
August 2019

Threat Intelligence Report

Manufacturing/Public Sector

In this issue

• New records in fines, demands
• Magecart exploits Amazon Cloud S3 buckets
• Can hackers sit in on your next teleconference?
• Think twice before scanning QR codes on mobile devices
• “What you gonna do, phone the [] police?”

About this report

Fusing a range of public and proprietary information feeds, including DXC’s global network of security operations centers and cyber intelligence services, this DXC Technology report delivers an overview of major incidents, insights into key trends and strategic threat awareness. This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.

Intelligence cutoff date: 24 July 2019

Mark Hughes, Senior Vice President and General Manager of Security

The cost of cyber incidents is growing, as evidenced by recent substantial fines for data breaches and increasing ransomware demands. In addition to immediate financial losses from business disruption, victims face longer-term reputational damage, such as the recent takeover of the London police account by hacktivists.

This month it’s clear that the threat landscape is continuing to evolve. For example, we’re seeing new twists on familiar threats, such as campaigns that use Quick Response (QR) codes to target mobile devices, and the latest Magecart exploit of using poorly configured cloud buckets to inject the group’s notorious card-skimming code.

Table of Contents

Threat updates
• Ransom payments nearly double in second quarter (Multi-industry)
• QR codes used to evade mailbox protections (Multi-industry)
• Magecart card skimmer hits thousands of Amazon Web Services S3 buckets (Multi-industry)
• Suspected developer arrested by Dutch National Police Unit (Multi-industry)

Nation state & geopolitical updates
• DNS infrastructure hijacking campaigns continue (Public Sector, Energy)
• Linux desktop malware has suspected Russian links

Vulnerability updates
• Substantial vulnerabilities in Zoom videoconferencing application (Multi-industry)
• Critical vulnerability discovered in ProFTPD (Multi-industry)

Incidents/Breaches
• Huge fines and settlements follow British Airways and Equifax breaches (Travel and Transportation, Financial Services)
• London police suffer social media hijacking (Public Sector)


Threat updates

Ransom demands nearly double in second quarter

The average payment demand related to a ransomware infection has almost doubled, largely as a result of several organizations, including two Florida cities, falling victim to the Ryuk and Sodinokibi ransomware strains.

Impact

Data from ransomware incident response company Coveware shows that in the second quarter of 2019 the average ransom payment increased by 184 percent to $36,295. The analysis also showed that, although public and private sector entities were targeted, public sector victims paid an average of 10 times more in ransom. This dynamic is possibly fueled by increased media scrutiny of public sector entities and their requirement for system availability.

Increasing ransom demands are likely due to threat actors focusing deployment of Ryuk and Sodinokibi in large enterprise environments. This trend is seen in other prominent strands of ransomware, including LockerGoga, MegaCortex and GandCrab. Deployment methods for these strains vary. Ryuk’s operators use common banking Trojans to gain initial access to corporate environments before expanding network access and deploying the ransomware binary, normally exploiting Active Directory. Sodinokibi has focused on compromising managed services providers (MSPs) and deploying ransomware to managed endpoints to maximize the scale of the infection.

Ryuk ransomware
Who? Sole operation by Eastern European cybercriminal group Grim Spider.
What? “Big game hunting” ransomware campaigns, which focus on the largest enterprise environments.
How? A combination of automated infection with manual expansion of access, typically using trojans via malspam for initial access.
Notable example? Gained more than $1 million in ransom from Riviera Beach and Lake City in Florida during attacks in May.

DXC perspective

The widely reported decline in ransomware since 2017 is deceptive. The ransomware threat is evolving. There may be fewer total events, but those that occur are often more serious. For example, Ryuk ransomware garnered more than $1 million in ransom from Riviera Beach and Lake City in Florida during attacks in May.

Increased sophistication in deployment tactics and a renewed focus on “big game hunting” means the threat has never been greater to enterprise environments. Attacks now seek to infect entire organizations in a single incident rather than a handful of hosts or individual network segments.

Denial of initial access is key to prevention. Effective identity and access management controls, network access controls, phishing mail protections and training, and next-generation endpoint solutions can all help prevent account compromise and the delivery of malware. Source: Bleeping Computer

QR codes used to evade mailbox protections

Among the June 2019 Windows updates, Microsoft released patches for CVE-2019-1040, a vulnerability in the NT LAN Manager (NTLM) message integrity code (MIC) protection mechanism.

A phishing campaign was detected using QR codes to avoid detection by URL analysis. Individuals received spam emails posing as a SharePoint notification with an embedded QR code to scan and view an associated document.

Impact

Using a QR code successfully bypasses most traditional mailbox protections and avoids URL sandboxing. The phishing site is optimized for mobile browsers, highlighting the focus on mobile devices. This targeting enables adversaries to bypass the corporate security zone while retaining a high likelihood of obtaining user credentials. Stolen credentials will subsequently be used to achieve initial access to corporate networks by the phishing actor or may be sold to third-party criminal groups for use in further campaigns.

Most-attacked industries in July
• Financial services
• Professional services/consulting
• Telecommunications
• Manufacturing
• Insurance

DXC perspective

The prevalence of bring-your-own-device (BYOD) policies provides adversaries with an expanded attack surface. Credential phishing remains a prominent attack vector for a range of sophisticated criminal- and state-sponsored actors. We are likely to witness continued efforts to achieve credential compromise outside of the traditional corporate security zone. Targeting of mobile devices is on the increase beyond credential phishing, with several campaigns deploying new mobile-specific malware.

The innovative use of QR codes to bypass protections demonstrates the importance of layered security and visibility into access of cloud applications. A well-configured cloud access security broker (CASB) can enable security analysts to highlight suspicious login activity in the event of Office 365 credential theft, enabling swift response and remediation. The use of multifactor authentication is also an effective method of mitigating credential-phishing risk. Source: Cofense

Magecart card skimmer hits thousands of Amazon Web Services S3 buckets

The notorious payment-card skimming tool Magecart has hit another 17,000 websites, according to RiskIQ. The latest twist is the exploitation of improperly configured Amazon Simple Storage Services (S3).

Impact

Magecart is divided into groups that focus on different targets and employ different tactics. The latest campaign is a new spin on a familiar tactic. Card details are still stolen by malicious JavaScript skimming code, but this time the injection occurs via storage buckets for open public hosting sites with “write” access enabled.

Magecart uses open source web-scanning tools, such as Shodan, to identify vulnerable buckets. Once attackers find a misconfigured bucket, they scan it for any JavaScript files, append their skimming code and overwrite the script on the bucket. If these files are loaded onto a payment-processing page, card details will be copied and sent to a system under Magecart control. This scattershot approach to the injection is likely to return a low success rate, which suggests a degree of automation and differing from some of the highly targeted Magecart campaigns of 2018.

Notable Magecart groups
Groups 1 and 2: Use extensive automation to breach and skim sites. Include a wide target array and complex, bespoke reshipping infrastructure for monetization.
Group 3: Focuses on high-volume targeting, often in Latin America, using unique skimmers to check web pages to display payment change information.
Group 4: Sophisticatedly blends into “normal” web traffic by mimicking ad providers, analytic modules or victim domains. Realized 3,000+ possible compromises.
Group 5: Targets third-party suppliers to compromise multiple websites. Was implicated in 2017 Ticketmaster breach.
Group 6: Only focuses on largest organizations to secure high number of transactions. Responsible for 2018 British Airways and Newegg breaches.
Group 11: Adds skimmer capabilities for credential or sensitive information theft. Responsible for December 2018 Vision Direct breach.
Group 12: Targets third parties to inject card-skimming code into multiple sites. Responsible for 2018 Adverline breach.

DXC perspective

Visibility and secure configuration in the cloud are essential to mitigating a range of threats. For this Magecart threat, simply disabling public access to sensitive cloud storage will suffice. When S3 buckets are accessible to the internet, “write” permissions must be strictly controlled. Source: RiskIQ
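The precondition the campaign above abuses is a bucket that anonymous users can write to. The following audit routine is an added example (not DXC’s or RiskIQ’s tooling): it takes a bucket ACL and bucket policy in the JSON shapes that the AWS API returns and reports every grant that lets “everyone” or “any AWS account” overwrite objects. The sample ACL, policy and bucket name are constructed so the script runs offline; only the AWS group URIs and permission names are real.

```python
import json
from typing import Dict, List, Optional, Union

# Grantee URIs AWS uses for "everyone" and "any AWS account" in bucket ACLs.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# ACL permissions that let a grantee create/overwrite objects or change the ACL.
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions (lower-cased) that let a principal overwrite hosted objects.
WRITE_ACTIONS = {"s3:putobject", "s3:putobjectacl", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_write_findings(acl: Dict, policy: Optional[Union[str, Dict]] = None) -> List[str]:
    """Return one finding string per anonymous/any-account write path.

    `acl` has the shape of the get-bucket-acl response; `policy` is the JSON
    string (or parsed dict) from get-bucket-policy. Policy Conditions are not
    evaluated here, so a conditional public grant is still reported for review.
    """
    findings: List[str] = []
    for grant in acl.get("Grants", []):
        group = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI", ""))
        perm = grant.get("Permission", "")
        if group and perm in WRITE_PERMS:
            findings.append(f"ACL grants {perm} to {group}")
    if policy:
        doc = json.loads(policy) if isinstance(policy, str) else policy
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
                continue
            actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
            hit = sorted(actions & WRITE_ACTIONS)
            if hit:
                sid = stmt.get("Sid", "<no Sid>")
                findings.append(f"Policy statement {sid} allows {', '.join(hit)} to everyone")
    return findings


# Constructed sample: a static-site bucket that is world-readable (expected for
# public hosting) but also world-writable, the precondition the skimmer abuses.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OpenUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

if __name__ == "__main__":
    for finding in public_write_findings(SAMPLE_ACL, SAMPLE_POLICY):
        print("FINDING:", finding)
```

World-readable grants are deliberately not reported, since a public hosting bucket needs them; the two findings on the sample are the ACL `WRITE` grant and the `OpenUpload` statement.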


Suspected malware developer arrested by Dutch National Police

Dutch National Police Team High Tech Crime (THTC) recently arrested a resident of Utrecht who is suspected of being a developer of the well-known Rubella malware.

Impact

The Rubella Office Macro Builder is a toolkit available for $500 in Dark Web forums and markets since at least April 2018. The toolkit permits authors of spam and phishing campaigns to package their contents in evasive macro-enabled files in hopes of increasing malware campaign infection rates.

Threat researchers investigating the toolkit noticed Dutch-language artifacts in Rubella advertisements, enabling them to pass along some username correlations to THTC investigators.

DXC perspective

Malware as a service continues to grow as a profitable activity.

Enterprises should ensure that warnings are in place, enforced by a security policy that prevents macros from running automatically. Users should receive two or more warnings about running macros in documents from unknown and untrusted sources. Awareness programs should include training to help users spot and avoid malicious macros, driving home the message about opening only trusted files. Source: McAfee

Nation state and geopolitical updates

DNS infrastructure hijacking campaigns continue

Despite several national Computer Emergency Response Team (CERT) alerts and public intelligence reports, large organizations and their users continue to fall victim to threat actors that use illicit access to DNS records in their attacks.

Impact

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and UK National Cyber Security Centre (NCSC) warned of compromises to DNS records in early 2019. A compromise could enable threat actors to capture and reuse organizations’ certificates. Further reporting in April by an intelligence vendor designated one of these campaigns “Sea Turtle,” attributing the activity to an unnamed but advanced state-sponsored cyber threat group.

Sea Turtle is suspected to be behind the top-level domain compromise of Greece’s GR and EL country codes in April. Since then, new victims in Sudan, Switzerland and the United States have emerged. Victims include government and policy entities, energy companies and nongovernmental organizations.

DXC perspective

Organizations should treat DNS records access as a highly privileged resource. Security features such as multifactor authentication and Domain Name System Security Extensions (DNSSEC) can aid in the prevention of illicit records access.

A combination of internal and external DNS record monitoring can quickly alert security teams to unauthorized record modifications. Source: Cisco Talos, US-CERT and UK-NCSC
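The internal-plus-external monitoring recommended above can be reduced to a diff against an approved record baseline, with an extra alert whenever two resolvers answer the same name differently. The block below is an added example, not tooling from DXC, Cisco Talos or either CERT; the resolver answers are constructed (reserved documentation names and RFC 5737 addresses), whereas in production the `views` would be populated from live queries to an internal resolver and one or more public resolvers.

```python
from typing import Dict, List, Set, Tuple

RecordKey = Tuple[str, str]        # (owner name, record type)
View = Dict[RecordKey, Set[str]]   # records as returned by one resolver
Alert = Tuple[str, str]            # (severity, message)

# Changes to delegation or mail routing are the hijack signals that matter most.
HIGH_RISK_TYPES = {"NS", "MX", "SOA"}


def diff_view(baseline: View, observed: View, source: str) -> List[Alert]:
    """Alerts for every record where `observed` departs from the approved baseline."""
    alerts: List[Alert] = []
    for key in sorted(set(baseline) | set(observed)):
        want, got = baseline.get(key, set()), observed.get(key, set())
        if want == got:
            continue
        name, rtype = key
        sev = "HIGH" if rtype in HIGH_RISK_TYPES else "MEDIUM"
        for value in sorted(got - want):
            alerts.append((sev, f"[{source}] {name} {rtype}: unexpected value {value}"))
        for value in sorted(want - got):
            alerts.append((sev, f"[{source}] {name} {rtype}: baseline value {value} missing"))
    return alerts


def monitor(baseline: View, views: Dict[str, View]) -> List[Alert]:
    """Diff each resolver's view against baseline, then flag resolver disagreement.

    A record that internal and external resolvers answer differently is a
    classic sign that one resolution path (often the public one) was hijacked.
    """
    alerts: List[Alert] = []
    for source, view in views.items():
        alerts.extend(diff_view(baseline, view, source))
    sources = list(views)
    for i, a in enumerate(sources):
        for b in sources[i + 1:]:
            for key in sorted(set(views[a]) & set(views[b])):
                if views[a][key] != views[b][key]:
                    alerts.append(("HIGH", f"{key[0]} {key[1]}: {a} and {b} disagree"))
    return alerts


# Constructed sample data: the internal resolver agrees with the baseline, while
# the external view returns a different address for the mail host.
BASELINE: View = {
    ("example.com.", "NS"): {"ns1.example.net.", "ns2.example.net."},
    ("example.com.", "MX"): {"10 mail.example.com."},
    ("mail.example.com.", "A"): {"203.0.113.10"},
}
VIEWS: Dict[str, View] = {
    "internal": {k: set(v) for k, v in BASELINE.items()},
    "external": {
        ("example.com.", "NS"): {"ns1.example.net.", "ns2.example.net."},
        ("example.com.", "MX"): {"10 mail.example.com."},
        ("mail.example.com.", "A"): {"198.51.100.7"},  # mail host now resolves elsewhere
    },
}

if __name__ == "__main__":
    for severity, message in monitor(BASELINE, VIEWS):
        print(f"{severity}: {message}")
```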

Linux desktop malware has suspected Russian links

In early July 2019, security researchers discovered malware designed for Linux desktop distributions. There is correlation in this malware with other malware attributed to Russian intelligence organizations.

Impact

The Linux malware, now dubbed “EvilGnome,” was observed in the VirusTotal malware repository. At the time of discovery, none of the automated antivirus scanning engines in the repository detected it as malicious. EvilGnome is a full-featured backdoor with multithreaded modules capable of file system access, desktop screenshots, microphone audio capture and more. All captured content is RC5-encrypted and uploaded to the command and control (C2) server.

The C2 IP address is the same as other malware belonging to the Gamaredon Group, a threat group believed to be a Russia government or military cyber intelligence unit.

DXC perspective

EvilGnome demonstrates that any desktop operating system is a target for intrusion, not solely the most widely deployed ones. This highlights the need for organizations to maintain complete endpoint inventories and use multiplatform or multivendor solutions to protect those endpoints.

Malware repository research can yield valuable threat intelligence. As in the example of EvilGnome, sometimes this intelligence is gained even prior to the start of a threat campaign. Source: Intezer

Vulnerability and Resource Updates

Substantial vulnerabilities in Zoom videoconferencing application

Major flaws in the Zoom client for macOS have been discovered by a security researcher. The vulnerabilities allow a remote attacker to join a vulnerable videoconference without user approval. The vulnerability is also being used to cause a denial-of-service attack.

Impact

The vulnerability potentially affects all macOS devices with the Zoom application installed. The source of the vulnerability lies in Zoom’s use of a local web server on the macOS device.

Zoom runs the local web server on TCP port 19421, which is used for connecting to calls and providing application updates. Security researcher Jonathan Leitschuh discovered that any website a user visits can interact with the local server on the host system. Through specifically crafted GET requests, attackers can drop users into a call and force video and audio content to be turned on. Attackers can also cause a denial of service through the delivery of many requests to the local web server.

Zoom’s subsequent patching only partially fixes the problem. It prevents an adversary from forcing automatic video enablement and sign-in requests to the server. However, the vulnerability can still be remotely exploited to join calls or deny service. Proof-of-concept code is already available.

DXC perspective

Adversaries may already be using proof-of-concept code to actively exploit this vulnerability. Users should ensure that the latest patches are applied and the setting to turn off video when joining a meeting is selected.

To successfully uninstall Zoom, users must perform additional manual actions. For example, the process ID must be found using `lsof -i :19421`, and then the ~/.zoomus directory removed to prevent the application from being reinstalled. Source: ZDNet

Critical vulnerability discovered in ProFTPD

Details of a remotely exploitable vulnerability in ProFTPD that may allow an attacker to execute arbitrary code on a vulnerable system were released in July by security researcher Tobias Mädel.

Impact

ProFTPD is a common FTP server included by default with many Linux distributions. A vulnerability in the mod_copy module, enabled by default in most distributions, can be exploited to allow users without WRITE access to the server to copy files to vulnerable servers. This can potentially lead to arbitrary code execution on the vulnerable server in the context of the application. Failed attempts at exploitation can fill up the system and could be used by attackers in a denial-of-service condition.

All ProFTPD versions up to and including 1.3.6 are affected by the vulnerability.

DXC perspective

There are currently no reports of this vulnerability being exploited in the wild. However, because it’s possible to remotely trigger this vulnerability without credentials or user interaction, it has the potential to be widely exploited — especially given its position as a default service on many Linux distributions.

Server admins who want to prevent potential attacks can disable the mod_copy module in the ProFTPD configuration file as a workaround. Blocking TCP ports 20 and 21 at perimeter firewalls provides protection from external threat sources. Source: Bleeping Computer and Security Affairs
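A quick way to verify the mod_copy workaround across a fleet is to lint each server’s configuration rather than trust memory. The checker below is an added example, not part of ProFTPD or the original advisory: it looks for a dynamic `LoadModule mod_copy.c` line, a `CopyEngine off` directive, and a `<Limit SITE_CPFR SITE_CPTO>` block containing `DenyAll` (the directive and command names are taken from the mod_copy documentation; confirm them against your installed version). Both sample configurations are constructed.

```python
import re
from typing import Dict

LIMIT_OPEN = re.compile(r"<limit\s+([^>]+)>", re.I)
LIMIT_CLOSE = re.compile(r"</limit>", re.I)


def analyze_proftpd_conf(config_text: str) -> Dict[str, bool]:
    """Scan proftpd.conf text for the mod_copy workaround.

    Directive names are matched case-insensitively and '#' comments are
    ignored. Absence of a LoadModule line does NOT prove mod_copy is missing
    (it may be compiled in statically), so the verdict relies only on the two
    explicit signals: CopyEngine off, or DenyAll inside a SITE_CPFR/SITE_CPTO
    Limit block. The real fix remains upgrading past the affected versions.
    """
    loaded = engine_off = limit_denied = in_copy_limit = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        low = line.lower()
        opened = LIMIT_OPEN.match(line)
        if low.startswith("loadmodule") and "mod_copy.c" in low:
            loaded = True
        elif low.startswith("copyengine"):
            engine_off = low.split()[-1] == "off"   # last occurrence wins
        elif opened:
            commands = {c.upper() for c in opened.group(1).split()}
            in_copy_limit = {"SITE_CPFR", "SITE_CPTO"} <= commands
        elif LIMIT_CLOSE.match(line):
            in_copy_limit = False
        elif in_copy_limit and low == "denyall":
            limit_denied = True
    return {
        "loaded_dynamically": loaded,
        "copy_engine_off": engine_off,
        "site_copy_denied": limit_denied,
        "workaround_present": engine_off or limit_denied,
    }


# Constructed configs: a default-style file and one carrying both workarounds.
VULNERABLE_CONF = """
ServerName "Example FTP"
LoadModule mod_copy.c
# CopyEngine off   <- commented out, so it must not count
<Limit WRITE>
  DenyAll
</Limit>
"""
HARDENED_CONF = """
ServerName "Example FTP"
LoadModule mod_copy.c
<IfModule mod_copy.c>
  CopyEngine off
</IfModule>
<Limit SITE_CPFR SITE_CPTO>
  DenyAll
</Limit>
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, analyze_proftpd_conf(text))
```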


Incidents and breaches

Huge fines and settlements follow British Airways and Equifax breaches

Credit score agency Equifax agreed to pay up to $700 million as part of its settlement with the U.S. Federal Trade Commission (FTC) following a high-profile 2017 breach. British Airways, which suffered a Magecart card-skimming attack in 2018, was fined $226 million for the loss of customer payment card data. The fine was the largest ever issued by the United Kingdom’s Information Commissioner’s Office.

Impact

The Equifax breach saw personal details of 147 million people and payment card details of some 209,000 users stolen due to a vulnerable database. Despite warnings of the existence of a critical vulnerability on the Automated Consumer Interview System, Equifax failed to verify that patches were applied. According to the FTC, this allowed multiple adversaries to exploit the system. The fine is the largest in FTC history and the latest cost implication following the breach. The money will be split, with at least $300 million used to provide identity theft services to victims and the remainder distributed between 50 U.S. states and territories.

$700M: Cost of Equifax settlement

British Airways faced a targeted and sophisticated attack that saw card-skimming group Magecart inject malicious code onto the company’s web application, enabling the theft of payment card data in nearly 500,000 transactions. The $226 million fine is notable because it was the first to be made public following the introduction of the European Union’s General Data Protection Regulation (GDPR). The fine was substantially less than the potential GDPR maximum fine of 4 percent of annual revenues.

$226M: British Airways fine under GDPR for payment card data loss

DXC Perspective

These profit-sapping fines highlight the criticality of security to businesses, which must ensure their information safeguards are appropriate to the nature of the data they store and process. More large GDPR fines are likely to be witnessed in 2019 and beyond. Source: BBC and

London police suffer social media hijacking

A series of bizarre tweets were posted from London’s Metropolitan Police Service Twitter account in July. Posts included: “What you gonna do phone the police?” and “No comment get my lawyer.” Other posts linked to false press releases expressing anti-police sentiments and called for the release of UK “drill” music artist Digga D.

Impact

The Metropolitan Police stressed there had been no breach of its IT infrastructure. The agency’s Twitter account was managed through an account with a third-party supplier, MyNewsDesk. It appears that only the MyNewsDesk account had been compromised.

Although no data was lost, the incident was something of a public relations embarrassment for the police. Senior officers were forced to apologize for the incident, and the use of obscenities on the official account drew public dismay.

DXC perspective

Mainstream media were quick to dub the perpetrators as “pranksters,” but this incident should more accurately be described as the work of hacktivists. The attackers clearly harbor a political agenda against the Metropolitan Police and sought to use their access to highlight their opposition.

Hacktivists regularly target social media accounts of organizations opposed to their political or social agenda. Hacktivists typically have lower levels of technical sophistication, and social media accounts offer a soft target that allows them to project their disruptive effect to a wide audience.

On their social media platforms, organizations should carefully consider security basics such as monitoring, auditing and incorporating complex password enforcement and multifactor authentication. Source: Huffington Post and BBC

Securing corporate social media

Tips for protecting high-value targets include:
• Ensure multifactor authentication is enabled
• Log, monitor and audit accounts and their configurations
• Designate an individual accountable for social media account security
• Reserve all appropriate handles on platforms, even if they are not in use
• Monitor for third-party vulnerabilities on hosting applications
• Enforce a complex password policy
• Train social media staff on security threats

Learn more

Thank you for reading the Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security.

DXC Labs | Security

DXC Labs delivers thought leadership technology prototypes to enable enterprises to thrive in the digital age.

DXC Labs | Security brings together our world-class advisors to develop strategic and architectural insights to reduce digital risk. DXC’s Cyber Reference Architecture is at the heart of our research, providing clients with detailed guidance on methods to efficiently resolve the most challenging security problems. We help clients minimize risk while taking maximum advantage of the digital commons.

Learn more at www.dxc.technology/securitylabs

DXC in Security

Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,500+ experts and a global network of security operations centers.

DXC provides solutions tailored to our clients’ diverse security needs, with areas of specialization in Intelligent Security Operations, Identity and Access Management, Data Protection and Privacy, Security Risk Management, and Infrastructure and Endpoint Security. Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.

Stay current on the latest threats www.dxc.technology/threats

About DXC Technology

As the world’s leading independent, end-to-end IT services company, DXC Technology (NYSE: DXC) leads digital transformations for clients by modernizing and integrating their mainstream IT, and by deploying digital solutions at scale to produce better business outcomes. The company’s technology independence, global talent, and extensive partner network enable 6,000 private and public-sector clients in 70 countries to thrive on change. DXC is a recognized leader in corporate responsibility. For more information, visit www.dxc.technology and explore thrive.dxc.technology, DXC’s digital destination for changemakers and innovators.

© Copyright 2019 DXC Technology Company. All rights reserved.