Threat Intelligence Report

Threat Intelligence Report

October 2019 Threat Intelligence Report - MAN - UFACTUR ING/PUBLIC SECTOR IN THIS ISSUE • October is Cyber Security Awareness Month • Ecuador suffers massive data breach • Emotet returns after 4-month break • Campaign targets U.S. taxpayers • APT33 targets aerospace and energy sectors October 2019 About this report Fusing a range of public and proprietary information feeds, including DXC’s global network of Mark Hughes security operations centers and Senior Vice President and General Manager of Security cyber intelligence services, this DXC Technology report delivers a overview of major October is Cyber Security Awareness Month and the perfect time to assess the threat to incidents, insights into key trends your enterprise and the motivations of attackers. This month saw the return of Emotet and strategic threat awareness. after four months of inactivity, a new ransomware strain targeting enterprises, and new phishing campaigns that target enterprises and users globally. Data security also fea- This report is a part of tures prominently this month as Ecuador investigates an unsecured database containing DXC Labs | Security, which provides the personal details of over 20 million citizens. Read more in this month’s report. insights and thought leadership to the security industry. Table of Contents Cyber Security Awareness Month: Know your Multi-industry Intelligence cutoff date: Threat attackers 26 September 2019 updates Emotet returns after 4-month break Multi-industry TFlower ransomware poses new threat to enterprises Multi-industry Campaign targets U.S. taxpayers Multi-industry Cross-platform Glupteba malware adds worm Multi-industry capability PsiXBot hides command and control name resolution Media/ Entertainment in HTTPS Vulnerability Critical vulnerability in Exim mail server Multi-industry updates Updates released to counter critical vulnerabilities in Multi-industry Google Chrome and Microsoft Internet Explorer Multi-industry Exploit code released for BlueKeep vulnerability LastPass Password manager leaks credentials Multi-industry U.S. government contractor Miracle Systems Defense Incidents/ potentially breached Breaches Ecuador citizens data exposed in unsecured database Public Sector, Technology Ransomware attacks disrupt 49 U.S. school districts Public Sector and educational institutions French authorities dismantle global botnet Multi-industry Nation state Asian telecommunications companies targeted by Technology and & geopolitical Chinese-linked threat actors Communications updates Iranian-linked threat actors target energy and Defense 2 aerospace sectors October 2019 Threat updates Cyber Security Awareness Month: Know your attackers The key to being cyber aware is understanding the motivations and tactics of your attackers. To mark Cyber Security Awareness Month, DXC focuses on the five primary types of cyber attackers: nation-state, cybercriminals, hacktivists, lone-wolf hackers and insider threats. Nation-state attackers: These state-backed cyber criminals typically are focused on trying to project power in a region or gain an economic or political advantage over a rival. Their activities range from traditional espionage to disrupting adversaries by leaking confidential data. Nation-states are often associated with advanced persistent threats (APTs), in which an attacker gains access to a system and remains undetected for an extended period. These groups typically use the most sophisticated techniques. One of the most infamous nation- state hacking groups is Russian-backed APT28, also known as Strontium or Fancy Bear, which was recently observed exploiting internet of things (IoT) devices, including a VOIP 8,000 phone, an office printer and a video decoder. Microsoft enterprise customers targeted or compromised by nation- Nation-state activity is increasing around the globe. New reports accuse the Chinese state attacks in 2019 government of intrusions into telecommunications networks to track Asian dissidents, and Iran is likely to ramp up its cyber espionage efforts against Saudi Arabia and the United States. Government agencies, defense contractors and critical infrastructure are key potential targets. Cyber criminal groups: Cyber criminal groups, motivated by financial gain, have shifted from targeting end users to more sophisticated big game hunting, with large corporations and government agencies as their targets. The public sector has become a major target. Over the past 6 months, cyber criminal campaigns used ransomware to lock down city government services in five U.S. states, plus 23 Texas towns, and 500 schools and colleges. Notorious payment-card skimming family Magecart is also acting opportunistically. Employing a new tactic, Magecart bots recently infected 17,000 websites by exploiting 78 days improperly configured Amazon Cloud S3 buckets to steal card information. Global median time to detect a These types of threats underscore the need for rigorous cyber defenses as well as a plan breach in 2019 for how to respond and recover — or whether to pay or not pay the ransom. Hacktivists: Hacktivists are politically motivated, ideology-driven actors. One well-known hacktivist group, Anonymous, first made headlines when it retaliated against the Church of Scientology’s perceived internet censorship using distributed denial-of-service (DDOS), spamming and other attacks. Increasingly, social media is the target, as evidenced by the account takeover of Twitter cofounder Jack Dorsey — crusader against online hate groups — which was used to send out pro-Nazi tweets. Even law enforcement is not immune, with London’s Metropolitan Police Twitter account sending out a series of bizarre and profane messages in July. 3 October 2019 Hacktivists typically have lower levels of technical sophistication, and social media accounts offer a soft target that allows them to project their disruptive efforts to a wide audience. Organizations should carefully consider security basics around corporate social media platforms, including monitoring, auditing and requirements for complex passwords and multifactor authentication. Lone-wolf hackers: Not part of an organized crime group, lone-wolf hackers are often opportunists motivated by financial gain. In some cases, lone-wolf hackers can grow their ranks quickly. In addition to the two lone wolves arrested for the TalkTalk hack of nearly 160,000 customer accounts, authorities suspected that at least 10 more individuals were involved in the scheme to extort the company’s CEO. Lone-wolf hackers are more likely to target smaller organizations, public agencies and NGOs. Their aim is usually to gain access to data that can be sold on the dark web or 184% sensitive or embarrassing data that can be used for extortion. Increase in average ransom pay- ment in Q2 2019 Insider threats Unlike organized cyber crime groups, malicious insiders often operate on a small scale, looking for opportunities for personal gain, or for retribution against a real or perceived slight by their employer. The prospect of monetary gain drives many insider threats with opportunities to embezzle or sell stolen proprietary information. For example, a disgruntled IT engineer at Scale AI hacked the company network and made hundreds of small fraudulent payments into PayPal accounts before getting caught. In 2018, Tesla CEO Elon Musk announced that an insider exported large amounts of highly sensitive Tesla data to unknown third parties. Another potential motivator for insiders is whistleblowing. Disenfranchised workers can do Group 4 significant reputation damage by publicly exposing what they consider to be unethical practices, even if the accusations later prove to be unfounded. Groups 1 and 2 Insider threats are among the most complex to detect and prevent. A maliciously motivated insider often has intimate knowledge of the company’s internal network and Group 5 security configurations, as well as the requisite skills to operate bespoke tooling. Preventing such attacks requires a layered approach and mature security architecture. AI-powered endpoint protection and user-behavior analytics within the SIEM can help Group 6 identify malicious actions, such as the clearing of audit logs, suspicious access of materials or access of systems at unusual times. Further, privileged users should be audited more frequently and thoroughly. Group 11 Emotet returns after 4-month break Emotet spam campaigns have returned after a four-month period of inactivity with a new malspam campaign.. Group 12 On September 16, Malwarebytes and Spamhaus spotted a series of new spam emails written in Italian, Polish and German that contained a document-themed lure in the form of either a malicious attachment or links to malicious documents online. This was followed approximately 24 hours later by English-language phishing messages with a subject line containing the phrase “Payment Remittance Advice.” 4 October 2019 Known Emotet Spreader Modules This latest wave of phishing messages targeted domains across a range of countries NetPass including Argentina, Germany, the United States and the United Kingdom. Recovers all network passwords stored on a system for the logged-on user. Impact Outlook Scraper Possibly the biggest threat posed by Emotet is that it can be used as a delivery vector for Scrapes names, dates, email addresses more dangerous payloads. Emotet Trojans have been partnered with TrickBot and Ryuk and email bodies from Outlook accounts. Information found in the email account is ransomware strains to create a combination that

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    12 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us