Threat Intelligence Report

June 2019

- MAN - UFACTUR ING/PUBLIC SECTOR

IN THIS ISSUE • New supply chain threats • Ransomware exploits Oracle WebLogic • Hacktivism on the rise • WhatsApp risks to mobile devices • New Lazarus Trojan discovered June 2019

About this report Supply chain vulnerabilities expose critical assets Fusing a range of public and proprietary information feeds, including DXC’s global network of security operations centers and cyber intelligence services, this Mark Hughes report delivers a overview of major Senior Vice President and General Manager of Security incidents, insights into key trends DXC Technology and strategic threat awareness. We’ve seen another active month with third-party security risks playing a role in major breaches, meaning it is more critical than ever to understand supply chain exposure. This report is a part of Ransomware continues to be a growing threat, with an increasing number of attacks DXC Labs | Security, which provides against enterprise environments, often referred to as big game hunting. insights and thought leadership to the security industry. Hacktivist groups are also very active, but the good news is these attacks are becoming Intelligence cutoff date: less effective where proper security controls are in place. I encourage you to read more May 24, 2019 about the latest threats.

Table of Contents Threat New ransomware variant exploits Oracle Web- Multi-industry updates Logic vulnerability

Hacktivism increases in the first quarter of 2019 Public Sector, but is less effective Healthcare, Educa- tion E-commerce attacks more valuable than ever Retail

Nation state Advanced supply-chain attacks attributed to Multi-industry & geopolitical Chinese group dubbed Barium updates Lazarus group develops new Trojan malware Public Sector Manu- dubbed ELECTRICFISH facturing, Technolo- gy & Research Vulnerability WhatsApp vulnerability leads to compromise of Multi-industry updates mobile devices in highly targeted attack

50,000 enterprises may be at risk to potential Multi-industry SAP software vulnerabilities

Incidents/ MIRRORTHIEF targets 201 online campus stores Retail Breaches with card-skimming attack Multi-industry Possible MegaCortex ransomware attack disrupts accounting software provider Wolters Kluwer Multi-industry CITYCOMP breach exposes financial data of numerous enterprises June 2019

Attack Threat updates motivations New ransomware variant exploits Oracle WebLogic vulnerability Attackers are using vulnerability CVE-2019-2725 to facilitate the spread of a new ransomware 81% variant dubbed Sodinokibi. Cybercrime

Impact 14% The critical vulnerability affects Oracle WebLogic servers, used for building and deploying en- Espionage terprise applications, allows for unauthenticated remote code execution. Attackers require no user interaction to deploy the ransomware. Once installed, the ransomware instructs victims to 3% transfer bitcoin to a specified address in return for the decryptor. Cyberwarfare

Notable features of the ransomware include the use of vssadmin.exe to delete automatic sys- 1% tem backups and attackers that follow up the Sodinokibi deployment with attempts to infect Hacktivism the same target with GandCrab ransomware. Industries and organizations targeted remain

Source: Hackmageddon out of the public domain, although Cisco Talos suggests there have been numerous victims. Source: Threatpost, Cisco Talos

DXC perspective Organizations using Oracle WebLogic are urgently encouraged to patch servers. The flaw was not patched in the standard quarterly update in April.

Hacktivism increases in first quarter of 2019 Prominent hacktivist collectives such as Anonymous, LulzSec and various newer groups continue to use relatively low-skill attack vectors — such as distributed denial of service (DDoS), website defacement, and exploitation of misconfigured databases — to gain attention and Most targeted support their various ideologies and causes. industries Impact 1. Multi-industry attacks Attack success rates vary, typically in relation to the cyber defense maturity of the targeted organization. Recent successes have been seen against government departments in Africa, 2. Public Sector where Ghost Squad Hackers continued a campaign against the Sudanese government. In 3. Communications, early April, Ghost Squad and others claimed to be launching DDoS attacks against 260 do- Entertainment & Tech mains a day, leading up to the removal of the autocratic president Omar al-Bashir. Anony- 4. Health & Life Sciences mous launched similar attacks on departments of the Zimbabwe government in late 2018.

5. Banking & Capital Other hacktivist collectives, particularly those operating in high-income countries, have Markets reportedly had more difficultly when targeting government and media interests. Many groups now focus on low-hanging fruit, such as government subsections or universities. Source: Wired

DXC perspective Hacktivist campaigns will continue targeting multiple industry verticals with public sector, energy, education and healthcare at heightened risk. The attackers typically will be motivated by political, social and environmental issues.

Faced with maturing cyber defenses, hacktivists may seek to increase social engineering activities and use novel methods to disrupt targets. Misinformation campaigns, aimed at dam- aging a target’s “brand,” could further provide hacktivists opportunities to cause 3 disruption outside of the scope of traditional cyber defenses. June 2019

E-commerce attacks more valuable than ever Payment card information stolen from online stores is increasing in value as demand for card verification value (CVV) numbers is outstripping supply.

Impact CVV resale prices have now risen to match those of cloned payment cards used at physical point-of-sale (POS) terminals.

Previously, data stolen with “card present” — where criminals create physical clones of cards — was considerably more valuable than cards used only online. POS card clones were $15 to $20 a card, whereas CVVs ranged from $2 to $8.

However, recent monitoring of dark web marketplaces shows CVVs are now as valuable as POS Barium APT data sets. A single CVV will routinely cost in excess of $20. The principal drivers for this dymanic Who are they? are likely an increased demand for stolen card data on the dark web and increased difficulty in • Advanced adversary that uses cloning physical cards due to wider chip-and-pin adoption in G20 nations. supply chain compromise to enable Source: Gemini Advisory highly focused targeting. Also known as Wicked Panda or Shad- DXC perspective owHammer. This situation may partly explain the increased prevelance of attacks on e-commerce sites in Where do they operate? the last 12 months, with a number of prominent card-skimming campaigns hitting online stores • Intelligence and analysis suggest across various industries. they are likely Chinese-speaking. They target globally. Nation state and geopolitical updates What do they want? • Barium appears to focus on target- Advanced supply chain attacks attributed to Chinese group ed espionage, most likely in support dubbed Barium of Chinese strategic goals. Intellec- The group is believed to be responsible for the significant breaches of ASUS in March 2019 and tual property, sensitive government Avast’s CCleaner software, affecting 500,000 and 700,000, respectively. documents and research are likely objectives. Impact Barium uses supply chain attacks to compromise hosts en masse, but actively exploits only a Do they work alone? small number of preselected targets. Of the half-million devices implicated in the ASUS breach, • Probably not. They have links to the malware activated on only 600, based on predefined MAC addresses written into the exploit state-sponsored Chinese group APT code. Similarly, only 70 of those compromised by CCleaner saw secondary spyware down- 17 and potentially cybercriminal loads. group Winniti. How can I stop them? Features • Defense in depth and mature tech- The group typically exploits trusted models to deploy malware. Notably, it compromises update nology solutions are required. Fun- servers of suppliers and uses them to push out malicious payloads under the guise of being damental security solutions include legitimate updates. The group’s access to the suppliers enables it to use genuine signatures and understanding your supply chain certificates, making detection early in the kill chain extremely challenging. Evidence suggests risk and effective mailbox, endpoint Barium also links supply chain attacks to gain deeper or more advantageous access. The com- and network protections. promise of CCleaner, for example, was used to target ASUS.

Though Barium’s ability to compromise major software and hardware suppliers has given it access to more than a million devices, the group appears to show little interest in destructive actions. Instead, it focuses on highly targeted espionage operations. Its targets are not known, but intelligence points toward the group being aligned with Chinese state interests. Barium may 4 also operate as part of a wider collective of advanced adversaries. Its code shares June 2019

fingerprints with code previously used by the state-sponsored Chinese group APT 17, and it shares tooling with cybercriminal group Winnti. Source: Kaspersky, Wired

DXC perspective Barium poses a serious and credible risk to public sector, research and technology enterprises holding intellectual property that would be advantageous to Chinese strategic aims. It also poses a serious threat to suppliers of hardware and software, which it will seek to compromise to gain access to their true targets.

For the true target, preventing Barium from gaining initial access may prove challenging. Through compromise of supply chains, the group can package its well-obfuscated malicious payloads within legitimate activities and with genuine certificates.

More crucial is the ability to detect and disrupt malicious activity within your networks at the earliest opportunity. Next-generation endpoint detection systems, well-configured security information and event management (SIEM) and user-entity-behavior analytics can assist in detection. Diligent privilege and account management, coupled with network segmentation, is an effective method of disrupting adversaries in their efforts to navigate internal networks to obtain sensitive information.

Lazarus group develops new Trojan malware dubbed ELECTRICFISH Though best-known for attacks aimed at financial gain, Lazarus retains its capability to con- Though best known for financially duct advanced espionage operations. Its latest backdoor Trojan, ELECTRICFISH, was discov- motivated attacks, Lazarus has devel- ered following joint work of the U.S. Department of Homeland Security and the Federal Bureau oped capabilities to conduct sophisti- of Investigation. cated espionage. Impact The malware is predominately an application to tunnel traffic between a specified source and a destination IP address. It uses a custom protocol to tunnel traffic and continuously attempts to reach out from both the source and the destination systems, allowing either side to initiate a tunneling session.

The malware can be configured with a proxy server/port and proxy username and password, which allows the adversary to bypass the compromised system’s required authentication to reach outside of the network. Indicators of compromise are available. Source: US Cert

DXC perspective Lazarus is likely to target organizations that hold information that may aid North Korean strategic interests. This may include public sector organizations in North America, Europe and the Asia-Pacific region, and global manufacturing, technology and research organizations.

Although this spyware appears to hold greatest utility in espionage operations, Lazarus has traditionally been oriented toward financial gain. It remains possible this tooling could be used to support data-theft-for-ransom attacks. This risk will heighten should the economic situation in North Korea continue to degrade.

5 June 2019

Vulnerability updates WhatsApp vulnerability leads to compromise of mobile devices in highly targeted attack WhatsApp pushed an update to its 1.5 billion users after it became aware of a buffer over- Prominent ransomeware (2019) flow vulnerability that allowed the installation of spyware on mobile devices. LockerGaga Impact • Targeted manufacturing and The vulnerability exists in the WhatsApp voice over IP (VoIP) stack and allows remote code industrial enterprises. Operated by execution via a specially crafted series of Secure Real-time Transport Control Protocol an advanced actor that combined (SRTCP) packets sent to a target phone. Threat actors have already exploited the flaw to automated and manual techniques install spyware on devices without the need for user interaction. It is widely reported that to maximize infection scale. various journalists, NGOs and human rights activists were principal targets in this cam- Ryuk paign. • Initially thought to be a revised Her- mes ransomware strain, operated The exploit was reportedly developed by the Israeli technology company NSO Group. The by a North Korean group. However, NSO Group is believed to supply spyware techonology to a range of governments globally. new intelligence suggests it is oper- The NSO Group says it doesn’t operate any of the tools it develops. ated by a prominent Russian cyber Source: ArsTechnica, Infosecurity Magazine criminal. Targets enterprise-scale organizations using Emotet for DXC perspective initial access. Exploitation of this vulnerability has been highly targeted to date. However, the WhatsApp PewCryp security update could be reverse engineered, putting exploits into the hands of more adver- • Bizarrely does not require a finan- saries. cial ransom, rather wanting victims to subscribe to YouTuber PewDiePie Organizations should ensure that staff are using the latest WhatsApp version on both work in order to receive a decryptor. and personal devices to mitigate the risk of this exploit. Distributed via spam. 50,000 enterprises may be at risk to potential SAP Katyusha software vulnerabilities • First appeared in late 2017 and Potential vulnerabilities in some SAP software leave enterprises exposed, according to uses the EternalBlue and Dou- Onapsis Research Labs. blePulsar exploits to propagate. Primarily delivered via spam. Impact GandCrab An exploit tool called “10KBLAZE” utilizes errors in SAP NetWeaver configurations to gain • Widely seen in 2018, with its unrestricted access to SAP systems. . As well as data theft and destruction, attackers could ransomware-as-a-service model manipulate transaction data by creating vendors, releasing shipments and making fraudu- popular with cybercriminals. Still a lent payments. It is estimated that 50,000 enterprises may be affected by this vulnerability. principal threat in 2019. Bitdefender Source: SAP, Reuters has recently released an updated decryptor. DXC perspective Adversaries will quickly look to identify and exploit this vulnerability, and exploit source code is already available. SAP recommends that organizations comply with SAP Security Notes #821875, #1408081 and #1421005. SAP’s patch for this vulnerability should be applied as a critical priority.

6 June 2019

Incidents and breaches Mirrorthief targets 201 online campus stores with card-skimming attack TrendMicro reported that the Mirrorthief group’s latest round of card-skimming attacks, a tactic often referred to by the umbrella term “Magecart,” has affected 201 campus e-commerce stores.

Impact As with previous Magecart incidents, payment card data was copied and exfiltrated to a malicious server at the point of user entry to the payment page. Mirrorthief compromised PrismWeb, the e-commerce platform used by the stores, to inject its malicious code. Victim numbers remain unknown. Source: TrendMicro

DXC perspective Third-party contributor or supplier compromise remains a highly effective way for adversaries to inject skimming code into an array of stores by simply compromising a single platform. The enduring success of this model will likely see it increase in prevalence. The security of third-party contributors is integral to the security of an e-commerce platform. Organizations should include third-party security considerations within their wider security architecture.

Possible MegaCortex ransomware attack disrupts accounting software provider Wolters Kluwer Access to software giant Wolters Kluwer’s CCH Axcess product, a cloud-based tax prepa- ration, compliance and workflow management solution, was disrupted in early May due to what the organization initially described as “technical anomalies.” Though it ultimately admitted experienceing a malware incident, Wolters Kluwer stressed that no sensitive data had been stolen and customers had not been otherwise affected.

Impact Although formal details of the malware are not in the public domain, intelligence suggests the company suffered a MegaCortex ransomware attack. MegaCortex, much like other prominent malware types such as Ryuk and LockerGoga, leverages both automated scripts and manual activity to maximize the number of victims and scale of infection. There is some suggestion that MegaCortex may use the Emotet or Qbot malware to aid in gaining initial network access, a tactic not uncommon in ransomware aimed at enterprise-level targets.

The similarities between MegaCortex and other prominent ransomware families go further. At least one command-and-control (C2) address is shared and the list of processes and services in the batch file is nearly identical to LockerGoga infections. Source: SecurityWeek, Sophos

DXC perspective Ransomware targeted at enterprise environments is a growing trend dubbed “big game hunting.” Adversaries typically infect en masse using automated vectors, often using Trojan malware delivered by spam or drive-by download, and then laterally move through 7 networks to compromise domain controllers using manual techniques. Once domain con- June 2019

trollers are accessed, the ransomware binaries can be pushed out to the network, maxi- mizing the scale of infection.

The best defense for enterprises is preventing initial compromise through mailbox filtering, perimeter defenses and endpoint security solutions. Next-generation endpoint security and SIEM can also detect suspicious internal actions prior to the ransomware binaries being pushed out by domain controllers, thereby increasing the organization’s ability to disrupt adversaries early in the kill chain.

CITYCOMP breach exposes financial data of numerous enterprises CITYCOMP, an IT supplier to multiple blue chip organizations, suffered a significant data-theft-for-ransom attack in late April. Details of how the attackers gained access to CITYCOMP are not in the public domain at this time.

Impact The attackers stole significant amounts of data pertaining to key clients, including Oracle, Toshiba, Volkswagen and Airbus. The attackers attempted to extort CITYCOMP by threatening to release the data if a ransom was not paid. When CITYCOMP did not comply, the data was released to the dark web. Source: Sophos

DXC perspective Ransomware is only one type of extortion attack. Data theft for ransom remains a credible threat, often proving more lucrative for attackers than data theft for resale.

Learn more Thank you for reading the Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security:

DXC Labs | Security

DXC Labs delivers thought leadership technology prototypes to enable enterprises to thrive in the digital age.

DXC Labs | Security brings together our world-class advisors to develop strategic and architectural insights to reduce digital risk. DXC’s Cyber Reference Architecture is at the heart of our research, providing clients with detailed guidance on methods to efficiently resolve the most challenging security problems. We help clients minimize risk while taking maximum advantage of the digital commons.

Lean more at www.dxc.technology/securitylabs June 2019

DXC in Security Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,500+ experts and a global network of security operations centers.

DXC provides solutions tailored to our clients’ diverse security needs, with areas of spe- cialization in Intelligent Security Operations, Identity and Access Management, Data Pro- tection and Privacy, Security Risk Management, and Infrastructure and Endpoint Security. Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.

Stay current on the latest threats www.dxc.technology/threats

About DXC Technology As the world’s leading independent, end-to-end IT services company, DXC Technology (NYSE: DXC) leads digital transformations for clients by modernizing and integrating their mainstream IT, and by deploying digital solutions at scale to produce better business outcomes. The company’s technology independence, global talent, and extensive partner network enable 6,000 private and public-sector clients in 70 countries to thrive on change. DXC is a recognized leader in corporate responsibility. For more information, visit www.dxc.technology and explore thrive.dxc.technology, DXC’s digital destination for changemakers and innovators.