Threat Intelligence Report
March 2020
In this issue
ICS-focused ransomware identified
Coronavirus-themed malware on the rise
Active scanning for vulnerable Microsoft Exchange servers
Researchers uncover widespread Iranian cyber campaign
Message from Mark Hughes
Cyber operations are a key theme this month with new espionage operations spotted in the wild. The campaigns have been ongoing for years and demonstrate the significant damage they can do and the amount of time a threat actor can remain in an environment
undetected. Several large-scale data breaches were reported publicly. Breaches of any scale can have a devastating impact on victims. Read more in this month’s report.
Mark Hughes, Senior Vice President and General Manager of Security, DXC Technology
About this report
Fusing a range of public and proprietary information feeds, including DXC’s global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness. This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.
Intelligence cutoff date: 28 February 2020
Table of contents
Threat Updates
ICS-focused ransomware identified (Multi-industry), page 3
Coronavirus-themed malware lures on the rise (Multi-industry), page 3
Online betting firms targeted in espionage operations (Entertainment), page 4
Vulnerability Updates
Active scanning for Microsoft Exchange server vulnerability CVE-2020-0688 (Multi-industry), page 5
Ghostcat bug affects all Apache Tomcat versions released in the last 13 years (Multi-industry), page 5
Incidents/breaches
MGM Grand breach exposes 10.6 million guest details (Hospitality), page 6
Maze ransomware group releases data (Manufacturing/Construction), page 7
Nation State and Geopolitical
Researchers uncover widespread Iranian cyber campaign (Public Sector), page 9
Threat Updates
ICS-focused ransomware identified
At the end of January 2020, a new ransomware variant emerged dubbed EKANS. In addition to the standard file encryption routines, EKANS contains functionality to forcibly stop a number of processes, including multiple processes related to industrial control system (ICS) operations.
Impact
EKANS presents a specific risk to organizations running industrial control operations not previously seen in ransomware and could result in a loss of control and/or visibility of industrial processes. While some organizations may have the option to fall back onto manual operations in the event of an incident, the costs and inefficiencies of doing so could be substantial.
DXC perspective
IT-focused ransomware has affected ICS systems in the past, usually through infecting the Windows portion of control systems and disrupting operations. The explicit inclusion of ICS-specific functionality is a new development and possibly one aimed at extracting large payments from manufacturing organizations.
Primary defenses against ransomware center on preventing it from infecting systems or spreading through the network. Organizations should consider the following:
• Block email attachments commonly associated with malware
• Block email attachments that cannot be scanned by antivirus software
• Implement email filtering at the mail gateway and block suspicious IP addresses at the firewall
Source: Dragos - https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/
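The first two attachment controls above, implemented as an added Python policy check for a mail gateway (example code, not from the report or DXC). The blocked-extension list and the sample message are constructed here; password-protected or unreadable archives are treated as attachments that antivirus cannot scan.

```python
import io
import zipfile
from email.message import EmailMessage

# Attachment types commonly used to deliver malware (constructed list; tune it locally).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".lnk", ".docm", ".xlsm"}


def is_unscannable_zip(data: bytes) -> bool:
    """A password-protected or unreadable archive cannot be scanned by antivirus."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())  # bit 0 = encrypted
    except zipfile.BadZipFile:
        return True


def evaluate_attachment(filename: str, data: bytes) -> str:
    """Apply the two gateway rules to one attachment: 'allow' or 'block:<reason>'."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block:blocked-extension"
    if ext == ".zip" and is_unscannable_zip(data):
        return "block:unscannable-archive"
    return "allow"


def evaluate_message(msg: EmailMessage) -> dict:
    """Map each attachment filename of a parsed message to its policy verdict."""
    verdicts = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "unnamed"
        verdicts[fname] = evaluate_attachment(fname, part.get_payload(decode=True) or b"")
    return verdicts


def encrypted_zip_sample() -> bytes:
    """Constructed sample: zipfile cannot write encrypted archives, so a plain one is
    built and the 'encrypted' flag bit is set in both the local and central headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", b"sample")
    raw = bytearray(buf.getvalue())
    raw[raw.find(b"PK\x03\x04") + 6] |= 1  # local file header: general-purpose flags
    raw[raw.find(b"PK\x01\x02") + 8] |= 1  # central directory: general-purpose flags
    return bytes(raw)


def sample_message() -> EmailMessage:
    """Constructed message carrying one attachment of each kind."""
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename="update.exe")
    msg.add_attachment(encrypted_zip_sample(), maintype="application", subtype="zip", filename="docs.zip")
    return msg
```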
Coronavirus-themed malware lures on the rise
As the outbreak of Coronavirus (COVID-19) continues to spread across the globe, criminal threat actors continue to try and capitalize on the concerns of the public to deliver malicious artifacts.
Impact
In January and throughout February 2020, the most prevalent Coronavirus-themed campaigns targeted China and Japan, distributing Emotet in malicious email attachments. These emails claimed to be from local government sources and were designed to look as if they were reporting the spread of the infection and providing advice on how citizens could protect themselves from contracting the virus.
DXC perspective
This is an opportunistic threat scenario intended to spread malware as widely as possible. DXC believes that it is almost certain that additional local-language campaigns will surface as outbreaks occur in new countries around the world.
Source: Check Point - https://blog.checkpoint.com/2020/02/18/beware-of-the-other-virus-the-spread-of-coronavirus-themed-malware/
Online betting companies targeted in espionage operations
An advanced threat actor dubbed “DRBControl” has been targeting gambling and betting companies since mid-2019 using two previously unknown backdoors and malware linked to two Chinese threat groups.
The actor appears to focus on companies in Southeast Asia; however, unconfirmed reports link the actor to similar attacks in Europe and the Middle East.
Impact
Operations concentrate on accessing source code and databases rather than financial targets. This suggests that the operations are espionage-focused rather than criminally driven.
Data collected from infected hosts includes documents (Office and PDF), key logs, SQL dumps, browser cookies and a KeePass manager database.
DXC perspective
While it is no surprise that online gambling companies are a target for attacks, it is notable that the goal of these operations does not appear to have been financial. There are many potential uses for the information that was targeted (identifying users of the compromised platforms, establishing a rival online gambling platform, or as a gateway to a larger parent entity). However, the exact motive behind the attacks is not currently known.
Tools, tactics and procedures used in the attacks overlap with those used by the Winnti and Emissary Panda groups, both of which are linked to the interests of the Chinese government; however, it is unclear at this time whether the attackers are acting on behalf of Beijing.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/drbcontrol-espionage-operation-hits-gambling-betting-companies/
$377K: Average initial ransom demand for Ryuk ransomware in Q3 2019 (Security Boulevard, https://securityboulevard.com/2020/02/20-ransomware-statistics-youre-powerless-to-resist-reading/)
$157 million: Cost of ransomware attacks on U.S. healthcare organizations since 2016 (Dark Reading, https://www.darkreading.com/attacks-breaches/healthcare-ransomware-damage-passes-$157m-since-2016/d/d-id/1337024)
14 seconds: Average frequency of ransomware attacks worldwide (phoenixNAP, https://phoenixnap.com/blog/ransomware-statistics-facts)
Vulnerability Updates
Active scanning for Microsoft Exchange server vulnerability CVE-2020-0688
Attackers are actively scanning large parts of the internet for Microsoft Exchange servers that are vulnerable to CVE-2020-0688, one of the vulnerabilities that was patched by Microsoft in the February 2020 patch cycle.
Impact
CVE-2020-0688 is a remote code execution flaw that could allow an attacker to take full system-level control of a vulnerable Exchange server. This could position the attacker to steal or falsify corporate email communications at will and potentially use the server as a staging post for further intrusions.
There are no workarounds for this vulnerability, and the patch should be applied immediately.
DXC perspective
Microsoft rated this vulnerability as Important in severity when it was released, most likely (in DXC’s view) because an attacker must first successfully authenticate with the server. However, within an enterprise, most users would be permitted to authenticate to the Exchange server, as would an outside attacker who compromised the credentials of an enterprise user through a phishing or credential-stuffing attack.
Since the vulnerability was made public, working proof-of-concept exploits have been demonstrated and active scanning for vulnerable servers has been seen in the wild. DXC assesses it very likely that the scanning and exploitation process will become highly automated for use as a data-theft and ransomware-distribution mechanism.
Sources: Microsoft - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
BleepingComputer - https://www.bleepingcomputer.com/news/security/hackers-scanning-for-vulnerable-microsoft-exchange-servers-patch-now/
Ghostcat bug impacts all Apache Tomcat versions released in the last 13 years
Researchers have identified a flaw in Tomcat AJP (Apache JServ Protocol) that may allow an attacker to read or write files to a Tomcat server.
AJP is a performance-optimized version of the HTTP protocol in binary format that is used to exchange data with nearby HTTPD web servers or other Tomcat instances. It is installed by default on all Tomcat servers and listens on TCP port 8009.
Impact
The vulnerability affects all 6.x, 7.x, 8.x, and 9.x Tomcat branches, meaning that all Tomcat versions released since 2007 should be considered open to attack.
The ability to read or write files to a Tomcat server could allow an attacker to read application configuration files for passwords or API tokens, or upload backdoors or web shells to servers.
DXC perspective
Searches on the internet identified more than 1 million Tomcat servers currently available online; however, as an attacker would require access to TCP port 8009 to trigger the vulnerability, the number of servers available to remote compromise over the internet is significantly lower. DXC considers it more likely that this vulnerability will be used for lateral movement within a previously compromised environment.
DXC recommends that organizations operating these vulnerable installations disable the AJP connector if it is not in use and install the security patches as soon as possible.
Sources: Mitre CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938
Chaitin Tech - https://www.chaitin.cn/en/ghostcat
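An added Python audit of Tomcat server.xml for the AJP exposure discussed above (example code, not from the report, DXC or the Tomcat project). The three server.xml fragments are constructed: the long-standing default AJP connector, the same connector bound to loopback with the `secretRequired`/`secret` attributes that the fixed Tomcat releases introduced, and a deployment with the connector commented out; a missing `address` attribute is assumed to mean all interfaces, the pre-fix default.

```python
import xml.etree.ElementTree as ET

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector that is reachable beyond loopback or that
    does not require a shared secret. A missing 'address' is treated as all interfaces,
    the default in Tomcat releases that predate the Ghostcat fixes (assumption)."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue  # HTTP connectors are not affected by CVE-2020-1938
        port = conn.get("port", "8009")
        address = conn.get("address", "0.0.0.0")
        if address not in LOOPBACK_ADDRESSES:
            findings.append(f"AJP on {address}:{port} is reachable from the network")
        if conn.get("secretRequired", "false").lower() != "true" or not conn.get("secret"):
            findings.append(f"AJP on port {port} does not require a shared secret")
    return findings


# Constructed server.xml fragments: the historical default connector, the same
# connector bound to loopback with a secret, and a deployment with AJP removed.
DEFAULT_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443"
             secretRequired="true" secret="REPLACE-WITH-A-RANDOM-SECRET" />
</Service></Server>"""

AJP_DISABLED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
  <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
</Service></Server>"""


if __name__ == "__main__":
    for label, xml_text in (("default", DEFAULT_SERVER_XML), ("hardened", HARDENED_SERVER_XML),
                            ("ajp-disabled", AJP_DISABLED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml_text) or ["no findings"])
```

Commented-out connectors are skipped because the XML parser drops comments, which matches the report's first recommendation of disabling AJP when it is not in use.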
Incidents/breaches
MGM Grand breach exposes 10.6 million guest details
In late February 2020, the details of more than 10.6 million guests who stayed at MGM resorts were published on a hacking forum. Public reports claim that the breach was the result of unauthorized access to a cloud storage server in summer 2019.
Impact
Personal details published on the forum included full names, home addresses, phone numbers, emails and dates of birth for 10,683,188 guests who had previously stayed at MGM resorts.
The breach is not thought to have contained any financial or authentication information, and MGM personnel have contacted guests whose information has been breached.
DXC perspective
These kinds of breaches have become all too common. As organizations change to meet business and technical advances, networks become increasingly complex, and simple human error becomes an ever-bigger problem. This can be exacerbated by the increasing online footprint of organizations as they adopt new architectures such as cloud and hybrid operating models.
The danger with this kind of breach is that the breached information is used to conduct further attacks, such as targeted phishing, email-based scams or SIM-swapping attacks long after the breach occurs.
Auditing and testing of network, system and applications security measures should be performed by independent and experienced security teams on a regular basis to ensure all internal and external security protections are working as intended and to identify any potential gaps that require remediation as soon as possible.
Source: ZDNet - https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/
Maze ransomware group releases data
On January 31, the France-based company Bouygues Construction disclosed that its computer network had been infected with ransomware. In its disclosure, the company did not specify the ransomware family or the ransom demanded.
Shortly after the incident, a website linked to the Maze ransomware group and used to list victim companies that hadn’t paid, started leaking data the site claimed was taken from Bouygues.
Impact
The breach affected approximately 230 systems in 16 different countries, with the majority being in Canada and France. In response, Bouygues shut down its information systems to prevent further propagation of the malware.
The leaked information released on the Maze website relates to the company’s employees and included names, home addresses, phone numbers, social insurance numbers, banking details and drug test results.
Bouygues has said that operational activity on its construction sites had not been disrupted and that it was working to minimize the impact on customers and partners.
DXC perspective
This incident follows a trend that emerged at the end of 2019, where ransomware groups exfiltrate data before encrypting systems to create additional leverage over the victim to gain payment.
Maze was an early adopter of this operational model, releasing 2GB of data from a breach of networks at the U.S. city of Pensacola, Florida, in December 2019 and an additional 14GB of data exfiltrated from a U.S.-based manufacturer in Georgia in January 2020.
Technical solutions and staff training measures should be employed in all organizations to block common ransomware attack vectors. Vulnerability management and patching regimes must be enacted to counter exploitation of known security vulnerabilities. Staff training should focus on phishing and malware, and endpoint security measures should be employed to detect and prevent infection through web browsing activities.
$6 trillion: Projected total damage done by attacks by 2021 (Cyber Crime Magazine, https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/)
Sources: ZDNet - https://www.zdnet.com/article/bouygues-construction-falls-victim-to-ransomware/
IntelligentCIO - https://www.intelligentcio.com/eu/2020/02/19/bouygues-groups-construction-subsidiary-hit-by-massive-ransomware-attack/
Nation State and Geopolitical
Researchers uncover widespread Iranian cyber campaign
A recent report published by researchers details a widespread campaign by Iranian state-linked threat groups APT33 and APT34. This campaign, dubbed “Fox Kitten,” is thought to have been operational since 2017 and has affected dozens of organizations in Israel, the United States, Saudi Arabia, Lebanon, Kuwait, UAE, Australia, France, Poland, Germany, Finland, Hungary, Italy and Austria.
Fox Kitten is believed to be espionage-driven, specifically targeting organizations in the IT, defense, utilities, oil and gas, and aviation industries over multiple attack waves.
The campaign has potentially resulted in the establishment of highly developed and persistent access to company networks that can be used for reconnaissance and espionage, and would also be an effective launchpad for supply chain attacks on partner organizations.
DXC perspective
According to the report, the initial attack vector used in the Fox Kitten campaign is through remote access VPN systems. Several VPN products have had vulnerabilities disclosed in recent months, and it is not surprising that nation-state actors are targeting them, since they know that patching vulnerable systems can take a long time.
The particular interest in targeting VPN systems and the broad scope across numerous industry verticals globally suggest that the operation may be largely opportunistic, with actors scanning for vulnerable servers, establishing a foothold, and returning later if the organization is determined to be a valuable intelligence target.
Source: ClearSky Security - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
Other news
• Data breach at agency in charge of secure White House communications - https://threatpost.com/data-breach-occurs-at-agency-in-charge-of-secure-white-house-communications/153160/
• Multiple WordPress vulnerabilities under active attack - https://www.bleepingcomputer.com/news/security/multiple-wordpress-plugin-vulnerabilities-actively-being-attacked/
• U.S. Cybersecurity and Infrastructure agency warns of new North Korean malware - https://www.us-cert.gov/northkorea
• Mexico’s economic ministry attacked - https://www.silicon.co.uk/security/cyberwar/mexico-ministry-cyber-attack-331976
• Russia’s GRU behind massive Georgia attack - https://www.bbc.co.uk/news/technology-51576445
Learn more
Thank you for reading the Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security.
DXC in Security
Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,500+ experts and a global network of security operations centers. DXC provides solutions tailored to our clients’ diverse security needs, with areas of specialization in Cyber Defense, Digital Identity, Secured Infrastructure and Data Protection. Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.
Stay current on the latest threats at www.dxc.technology/threats
Get the insights that matter. www.dxc.technology/optin
About DXC Technology
DXC Technology (NYSE: DXC) helps global companies run their mission critical systems and operations while modernizing IT, optimizing data architectures, and ensuring security and scalability across public, private and hybrid clouds. With decades of driving innovation, the world’s largest companies trust DXC to deploy our enterprise technology stack to deliver new levels of performance, competitiveness and customer experiences. Learn more about the DXC story and our focus on people, customers and operational execution at www.dxc.technology.
©2020 DXC Technology Company. All rights reserved. March 2020