
Threat Intelligence Summary

Fidelis Threat Research Team May 2020

www.fidelissecurity.com

Table of Contents

Executive Summary ...... 3
Fidelis TRT Assessment and Probability Statements ...... 3
Key Vulnerabilities ...... 5
Malware, Tools, and Attack Trends ...... 8
Threat Actor Trends ...... 11
Business Vertical Updates ...... 16
References ...... 19

© Fidelis Cybersecurity 2 www.fidelissecurity.com

Executive Summary

The Fidelis Threat Research Team (TRT) monitors and collects information on external threats which may pose a risk to Fidelis customers. Collection and analysis efforts are driven by criticality and relevance as prescribed by TRT’s Priority Intelligence Requirements and Specific Intelligence Requirements (SIRs).

The purpose of the monthly Fidelis Threat Intelligence Summary is to provide readers timely information and situational awareness of ongoing relevant threats and an overall intelligence assessment of the potential risk from these threats. The information and intelligence presented also contributes to the overall threat landscape as observed by Fidelis TRT collection and analysis efforts and telemetry data pertaining to threat actor and adversary activity, tools, tactics, techniques, and procedures (including malware, infrastructures, and vulnerabilities exploited), and observed or assessed impact to organizations and business verticals being targeted.

The below trends and observations summarize the threat landscape in terms of vulnerabilities, threat actors, malware developments, and other significant activity and events.

Key Findings and Recommendations:

1. Exploit attempts against unpatched vulnerabilities in VPN products as well as against unpatched vulnerabilities in older, popular software packages remain common and at elevated levels. Aside from detection support from Fidelis for many of these vulnerabilities, enterprises and end-users must ensure software is patched and updated.

2. Over 29,000 CoVID-19 themed domains were registered in April and May 2020. Many of these sites could potentially be used to support and malware campaigns. Due to the large number of indicators, enterprises and end-users should take business risk tolerance and available resources into consideration to determine whether these domains should be added to your email/web gateways or firewall sinkhole/indicator lists.

3. , commodity malware and exploit kits remain popular malware leveraged by cyber-criminals and nation-state sponsored groups. Popular strains observed include Maze Ransomware, , and RIG Exploit Kit. Fidelis TRT strives to keep indicators of compromise and protocol behaviors up to date to protect customers; however, proper security awareness and hygiene should still be followed to limit a successful attack.

4. Nation-State sponsored APT adversaries are leveraging critical browser vulnerabilities in Mozilla Firefox, Internet Explorer, and Linux-based email servers. Ensuring that browsers are up to date and patched will help limit adversaries from gaining a foothold in your environment via browser-based exploits and plugins.

5. The risk of impact from attacks against the healthcare, transportation, retail, and municipal government verticals is assessed by TRT to be elevated, given current global political and economic events.

Fidelis TRT Assessment and Probability Statements

This section presents Fidelis TRT’s assessment of cyber adversary and threat activity going forward. Assessments are presented as Most Likely Course of Action (MLCOA) and Most Dangerous Course of Action (MDCOA) statements. MLCOA focuses on the expected and probable tactics, techniques, or actions taken by adversary groups, while MDCOA considers tactics, techniques, or actions that could result in a worst-case scenario outcome regardless of likelihood.

Most Likely Course of Action

TRT assesses that exploitation of older, common vulnerabilities in popular services and software will continue to be popular attack vectors for initial access and lateral movement. As more employees are working from home, attractive targets may include products and services being used by these employees including VPN clients and software, web browsers, consumer-grade routers, networked and cloud storage, and even specific software like OWA, Sharepoint, and video conferencing/communication software (e.g.: Zoom, WebEx, RingCentral, etc.). These vulnerabilities will be leveraged to deliver commodity malware like remote access tools and as well as ransomware. Exploitation of browser and browser-extension vulnerabilities will also increase risk as the popularity of Internet Explorer wanes and the end of support and use of Adobe Flash sets in after 31 December 2020. Adversaries will pivot efforts towards targeting code-execution and memory corruption weaknesses in browsers like Mozilla Firefox and Google Chrome. The anonymizing Tor Browser is also built on Mozilla Firefox ESR, so a Firefox ESR vulnerability could compromise the purpose and intent of using Tor in the first place. Therefore, it is imperative to ensure browsers remain up to date and patched when available, and that browser extensions and plug-ins are downloaded from reputable sources and patched when available.

Commodity malware will remain at elevated levels regardless of global events, including older and well-documented remote access malware and exploit kits. Exploit kits like RIG, Fallout, and Spelevo may continue to be updated with newer capabilities to exploit different vulnerabilities and deliver follow-on payloads like ransomware, spyware, and coin-miners.

Ransomware operators will continue to focus on targeting large enterprises due to potentially larger attack surface and higher ransom amounts that can be demanded from higher-revenue organizations. GDPR regulations may also put organizations operating in Europe in a difficult situation as they deal with not only a ransomware infection but also the data-leak component of the attack, resulting in stiff fines under GDPR rules. The most active ransomware campaigns and strains include Sodinokibi/REvil, Maze, Ryuk, DoppelPaymer, and Nemty; however, less common and emerging ransomware campaigns also remain a threat to organizations. These include Robbinhood, NetWalker, Eris, Ako, Ragnarok, and Buran/VegaLocker.

Cyber-criminals and nation-state actors will continue to leverage the CoVID-19 situation in phishing attempts; however, they will begin to utilize new topics and events as they arise including government stimulus programs, vaccine and treatment developments, unemployment concerns (using fake job postings or career site lures and government employment and welfare schemes), and fake retail and shopping lures as major retailers face bankruptcy and businesses begin to reopen.

Most Dangerous Course of Action

TRT assesses that a resurgence or use of wiper malware against organizations in critical business verticals like healthcare, transportation, government, or retail could cause a short-term disruption to supply-chain, public service/safety, and consumer retail operations. The risk of this type of disruption remains elevated given the current situation related to CoVID-19 and with local and national economies slowly beginning to reopen.

In regards to code execution vulnerabilities in browsers, government agencies of oppressive countries will also adapt to the shift from targeting Internet Explorer to Google Chrome and Firefox (and consequently, the Tor Browser), which not only can jeopardize the privacy of citizens but also allow local law enforcement of these repressive regimes to expand their surveillance programs by exploiting these vulnerabilities.

The recent protests/rioting as a result of the death of George Floyd also provides ransomware operators an opportunity to exploit the ongoing events and sentiment, and local and municipal Government entities may be viewed as potential targets. Protest-related phishing themes may include news and updates related to Black Lives Matter movement, riot tracking apps, or police support/brutality. As emotions run high during times like this, it is imperative to maintain vigilance against opportunistic threats.

Key Vulnerabilities

This section discusses the emergence of critical new vulnerabilities that may impact a significant portion of Fidelis customers, as well as the status of countermeasures against the vulnerabilities. The Vulnerabilities section also extends to exploitation attempts against older vulnerabilities that continue to be leveraged in recent campaigns and attacks.

Vulnerability Events Observed

The following charts show the top vulnerability threats as observed by the Fidelis Threat Research Team. During the period 1 - 31 May 2020, the top vulnerability threats consisted of exploit attempts against high-profile VPN vulnerabilities in Citrix Gateway (CVE-2019-19781), Pulse Secure (CVE-2019-11510) VPN products, and Fortinet Fortigate (CVE-2018-13379). Observed threats also included attempts against older vulnerabilities in popular software and services from at least two years ago, including Apache Struts (CVE-2017-5638, CVE-2017-12611, CVE-2018-11776) and Microsoft Office (CVE-2017-11882). Less common vulnerabilities assessed as high-impact by Fidelis TRT that were also targeted include a deserialization vulnerability in Oracle WebLogic (CVE-2019-2725) and a popular WordPress plugin, InfiniteWP (CVE-2020-8772).


Fidelis Customer Event Data, Vulnerability Threats, May 2020

Fidelis TRT Comments and Recommended Action:

The following are the top vulnerabilities that are observed and assessed as posing current risks to enterprises and end users. The top Trending Vulnerabilities are based on current observations and ongoing trends of commonly targeted and exploited vulnerabilities. The Emerging Vulnerabilities are vulnerabilities that are assessed by Fidelis TRT, based off criticality and potential impact, to pose a high risk to enterprises and end users, but are less active than Trending Vulnerabilities. These vulnerabilities have the potential to gain more popularity in the future or result in a high-impact incident, even if active scanning or exploitation has not yet been observed. The Emerging Vulnerabilities list also serves as a “be-on-the-lookout” list for patching and countermeasures purposes.

Top Priority Vulnerabilities

▪ Vulnerabilities in VPN services have been leveraged by nation-state and cyber-criminal adversaries for espionage or to deliver ransomware to targeted victims.

▪ Fidelis TRT previously reported and assessed [1, 2] that older vulnerabilities in widely-used software like Microsoft Office, Internet Explorer, Adobe Flash, Apache frameworks, and content-management systems (e.g.: Drupal, WordPress, Joomla, SiteCore, etc.) will continue to remain attractive attack vectors for threat actors.

▪ TRT recommends ensuring positive terrain visibility and that all software and products are patched and updated.


Trending Vulnerabilities

Vulnerability | Product | Associated Threats | Active Exploitation or Scanning
MS17-010 Series | Microsoft Windows SMB | APT3, APT27, WannaCry, NotPetya, BuleHero | Yes
CVE-2017-11882 | Microsoft Office | SideWinder, APT27, Kimsuky, DarkHotel, Cobalt Group, FareIT/Pony, Agent Tesla, AsyncRAT | Yes
CVE-2019-0604 | Microsoft Sharepoint | Fin7, APT27, APT34, ChinaChopper, ZeroCleare | Yes
CVE-2019-11510 | Pulse Connect Secure VPN | Sodinokibi/REvil, APT33, APT34, Fox Kitten | Yes
CVE-2019-19781 | Citrix ADC Gateway VPN | Maze Ransomware, Sodinokibi/REvil, Ragnarok Ransomware | Yes
CVE-2017-5638 | Apache Struts | BuleHero, Cerber Ransomware, PerlBot | Yes

Emerging Vulnerabilities

Vulnerability | Product | Associated Threats | Active Exploitation or Scanning
CVE-2019-2725 | Oracle Weblogic | Sodinokibi/REvil, BuleHero, Muhstik Bot | Yes
CVE-2020-1088 | Microsoft Windows Error Reporting | (none listed) | No
CVE-2020-8772 | InfiniteWP WordPress Plug-In | (none listed) | Yes
CVE-2019-17026 | Mozilla Firefox/Firefox ESR | DarkHotel | Yes
CVE-2020-11651/11652 | SaltStack Framework | (none listed) | Yes
CVE-2019-7192/7194/7195 | QNAP NAS Devices | QSnatch, eCh0raix | No
CVE-2020-1056 | Microsoft Internet Explorer | (none listed) | No
CVE-2019-13693 | BBPress WordPress Plug-in | (none listed) | No


Malware, Tools, and Attack Trends

This section discusses new observations or updates to trending tools, attack patterns, and malware campaigns/families that may potentially pose a threat to Fidelis customers. TRT strives to track and update key malware trends and tools for potential countermeasures and detection efforts.

Malware Events Observed

The following chart shows the top malware threats as observed by the Fidelis Threat Research Team. During the month of May 2020, the top malware threats consisted of popular and well-documented malware strains including Gh0stRAT, njRAT, Trickbot, and Fareit/PonyLoader.

Fidelis Customer Telemetry by Malware Threats, May 2020

COVID-19 Leveraged in Crimeware and Suspicious Domain Creation

On 14 March, a domain tracker was set up to detect and list new domains with a CoVID/Coronavirus typo-squatting theme [3]. During the months of April and May 2020, the tracker identified 18,398 and 11,624 new domains respectively. These are simply domains registered and available; the list does not confirm/deny any suspicious activity or malice associated with the domains. While it is important to note that not all of these domains may be actively used for malicious purposes, organizations are advised to consider the acceptable risks and business purpose requirements to decide whether defensive measures, such as enterprise or internal blocking and blacklisting, are appropriate for their environment.


RIG Exploit Kit Remains Active, Continues to Deliver Ransomware and Stealer Malware

In late April 2020, external research observed and analyzed RIG Exploit Kit (EK) delivering the well-known Dridex banking Trojan [4]. The software or vulnerability exploited during the initial infection via the RIG EK landing page was not specified or reported.

RIG EK also remained active throughout the month of May. On 11 May 2020, researchers observed drive-by malvertising redirecting site visitors to a RIG EK landing page, which resulted in the downloading of the Amadey botnet malware as the second-stage payload [5]. The following week, researchers observed RIG EK delivering an unspecified ransomware strain. The RIG EK landing page was observed as makemoneywith[.]me. The ransomware appended infected files with a *.corona-lock extension, and the contact email in the ransom note used *@covidworldcry.com as the email domain, suggesting continued use of the CoVID-19 topic in campaigns [6]. Additionally, on 27 May 2020, researchers observed RIG EK delivering the Socelars stealer malware. The RIG EK landing page was again observed as makemoneywith[.]me [7].

Fidelis TRT Comments and Recommended Action: RIG EK is a well-known exploit kit that has been active for several years. RIG EK is often mistaken for obsolete and inactive malware, although the proliferation of exploit kits in general peaked during 2016 - 2017. RIG EK is frequently seen delivering multiple other malware families, including ransomware, banking Trojans, and spyware. The landing page observed, makemoneywith[.]me, is a historic domain that has been used as a landing page for RIG EK for several years. Fidelis TRT has linked RIG EK to the exploitation of 20 different vulnerabilities as well as 12 different malware families, including several strains of ransomware. Fidelis currently has detections in place for potential RIG EK related events, including recent and trending indicators of compromise (IOCs) and protocol rules.
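The two domain-based defensive measures discussed above (deciding whether to block the CoVID-themed domains from the tracker feed, and blocking the RIG EK landing page named in this section) come down to the same workflow: normalise domain indicators, emit them in a format a gateway or resolver accepts, and check traffic logs against them. The following is an added example written for this summary, not Fidelis code or a Fidelis product feature. The feed excerpt, the proxy log lines and every hostname except makemoneywith[.]me are constructed for the example; the feed and log line formats are assumptions.

```python
# Added example, not part of the Fidelis report: normalise domain indicators
# (a CoVID typo-squat feed excerpt and the RIG EK landing page makemoneywith[.]me)
# into one blocklist, render it as a DNS RPZ zone, and check proxy log lines
# against it. Feed lines, log lines and all hostnames other than
# makemoneywith[.]me are constructed for this example.
import re

# Constructed excerpt in the style of a plain-text domain feed (one domain per line).
FEED_TEXT = """\
# constructed feed excerpt
covid19-relief-fund.example
coronavirus-map-live.example
Covid-Vaccine-Update.example
covid19-relief-fund.example
notrelated.example
"""

# Indicator named in the report, written defanged the way analysts share it.
REPORT_IOCS = ["makemoneywith[.]me"]

# Theme keywords used to keep only CoVID/Coronavirus-related feed entries.
KEYWORDS = ("covid", "corona")


def refang(domain):
    """Undo common defanging ([.] or (.)), lowercase, and drop a trailing dot."""
    return re.sub(r"[\[(]\.[\])]", ".", domain.strip()).lower().rstrip(".")


def parse_feed(text, keywords=KEYWORDS):
    """Return feed entries matching a keyword, deduplicated, in feed order; '#' lines are comments."""
    seen, out = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain = refang(line)
        if any(k in domain for k in keywords) and domain not in seen:
            seen.add(domain)
            out.append(domain)
    return out


def build_blocklist(feed_text=FEED_TEXT, iocs=REPORT_IOCS):
    """Merge the keyword-filtered feed with explicit IOCs into a sorted, unique list."""
    return sorted(set(parse_feed(feed_text) + [refang(d) for d in iocs]))


def to_rpz(domains):
    """Render as DNS Response Policy Zone records: 'CNAME .' answers NXDOMAIN for the
    name, and the wildcard record covers its subdomains."""
    records = []
    for d in domains:
        records.append(f"{d} CNAME .")
        records.append(f"*.{d} CNAME .")
    return "\n".join(records)


# Constructed proxy log lines: timestamp, client IP, requested host, path.
PROXY_LOG = """\
2020-05-27T10:01:02Z 10.1.2.3 www.example.org /index.html
2020-05-27T10:01:05Z 10.1.2.3 makemoneywith.me /
2020-05-27T10:02:11Z 10.1.2.9 cdn.covid19-relief-fund.example /x.js
2020-05-27T10:03:00Z 10.1.2.9 safe.example /
"""


def find_hits(blocklist, log_text=PROXY_LOG):
    """Return (client, host) pairs whose host is a blocked domain or a subdomain of one."""
    blocked = set(blocklist)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, host = parts[1], refang(parts[2])
        labels = host.split(".")
        # Walk up the name (a.b.c -> a.b.c, b.c, c) so subdomains of a blocked name match too.
        if any(".".join(labels[i:]) in blocked for i in range(len(labels))):
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    blocklist = build_blocklist()
    print(to_rpz(blocklist))
    for client, host in find_hits(blocklist):
        print(f"blocked host contacted: {client} -> {host}")
```

The keyword filter is deliberately simple: it is the point at which an organization applies the risk-tolerance decision the section describes, for example by tightening the keyword list or adding an allowlist of known-legitimate health sites before the RPZ zone is loaded. Matching parent domains in the log check matters because campaign infrastructure is often served from subdomains of a registered name.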

Notable Ransomware Campaigns Target Victims in Multiple Verticals, April – May 2020

DoppelPaymer Ransomware Hits Los Angeles County

On 21 April 2020, the city of Torrance in Los Angeles County, California was reported to have been compromised by operators of the DoppelPaymer Ransomware [8]. The infection initially occurred earlier, possibly around 1 March 2020 per local media reporting. The operators posted a directory on the Doppel Leaks page for City of Torrance, which contained numerous leaked file archives allegedly stolen during the ransomware attack. The attackers demanded 100 BTC for keys to decrypt systems and files that were also encrypted. DoppelPaymer also impacted Mexico's state-owned oil company, Pemex, in November 2019, in which the operators' ransom demand was over $4M.

Nemty Ransomware Developer Creates New Ransomware Strain, Toll Group Impacted

On 5 May 2020, logistics and transportation firm Toll Group was infected by a new ransomware strain known as the Nefilim Ransomware [9]. Nefilim was developed by a creator of the Nemty Ransomware along with other malware distributors. On 28 May, Toll Group confirmed that “the ransomware attackers had accessed Toll corporate server files which contain information relating to past and present employees, we have established that the information includes details such as name, residential address, age or birthdate, and payroll information (including salary, superannuation and tax file number)” [10]. In January 2020, Toll Group was exposed as running Citrix ADC Gateway clients which were vulnerable to RCE exploitation, a popular vulnerability recorded as CVE-2019-19781, which has previously been exploited by multiple other ransomware strains and exploit kits.


Snake Ransomware Campaign Infects Fresenius Medical Care Group

Snake Ransomware reemerged in a new global campaign in early May 2020. One of the more high-profile victims was Europe-based Fresenius Medical Group, a large private hospital and dialysis care provider [11]. A French architectural company is also a reported victim of Snake Ransomware's recent campaign. Snake also developed a data-leak capability in addition to encrypting files and systems: the files stolen are held at ransom and published if payment is not made. On 20 May, a small set of personally identifiable patient information from Fresenius was leaked to a paste site, containing “less than 200 records that include first and last names, gender, birth date, the nationality of the patient, profession, postal address, phone number” [12].

Fidelis TRT Comments and Recommended Action: Snake Ransomware first emerged in January 2020 and was observed targeting ICS software, including General Electric-made processes and software. It was initially attributed to Iran by an Israel-based cybersecurity company, however that analysis and conclusion has not been confirmed or proven. TRT assesses, given the current global political and economic situation, that industries that will be of high value to criminal and ransomware operators include healthcare and transportation due to the critical role companies in these industries will play in response to ongoing conditions.

TRT recommends ensuring all VPN software and clients as well as web browsers and plugins are patched and up to date. Unnecessary internet-facing ports and other high-risk protocols, including RDP and SMB, should also be secured where possible, as these are frequently leveraged as an initial access point for ransomware and other malicious campaigns.

Maze Ransomware Crew Leaks Sensitive Documents of Victims

In an 8 April “press release”, members of the Maze Ransomware group announced the posting of sensitive internal corporate information exfiltrated from Bouygues, a French construction company [13]. Bouygues was initially compromised on 30 January 2020. It is suggested that 200GB of sensitive data was obtained and leaked by the group. The Maze Ransomware gang also claimed access to Bouygues’ business partners via their internal network (lateral movement). Additionally, on 4 April, the Maze Ransomware group leaked internal corporate data of Sonatrach, the national state-owned oil company of Algeria, that same week. Sonatrach was initially compromised by ransomware on 1 April 2020. Maze Ransomware was also identified as the strain in the compromise of IT services company Cognizant [14] and medical research company Hammersmith Medicines Research [15], on 17 and 20 April respectively.

Fidelis TRT Comments and Recommended Action: The Maze Ransomware Crew/Gang is among the most active ransomware affiliate programs, alongside the affiliate networks, distributors, and users of Sodinokibi/REvil, DoppelPaymer, and Ryuk. Maze was one of the first ransomware gangs to adopt a data breach component to their attacks, in which data on systems was not only encrypted but also siphoned off, with threats of leaking the data if the ransom was not paid. Operators behind the Maze Ransomware strain are known to exploit insecure remote desktop protocol (RDP) ports, and Maze-attributed infections have also been tied to vulnerabilities in VPN clients, Adobe Flash, and MS Internet Explorer. To reduce the impact of a compromise via ransomware, Fidelis TRT recommends that enterprises ensure and maintain proper security awareness and vigilance in handling emails (do not click or open links or attachments from unknown or suspicious senders), turn off or secure ports and services that are not essential to business functionality including SMB (445) and RDP (3389), and ensure proper asset management and segmentation wherever possible to reduce lateral movement and network propagation. Below is Fidelis TRT’s Adversary Risk Matrix for the Maze Group.


The graphic to the left is the Adversary Risk Matrix calculated for the Maze Ransomware Crew. The Adversary Risk Matrix is a qualitative intelligence-based risk scoring system developed by TRT members that serves to represent the overall risk presented by an adversary based off specific and observed attributes. The score is out of a maximum of 100, representing the highest risk. Adversary Risk Matrices are also provided for threat actors discussed later in this report.

Threat Actor Trends

This section discusses developing Threat Actors or Groups that TRT will maintain manual focus and collection against. This section will primarily concentrate on actors or groups that are not often reported in highly publicized releases but have demonstrated the capability and intent to mature into priority threats that may impact Fidelis customers.

DarkHotel APT Group Targets VPN Provider; Leverages Firefox and IE Vulnerabilities As of April 2020

In a report published in April 2020, an adversary group, later attributed as the DarkHotel APT group (aka: APT-C-06), was observed targeting servers running the Sangfor SSL VPN service/provider [16]. Sangfor’s VPN service is known to include Chinese government entities among its customers. The attackers used a 0-day vulnerability to gain control over Sangfor VPN servers, where they replaced a file named SangforUD.exe with a booby-trapped version. This real/benign file is an update for the Sangfor VPN desktop app, which employees install on their computers to connect to Sangfor VPN servers (and consequently, to their employer/enterprise networks). Qihoo researchers said that when workers connected to compromised Sangfor VPN servers, they were provided with an automatic update for their desktop client, but received the booby-trapped SangforUD.exe file, which later installed a on their devices.

During a separate campaign, CVE-2019-17026 was reported as being exploited in activity attributed to the DarkHotel APT group [17, 18]. DarkHotel was also reported to exploit this vulnerability in February 2020. CVE-2019-17026 is an arbitrary code execution vulnerability in Mozilla Firefox and Mozilla Firefox Extended Support Release (a version of the Firefox web browser for large organizations). The attacker can leverage the local user’s privileges to install programs or software; read, write, edit, or delete data; and even create new accounts with full user rights. This vulnerability affects Mozilla Firefox versions prior to 72.0.1 and Firefox ESR versions prior to 68.4.1.

Fidelis TRT Comments and Recommended Action: Sangfor VPN is not limited to use strictly within China, and enterprises with operations or remote offices in East Asia and the Middle East should confirm or deny whether this product is in use in their environment and ensure it is patched and updated. The compromise of a legitimate service and using it to push fake updates and software to unsuspecting users is a type of supply-chain compromise previously leveraged by adversaries in the compromise/hack of CCleaner (2017) and Asus’ Live Update Utility (2019). DarkHotel has been active since 2014 and has evolved into a sophisticated threat group. Earlier campaigns leveraged phishing techniques to compromise victims; however, over the past two years the group has been reported to quickly adapt and exploit multiple 0-day vulnerabilities as part of their campaigns. DarkHotel has been geographically attributed to the Korean peninsula; however, it is not confirmed whether it is associated with North Korea (DPRK) or South Korea (ROK).

Fidelis TRT assesses the potential risk of code execution vulnerabilities in Mozilla Firefox as high because threat actors will likely pivot to and focus efforts against this vulnerability as Internet Explorer and Adobe Flash become less popular and unsupported in future months. Additionally, DarkHotel has been observed targeting CVE-2019-17026 alongside a remote code execution (RCE) vulnerability in MS Internet Explorer (CVE-2020-0674) simultaneously, which was announced around the same time as the Firefox vulnerability. Qihoo 360 Security has dubbed the vulnerability pair as “Double Star”.

Fidelis TRT Adversary Risk Matrix Score, DarkHotel


Lazarus Group Using Job-Posting Lures to Target Victims

From late April through early May 2020, multiple phishing emails with malicious attachments were observed and attributed to North Korean nation state-sponsored entities, including Lazarus Group [19, 20, 21]. The attachment lures included job postings from Lockheed Martin, Boeing, Korea Hydro & Nuclear Power, as well as Office attachments using the topic of US-ROK diplomacy. One sample was analyzed to be Destover wiper malware, known to be previously used by North Korean adversaries, notably against Sony Entertainment in 2014 (screenshots of Microsoft Office lures shown below, as identified by researchers).


Sample of lures used in recent phishing campaign

Fidelis TRT Adversary Risk Matrix Score, Lazarus Group


Russian APT Campaign Targeting Email Servers via Vulnerable Transfer Agents

On 27 May 2020, the US National Security Agency (NSA) released a detailed report on a campaign perpetrated by the Russian nation-state APT group Sandworm, aka BlackEnergy [22]. The vulnerability, CVE-2019-10149, exists in the Linux/Unix Exim Mail Transfer Agent (MTA), which receives, routes and delivers email messages from local users and remote hosts. Exploitation of this wormable vulnerability allows an unauthenticated remote attacker to execute commands with root privileges on an Exim mail server, allowing the attacker to install programs, modify data and create new accounts.

The report suggests that once Sandworm compromises a targeted Exim server, it subsequently downloads and executes a shell script from a Sandworm-controlled domain to establish a persistent backdoor that can be used for reconnaissance, spying on mail messages, lateral movement and additional malware implantation.

Fidelis TRT Comments and Recommended Action: TRT assessed the Exim transfer agent vulnerability to be a Key Vulnerability in June 2019, when it was first announced. On 6 and 13 June, multiple researchers began reporting observations of active exploitation against vulnerable Linux email servers with the intent to install and initiate cryptocurrency miners. On 24 June, TRT Intelligence observed a member (0x00Lord) on the top-tier Russian forum, Exploit.in, posting what appeared to be a proof-of-concept (PoC) script for exploiting CVE-2019-10149. In the subsequent days this PoC appeared on multiple GitHub repositories. This vulnerability can be mitigated by updating/patching Exim instances to version 4.93 or later. Sandworm has been behind some of the most high-profile cyber attacks over the last several years, going back to 2014. These include interference in the 2017 French election, the Olympic Destroyer malware campaign during the 2018 Winter Olympics in South Korea, targeting Ukrainian critical infrastructure which resulted in blackouts in December 2015 and December 2016, and the NotPetya ransomware campaign in 2017. The Sandworm group has also been behind quieter campaign attacks, including uploading malicious Android mobile applications to the Google Play Store over the years.
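Both the DarkHotel section (Firefox fixed in 72.0.1, Firefox ESR in 68.4.1) and the recommendation above (Exim fixed in 4.93) reduce to the same inventory question: is the installed version below the fixed version? The following is an added example, not Fidelis code and not something the report describes, that answers that question for a set of collected version banners. The fixed versions come from the report text; the banner strings are constructed, and the shapes assumed for `exim -bV` and `firefox --version` output are assumptions about those tools, not taken from the report.

```python
# Added example, not part of the Fidelis report: flag installed versions that are
# below the fixed versions the report states (Firefox 72.0.1 and Firefox ESR 68.4.1
# for CVE-2019-17026; Exim 4.93 for CVE-2019-10149). Banner strings are constructed;
# the `exim -bV` / `firefox --version` output shapes are assumptions about those tools.
import re

# Fixed-in versions as given in the report text.
FIXED_VERSIONS = {
    "firefox": "72.0.1",
    "firefox-esr": "68.4.1",
    "exim": "4.93",
}


def parse_version(text):
    """'4.92.3' -> (4, 92, 3). Parsing stops at the first non-numeric component,
    so a suffix such as '4.92-RC1' yields (4, 92)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_below(installed, fixed):
    """True when installed < fixed; shorter tuples are zero-padded so 4.93 == 4.93.0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def identify(banner):
    """Map a version banner to (product, version), or None if unrecognised.
    Assumed shapes: 'Exim version 4.92 #3 built ...' (exim -bV) and
    'Mozilla Firefox 68.4.1esr' / 'Mozilla Firefox 72.0' (firefox --version)."""
    m = re.search(r"Exim version (\d+(?:\.\d+)*)", banner)
    if m:
        return "exim", m.group(1)
    m = re.search(r"Mozilla Firefox (\d+(?:\.\d+)*)(esr)?", banner)
    if m:
        return ("firefox-esr" if m.group(2) else "firefox"), m.group(1)
    return None


def assess(banners):
    """banners: {host: banner text}. Returns {host: (product, version, needs_patch)};
    hosts whose banner is not recognised are left out rather than guessed at."""
    results = {}
    for host, banner in banners.items():
        found = identify(banner)
        if found is None:
            continue
        product, version = found
        results[host] = (product, version, is_below(version, FIXED_VERSIONS[product]))
    return results


# Constructed inventory of banners collected from five hosts.
SAMPLE_BANNERS = {
    "mail1": "Exim version 4.92 #3 built 19-Jun-2019 12:00:00\nCopyright (c) University of Cambridge, 1995 - 2018",
    "mail2": "Exim version 4.93 #1 built 01-Jan-2020 00:00:00",
    "ws1": "Mozilla Firefox 72.0",
    "ws2": "Mozilla Firefox 68.4.1esr",
    "ws3": "unrecognised banner",
}

if __name__ == "__main__":
    for host, (product, version, needs_patch) in assess(SAMPLE_BANNERS).items():
        state = "BELOW FIXED VERSION" if needs_patch else "ok"
        print(f"{host}: {product} {version} -> {state} (fixed in {FIXED_VERSIONS[product]})")
```

One caveat when using a check like this against distribution packages: a vendor may backport the fix while keeping an older upstream version number, so a "below fixed version" result from the banner alone should be confirmed against the package changelog or vendor advisory before it is treated as an open exposure.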

POC for CVE-2019-10149 on Exploit.in, 24 June 2019


TRT Adversary Risk Matrix, Sandworm aka BlackEnergy

Business Vertical Updates

Monthly Total Events by Vertical

The below chart illustrates the top Fidelis customer business verticals by unique malware event count in May 2020. The chart shows that the largest number of unique malware events were observed in Fidelis customers within the Healthcare/Pharma/Biotechnology sector, followed by Technology and Government.


Fidelis Total Event Data by Business Vertical, May 2020

Based on the current political and economic situation from the fallout of the CoVID-19 pandemic as well as recent protests/rioting in many cities, Fidelis TRT assesses that any disruption or compromise of the confidentiality, integrity, and availability of data and services provided by organizations in healthcare, retail, and transportation would likely aggravate local and domestic stress. Government systems and assets are also at risk of being targeted by hacktivists as a result of the ongoing protests and unrest following the death of George Floyd. Companies and organizations in these verticals play a particularly crucial role in ensuring the health and safety of the public as well as ensuring supply lines and products remain open and available. Because of this, cyber-criminals may find these verticals attractive targets for ransomware demands, and nation-state actors may see opportunities for espionage due to potential ongoing vaccine and disease research. Additionally, the threat from ransomware campaigns, often resulting in a data-breach situation, also remains elevated across all industries, as illustrated by the Maze Ransomware group discussed previously in this report.

City of Minneapolis Systems Temporarily Impacted by DDoS Attacks

On the morning of 28 May 2020, systems owned and operated by the City of Minneapolis (no further information) were unavailable and inoperable for several hours as a result of a distributed denial of service (DDoS) attack [23]. City officials claimed no evidence of data leak or compromise was evident.

Fidelis TRT Comments and Recommended Action: It is likely, although not confirmed, that the DDoS attack against municipal government systems in Minneapolis coincided with the ongoing protests and rioting since 25 May 2020. It was not specified which departments, services, or organizations within the City of Minneapolis government were targeted or impacted. Anti-police hacktivist campaigns have been common, yet relatively ineffective, for many years. Recent events related to the police killing of George Floyd may cause a temporary rise and resurgence in high-level (low complexity) cyber-attacks by hacktivists and sympathizers including DDoS, SQLi, and XSS attempts against law enforcement and municipal government sites, even outside of Minneapolis. Counter-protest may target websites of activist groups as well. Cyber-criminals may even use recent events as a reason or excuse for ransomware attacks against government entities in the near term.


References

1. https://fidelissecurity.com/threatgeek/threat-hunting/vulnerability-exploitation-trends-to-watch/
2. https://fidelissecurity.com/threatgeek/threat-detection-response/vulnerability-exploitation-trends-to-watch/
3. https://1984.sh/covid19-domains-feed.txt
4. https://twitter.com/FaLconIntel/status/1255492053204598784
5. https://twitter.com/FaLconIntel/status/1259835767733604353
6. https://twitter.com/nao_sec/status/1263752152255565830
7. https://twitter.com/nao_sec/status/1265653922011557888
8. https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-hits-los-angeles-county-city-leaks-files/
9. https://www.bleepingcomputer.com/news/security/toll-group-hit-by-ransomware-a-second-time-deliveries-affected/
10. https://www.tollgroup.com/toll-it-systems-updates
11. https://www.bleepingcomputer.com/news/security/large-scale-snake-ransomware-campaign-targets-healthcare-more/
12. https://www.bleepingcomputer.com/news/security/snake-ransomware-leaks-patient-data-from-fresenius-medical-care/
13. https://www.cybersecurity-insiders.com/maze-ransomware-hits-bird-constriction-and-bouygues-construction/
14. https://nakedsecurity.sophos.com/2020/04/20/maze-ransomware-hits-us-giant-cognizant/
15. https://www.bluvector.io/threat-report-maze-ransomware/
16. https://www.zdnet.com/article/darkhotel-hackers-use-vpn-zero-day-to-compromise-chinese-government-agencies/
17. https://blogs.jpcert.or.jp/en/2020/04/ie-firefox-0day.html
18. https://blogs.360.cn/post/apt-c-06_0day.html
19. https://twitter.com/RedDrip7/status/1261114030262894592
20. https://twitter.com/cyberwar_15/status/1254740042280349696
21. https://twitter.com/Timele9527/status/1253941585026314240
22. https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2196511/exim-mail-transfer-agent-actively-exploited-by-russian-gru-cyber-actors/
23. https://thehill.com/policy/cybersecurity/500009-minneapolis-city-systems-temporarily-brought-down-by-

Fidelis Cybersecurity is a leading provider of threat detection, hunting and response solutions. Fidelis combats the full spectrum of cyber-crime, data theft and espionage by providing full visibility across hybrid cloud / on-prem environments, automating threat and data theft detection, empowering threat hunting and optimizing incident response with context, speed and accuracy.

By integrating bi-directional network traffic analysis across your cloud and internal networks with email, web, endpoint detection and response, and automated deception technology, the Fidelis Elevate™ platform captures rich metadata and content that enables real-time and retrospective analysis, giving security teams the platform to effectively hunt for threats in their environment. Fidelis solutions are delivered as standalone products, an integrated platform, or as a 24×7 Managed Detection and Response service that augments existing security operations and incident response capabilities. Fidelis is trusted by Global 1000s and Governments as their last line of defense. Get in the hunt. www.fidelissecurity.com
