Security Threat Intelligence Report
June 2020
In this issue
COVID-19 Themed Phishing Campaigns Adjust Tactics
Vulnerability in DNS Protocol Could Result in DDoS Condition
UK Budget Airline Breach Exposes Data on 9 Million Customers
U.S. NSA Warns that Russian Government Groups Are Exploiting Exim Mail Server Vulnerability
Message from Mark Hughes
As the world gradually lifts pandemic-related restrictions, it is clear COVID-19 has changed the way we work, shop and socialize, and these changes have created new and lucrative targets. Attackers launched numerous COVID-themed campaigns in the first quarter of
2020, but as success rates have fallen, they’re turning to more subtle phishing lures. Employing strong endpoint security, remote access solutions and security monitoring is essential in this threat climate.
Mark Hughes, Senior Vice President and General Manager of Security, DXC Technology
About this report
Fusing a range of public and proprietary information feeds, including DXC's global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness.
This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.
Intelligence cutoff date: May 30, 2020
Table of contents
Threat Updates
COVID-19 themed phishing campaigns adjust tactics (Multi-industry) – 3
Reports of PowerPoint macros being used to deliver AgentTesla (Multi-industry) – 4
EKANS ransomware targets healthcare, financial and engineering sectors (Multi-industry) – 4
Vulnerability Updates
NXNSAttack vulnerability in DNS protocol could result in DDoS condition (Multi-industry) – 6
StrandHogg 2.0 vulnerability impacting Android operating systems (Multi-industry) – 7
Incidents/breaches
UK budget airline breach exposes data on 9 million customers (Aviation) – 8
Mercedes-Benz online logic unit source code leaked (Automotive) – 9
Nation State and Geopolitical
U.S. NSA warns of Russian government groups exploiting Exim mail server vulnerability (Multi-industry) – 9
Threat Updates
COVID-19 themed phishing campaigns adjust tactics
Over the past 3 months, multiple criminal adversaries have repeatedly been observed
using the coronavirus (COVID-19) as a theme for phishing campaigns. Malicious
payloads have included a mixture of commodity malware and several variants of the
leading loaders, namely AgentTesla, LokiBot, NanoCore and FormBook.
A common tactic in recent campaigns has been to directly reference COVID-19 in the
name of the malicious spam email file attachment, such as:
• COVID-19_UPDATE.jpg.lnk
• CoronaVirusSafetyMeasures_pdf.exe
• Coronavirus Disease (COVID-19) CURE.zip
• COVID-19 Communication to Corporate Clients.rar
The detection rate of such files over the past 3 weeks has fallen, which may indicate
this tactic could be on the decline as intended victims become more aware of the
threats associated with these files through online and media awareness campaigns.
Impact
A slight shift toward lure-themes that make less obvious COVID-19 references has
been detected, including use of more generic, business-related names for file
attachments. For example, a popular technique is to use fake invoices and purchase
orders with only a passing reference to the pandemic within the email body.
DXC perspective
This shift in social engineering techniques and themes does not reduce the threat
from phishing emails, since the final payloads remain consistent. However, it does
demonstrate the evolving nature of social-engineering phishing attacks and the
ability of adversaries to quickly adapt to regional and global events.
DXC recommends that all users remain vigilant about the threats posed by
attachments, verify unexpected attachments with the purported sender before
opening them, or pass them to security staff for examination in a controlled
environment.
Source: CrowdStrike Intelligence
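As an added illustration (not code from the original report), the following Python scores attachment names for the patterns listed above: an executable extension hidden behind a document-like one, an "_pdf"-style fake extension, archive containers, and COVID-19 or invoice lure words. The extension sets, point weights and quarantine threshold are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass, field

# Extensions that run code when a Windows user double-clicks the file.
EXECUTABLE_EXTS = {"exe", "scr", "lnk", "js", "jse", "vbs", "hta", "bat", "cmd", "ps1", "com", "pif"}
# Extensions a user reads as a harmless picture or document.
DOCUMENT_LIKE_EXTS = {"jpg", "jpeg", "png", "pdf", "doc", "docx", "xls", "xlsx", "txt"}
# Containers that keep the real payload out of sight and out of some gateway scanners.
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img"}
# Lure themes: direct COVID-19 references, and the generic business names the
# campaigns are shifting toward (a weak signal on its own, hence the low weight).
COVID_TERMS = re.compile(r"covid|corona|pandemic|cure|safety\s*measures", re.I)
BUSINESS_TERMS = re.compile(r"invoice|purchase\s*order|\bPO\b|remittance|payment", re.I)
FAKE_EXT_SUFFIX = re.compile(r"_(" + "|".join(sorted(DOCUMENT_LIKE_EXTS)) + r")$")

@dataclass
class Verdict:
    filename: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)

def triage_attachment(filename: str) -> Verdict:
    """Score one attachment name; higher means more reason to hold it for review."""
    v = Verdict(filename)
    parts = filename.strip().lower().split(".")
    exts = parts[1:]                       # every extension after the first dot
    last = exts[-1] if exts else ""
    stem = ".".join(parts[:-1]) if exts else parts[0]

    if last in EXECUTABLE_EXTS:
        v.add(5, f"executable extension .{last}")
        # COVID-19_UPDATE.jpg.lnk: a document extension sits in front of the real one
        if len(exts) >= 2 and exts[-2] in DOCUMENT_LIKE_EXTS:
            v.add(3, f"double extension .{exts[-2]}.{last} masquerades as a document")
        # CoronaVirusSafetyMeasures_pdf.exe: the fake extension is joined with '_'
        m = FAKE_EXT_SUFFIX.search(stem)
        if m:
            v.add(3, f"'_{m.group(1)}' in the name mimics a .{m.group(1)} document")
    elif last in ARCHIVE_EXTS:
        v.add(3, f"archive container .{last}; contents need inspection before delivery")

    if COVID_TERMS.search(filename):
        v.add(2, "COVID-19 lure theme in filename")
    if BUSINESS_TERMS.search(filename):
        v.add(1, "invoice or purchase-order lure theme in filename")
    return v

def should_quarantine(filename: str, threshold: int = 5) -> bool:
    """Gateway policy (assumed threshold): hold anything at or above the threshold."""
    return triage_attachment(filename).score >= threshold
```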
Reports of PowerPoint macros being used to deliver AgentTesla
In May 2020, industry researchers provided information about a campaign delivering
AgentTesla via a malicious PowerPoint file. The only content the file is said to contain
is a macro command that connects to a server when the PowerPoint file is closed.
The server responds to the request by sending encoded JavaScript (JS) in a file that
downloads two further files, one of which is an AgentTesla executable.
Impact
AgentTesla is a Remote Access Trojan (RAT) strain of malware that is available for
purchase on the digital black market. It was originally designed to log an infected
user’s keystrokes and clipboard to a remote command and control (C2) server. But
AgentTesla has since evolved to include additional modules and services that attempt
to collect extensive information, including details about FTP clients, web browsers, file
downloaders, machine info (username, computer name, OS, CPU architecture, RAM)
and wireless networks.
DXC perspective
The researchers did not provide much information about the specific campaign using
this PowerPoint file, including the means of delivery, but AgentTesla has recently
been observed being distributed through various coronavirus (COVID-19)-themed
campaigns.
Organizations should consider the following:
• Block email attachments commonly associated with malware.
• Block email attachments that cannot be scanned by antivirus software.
• Implement email filtering at the mail gateway and block suspicious IP addresses at
the firewall.
Source: SANS Internet Storm Centre
EKANS ransomware targets healthcare, financial and engineering sectors
Media reports in May 2020 indicated that several European entities have become
victims of the EKANS ransomware, including a Germany-based healthcare
organization, a financial services entity and a France-based engineering company.
Impact
It is not known at this time whether the actors have been successful in exfiltrating
victim data or are simply threatening to do so. (The current trend of ransomware
operators is to use stolen data as leverage against the victim organization.)
37% – Increase in COVID-19-related enterprise mobile phishing in the 1st quarter 2020
$35 million – Estimated cost per unmitigated mobile phishing incident for enterprises with 10,000 devices
COVID-19 mobile phishing attacks by industry:
Hospitals – 15.5%
Professional Services – 14.9%
Financial Services – 10%
Manufacturing – 6.3%
Government – 4.4%
(source: Lookout Security, Phishing Spotlight Report)
DXC perspective
EKANS was identified in January and contains some distinctive capabilities, including
the ability to terminate security software and industrial control system (ICS)-related
processes.
While no significant changes to the ransomware have been reported since its
discovery in January, there has been a significant change in the operator’s tactics,
which are now more in line with other big game hunting (BGH)-ransomware
operations. Ransom notes associated with recent EKANS infections threaten that if
the victim does not make contact within 48 hours, or refuses to pay the ransom, data
exfiltrated from the victim’s network will be made public.
The threat from ransomware has been consistently growing over the past few years
and shows no sign of slowing down. As organizations and security professionals find
ways to counter the ransomware threat, the criminal actors find new ways to evade
the protections and extort companies.
Both technical solutions and staff training measures should be employed to block
phishing attacks (a primary attack vector used by ransomware), and vulnerability
management and patching regimes must be enacted to counter exploitation of
known security vulnerabilities. Endpoint security measures should also be employed
to detect and prevent infection through web-browsing activities.
Primary defenses against ransomware center on preventing it from infecting systems
or spreading through the network. Organizations should:
• Educate users on spotting potential phishing emails and the dangers associated
with clicking links and attachments in unsolicited emails.
• Block email attachments commonly associated with malware.
• Block email attachments that cannot be scanned by antivirus software.
• Implement email filtering at the mail gateway and block suspicious IP addresses at
the firewall.
• Use multifactor authentication (MFA) on all remote access systems.
• Ensure that all server and endpoint software is maintained at a current level,
including all relevant security software.
Source: CrowdStrike Intelligence
Vulnerability Updates
NXNSAttack vulnerability in DNS protocol could result in DDoS condition
A group of academic researchers disclosed details about a vulnerability, dubbed
NXNSAttack in media reports, that exists in the DNS protocol. All recursive DNS
resolvers from various companies are reportedly affected by this vulnerability.
Impact
The NXNSAttack vulnerability takes advantage of the way DNS recursive resolvers
operate when receiving a name service referral response that contains nameservers
but without their corresponding IP addresses.
The number of DNS messages exchanged in a typical resolution process may in
some circumstances be much higher in practice than is reasonably expected due
to the proactive resolution of nameservers’ IP addresses. This inefficiency creates a
bottleneck that could be used to launch a distributed denial-of-service (DDoS) attack
against recursive resolvers and authoritative name servers.
The vulnerability has been assigned the following common vulnerabilities and
exposure (CVE) IDs, depending on the vendor:
• CVE-2020-8616
• CVE-2020-12662
• CVE-2020-12667
• CVE-2020-10995
It is likely that other CVEs will be announced as vendors continue to provide patches
for this vulnerability.
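The following Python model, added here and not taken from the researchers or the report, counts the upstream queries a recursive resolver issues when a single referral lists nameservers without glue addresses: first with the unrestricted proactive resolution described above, then with an assumed per-referral cap on glueless fetches that stands in for the shape of the vendor fixes. The zone names and counts are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Referral:
    # A delegation response: the NS names of the delegated zone plus glue
    # addresses for whichever of those names the responder chose to include.
    zone: str
    ns_names: tuple
    glue: dict = field(default_factory=dict)   # ns name -> IPv4 address

@dataclass
class ResolverStats:
    client_queries: int = 1        # the single client query that triggered the referral
    upstream_queries: int = 0      # queries the resolver then sends to authoritative servers
    ns_fetched: int = 0
    ns_skipped: int = 0

    @property
    def amplification(self) -> float:
        return self.upstream_queries / self.client_queries

def follow_referral(ref: Referral, max_glueless_fetch: Optional[int] = None) -> ResolverStats:
    """Count the work one referral causes.

    max_glueless_fetch=None models the unpatched behaviour the report
    describes: every NS name without glue is proactively resolved, costing
    an A and an AAAA query each. A numeric cap models the assumed shape of
    the vendor fixes: stop fetching once the cap is reached and proceed
    with the addresses already known.
    """
    stats = ResolverStats()
    for name in ref.ns_names:
        if name in ref.glue:
            continue                     # address came with the referral
        if max_glueless_fetch is not None and stats.ns_fetched >= max_glueless_fetch:
            stats.ns_skipped += 1
            continue
        stats.upstream_queries += 2      # A + AAAA lookups for this NS name
        stats.ns_fetched += 1
    return stats

def constructed_referral(n_glueless: int, n_glued: int = 0) -> Referral:
    # Constructed sample: the glueless NS names all sit under one zone, so the
    # extra fetches concentrate on a single authoritative server rather than
    # spreading across the internet.
    glued = {f"ns{i}.example.test": f"192.0.2.{i}" for i in range(1, n_glued + 1)}
    glueless = tuple(f"ns{i}.glueless.example.test" for i in range(n_glueless))
    return Referral("delegated.example.test", tuple(glued) + glueless, glued)
```

The amplification grows linearly with the number of glueless names in the referral, which is why a fixed fetch cap bounds it regardless of referral size.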
DXC perspective
DDoS attacks have been around for a long time and are a common tactic used by
hacktivist and unsophisticated criminal groups. The technique usually relies on the
ability of a threat actor to direct large volumes of data at a target in an attempt to
make it unavailable to legitimate users, often employing the use of criminal botnets to
generate the data required.
The NXNSAttack vulnerability described by the research team indicates it is capable
of amplifying a simple DNS query from 2 to 1,620 times its initial size, creating a
massive spike in traffic that can crash a victim DNS server without the need for large-
scale botnets.
Public reports speculate that exploitation of this vulnerability could lead to a “Mirai-
scale disruption”; however, DXC has not observed any reports of threat actors
exploiting the vulnerability in the wild.
Source: ZDNet
StrandHogg 2.0 vulnerability impacting Android operating systems
Security researchers have disclosed a vulnerability, dubbed StrandHogg 2.0, in the
Android operating system that could allow a threat actor to hijack any application
installed on the victim’s device.
Impact
To exploit the vulnerability, a threat actor would need to socially engineer a victim
into downloading and installing a malicious application. Once installed, the malware
hijacks other installed applications, executing and displaying a malicious version
of the legitimate application, and can record phone conversations, track GPS
movements, and access SMS messages, photos, camera, microphone and stored
login credentials.
The vulnerability has been assigned CVE-2020-0096 and was patched by Google in
May 2020. It impacts Android version 9.0 and earlier. Android 10 is not impacted by
this vulnerability.
DXC perspective
Recent reports show an increase of 37 percent in mobile phishing rates between Q4
2019 and Q1 2020 as threat actors look to take advantage of the move from physical
to mobile or home offices in response to COVID-19.
Mobile devices are an increasingly popular target for attackers. The interfaces make
it more difficult for a user to differentiate between legitimate and malicious emails
and websites, and text message functionality adds an additional attack vector. Once
compromised, mobile devices contain a wealth of information that can be directly
monetized or used to compromise corporate networks and other systems.
Organizations should educate users about the potential for malicious mobile phishing
and ensure that suitable endpoint security is installed and maintained on devices that
are used to connect to corporate resources.
At this time, DXC is not aware of any threat actors attempting to exploit these
vulnerabilities in the wild.
Source: Promon, Threatpost
Incidents/breaches
UK budget airline breach exposes data on 9 million customers
On May 19, 2020, easyJet disclosed it had suffered a data breach that allowed
attackers to access the email and travel details of about 9 million customers, as well
as the credit card details of 2,200 of those customers. Passport information is not
thought to have been exposed in the attack.
Impact
The breach is believed to have been discovered in late January 2020, and the
company has notified affected customers and is conducting a forensic analysis of the
incident. At this stage, no technical information has been disclosed about the
incident, which is also under investigation by the United Kingdom’s Information
Commissioner’s Office (ICO) and law enforcement.
A statement from easyJet stressed there was no evidence that the data accessed had
been misused by criminals.
DXC perspective
Attacks against airlines by cyber criminals are common. In November 2019, Europol
announced the results of the 2019 Global Airline Action Day (GAAD) operation that
had been carried out in coordination with other law enforcement agencies, including
INTERPOL, Ameripol, and the U.S. Secret Service. During this operation, 79 individuals
were arrested for the use of illicitly obtained airline tickets, and scores of malicious
transactions were identified.
In late 2019, cyber intelligence sources observed numerous instances of criminal
threat actors making claims on underground criminal forums about targeting airlines
in the United States, Japan, Taiwan and the United Kingdom. Forum members
claimed to have airline customer payment details, membership information, and
other personal information. Russian-language criminal groups have also been seen
advertising access to European airline networks and selling access to customer
accounts of two U.S. airlines at price points between $200 and $500 USD.
The breach of this customer information is highly likely to put affected customers at
significant additional risk of social engineering attacks. Affected customers should be
extremely suspicious of opening email attachments and should keep a close watch on
their bank and credit card accounts.
It is assessed as highly likely that criminal threat actors will continue to target airline
networks, customer payment information, and customer benefit accounts as a source
of valuable and easily monetized data.
Source: BBC, Airlinergs, CrowdStrike
630% – Increase in cyber attacks on cloud accounts between January 2020 and April 2020.
Mercedes-Benz online logic unit source code leaked
The source code for “connected vehicle” components installed in Mercedes-Benz
vans has been leaked online after configuration errors were discovered in the
organization’s GitLab system, which is used to track changes in source code across
multiperson engineering teams.
Impact
The leaked source code included details of the onboard logic unit (OLU) components
in Mercedes vans, which are used to connect vehicles to the cloud and allow third-
party developers to create applications to retrieve van data. These applications are
generally used to track the location and status of vehicles while they are on the road.
While the leak initially appeared to be harmless, subsequent analysis of the
information discovered passwords and API tokens for Daimler’s internal systems.
These passwords and access tokens potentially could be used to plan and mount
future intrusions against Daimler’s cloud services and internal network.
DXC perspective
The breach appears to have been caused by a failure to conduct account verification
checks, so an external individual was able to register an unused Daimler email
address on the GitLab portal and gain access without any additional security checks.
Misconfigured security settings have been behind some of the largest cloud-
based security breaches of recent years, a trend DXC considers likely to grow as
organizations continue to adopt cloud services to support more remote working
practices.
Organizations should ensure that cloud-based services can comply with existing
organizational security policies, that authentication mechanisms are tied back to
enterprise-based single sign-on (SSO) services, and that the security of these services
is regularly checked to confirm that access is suitably restricted and that data held in
these services is correctly safeguarded.
Source: ZDNet
Other news
• Police websites in Minneapolis hit by cyber attacks as protests continue - The Washington Post
• Black Lives Matter Activists Targeted by Cyber Attacks - ComputerWeekly.com
• Interserve hit by Cyber Attacks - City A.M.
• Cyber-attacks against UK Orgs up 30% in Q1 2020 - infosecurity
• Israel thwarted cyber-attack on water systems - DW
Nation State and Geopolitical
U.S. NSA warns that Russian government groups are exploiting Exim mail server vulnerability
The U.S. National Security Agency (NSA) issued an advisory on May 28, 2020 alleging
that a threat actor group associated with Russia’s Main Intelligence Directorate (G.U.)
has been actively exploiting a remote code execution vulnerability in the Exim Mail
Transfer Agent (MTA) software used in UNIX-based operating systems.
The critical flaw, designated CVE-2019-10149 and patched on June 5, 2019, can
be exploited to execute commands with administrative “root” privileges, thereby
enabling attackers to have full control over a vulnerable system.
Users of the email server software, which comes preinstalled on certain Linux
distributions such as Debian, are urged to install Exim version 4.93 or later.
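An added example (not part of the NSA advisory or this report) that checks `exim -bV` banner lines from a fleet against the 4.93 threshold stated above. The banners and host names are constructed; because a distribution may backport the fix under a lower upstream version number, a "needs-review" result is a prompt to check the vendor's package advisory rather than a confirmed exposure.

```python
import re
from typing import Dict, Optional, Tuple

# Version the advisory, as summarised above, tells Exim users to install or exceed.
FIXED_VERSION: Tuple[int, ...] = (4, 93)

# `exim -bV` prints a banner beginning "Exim version X.YY"; the build number after '#'
# is not part of the upstream version and is ignored here.
BANNER_RE = re.compile(r"Exim version (\d+(?:\.\d+)+)")

def parse_exim_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Return the upstream version as a tuple of ints, or None if no banner is present."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))

def is_below_fix(version: Tuple[int, ...]) -> bool:
    # Tuple comparison is lexicographic: (4, 92, 3) < (4, 93) and (4, 93, 0, 4) >= (4, 93).
    return version < FIXED_VERSION

def audit_exim_hosts(banners: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as 'patched', 'needs-review' or 'unknown' from its banner line."""
    verdicts = {}
    for host, banner in banners.items():
        version = parse_exim_version(banner)
        if version is None:
            verdicts[host] = "unknown"          # no Exim banner: not installed, or command failed
        elif is_below_fix(version):
            verdicts[host] = "needs-review"     # below 4.93 upstream; check for a vendor backport
        else:
            verdicts[host] = "patched"
    return verdicts

# Constructed sample banners for hypothetical hosts (not real systems).
SAMPLE_BANNERS = {
    "mx1": "Exim version 4.92 #3 built 18-Feb-2019 12:00:00",
    "mx2": "Exim version 4.93 #1 built 10-Dec-2019 09:15:42",
    "mx3": "Exim version 4.93.0.4 #2 built 11-Jan-2020 15:01:30",
    "mx4": "bash: exim: command not found",
}

if __name__ == "__main__":
    for host, verdict in audit_exim_hosts(SAMPLE_BANNERS).items():
        print(f"{host}: {verdict}")
```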
DXC perspective
Vulnerable mail servers are an attractive target for both criminal and nation state-
backed threat actors. Once compromised, mail servers provide a powerful pivot
point to access internal networks, allowing threat actors to intercept incoming email
and search through email archives, and they can become a key asset for launching
business email compromise (BEC) attacks against an organization and others it has
relationships with.
The U.S. NSA’s announcement is an important reminder that organizations must diligently
practice basic cyber hygiene by regularly patching their open source software.
Source: Wired, CBR
Learn more
Thank you for reading the Security Threat Intelligence Report. Learn more about
security trends and insights from DXC Labs | Security.
DXC in Security
Recognized as a leader in security services, DXC Technology helps clients prevent
potential attack pathways, reduce cyber risk, and improve threat detection and
incident response. Our expert advisory services and 24x7 managed security services
are backed by 3,500+ experts and a global network of security operations centers.
DXC provides solutions tailored to our clients’ diverse security needs, with areas of
specialization in Cyber Defense, Digital Identity, Secured Infrastructure and Data
Protection. Learn how DXC can help protect your enterprise in the midst of large-
scale digital change. Visit www.dxc.technology/security.
Stay current on the latest threats at www.dxc.technology/threats
Get the insights that matter. www.dxc.technology/optin
About DXC Technology
DXC Technology (NYSE: DXC) helps global companies run their mission critical systems and operations while modernizing IT, optimizing data architectures, and ensuring security and scalability across public, private and hybrid clouds. With decades of driving innovation, the world’s largest companies trust DXC to deploy our enterprise technology stack to deliver new levels of performance, competitiveness and customer experiences. Learn more about the DXC story and our focus on people, customers and operational execution at www.dxc.technology.
©2020 DXC Technology Company. All rights reserved. May 2020