Threat Intelligence Report
January 2020
In this issue
Hacktivist threats emerge amid Iranian crisis
Multiple vulnerabilities in Cisco Data Center Network Manager
Travelex Services crippled by ransomware attack
Targeted attack against Austrian foreign ministry
Message from Mark Hughes
2019 was a turbulent year with an unprecedented rise in attacks against private and public sector organizations of all sizes and industries, and 2020 shows no sign of slowing.
Security is improving every day as more organizations better understand the threats they face. However, with increased cyber/physical convergence and deployment of new technologies, new threats are continually emerging.
Many of the incidents last year could have been prevented by improving basic cyber security measures. Get these right and you make the job of the attacker much more difficult.
Mark Hughes Senior Vice President and General Manager of Security DXC Technology
About this report
Fusing a range of public and proprietary information feeds, including DXC’s global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness.
This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.
Intelligence cutoff date: 09 January 2020
Table of contents
Threat updates
• Hacktivist threats emerge amid Iranian crisis (Multi-industry), page 3
• REvil Ransomware targets unpatched VPN servers (Multi-industry), page 4
Vulnerability updates
• Multiple vulnerabilities in Cisco Data Center Network Manager (Multi-industry), page 4
• CVE-2019-19781 – Critical Citrix/Netscaler Vulnerability (Multi-industry), page 5
Incidents/breaches
• Travelex services crippled by ransomware attack (Finance/Currency Exchange), page 6
Nation State and Geopolitical
• Targeted attack against Austrian foreign ministry (Public Sector), page 7
Threat updates
Hacktivist threats emerge amid Iranian crisis
The U.S. Department of Homeland Security (DHS) has issued a terrorism advisory bulletin warning of cyber attacks following the death of Iran’s Islamic Revolutionary Guard Corps (IRGC) Quds Force Commander Qassem Soleimani in a January 2 drone strike.
Iran responded with missile strikes on U.S. military bases six days later, but Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency at DHS, said Jan. 18 that the threat alert remains active. While no cyber attacks have been reported, he said adversaries may be working on a cyber response, warning that “new access takes time.”
Impact
DXC Intelligence partners have observed specific threats of retaliation by nonstate Iranian cyber threat actors, including pro-IRGC hacktivists, and the defacement of several sites belonging to U.S.-based entities. While no specific, credible threat has yet been observed emanating from Iranian state-linked adversaries, it is likely that Iran will use a broad range of cyber capabilities against U.S. and allied interests in the wake of Soleimani’s death.
Threats have also been observed from Iranian cyber criminals. Criminal forums and discussion groups used by Iranian actors involved in ransomware and financial fraud campaigns shared a brief statement threatening U.S., Israeli and Saudi sites with defacement and calling for an increase in ransomware attacks.
This activity is expected to increase in the coming months.
DXC perspective
Iran has a long history of conducting large-scale cyber campaigns, and DXC considers it likely that these capabilities will be used in response to the recent escalation, most likely against government and critical infrastructure.
However, in addition to the threat from nation-state and state-backed threat actors, the death of Soleimani has caused significant anger in the civilian population, which is driving hacktivist and criminal attacks against private sector organizations with significant links to the United States and allied countries.
The majority of hacktivist attacks can be mitigated by improving basic security. By ensuring all internet-facing infrastructure is accounted for and included in vulnerability and patch management systems, organizations can avoid becoming easy targets.
Sources: DHS - https://www.dhs.gov/sites/default/files/ntas/alerts/20_0104_ntas_bulletin.pdf; TechCrunch - https://techcrunch.com/2020/01/06/homeland-security-iran-cyberattacks/
REvil Ransomware targets unpatched VPN servers
Cyber criminals using the REvil (Sodinokibi) ransomware are targeting unpatched Pulse VPN servers to gain a foothold in environments before installing ransomware.
Impact
The REvil ransomware strain that was targeting a vulnerability in Oracle WebLogic systems as an infection vector has been repurposed to target unpatched Pulse VPN servers.
The ransomware operators use a vulnerability made public April 24, 2019, to connect to remote networks before gaining administrative access and using administrative tools to spread around the network and deploy the ransomware.
There is no known publicly available decrypter for this strain of malware, and affected companies would need to recover from system backups.
DXC perspective
This updated campaign illustrates the tactical changes commonly made by criminal threat actors and the need for effective vulnerability management and patching regimens when combating these threats.
DXC recommends that all organizations maintain regular vulnerability scanning in concert with strict patching routines to ensure that known vulnerabilities are closed before criminals can use them to cause damage.
Source: ZDNet - https://www.zdnet.com/article/vpn-warning-revil-ransomware-targets-unpatched-pulse-secure-vpn-servers/
Vulnerability Updates
Multiple Vulnerabilities in Cisco Data Center Network Manager
Cisco published six advisories to address 12 vulnerabilities in its Data Center Network Manager (DCNM) system on January 2. Of these 12 vulnerabilities, three were given “critical” severity ratings, seven were classified as “high” severity, and two were identified as “medium.”
Impact
DCNM is the management system for Cisco’s Unified Fabric and provides dashboard capabilities for data center operators to provision, manage and maintain network infrastructure.
Sidebar: April 2019 – First appearance of REvil (Sodinokibi) ransomware. $11.5B – Estimated value of ransoms paid to cybercriminals in 2019. 365% – Increase in ransomware detections against businesses 2018-19.
Three of the vulnerabilities were categorized as critical, scoring 9.8 on the 10-point Common Vulnerability Scoring System (CVSS), and could allow a remote attacker to bypass authentication and gain administrative privileges on affected systems.
• CVE-2019-15975 – Affects the REST API endpoint
• CVE-2019-15976 – Affects the SOAP API endpoint
• CVE-2019-15977 – Affects the DCNM web-based management interface. This vulnerability is related to hard-coded authentication credentials within the application.
Of the seven high-severity vulnerabilities, three were identified as path traversal vulnerabilities, two were listed as SQL injection vulnerabilities, and two were listed as command injection vulnerabilities. The two medium vulnerabilities were identified as read-access and unauthorized-access vulnerabilities.
Neither Cisco nor DXC has seen evidence that these vulnerabilities are being actively exploited at this time.
DXC perspective
There are no workarounds for these vulnerabilities, and the patches should be applied immediately. Waiting for scheduled updates is not recommended.
Source: Cisco –
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-auth-bypass
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-sql-inject
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-path-trav
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-comm-inject
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-xml-ext-entity
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-unauth-access
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass
CVE-2019-19781 – Critical Citrix/Netscaler vulnerability
A critical vulnerability in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway), tracked as CVE-2019-19781, could be exploited by attackers to access company networks.
It has been estimated that 80,000 companies in 158 countries are potentially at risk, most of them in the United States (38%), followed by the United Kingdom, Germany, the Netherlands and Australia.
Impact
If exploited, the vulnerability could allow an attacker direct access to the company’s internal networks from the internet.
The vulnerability affects all supported versions of the product and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5.
The attack does not require authentication credentials and could therefore be triggered by any external attacker.
Citrix has released advice to mitigate the flaw and recommends that all users update all vulnerable software versions.
DXC perspective
Customers should immediately implement the mitigation advice from Citrix and upgrade vulnerable appliances with updated versions of the firmware. Details on the final fixes for CVE-2019-19781 can be found here: https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/
Source: Citrix – https://support.citrix.com/article/CTX267027; https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/
Incidents/breaches
Travelex services crippled by ransomware attack
Sodinokibi ransomware infected Travelex systems, encrypting critical business files on December 31 and prompting the company to take its systems offline.
Impact
Since taking systems offline, Travelex customers have been unable to use web services or the mobile application for transactions or to make card payments at any Travelex stores globally.
In addition to a reported $3 million ransom being demanded, the attackers claim to have copied over 5 gigabytes of customer data, including dates of birth, Social Security numbers, card information and other data, and say the data will be published on the internet if Travelex fails to pay.
The incident is ongoing at the time of this writing and has been linked to the updated REvil campaign reported earlier in this update.
DXC perspective
The ransomware trend of recent years shows little sign of subsiding in the foreseeable future, with cyber criminals continuing to profit at the expense of ill-prepared companies.
Sidebar: $3.92M – Average cost of a data breach in 2019.
The United Kingdom’s National Crime Agency (NCA) and the U.S. Federal Bureau of Investigation (FBI) both advise not to pay ransoms, as it encourages attackers to continue such campaigns and there is no guarantee a decryption key will be supplied or that it will work.
The final decision on whether to pay or not can be difficult when the organization is facing crippled IT infrastructure and concerned shareholders. The opportunity to recover quickly and get the business functioning again can be irresistible, even when there is a chance the gamble may not pay off.
Whether the ransom is paid or not, it is essential that targeted organizations recover in a controlled way, removing the ransomware infection from the environment and putting measures in place to prevent repeat attacks.
Both technical solutions and staff training measures should be employed to block phishing attacks, and vulnerability management and patching regimes must be enacted to counter exploitation of known security vulnerabilities. Endpoint security measures should be employed to detect and prevent infection through web browsing activities.
Source: Bleeping Computer - https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/
Nation State and Geopolitical
Targeted attack against Austrian foreign ministry
A press release from the Austrian Ministry of the Interior and the Austrian Foreign Ministry on January 4 reported the discovery of a targeted cyber attack against the foreign ministry’s computer systems in Vienna.
The release states that the activity is similar to attacks seen against other European countries and suggests a nation state threat actor may be responsible.
Impact
Foreign ministries are a natural target for espionage-focused nation state activities, and other European countries have been targeted in recent years.
DXC perspective
Russian state actors are known to have been particularly active against European government entities in recent years, with several high-profile attacks attributed to them. However, from the limited information available it is not possible to attribute the current attack in Vienna to any particular state or group.
Source: BBC - https://www.bbc.co.uk/news/world-europe-50997773
Other news
• Cyber attack hits Las Vegas during CES show - https://www.trustedreviews.com/news/cyber-attack-las-vegas-ces-3968075
• Early signs of cyber attacks against Tokyo 2020 Olympic games - https://www.cpomagazine.com/cyber-security/state-backed-cyber-attacks-expected-at-tokyo-2020-games/
• Oddly specific cyber attack targets Alaskan airline Ravn Air - https://www.theregister.co.uk/2020/01/02/ravnair_ransomware_dhc_dash_8/
• Microsoft phishing scam exploits Iran cyber attack scare - https://www.bleepingcomputer.com/news/security/microsoft-phishing-scam-exploits-iran-cyberattack-scare/
• German bicycle manufacturer targeted by cyber criminals - https://www.securitymagazine.com/articles/91507-german-bicycle-manufacturer-targeted-by-cyberattack
Learn more
Thank you for reading the Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security.
DXC in Security
Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,500+ experts and a global network of security operations centers.
DXC provides solutions tailored to our clients’ diverse security needs, with areas of specialization in Intelligent Security Operations, Identity and Access Management, Data Protection and Privacy, Security Risk Management, and Infrastructure and Endpoint Security. Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.
Stay current on the latest threats at www.dxc.technology/threats
Get the insights that matter. www.dxc.technology/optin
About DXC Technology
DXC Technology (NYSE: DXC) helps global companies run their mission critical systems and operations while modernizing IT, optimizing data architectures, and ensuring security and scalability across public, private and hybrid clouds. With decades of driving innovation, the world’s largest companies trust DXC to deploy our enterprise technology stack to deliver new levels of performance, competitiveness and customer experiences. Learn more about the DXC story and our focus on people, customers and operational execution at www.dxc.technology.
©2020 DXC Technology Company. All rights reserved. January 2020