Security Threat Intelligence Report
June 2020

In this issue

COVID-19 Themed Phishing Campaigns Adjust Tactics

Vulnerability in DNS Protocol Could Result in DDoS Condition

UK Budget Airline Breach Exposes Data on 9 Million Customers

U.S. NSA Warns that Russian Government Groups Are Exploiting Exim Mail Server Vulnerability


Message from Mark Hughes

As the world gradually lifts pandemic-related restrictions, it is clear COVID-19 has changed the way we work, shop and socialize, and these changes have created new and lucrative targets. Attackers launched numerous COVID-themed campaigns in the first quarter of 2020, but as success rates have fallen, they're turning to more subtle phishing lures. Employing strong endpoint security, remote access solutions and security monitoring is essential in this threat climate.

Mark Hughes
Senior Vice President and General Manager of Security
DXC Technology

About this report

Fusing a range of public and proprietary information feeds, including DXC's global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness. This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.

Intelligence cutoff date: May 30, 2020

Table of contents

Threat Updates
COVID-19 themed phishing campaigns adjust tactics (Multi-industry), page 3
Reports of PowerPoint macros being used to deliver AgentTesla (Multi-industry), page 4
EKANS ransomware targets healthcare, financial and engineering sectors (Multi-industry), page 4

Vulnerability Updates
NXNSAttack vulnerability in DNS protocol could result in DDoS condition (Multi-industry), page 6
StrandHogg 2.0 vulnerability impacting Android operating systems (Multi-industry), page 7

Incidents/breaches
UK budget airline breach exposes data on 9 million customers (Aviation), page 8
Mercedes-Benz onboard logic unit source code leaked (Automotive), page 9

Nation State and Geopolitical
U.S. NSA warns of Russian government groups exploiting Exim mail server vulnerability (Multi-industry), page 9


Threat Updates

COVID-19 themed phishing campaigns adjust tactics

Over the past 3 months, multiple criminal adversaries have repeatedly been observed using the coronavirus (COVID-19) as a theme for phishing campaigns. Malicious payloads have included a mixture of commodity malware and several variants of the leading commodity information stealers and remote access trojans, namely AgentTesla, LokiBot, NanoCore and FormBook.

A common tactic in recent campaigns has been to reference COVID-19 directly in the name of the malicious spam email file attachment, such as:

• COVID-19_UPDATE.jpg.lnk
• CoronaVirusSafetyMeasures_pdf.exe
• Coronavirus Disease (COVID-19) CURE.zip
• COVID-19 Communication to Corporate Clients.rar

The detection rate of such files over the past 3 weeks has fallen, which may indicate that this tactic is on the decline as intended victims become more aware of the threats associated with these files through online and media awareness campaigns.

Impact

A slight shift toward lure themes with less obvious COVID-19 references has been detected, including the use of more generic, business-related names for file attachments. For example, a popular technique is to use fake invoices and purchase orders with only a passing reference to the pandemic in the email body.

DXC perspective

This shift in social engineering techniques and themes does not reduce the threat from phishing emails, since the final payloads remain consistent. However, it does demonstrate the evolving nature of phishing attacks and the ability of adversaries to adapt quickly to regional and global events.

DXC recommends that all users remain vigilant about the threats posed by attachments, verify unexpected attachments with the purported sender before opening them, or pass them to security staff for examination in a controlled environment.

Source: CrowdStrike Intelligence


Reports of PowerPoint macros being used to deliver AgentTesla

In May 2020, industry researchers provided information about a campaign delivering AgentTesla via a malicious PowerPoint file. The only content the file is said to contain is a macro that connects to a server when the PowerPoint file is closed. The server responds to the request by sending encoded JavaScript (JS) in a file that downloads two further files, one of which is an AgentTesla executable.

Impact

AgentTesla is a Remote Access Trojan (RAT) strain of malware that is available for purchase on the digital black market. It was originally designed to log an infected user's keystrokes and clipboard and send them to a remote command and control (C2) server, but it has since evolved to include additional modules and services that attempt to collect extensive information, including details about FTP clients, web browsers, file downloaders, machine information (username, computer name, OS, CPU architecture, RAM) and wireless networks.

DXC perspective

The researchers did not provide much information about the specific campaign using this PowerPoint file, including its means of delivery, but AgentTesla has recently been observed being distributed through various coronavirus (COVID-19)-themed campaigns.

Organizations should consider the following:

• Block email attachments commonly associated with malware.
• Block email attachments that cannot be scanned by antivirus software.
• Implement email filtering at the mail gateway and block suspicious IP addresses at the firewall.
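The attachment names listed on the previous page and the two attachment-blocking recommendations above (they are repeated in the EKANS section that follows) describe a gateway policy. The block below is an added example of that policy in code; it is not from the report or any gateway product. It triages an attachment on its filename and, for zip-based containers (plain zip and OOXML Office files), on its content, catching deceptive double extensions, document-mimicking names such as `_pdf.exe`, executables inside archives, password-protected archives that antivirus cannot look into, and Office files carrying a VBA project. The block lists, the policy and the sample attachments are assumptions constructed for illustration; `build_zip` is a test fixture that only sets the encryption flag bit so a sample looks password-protected, it does not encrypt anything.

```python
"""Mail-gateway attachment triage (added example; not from the report or any
product). Block lists, sample attachments and the policy are assumptions."""
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed policy lists.
BLOCKED_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe",
               "wsf", "hta", "lnk", "ps1", "jar", "msi"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "jpg", "jpeg", "png", "txt"}
ZIP_CONTAINERS = {"zip", "docx", "docm", "xlsx", "xlsm", "pptx", "pptm"}  # OOXML is zip
NO_UNPACKER = {"rar", "7z", "ace", "iso", "img"}  # formats this gateway cannot open
LURE_RX = re.compile(r"covid|corona|invoice|purchase\s*order|remittance|payment", re.I)


@dataclass
class Verdict:
    filename: str
    action: str = "allow"                      # "allow" or "block"
    reasons: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


def _name_parts(path: str) -> List[str]:
    """'x/COVID-19_UPDATE.jpg.lnk' -> ['covid-19_update', 'jpg', 'lnk']"""
    return path.rsplit("/", 1)[-1].lower().split(".")


def _inspect_zip(data: bytes, v: Verdict) -> None:
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        v.reasons.append("declared zip/OOXML container is not parseable")
        return
    # General-purpose flag bit 0 marks an encrypted member: AV cannot look inside.
    if any(info.flag_bits & 0x1 for info in zf.infolist()):
        v.reasons.append("encrypted archive: content cannot be scanned")
    for member in zf.namelist():
        if member.lower().endswith("vbaproject.bin"):
            v.reasons.append("Office file carries a VBA project (macros)")
        inner = _name_parts(member)
        if len(inner) > 1 and inner[-1] in BLOCKED_EXT:
            v.reasons.append(f"archive contains executable content: {member}")


def triage(filename: str, data: bytes) -> Verdict:
    v = Verdict(filename)
    parts = _name_parts(filename)
    ext = parts[-1] if len(parts) > 1 else ""
    stem_tokens = set(re.split(r"[^a-z0-9]+", ".".join(parts[:-1])))

    if ext in BLOCKED_EXT:
        v.reasons.append(f"extension .{ext} is on the block list")
    if len(parts) > 2 and parts[-2] in DOC_EXT:
        v.reasons.append(f"deceptive double extension .{parts[-2]}.{ext}")
    elif ext in BLOCKED_EXT and stem_tokens & DOC_EXT:
        v.reasons.append("filename mimics a document type (the '_pdf.exe' trick)")
    if ext in NO_UNPACKER:
        v.reasons.append(f".{ext} archive cannot be scanned by this gateway")
    if ext in ZIP_CONTAINERS:
        _inspect_zip(data, v)
    if LURE_RX.search(filename):
        v.notes.append("lure keyword in filename; not a block reason on its own")
    if v.reasons:
        v.action = "block"
    return v


def build_zip(entries: Dict[str, bytes], encrypted: bool = False) -> bytes:
    """Test fixture only. With encrypted=True the encryption flag bit is set in
    the local and central headers so the archive looks password-protected to a
    scanner; the members are NOT actually encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = raw.find(sig)
            while i != -1:
                raw[i + flag_offset] |= 0x01
                i = raw.find(sig, i + 4)
    return bytes(raw)


if __name__ == "__main__":
    samples = {  # constructed, mirroring the names in the report
        "COVID-19_UPDATE.jpg.lnk": b"L\x00\x00\x00",
        "CoronaVirusSafetyMeasures_pdf.exe": b"MZ\x90\x00",
        "Coronavirus Disease (COVID-19) CURE.zip": build_zip({"CURE.exe": b"MZ"}),
        "COVID-19 Communication to Corporate Clients.rar": b"Rar!\x1a\x07\x00",
        "Invoice_4471.zip": build_zip({"Invoice_4471.pdf": b"%PDF-1.4"}, encrypted=True),
        "Q2_Update.pptm": build_zip({"[Content_Types].xml": b"<Types/>",
                                     "ppt/vbaProject.bin": b"\x00"}),
        "Purchase Order 8812.pdf": b"%PDF-1.4",
    }
    for name, data in samples.items():
        v = triage(name, data)
        print(f"{v.action:5s} {name}: {'; '.join(v.reasons + v.notes)}")
```

Two design points matter in practice. The lure keywords are recorded as a note rather than a block reason, because the report's own observation is that the lures are drifting to generic invoice and purchase-order names; a keyword match is a triage hint, not a verdict. And the container checks run on content, not on the declared extension alone, so a macro-bearing file or a password-protected zip is caught even when its name looks harmless.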

Source: SANS Internet Storm Centre

EKANS ransomware targets healthcare, financial and engineering sectors

Media reports in May 2020 indicated that several European entities have become victims of the EKANS ransomware, including a Germany-based healthcare organization, a financial services entity and a France-based engineering company.

Impact

It is not known at this time whether the actors have successfully exfiltrated victim data or are simply threatening to do so. (The current trend among ransomware operators is to use stolen data as leverage against the victim organization.)

• 37% increase in COVID-19-related enterprise mobile phishing in the first quarter of 2020
• $35 million estimated cost per unmitigated mobile phishing incident for enterprises with 10,000 devices
• COVID-19 mobile phishing attacks by industry: Hospitals 15.5%, Professional Services 14.9%, Financial Services 10%, Manufacturing 6.3%, Government 4.4%

(source: Lookout Security, Phishing Spotlight Report)


DXC perspective

EKANS was identified in January 2020 and has some distinctive capabilities, including the ability to terminate security software and industrial control system (ICS)-related processes.

While no significant changes to the ransomware have been reported since its discovery, there has been a significant change in the operators' tactics, which are now more in line with other big game hunting (BGH) ransomware operations. Ransom notes associated with recent EKANS infections threaten that if the victim does not make contact within 48 hours, or refuses to pay the ransom, data exfiltrated from the victim's network will be made public.

The threat from ransomware has grown consistently over the past few years and shows no sign of slowing down. As organizations and security professionals find ways to counter it, criminal actors find new ways to evade the protections and extort companies.

Both technical controls and staff training should be employed to block phishing attacks (a primary attack vector for ransomware), and vulnerability management and patching regimes must be in place to counter exploitation of known security vulnerabilities. Endpoint security measures should also be deployed to detect and prevent infection through web browsing.

Primary defenses against ransomware center on preventing it from infecting systems or spreading through the network. Organizations should:

• Educate users on spotting potential phishing emails and the dangers of clicking links and attachments in unsolicited emails.
• Block email attachments commonly associated with malware.
• Block email attachments that cannot be scanned by antivirus software.
• Implement email filtering at the mail gateway and block suspicious IP addresses at the firewall.
• Use multifactor authentication (MFA) on all remote access systems.
• Ensure that all server and endpoint software is maintained at a current level, including all relevant security software.

Source: CrowdStrike Intelligence


Vulnerability Updates

NXNSAttack vulnerability in DNS protocol could result in DDoS condition

A group of academic researchers has disclosed details of a vulnerability, dubbed NXNSAttack in media reports, in the DNS protocol. Recursive DNS resolvers from multiple vendors are reportedly affected.

Impact

The NXNSAttack vulnerability takes advantage of the way DNS recursive resolvers behave when they receive a referral response that lists nameservers by name but without their corresponding IP addresses (glue).

The number of DNS messages exchanged in a typical resolution process can in some circumstances be far higher in practice than is reasonably expected, because the resolver proactively resolves the IP addresses of every nameserver it was referred to. This inefficiency creates a bottleneck that can be used to launch a distributed denial-of-service (DDoS) attack against recursive resolvers and authoritative name servers.

The vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) IDs, depending on the vendor:

• CVE-2020-8616 (ISC BIND)
• CVE-2020-12662 (NLnet Labs Unbound)
• CVE-2020-12667 (CZ.NIC Knot Resolver)
• CVE-2020-10995 (PowerDNS Recursor)

It is likely that other CVEs will be announced as vendors continue to provide patches for this vulnerability.

DXC perspective

DDoS attacks have been around for a long time and are a common tactic used by hacktivist and unsophisticated criminal groups. The technique usually relies on the ability of a threat actor to direct large volumes of data at a target in an attempt to make it unavailable to legitimate users, often using criminal botnets to generate the required traffic.

The NXNSAttack technique described by the research team is reported to amplify a simple DNS query by a factor of between 2 and 1,620, creating a massive spike in traffic that can crash a victim DNS server without the need for a large-scale botnet.

Public reports speculate that exploitation of this vulnerability could lead to a "Mirai-scale disruption"; however, DXC has not observed any reports of threat actors exploiting the vulnerability in the wild.
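A toy model of the referral chase described above, added here as an illustration; it is not taken from the research paper, the report or any resolver's source. An attacker-controlled zone answers every query with a referral that names many nameservers under the victim's zone and carries no glue; a resolver that fetches an address for every such name sends two queries (A and AAAA) per name to the victim's authoritative server, so one client query fans out into 2N. The zone names, response shapes and the `max_ns_fetches` cap are assumptions; the cap stands in for the per-referral fetch limits that the patched resolvers introduced, each in its own form.

```python
"""Toy model of the NXNSAttack referral chase (added example; not from the
research paper, the report or any resolver's code). Zone names, response
shapes and the fetch cap are assumptions for illustration."""
from collections import Counter
from typing import Dict, Optional, Tuple

N_FAKE_NS = 100                   # nameserver names in the attacker's referral
ATTACKER_ZONE = "attacker.example"
VICTIM_ZONE = "victim.example"


def attacker_auth(qname: str, qtype: str) -> Dict:
    """Attacker-controlled authoritative server: every query gets a referral
    that names many nameservers inside the victim's zone and carries no glue."""
    return {"rcode": "NOERROR", "answer": None,
            "ns": [f"ns{i}.{VICTIM_ZONE}" for i in range(N_FAKE_NS)], "glue": {}}


def victim_auth(qname: str, qtype: str) -> Dict:
    """Victim's authoritative server: the fabricated names do not exist, but
    each lookup still costs it a query."""
    return {"rcode": "NXDOMAIN", "answer": None, "ns": [], "glue": {}}


AUTHORITATIVE = {ATTACKER_ZONE: attacker_auth, VICTIM_ZONE: victim_auth}


def zone_of(name: str) -> str:
    """'ns3.victim.example' -> 'victim.example' (two-label zones in this toy)."""
    return ".".join(name.split(".")[-2:])


class Resolver:
    """Minimal recursive resolver that counts the queries it sends per zone.
    max_ns_fetches=None models a pre-patch resolver that chases every glueless
    NS name in a referral; an integer caps how many it will look up, which is
    the shape of the mitigation the patched resolvers adopted (the exact number
    is an assumption here)."""

    def __init__(self, max_ns_fetches: Optional[int] = None):
        self.max_ns_fetches = max_ns_fetches
        self.sent = Counter()

    def _ask(self, qname: str, qtype: str) -> Dict:
        zone = zone_of(qname)
        self.sent[zone] += 1
        return AUTHORITATIVE[zone](qname, qtype)

    def resolve(self, qname: str, qtype: str = "A", depth: int = 0) -> Optional[str]:
        if depth > 8:            # guard against referral loops
            return None
        resp = self._ask(qname, qtype)
        if resp["answer"] is not None or resp["rcode"] == "NXDOMAIN":
            return resp["answer"]
        # Referral without glue: each NS name costs an A and an AAAA resolution
        # (resolvers fetch both address types; modelled as two lookups).
        candidates = resp["ns"]
        if self.max_ns_fetches is not None:
            candidates = candidates[: self.max_ns_fetches]
        for ns in candidates:
            addr = resp["glue"].get(ns)
            if addr is None:
                a = self.resolve(ns, "A", depth + 1)
                aaaa = self.resolve(ns, "AAAA", depth + 1)
                addr = a or aaaa
            if addr is not None:
                return addr      # toy stops here: a real resolver would now query this server
        return None              # no usable nameserver: SERVFAIL to the client


def amplification(max_ns_fetches: Optional[int] = None) -> Tuple[int, int]:
    """Queries hitting (victim, attacker) for a single client query."""
    r = Resolver(max_ns_fetches)
    r.resolve(f"www.{ATTACKER_ZONE}")
    return r.sent[VICTIM_ZONE], r.sent[ATTACKER_ZONE]


if __name__ == "__main__":
    for cap in (None, 10, 2):
        victim, attacker = amplification(cap)
        print(f"cap={cap}: {victim} queries to victim, {attacker} to attacker, "
              f"for 1 client query")
```

The attacker's cost is one authoritative answer; the victim's cost scales with the number of names in the referral, which is why the cap, not the size of the attacker's botnet, is the quantity that bounds the damage. The single-level model here reaches 2N; the larger figures in the report come from chaining referrals so that each fetched name triggers a further referral.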

Source: ZDNet


StrandHogg 2.0 vulnerability impacting Android operating systems

Security researchers have disclosed a vulnerability, dubbed StrandHogg 2.0, in the Android operating system that could allow a threat actor to hijack any application installed on the victim's device.

Impact

To exploit the vulnerability, a threat actor would first need to socially engineer a victim into downloading and installing a malicious application. Once installed, the malware hijacks other installed applications, executing and displaying a malicious version of the legitimate application, and can record phone conversations, track GPS movements, and access SMS messages, photos, the camera, the microphone and stored login credentials.

The vulnerability has been assigned CVE-2020-0096 and was patched by Google in May 2020. It impacts Android version 9.0 and earlier; Android 10 is not affected.

DXC perspective

Recent reports show a 37 percent increase in mobile phishing rates between Q4 2019 and Q1 2020 as threat actors look to take advantage of the move from physical offices to mobile or home working in response to COVID-19.

Mobile devices are an increasingly popular target for attackers. Their interfaces make it harder for a user to differentiate between legitimate and malicious emails and websites, and text messaging adds a further attack vector. Once compromised, mobile devices contain a wealth of information that can be directly monetized or used to compromise corporate networks and other systems.

Organizations should educate users about the potential for malicious mobile phishing and ensure that suitable endpoint security is installed and maintained on devices used to connect to corporate resources.

At this time, DXC is not aware of any threat actors attempting to exploit this vulnerability in the wild.

Source: Promon, Threatpost


Incidents/breaches

UK budget airline breach exposes data on 9 million customers

On May 19, 2020, easyJet disclosed it had suffered a data breach that allowed attackers to access the email addresses and travel details of about 9 million customers, as well as the credit card details of approximately 2,200 of those customers. Passport information is not thought to have been exposed in the attack.

Impact

The breach is believed to have been discovered in late January 2020; the company has since notified affected customers and is conducting a forensic analysis of the incident. At this stage, no technical information has been disclosed about the incident, which is also under investigation by the United Kingdom's Information Commissioner's Office (ICO) and law enforcement.

A statement from easyJet stressed there was no evidence that the data accessed had been misused by criminals.

DXC perspective

Attacks against airlines by cyber criminals are common. In November 2019, Europol announced the results of the 2019 Global Airline Action Day (GAAD) operation, carried out in coordination with other law enforcement agencies, including INTERPOL, Ameripol and the U.S. Secret Service. During this operation, 79 individuals were arrested for the use of illicitly obtained airline tickets, and scores of malicious transactions were identified.

In late 2019, cyber intelligence sources observed numerous instances of criminal threat actors claiming on underground forums to be targeting airlines in the United States, Japan, Taiwan and the United Kingdom. Forum members claimed to hold airline customer payment details, membership information and other personal information. Russian-language criminal groups have also been seen advertising access to European airline networks and selling access to customer accounts of two U.S. airlines at prices between $200 and $500 USD.

The breach of this customer information is highly likely to put affected customers at significant additional risk of social engineering attacks. Affected customers should be extremely suspicious of email attachments and should keep a close watch on their bank and credit card accounts.

It is assessed as highly likely that criminal threat actors will continue to target airline networks, customer payment information and customer benefit accounts as a source of valuable and easily monetized data.

Source: BBC, Airlinergs, CrowdStrike

630% increase in cyber attacks on cloud accounts between January 2020 and April 2020.


Mercedes-Benz onboard logic unit source code leaked

The source code for "connected vehicle" components installed in Mercedes-Benz vans was leaked online after configuration errors were discovered in the organization's GitLab system, which is used to track changes to source code across multi-person engineering teams.

Impact

The leaked source code included details of the onboard logic unit (OLU) components in Mercedes vans, which connect vehicles to the cloud and allow third-party developers to create applications that retrieve van data. These applications are generally used to track the location and status of vehicles while they are on the road.

While the leak initially appeared to be harmless, subsequent analysis of the information uncovered passwords and API tokens for Daimler's internal systems. These passwords and access tokens could potentially be used to plan and mount future intrusions against Daimler's cloud services and internal network.

DXC perspective

The breach appears to have been caused by a failure to conduct account verification checks: an external individual was able to register an unused Daimler email address on the GitLab portal and gain access without any additional security checks.

Misconfigured security settings have been behind some of the largest cloud-based security breaches of recent years, a trend DXC considers likely to grow as organizations continue to adopt cloud services to support more remote working practices.

Organizations should ensure that cloud-based services can comply with existing organizational security policies, that authentication is tied back to enterprise single sign-on (SSO) services, and that the security of these services is regularly checked to confirm that access is suitably restricted and that data held in these services is correctly safeguarded.
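The damage in this incident came from the passwords and API tokens sitting inside the repository, so the second control, alongside fixing sign-up verification, is scanning a source tree for such material before it is pushed. The block below is an added example of such a scan; it is not Daimler's tooling or GitLab's own secret detection. It runs well-known token-shape patterns, a keyword-assignment pattern (`password = "..."`, `api_token: "..."`, `.env`-style `KEY=value`) with a placeholder filter, and a Shannon-entropy backstop for long quoted strings that no keyword names, over a constructed in-memory tree whose file names and contents are assumptions. The AWS key in the sample is the documented placeholder from AWS's own examples, not a live credential.

```python
"""Repository secret scan (added example; not Daimler's or GitLab's tooling).
The sample tree, file names and values are constructed for illustration."""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Well-known token shapes.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# "<keyword> = 'value'" / "<keyword>: value": value either quoted, or unquoted
# and running to end of line (.env style). Groups 2/3 hold the value.
ASSIGNED_RX = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|access[_-]?key|token)\s*[\"']?\s*[:=]\s*"
    r"(?:[\"']([^\"']{8,})[\"']|([^\s\"']{8,})\s*$)"
)
# Values that are obviously not secrets: templates, env references, dummies.
PLACEHOLDER_RX = re.compile(
    r"^(?:<[^>]*>|\$\{[^}]*\}|\$[A-Z_]+|changeme|password|example\w*|x{4,})$", re.I)
# Backstop: any long quoted string with high Shannon entropy, whatever its name.
QUOTED_RX = re.compile(r"[\"']([^\"'\s]{32,})[\"']")
ENTROPY_MIN = 4.0


@dataclass(frozen=True)
class Finding:
    path: str
    lineno: int
    rule: str
    preview: str   # redacted value; the full secret never leaves the scanner


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    return value[:4] + "*" * min(len(value) - 4, 12)


def scan_text(path: str, text: str) -> List[Finding]:
    found = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in TOKEN_PATTERNS.items():
            for m in rx.finditer(line):
                found.add(Finding(path, lineno, rule, redact(m.group(0))))
        for m in ASSIGNED_RX.finditer(line):
            value = m.group(2) or m.group(3)
            if not PLACEHOLDER_RX.match(value):
                found.add(Finding(path, lineno, "assigned_secret", redact(value)))
        for m in QUOTED_RX.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_MIN:
                found.add(Finding(path, lineno, "high_entropy_string", redact(m.group(1))))
    return sorted(found, key=lambda f: (f.path, f.lineno, f.rule))


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]


# Constructed sample tree: an OLU-style repository with the mistakes the scan
# should catch and two lines it should leave alone.
SAMPLE_TREE = {
    "olu/config/prod.yaml": (
        "broker: mqtt.fleet.internal.example\n"
        "api_token: \"9f3c1a7e4b2d8c6f0a1b2c3d4e5f6a7b\"\n"
    ),
    "olu/deploy/creds.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=\"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\"\n"
        "DB_PASSWORD=changeme\n"
        "API_TOKEN=${VAULT_API_TOKEN}\n"
    ),
    "olu/deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n",
    "olu/src/signing.py": (
        "import hmac\n\n"
        "SIGNING_SEED = \"AbCdEfGhIjKlMnOpQrStUvWxYz012345\"  # never do this\n"
    ),
    "olu/src/telemetry.py": (
        "import os\n"
        "password = os.environ[\"OLU_PASSWORD\"]\n"
    ),
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f.path}:{f.lineno} {f.rule} {f.preview}")
```

Run as a pre-push hook, a non-empty result blocks the push; the redacted preview is what goes in the hook's output and ticket, never the value itself. The entropy backstop is deliberately conservative (32 characters and 4.0 bits per character), so a 32-character hex token slips past it and relies on the keyword rule instead; lowering the bar trades that gap for noise on hashes and IDs. A scan at push time is a tripwire, not a substitute for keeping credentials out of the tree in the first place, and the checks on who can register for the portal (the actual failure in this incident) still have to be made separately.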

Source: ZDNet

Nation State and Geopolitical

U.S. NSA warns that Russian government groups are exploiting Exim mail server vulnerability

The U.S. National Security Agency (NSA) issued an advisory on May 28, 2020 alleging that a threat actor group associated with Russia's Main Intelligence Directorate (GU, better known as the GRU) has been actively exploiting a remote code execution vulnerability in the Exim Mail Transfer Agent (MTA) software used on UNIX-based operating systems.

The critical flaw, designated CVE-2019-10149, was publicly disclosed on June 5, 2019 (Exim 4.92, released earlier that year, already contained the fix). It can be exploited to execute commands with administrative "root" privileges, giving attackers full control over a vulnerable system.

Users of the email server software, which comes preinstalled on certain Linux distributions such as Debian, are urged to install Exim version 4.93 or later.

DXC perspective

Vulnerable mail servers are an attractive target for both criminal and nation state-backed threat actors. Once compromised, mail servers provide a powerful pivot point into internal networks, allowing threat actors to intercept incoming email and search through email archives, and they can become a key asset for launching business email compromise (BEC) attacks against an organization and others it has relationships with.

The U.S. NSA's announcement is an important reminder that organizations must diligently practice basic cyber hygiene by regularly patching their open source software.

Source: Wired, CBR

Other news

• Police websites in Minneapolis hit by cyber attacks as protests continue (The Washington Post)
• Black Lives Matter activists targeted by cyber attacks (ComputerWeekly.com)
• Interserve hit by cyber attacks (City A.M.)
• Cyber-attacks against UK orgs up 30% in Q1 2020 (Infosecurity)
• Israel thwarted cyber-attack on water systems (DW)


Learn more

Thank you for reading the Security Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security.

DXC in Security

Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,500+ experts and a global network of security operations centers. DXC provides solutions tailored to our clients' diverse security needs, with areas of specialization in Cyber Defense, Digital Identity, Secured Infrastructure and Data Protection. Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.

Stay current on the latest threats at www.dxc.technology/threats

Get the insights that matter. www.dxc.technology/optin

About DXC Technology

DXC Technology (NYSE: DXC) helps global companies run their mission critical systems and operations while modernizing IT, optimizing data architectures, and ensuring security and scalability across public, private and hybrid clouds. With decades of driving innovation, the world’s largest companies trust DXC to deploy our enterprise technology stack to deliver new levels of performance, competitiveness and customer experiences. Learn more about the DXC story and our focus on people, customers and operational execution at www.dxc.technology.

©2020 DXC Technology Company. All rights reserved. May 2020
