and execute it

• An embedded Windows TrickBot executable

• An embedded Linux binary that serves as a new lightweight TrickBot malware

• Code connections to older TrickBot tools

This malware can be used to infect Windows machines on the same network. This is the Windows infection process:

• Anchor_Linux will copy the embedded TrickBot malware to Windows hosts on the same network using SMB and the IPC$ share


• When successfully copied to a Windows device, Anchor_Linux will configure it as a Windows service using:

––The Service Control Manager Remote protocol

––SMB SVCCTL named pipe

ATM makers address illegal cash withdrawals

ATM manufacturers Diebold Nixdorf and NCR have fixed a number of vulnerabilities that have allowed attackers to execute arbitrary code with or without system privileges. Hackers made illegal cash withdrawals by committing deposit forgery and manipulating underlying systems by issuing valid commands to dispense currency.

Figure 2. Copying a file via SMB. Source: Waylon Grange

Upon startup, the Windows machine will connect to the C2 for instructions.

Linux version

The Linux version allows threat actors to target non-Windows environments with a backdoor. If successful, attackers can pivot to Windows devices on the same network.

It uses an attack vector outside of email phishing for Windows infection. The Linux backdoor has a persistence mechanism, as seen in the cron job. It functions in UNIX environments and targets UNIX-based devices, including:

• Routers

• VPN devices

• NAS devices that run on Linux operating systems

IoT devices also require security controls and monitoring to detect Anchor_Linux.

Figure 3. TrickBot’s Anchor framework. Source: SentinelOne


Hunting

Anchor_Linux will create a log file at: /tmp/anchor.log

There is a high probability that the name of the log file will change as the malware development progresses. If this file exists, a complete audit of the system for the presence of the Anchor_Linux malware should be conducted. It is expected that TrickBot will continue its development to make it a full-featured addition to its Anchor framework.

IoCs – Courtesy of Stage 2 Security

Hashes:

55754d178d611f17efe2f17c456cb42469fd40ef999e1058f2bfe44a503d877c

C721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc

7686a3c039b04e285ae2e83647890ea5e886e1a6631890bbf60b9e5a6ca43d0

Domains:

*.biillpi[.]com

IPs:

23.95.97[.]59

Yara:

rule anchor_linux_dns {
    meta:
        author = "Stage 2 Security"
        description = "Trickbot anchor_linux"
    strings:
        $hdr = {7f 45 4c 46}
        $x1 = {80 74 0? ?? b9}
        $x2 = "anchor_l"
        $x3 = "getaddrinfo"
        $x4 = "IPC$"
        $x5 = {48 ?? 2f 74 6d 70 2f 00 00 00}
        $x6 = "test my ip"
        $x7 = {73 6d 62 32 5f [4-7] 5f 61 73 79 6e 63 20}
        $x8 = "Kernel32.dll"
        $x9 = "libcurl"
        $x10 = "/1001/"
    condition:
        $hdr at 0 and 7 of ($x*)
}
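An added hunting check, not code from the report or from Stage 2 Security, for the two host artifacts described in the Hunting section above: a system crontab entry that runs a command as root every minute, and the /tmp/anchor.log file. The crontab text and the set of existing paths are constructed samples so the check runs offline; it also treats the equivalent "* * * * *" schedule as every-minute, which generalizes slightly beyond the "*/1" entry shown.

```python
"""Hunt for Anchor_Linux host artifacts: every-minute root cron jobs and /tmp/anchor.log.
On a real host, feed this the contents of /etc/crontab and /etc/cron.d/* (system crontab
format, which has a user column) and leave path_exists at its default of os.path.exists."""
import os
import re

# System crontab line: five schedule fields, a user column, then the command.
CRON_LINE = re.compile(
    r"^\s*(?P<min>\S+)\s+(?P<hour>\S+)\s+(?P<dom>\S+)\s+(?P<mon>\S+)\s+(?P<dow>\S+)"
    r"\s+(?P<user>[A-Za-z_][\w-]*)\s+(?P<cmd>.+?)\s*$"
)

ANCHOR_LOG = "/tmp/anchor.log"  # log file named in the report


def runs_every_minute(fields):
    """True when the schedule fires every minute. The report shows '*/1 * * * *';
    '* * * * *' is the equivalent spelling, so it is treated the same (generalisation)."""
    minute_ok = fields["min"] in ("*", "*/1")
    return minute_ok and all(fields[f] == "*" for f in ("hour", "dom", "mon", "dow"))


def suspicious_cron_entries(crontab_text):
    """Return (user, command) for root jobs that fire every minute.
    Comment lines and environment assignments (SHELL=..., PATH=...) are skipped."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_LINE.match(line)
        if m and m["user"] == "root" and runs_every_minute(m.groupdict()):
            hits.append((m["user"], m["cmd"]))
    return hits


def hunt(crontab_text, path_exists=os.path.exists):
    """Combine both checks. path_exists is injectable so the sample run below
    does not depend on the machine it runs on."""
    findings = [f"every-minute root cron job: {cmd}" for _, cmd in suspicious_cron_entries(crontab_text)]
    if path_exists(ANCHOR_LOG):
        findings.append(f"log file present: {ANCHOR_LOG} (full system audit recommended)")
    return findings


# Constructed sample crontab: one benign hourly job, one Anchor-style job, one non-root job.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/1 * * * * root /var/tmp/.cache/anchor_dns
*/5 * * * *     backup  /usr/local/bin/backup.sh
"""
# Constructed set of paths standing in for the filesystem of an infected host.
SAMPLE_PATHS = {"/tmp/anchor.log", "/var/tmp/.cache/anchor_dns"}

if __name__ == "__main__":
    for finding in hunt(SAMPLE_CRONTAB, SAMPLE_PATHS.__contains__):
        print(finding)
```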


Impact

Trickbot was first detected in 2016 and has developed its capabilities extensively over the years. Trickbot can disable antivirus systems, propagate throughout a network, perform man-in-the-middle attacks and drop other malware. The latest Trickbot update means the malware has a completely new attack vector targeting Linux and Unix devices. Based on its success with Windows machines, the impact rating to organizations should be considered critical.

TrickBot has been seen in the wild dropping Ryuk and GlobeImposter ransomware. Multiple malware infections greatly complicate the remediation process. It has successfully disabled endpoint antivirus applications, allowing the infection to spread across the network, compromising over a hundred systems.

Note that Trickbot began as a banking trojan and is proficient at harvesting and exfiltrating data from infected systems prior to deploying ransomware, which is a tactic adopted by most ransomware groups in 2020.

iOS SDK breach surfaces

Researchers discovered malicious functionality within the iOS MintegralAdSDK (aka SourMint) distributed by Chinese company Mintegral. The malicious functionality enabled ad fraud on hundreds of iOS apps and brought major privacy concerns to consumers. It allows spying on user link click activity within thousands of iOS apps that use the SDK, tracking requests performed by the app and reporting it back to Mintegral’s servers.

DXC perspective

Trickbot is used by multiple threat actor groups due to its success rate and its ability to propagate throughout the environment and drop other malware. Groups using Trickbot are financially motivated, and successful intrusions will result in the exfiltration of data. Security controls should be tuned to alert on abnormal outbound traffic. It may also deliver disruptive malware such as ransomware and system-wiping malware.

The recent addition of this new Trickbot attack vector will require security teams to tune security monitoring tools to detect intrusions as well as hunt for existing network presence of previous non-detected intrusions.

Sources: Stage 2 Security, Intezer Labs, SANS

Business email compromise attacks bypass MFA

Business email compromise (BEC) campaigns are increasing in frequency, and compromise success rates are up, with reports of email accounts being taken over despite multifactor authentication (MFA) and conditional access.

It is not possible to enforce MFA when a user signs into an account using legacy email protocols, including IMAP, SMTP, MAPI and POP. Office 365 licenses provide the ability to configure conditional access policies, which block access from legacy applications. However, attackers are bypassing conditional access controls by obscuring (renaming) the app being used. Credential stuffing campaigns have been seen in the wild using legacy applications in attempts to bypass MFA.


Impact

The motivation behind BEC attacks is financial and can impact organizations at various levels:

• Credential harvesting and data exfiltration

• Financial losses from company fund transfer requests

• GDPR fines associated with PII data being exfiltrated

• Reputational damage resulting from any of the above

DXC perspective

Even the most highly trained and vigilant employee will get fooled by the variety of tactics that threat actors use. Security controls such as secure email gateways (SEGs) should be used to prevent such emails from reaching legitimate users. SEGs are helpful in filtering out inbound emails containing malicious files, URLs and known abusive senders. However, SEGs will not help with well-planned and well-crafted social engineering tactics.

Internal controls should be in place to limit or completely avoid a single point of failure within all departments. Special emphasis should be placed on requiring multiple signoffs on sending company funds externally.

Organizations should consider the following:

• Secure email gateways

• A privileged access management solution

• Endpoint protection that detects and stops abnormal behavior

Sources: Proofpoint; FBI InfraGard: Membership Distribution

Zoom phishing campaign harvesting Office 365 credentials

Attackers are sending phishing emails to Zoom users aimed at credential harvesting. The emails contain a meeting invitation that includes a file to download in order to access details about the meeting invitation and start the meeting.

The email messages originated from hijacked accounts and newly purchased domain names (zoomcommuncations.com and zoomvideoconfrence.com), with identification information appearing to be legitimate:


RDP used by Iranian actors in international Dharma ransomware attacks

Iranian actors leveraged the remote desktop protocol (RDP) as part of an international campaign to target companies with Dharma ransomware. Artifacts found by the investigating organization, Group-IB, indicated that the group attempted to distribute Dharma on affected companies’ networks in Russia, Japan and India. The attackers used Advanced Port Scanner to map the compromised network for available hosts, then moved laterally by abusing RDP. Ransom demands ranged from 1 to 5 BTC.

Figure 4.

Instead of harvesting Zoom credentials, the main goal of the campaign is to harvest Office 365 credentials by redirecting users to an Office 365 or Outlook login page. The page’s HTML, JavaScript and PHP code is encoded, making it unreadable to humans and to automated security tools; as a result it remains undetected and evades URL reputation checkers.

Figure 5.


Impact

The Zoom platform has seen a dramatic increase in traffic due to the increase in remote workers. This campaign gives attackers the ability to enter organization meetings and steal proprietary information as well as credentials.

DXC perspective

No single security control is enough to stop a well-crafted attack such as this one. Key tactics include secure email gateways and timely threat intelligence combined with user education on what to expect from various virtual meeting vendors.

Source: INKY – Bukar Alibe

Agent Tesla RAT adds new features

Agent Tesla is emerging as an inexpensive and easy-to-use malware aimed at stealing information. It is attractive to low-skilled threat actors, and many versions now exist based on the original code.

The malware first appeared on the agenttesla.com site, which is now closed. Varying levels of code were sold for $12 to $35:

Figure 6.

Agent Tesla is delivered via email, and those behind the attacks were observed spreading it via COVID-19-themed messages, often masquerading as information or updates from the World Health Organization.

Recent Agent Tesla upgrades include:

• More robust spreading and injection methods

• Discovery and theft of wireless network details and credentials

• Harvesting of configuration data and credentials from:

––VPN clients

––FTP and email clients

––Web browsers

• Extraction of credentials from the registry and related configuration files


List of targeted software: 360 Browser, Apple, Becky! Internet, BlackHawk, CentBrowser, CFTP, Chedot, Chrome, Coccoc, CoolNovo, CoreFTP, CyberFox, Elements, FileZilla, FlashFXP, IceCat, IceDragon, IncrediMail, Iridium, KMeleon, Kometa, Liebao, Microsoft IE & Edge, Mozilla Thunderbird, OpenVPN, Orbitum, PaleMoon, Privacy, QIP, QQBrowser, Qualcomm, SeaMonkey, SmartFTP, The Bat! Email, Trillian Messenger, UCBrowser, Uran, WinSCP

Russia’s GRU military unit behind Linux malware attacks

Russia’s GRU military unit is suspected to be behind Drovorub, a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a C2 server. Identifying this malware is difficult. Packet inspection at network boundaries is useful in detecting Drovorub on networks, alongside probing, security products, live response, memory analysis and media (disk image) analysis.

The harvested data is transmitted to the C2 via SMTP or FTP. The transfer method is hardcoded in the malware’s internal configuration and includes credentials (FTP or SMTP) for the C2. New variants can drop or retrieve secondary executables.

Samples of this malware have been seen creating hidden folders and processes in %temp%. The persistent process is set via the registry:

/c copy "C:/Users/admin1/Desktop/tes_10.exe" "%temp%\FolderN\name.exe" /Y

Figure 7.

Execution

This malware gathers local system information, installs the keylogger module, and initializes routines for discovering and harvesting data. This process includes basic WMI queries. Examples include:

• start iwbemservices::execquery - select * from win32_operatingsystem

• start iwbemservices::execquery - select * from win32_processor


For wireless network settings and credential discovery, the malware launches an instance of netsh.exe. The syntax utilized initially is:

• Netsh.exe wlan show profile

Upon launch, an instance of the malware is dropped into %temp% as a hidden file, in a hidden folder:

• /c copy "C:/Users/admin1/Desktop/tes_10.exe" "%temp%\FolderN\name.exe" /Y

The following command is then used to create the autorun registry key:

• /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f

MITRE ATT&CK mapping:

• Modify registry (T1112)

• Subvert trust controls: Install root certificate (T1553.004)

• Hide artifacts: NTFS file attributes (T1564.004)

• Hijack execution flow: DLL search order hijacking (T1574.001)

• Process injection: Process hollowing (T1055.012)

• Data from information repositories (T1213)

• Boot or logon autostart execution: Registry run keys/startup folder (T1547.001)

• Process injection (T1055)

• Unsecured credentials: Credentials in files (T1552.001)

• System information discovery (T1082)

• Query registry (T1012)

• OS credential dumping (T1003)

• Scheduled task (T1053)

Impact

Agent Tesla was first seen in the wild in 2014. It is a .NET-based keylogger and remote access trojan (RAT) that beacons data back to a C2 server. Recent developments have increased its capabilities extensively. Current versions have improved persistence and the ability to harvest data from more services.

DXC perspective

Agent Tesla is easily accessible and is used by many threat actor groups due to its success rate and ability to exfiltrate data without notice. Groups using Agent Tesla are both financially and espionage motivated, which means successful intrusions will result in the exfiltration of data. Expect to see more malspam campaigns that will attempt to distribute Agent Tesla. Cyber defense security controls should be tuned to alert on abnormal outbound traffic.

Sources: Malpedia, Check Point, Bleeping Computer

Vulnerability Updates

Internet Explorer scripting malware emerges

Recent samples of script-based malware delivered through the Internet Explorer (IE) browser are exploiting Windows OS users. Observed in the wild over the past 2 months, two distinct samples have been obtained from compromised machines:

Sample 1:

• JScript Remote Access Trojan (RAT)

• Persistence mechanism enabled

• Uses encoded network connection to connect to the attacker

• Attackers execute arbitrary commands on the target machine

Sample 2:

• AutoIT downloader

• Uses network connection and script functions to download and execute malware

• Capable of loading a variety of malware types

Based on the c.js JScript RAT downloaded from the assurancetemporaireenligne.com domain on April 18, the PowerShell command used to exploit the CVE-2019-0752 vulnerability is:

Figure 8.

Persistence mechanism

The c.js script creates and sets a new value for the registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This value, named loaderName, is set with a path to a certain loader.jse file.


Figure 9.

The run key causes programs to run each time a user logs on. The loader.jse script, which is not created yet, will run automatically each time the Windows OS boots. For the next step of the persistence process, the c.js creates the actual loader.jse file.

The following image shows the loader.jse script is created in the AppData folder. This is a hidden folder by default on Windows OS:

Figure 10.

When the loader.jse is run, it opens the registry key HKCU\Software\loaderName and runs the code contained in the data value.

The packed code in the registry key loaderName contains the function(p,a,c,k,e,d) pattern, which indicates the Dean Edwards packer was used to obfuscate the code. This packer is outdated now but was commonly used in the past by benign scripts and is therefore whitelisted by many kinds of detection technologies.
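An added example, not code from the report or its sources, that audits a Windows registry export for the persistence artifacts described here and in the Agent Tesla section above: the Load value under Windows NT\CurrentVersion\Windows pointing into %temp%, a Run value that launches a .jse loader from AppData, and any value holding function(p,a,c,k,e,d)-packed code. The .reg text is a constructed sample; only string values are parsed, which is all these checks need.

```python
"""Audit a .reg export (e.g. from 'reg export HKCU out.reg') for the persistence
patterns this report describes for Agent Tesla and the c.js JScript RAT."""
import re

# Keys named in the report.
LOAD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Dean Edwards packer signature noted in the report.
PACKER_RE = re.compile(r"function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)")
# Paths into the user's temp directory, either via the variable or expanded.
TEMP_RE = re.compile(r"%temp%|\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Windows Script Host / HTA extensions a Run-key loader would use.
SCRIPT_EXT_RE = re.compile(r"\.(jse|js|vbe|vbs|wsf|hta)\b", re.IGNORECASE)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg text.
    Handles "name"="data" and @="data" lines; .reg doubles backslashes, so undo that."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and line.startswith(('"', "@")):
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def audit_persistence(text):
    """Return (finding_kind, key, value_name, data) tuples for each suspicious value."""
    findings = []
    keys = parse_reg_export(text)
    # Agent Tesla: winlogon 'Load' value pointing into %temp% (report shows a .lnk there).
    for name, data in keys.get(LOAD_KEY, {}).items():
        if name.lower() == "load" and TEMP_RE.search(data):
            findings.append(("agent_tesla_load_value", LOAD_KEY, name, data))
    # c.js: Run-key value that launches a script loader dropped under AppData.
    for name, data in keys.get(RUN_KEY, {}).items():
        if SCRIPT_EXT_RE.search(data) and "appdata" in data.lower():
            findings.append(("script_loader_run_value", RUN_KEY, name, data))
    # c.js: packed JScript body stored as registry data (any key, any value).
    for key, values in keys.items():
        for name, data in values.items():
            if PACKER_RE.search(data):
                findings.append(("packed_script_in_registry", key, name, data[:40] + "..."))
    return findings


# Constructed sample export: one benign Run value plus the three artifacts above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="%temp%\\FolderN\\name.exe.lnk"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"loaderName"="C:\\Users\\user\\AppData\\Roaming\\loader.jse"

[HKEY_CURRENT_USER\Software\loaderName]
@="eval(function(p,a,c,k,e,d){e=function(c){return c};return p}('PLACEHOLDER',0,0,''))"
"""

if __name__ == "__main__":
    for finding in audit_persistence(SAMPLE_REG):
        print(finding)
```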

The attacker can perform the following tasks on the target system:

• Execute commands

• Download files

• Reboot the Windows OS

• Terminate processes

• Shut down Windows OS


AutoIT downloader

This is the 2.exe file downloaded from the dark.crypterfile.com domain using the same vulnerability CVE-2019-0752:

Figure 11. Command used to download and launch the AutoIT downloader sample.

The AutoIT code retrieves the system information, which is stored in the $asysinfo array. Then there is a check on the sixth element of this array, which corresponds to the number of logical processors.

The check verifies that the number of logical processors is greater than or equal to four, and only then downloads the malicious files (a common sandbox-evasion test, since analysis VMs are often configured with fewer cores). Using the InetGet and Run AutoIT functions, the malicious script downloads and executes multiple files on the target system.

The last file downloaded is stored in the Current User Startup folder. The file will execute each time the user logs in to the Windows OS.

Figure 12.

Impact per Microsoft

CVE-2020-1380 has received a CVSS score of 7.5, according to Microsoft. A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.

DXC perspective

Patching vulnerabilities of this nature needs to be a high priority for all organizations. This exploit, which has multiple facets (a remote access trojan, a downloader and an effective persistence mechanism), has the potential to cause extensive damage within an IT environment. Patching or other mitigation techniques, although difficult at times, are the best option.

According to Microsoft, in a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, including those that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

Sources: Microsoft, MITRE, Trend Micro

Investment scam sites shut down

The National Cyber Security Centre (NCSC) has shut down more than 300,000 URLs found to be linked to investment scams in a four-month period. Many of these ruses began with fake news articles that promoted investment advice from celebrities. As is most common with phishing, the news articles sought to trick readers into visiting hoax websites claiming methods to help the user “get rich quick.” Source: Tripwire

Incidents/breaches

Carnival Corporation suffers ransomware attack

Carnival disclosed a ransomware attack that impacted one of its subsidiaries. Carnival has not disclosed which division was the target of that attack or if other divisions were subsequently affected.

Carnival’s brands include Princess Cruises, Holland America Line, P&O Cruises, Costa Cruises, AIDA Cruises and Cunard.

The attack appears to have exfiltrated customer and employee data. In a Form 8-K regulatory filing, Carnival said its investigation so far shows no other systems were impacted.

“While the investigation of the incident is ongoing, the company has implemented a series of containment and remediation measures to address this situation and reinforce the security of its information technology systems,” Carnival stated.

The Prevailion company was tracking C2 activity across the internet and observed suspicious activity to and from Carnival’s network between February and early June of this year.

During that period, an IP address belonging to Carnival was observed regularly communicating with malicious C2 servers outside the company. High levels of communication were observed between April 11 and June 5.

Prevailion tracked over 46,000 attempted connections from the Carnival IP address to the C2 servers.

Prevailion identified the activity as associated with Ramnit malware, which most recently was used for credential theft.

The above C2 activity cannot be definitively linked to the August 2020 ransomware attack, but it should be noted that ransomware groups have changed their tactics from encrypting data upon entry to maintaining a stealthy presence within the compromised environment. The goal is to exfiltrate sensitive and proprietary data and use that as leverage to obtain the requested ransom.

Other news

• Utah Gun Exchange breached - Security Boulevard

• Canada Revenue Agency discloses credential stuffing attack - Security Boulevard

• Nine leaky GitHub repos affecting 200K U.S. residents - Security Boulevard

Impact

Details regarding this attack, the second successful breach this year at Carnival, are limited. Carnival did initiate an internal investigation that included notifying law enforcement and engaging an external security firm.

Reports note that Carnival’s internal security team and controls were able to prevent the entire network from being compromised. The ransomware encryption process was halted, but the impact on customer and employee data is not known, nor has the attack vector been disclosed. Carnival has indicated that it expects to see claims arising from customers’ data being exposed.

DXC perspective

Ransomware attacks are on the rise and will continue given how lucrative such attacks are. Financially motivated threat actors have no reason to stop attacks that have such a high success rate.

Preparation and planning are key components to stopping ransomware attacks. It is highly recommended that all organizations obtain a copy of the U.S. Secret Service’s “Preparing for a Cyber Incident – A Guide to Ransomware.” The document contains valuable information that can be useful in combatting all types of malware attacks.

Another factor to consider is that this was the second successful attack at Carnival in a matter of months. It is not uncommon for threat actors to initiate secondary attacks to test if the environment is still vulnerable.

Sources: Prevailion, Security Affairs

Nation State and Geopolitical

U.S. Justice Department seizes cryptocurrency accounts of three suspected terrorist groups

The U.S. Justice Department announced it has seized a record $2 million in cryptocurrency intended to fund the activities of al-Qaida, the al-Qassam Brigades and the Islamic State.

U.S. authorities obtained warrants to seize the money and to dismantle 300 cryptocurrency accounts. Warrants also took down four websites and four Facebook pages the three terror groups used as part of their cyber campaigns to generate funds.


Impact

Federal prosecutors said the three campaigns relied on sophisticated cyber tools to generate cryptocurrency donations to finance their operations.

Officials also noted that donations were not anonymous. Agents with the Internal Revenue Service, Homeland Security Investigations and the FBI tracked and seized 150 cryptocurrency accounts that laundered funds for the terrorist groups. Agents also executed criminal search warrants for the people and organizations that donated money from within the .

DXC perspective

The Department of Homeland Security has an ongoing campaign called, “If You See Something, Say Something.”

As information technology and cybersecurity professionals, we are in a unique position to come across intelligence that may be valuable in preventing a terrorist attack. Share the intel.

Sources: United States Department of Justice; Department of Homeland Security – Membership distribution


Learn more

Thank you for reading the Security Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security.

DXC in Security

Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,000 experts and a global network of security operations centers.

DXC provides solutions tailored to our clients’ diverse security needs, with areas of specialization in Cyber Defense, Digital Identity, Secured Infrastructure and Data Protection. Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.

Stay current on the latest threats at www.dxc.technology/threats.

Get the insights that matter. www.dxc.technology/optin

About DXC Technology DXC Technology (NYSE: DXC) helps global companies run their mission critical systems and operations while modernizing IT, optimizing data architectures, and ensuring security and scalability across public, private and hybrid clouds. With decades of driving innovation, the world’s largest companies trust DXC to deploy our enterprise technology stack to deliver new levels of performance, competitiveness and customer experiences. Learn more about the DXC story and our focus on people, customers and operational execution at www.dxc.technology.

©2020 DXC. All rights reserved. September 2020