
Threat Intelligence Report

Manufacturing/Public Sector

November 2019

IN THIS ISSUE

• APT29 still active

• Apple software update vulnerability used to distribute ransomware

• TA505 launches phishing campaign

• Ransomware attack locks out Pitney Bowes customers

Table of Contents

Threat updates

TA505 launches phishing campaign

LokiBot focuses on United Arab Emirates (UAE), Germany and Portugal

Malware volumes decline but become more targeted

Nation state & geopolitical updates

Industry reporting indicates APT29 is still active

Vulnerability updates

CVE-2019-6333 in HP Touchpoint Analytics

Apple software update vulnerability used in ransomware distribution

Incidents/Breaches

AVAST breached through compromised VPN profile

Pitney Bowes customers locked out by ransomware attack

Immutable Games Company targeted in DoS attack

Sector tags used alongside the contents entries: Multi-industry, Financial Services, Technology, Logistics.

Ransomware continues to be a major threat, accounting for 39 percent of global data incidents and costing billions of dollars. Effective network controls and endpoint solutions can help, but organizations must construct and regularly test backups and data recovery plans to ensure recovery. Advanced threat actors also featured prominently in new operations related to nation-state actors and cyber criminals. Read more in this month’s report.

Mark Hughes, Senior Vice President and General Manager of Security, DXC Technology

About this report

Fusing a range of public and proprietary information feeds, including DXC’s global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness.

This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.

Intelligence cutoff date: 26 October 2019


Threat updates

TA505 sustains phishing campaign

Since the beginning of September, the TA505 threat group has run a series of phishing campaigns containing two new malware strains. The emails targeted financial institutions in Greece, Singapore, United Arab Emirates, Georgia, Sweden, Lithuania and other countries.

Impact

The malspam attempts to deliver the new Get2 malware loader, which then delivers additional second-stage payloads including FlawedGrace, FlawedAmmyy, Snatch and the new SDBbot Remote Access Tool. Once opened, the downloader code embedded in the Excel file attempts to retrieve payload data that may include information stealer and remote access Trojan malware.

DXC perspective

This campaign implies a change in tactics for TA505, which has moved away from ransomware operations and toward the distribution of backdoors and theft of information.

TA505 has been active since at least late 2014 and mainly targets its malware attacks at financial institutions and large retail organizations. Denial of initial access is key to malware prevention. Effective identity and access management controls, network access controls, phishing mail protections, training and next-generation endpoint solutions can all help prevent account compromise and malware delivery. As well as prevention, organizations should construct and regularly test data recovery plans. Backups should be logically isolated to protect them from infection.

Source: BleepingComputer

LokiBot focuses on UAE, Germany and Portugal

In early July 2019, a campaign was used to send customized phishing emails with malicious LokiBot attachments to 100 organizations, primarily in the UAE, Germany and Portugal.

Impact

LokiBot is a backdoor and information/credential stealing malware. In this campaign, phishing emails were sent with customized lure content specific to the targeted organization. Attached were Microsoft Office files with links to other remote malicious files. This remote linking technique can evade some traditional endpoint protection products, and in this instance infects the phished victim with LokiBot.

DXC perspective

Organizational group policy should disable MS Office macros and other active content by default. User training can equip employees to identify aspects of phishing emails, such as email with attachments from an unknown sender.

Source: Microsoft
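As an added example (not code from the DXC report or from Microsoft), the following Python scanner looks for the remote-linking technique described above: Office Open XML packages are zip archives, and a link to another file is recorded in a `.rels` part as a relationship with `TargetMode="External"`. The scanner flags packages whose external target is off-machine and is resolved automatically when the file opens. The relationship types treated as auto-fetched, the "remote target" heuristic, the `example.invalid` host and the minimal sample package are assumptions constructed for this example.

```python
"""Flag Office Open XML packages that pull remote content via relationship links.

Added example, not code from the DXC report or Microsoft. Office Open XML
files (.docx/.xlsx/.pptx) are zip archives; references to other files live
in *.rels parts as <Relationship ... TargetMode="External"> entries. The
relationship types treated as auto-fetched, the remote-target heuristic
and the sample package are assumptions constructed for this example.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List
from xml.sax.saxutils import escape

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_PREFIX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Office resolves when the file is opened, with no click
# needed (assumption: the list is limited to the common cases).
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "frame", "externalLinkPath"}

# http(s)/ftp URLs, UNC paths and file:// URLs with a host all leave the
# machine; file:///C:/... is a local path and stays unflagged.
REMOTE_TARGET = re.compile(r"^(?:https?|ftp)://|^\\\\|^file://[^/]", re.IGNORECASE)


def find_external_relationships(package_bytes: bytes) -> List[Dict[str, object]]:
    """Return every TargetMode="External" relationship in the package.

    Each hit records the .rels part, the short relationship type, the
    target, whether the target is off-machine and whether Office fetches
    it automatically on open.
    """
    hits: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                hits.append({
                    "part": name,
                    "type": rel_type,
                    "target": target,
                    "remote": bool(REMOTE_TARGET.match(target)),
                    "auto_fetch": rel_type in AUTO_FETCH_TYPES,
                })
    return hits


def is_suspicious(package_bytes: bytes) -> bool:
    """True when the package fetches any off-machine target automatically on open."""
    return any(h["remote"] and h["auto_fetch"]
               for h in find_external_relationships(package_bytes))


def build_sample(rel_type: str, target: str) -> bytes:
    """Construct a minimal package holding a single external relationship.

    Test fixture only: it has no document body, so Office would reject it;
    it is just enough to exercise the scanner.
    """
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{REL_TYPE_PREFIX}{rel_type}" '
        f'Target="{escape(target, {chr(34): "&quot;"})}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a template pulled from a web server versus the
    # usual local Normal.dotm that Word records for every document.
    remote = build_sample("attachedTemplate", "http://example.invalid/t.dotm")
    local = build_sample("attachedTemplate", "file:///C:/Users/alice/Templates/Normal.dotm")
    for label, pkg in (("remote template", remote), ("local template", local)):
        verdict = "suspicious" if is_suspicious(pkg) else "clean"
        print(label, verdict, find_external_relationships(pkg))
```

A plain `hyperlink` relationship to a web address is reported but not flagged, because it only fires when a user clicks it; an `attachedTemplate` or `oleObject` pointing at a web server or UNC share is flagged because Office resolves it on open, which is what lets a macro-free lure reach out for the second stage. Run the scanner on mail-gateway attachments alongside the macro-blocking policy the perspective above recommends.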

Malware volumes decline but become more targeted

Research released by SonicWall indicates malware and ransomware infections are becoming more targeted, with attackers selecting a smaller number of high-value targets.


Impact

Research shows criminal attackers are adopting big game hunting techniques to increase their return on investment. This change of tactics appears to correspond with an increase in ransom demands. The research also shows phishing attacks are becoming more targeted, with an increase in phishing attacks focused on C-suite executives and IT department leaders.

DXC perspective

While the SonicWall research indicates malware levels have declined, the research confirms trends seen by DXC intelligence that the threat from malware and ransomware continues to evolve and is no less significant. Increased sophistication in targeting and deployment tactics and a focus on high-value enterprise environments has driven an increase in ransom demands and potentially accounts for the more targeted approach to phishing.

Source: SonicWall

Vulnerability updates

CVE-2019-6333 in HP Touchpoint Analytics

A vulnerability in HP Touchpoint Analytics is leading to full system compromise.

Impact

HP Touchpoint Analytics is a telemetry-providing service installed on HP laptops. In October, a DLL search-order vulnerability was discovered and assigned CVE-2019-6333. DLL search order refers to the locations and paths the software will search to load required legitimate dynamic link libraries (DLL files). A DLL search-order hijack places a malicious DLL file in the highest path (first to be searched). This vulnerability is dangerous, since HP Touchpoint Analytics runs as “SYSTEM” with full Windows permissions.

DXC perspective

HP Touchpoint Analytics should be updated per the c06463166 bulletin. No software or updates need to be installed on HP systems that do not have HP Touchpoint Analytics.

Source: SafeBreach, HP

Apple Software Update vulnerability used in ransomware distribution

BitPaymer ransomware leveraged a zero-day exploit in August 2019 against users of Apple software.

Impact

Apple Software Update is a separate application installed alongside other Apple software, such as iTunes. Even when iTunes is removed, the updater component persists and would need to be uninstalled separately.

In August 2019, attacks were detected that were using an unquoted path vulnerability in the Apple Software Update component. This tactic permitted the typically trusted and digitally signed component to execute malicious code from an illegitimate directory.

DXC perspective

Customers should update affected Apple products with the October 7 patch.

Top 10 Malware types 2019

STOP (DJVu): STOP ransomware affects the systems of home users and can easily be picked up by downloading unsecured files.

Dharma: Dharma ransomware is a cryptovirus that is pushed onto systems via malicious download links and email links.

Phobos: Phobos ransomware is mainly spread via exploits of unsecured remote desktop services.

GlobeImposter: GlobeImposter makes up 6.5 percent of all ransomware submissions and is usually delivered via malspam campaigns.

REvil: REvil, also known as Sodinokibi, was first discovered in 2019. It is extremely evasive and uses advanced techniques to avoid detection.

GandCrab: According to Europol, GandCrab ransomware has infected nearly 500,000 victim systems since it was first detected in early 2018.

Magniber: Magniber has been around since 2013 and still accounts for 3.3 percent of ransomware submissions.

Scarab: First discovered in June 2017, this malware uses AES-256 and RSA-2048 to lock files on infected systems.

Rapid: Rapid ransomware acts as a Trojan horse to encrypt files before demanding a ransom.

Troldesh: Troldesh has been around since 2014 and has been used in many campaigns.


Customers not using Apple software should inventory and uninstall all software components to prevent this type of exploit in the future.

Source: Morphisec, Apple
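The two vulnerability items above describe the same underlying defect from two angles: Windows resolves an ambiguous path (an unquoted service command line with spaces, or a DLL name searched across several directories) and runs the first match it finds, so a privileged service ends up loading code from a directory it does not own. The following Python model, added here and not code from the DXC report, HP, Apple or SafeBreach, lets a defender reason about both cases offline: it enumerates the candidate executables an unquoted ImagePath leaves open, names the directories whose write ACLs must be checked, produces the quoted remediation, and walks the default DLL search order (SafeDllSearchMode enabled) to list which directories searched before the legitimate DLL are writable by standard users. Service names, paths and the "writable" sets are constructed fixtures.

```python
"""Model two Windows load-path weaknesses from a defender's point of view.

Added example, not code from the DXC report, HP, Apple or SafeBreach. It
models (1) the unquoted service path problem behind the Apple Software
Update finding and (2) the DLL search-order hijack class behind
CVE-2019-6333, with pure path logic so it runs on any host. Service
names, paths and the writable-directory sets are constructed fixtures; the
DLL order is the documented default with SafeDllSearchMode enabled.
"""
import ntpath
from typing import List, Optional, Tuple


def _norm(p: str) -> str:
    """Case-insensitive, separator-normalised form for comparing Windows paths."""
    return ntpath.normcase(ntpath.normpath(p))


def _split_image_path(image_path: str) -> Tuple[str, str]:
    """Split an unquoted ImagePath into (executable part, trailing arguments)."""
    idx = image_path.lower().find(".exe")
    if idx == -1:
        return image_path, ""
    return image_path[:idx + 4], image_path[idx + 4:]


def unquoted_path_candidates(image_path: str) -> List[str]:
    """Executables Windows may try, in order, for an unquoted ImagePath.

    CreateProcess tries each space-delimited prefix with ".exe" appended
    and runs the first that exists; the intended binary comes last.
    Returns [] when the value is quoted or has no spaces (no ambiguity).
    """
    if image_path.startswith('"'):
        return []
    exe_part, _ = _split_image_path(image_path)
    tokens = exe_part.split(" ")
    if len(tokens) == 1:
        return []
    prefixes = [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]
    return prefixes + [exe_part]


def directories_to_protect(image_path: str) -> List[str]:
    """Directories whose write ACLs decide whether the ambiguity is exploitable."""
    seen, out = set(), []
    for cand in unquoted_path_candidates(image_path)[:-1]:
        d = ntpath.dirname(cand)
        if _norm(d) not in seen:
            seen.add(_norm(d))
            out.append(d)
    return out


def quote_image_path(image_path: str) -> str:
    """The remediation: quote the executable portion and keep the arguments."""
    if image_path.startswith('"'):
        return image_path
    exe_part, args = _split_image_path(image_path)
    return f'"{exe_part}"{args}'


def dll_search_order(app_dir: str, system_root: str, cwd: str,
                     path_dirs: List[str]) -> List[str]:
    """Default DLL search order with SafeDllSearchMode enabled."""
    return [app_dir,
            ntpath.join(system_root, "System32"),
            ntpath.join(system_root, "System"),   # 16-bit system directory
            system_root,
            cwd,
            *path_dirs]


def hijackable_dirs(dll_dir: Optional[str], search_order: List[str],
                    writable_dirs: List[str]) -> List[str]:
    """Directories searched before the legitimate DLL that standard users can write to.

    dll_dir=None models a DLL the process asks for but that is installed
    nowhere: then every writable directory in the order is a hit.
    """
    writable = {_norm(w) for w in writable_dirs}
    out = []
    for d in search_order:
        if dll_dir is not None and _norm(d) == _norm(dll_dir):
            break
        if _norm(d) in writable:
            out.append(d)
    return out


if __name__ == "__main__":
    # Constructed service entry; the vendor and path are not real products.
    svc = r"C:\Program Files\Constructed Vendor\Update Service\updater.exe -run"
    print("candidates:", unquoted_path_candidates(svc))
    print("check ACLs on:", directories_to_protect(svc))
    print("fixed value:", quote_image_path(svc))
    order = dll_search_order(r"C:\Program Files\Constructed Vendor\Analytics",
                             r"C:\Windows", r"C:\Users\alice",
                             [r"C:\Windows\System32", r"C:\Users\alice\tools"])
    print("exposed for missing DLL:",
          hijackable_dirs(None, order, [r"C:\Users\alice", r"C:\Users\alice\tools"]))
```

The output shows why the two fixes are what they are: quoting the ImagePath collapses the candidate list to one entry, and a service that loads its DLLs by fully qualified path, or restricts the search with `LoadLibraryEx` flags such as `LOAD_LIBRARY_SEARCH_SYSTEM32`, never reaches the current directory or PATH entries that a standard user can write to. On a live system the "writable" sets come from the actual directory ACLs; the model above only makes the reasoning explicit.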

Incidents and breaches

Avast breached through compromised VPN profile

In October, cyber security software maker Avast released a statement detailing a security breach that affected its internal corporate network. Avast believes attackers intended to insert malware into the source code of its CCleaner software.

Impact

According to the statement, the breach occurred when an employee’s credentials were compromised and used to access the corporate VPN service. The intrusion, detected in September but determined to date back to early May, surfaced during an investigation into the sudden access rights elevation of the account.

Following the detection, Avast monitored the activities of the attacker in its environment before removing the malware and taking measures to ensure the integrity of its software products and networks.

The organization is now working with local authorities and an external forensics team to complete a full investigation into the incident.

DXC perspective

The experience of Avast provides considerations for both prevention and response. The initial access vectors for such attacks can be disrupted through adoption of multifactor authentication (MFA) systems and credential leakage monitoring.

Avast’s response to this incident shows how important an organization’s response is in limiting damage. Comprehensive incident response planning must encompass a variety of domains, including containment, technical recovery, remediation, business continuity and communications.

Source: ZDNet

Pitney Bowes customers locked out by ransomware

On October 14, logistics firm Pitney Bowes detected an undisclosed strain of ransomware on its systems.

Impact

The ransomware attack encrypted information and locked customers out of their accounts, restricting their ability to purchase additional mailing labels or access the company’s supplies web store. It has not been disclosed whether a ransom has been demanded or if the organization would consider paying. Pitney Bowes has assured customers there is no sign any client data or accounts were affected.

DXC perspective

Separate analysis by McAfee indicates that ransomware attacks have more than doubled in the first three months of 2019, suggesting that ransomware operators are getting a financial return for these attacks.


Both the United Kingdom’s National Crime Agency (NCA) and the United States’ Federal Bureau of Investigation (FBI) advise not to pay ransoms, since it encourages the attackers to continue such campaigns, and there is no guarantee that a decryption key will be supplied or, if supplied, that it will work.

The final decision on whether to pay lies with the organization’s executives, and it can be difficult when they are facing crippled IT infrastructure and concerned shareholders. The opportunity to recover quickly and get the business functioning again can be irresistible, even when there is a chance that the gamble may not pay off.

Whether or not the organization chooses to pay, it is essential that targeted organizations recover in a controlled way, removing the ransomware infection from the environment and putting measures in place to prevent any repeat attacks.

Technical solutions and staff training measures should be employed to block phishing attacks. Vulnerability management and patching regimes must be enacted to counter exploitation of known security vulnerabilities, and endpoint security measures should be employed to detect and prevent infection through web browsing activities.

Source: SPAMfighter, DigitalCommerce360

Immutable Games Company targeted in DoS attack

Immutable, an online gaming company in Australia, suffered a denial-of-service attack after offering support to a professional gamer who was banned for supporting the Hong Kong democracy protests.

Impact

Blizzard gaming banned Hong Kong’s Chung Ng Wai from Hearthstone eSports for a year and withdrew tournament prize money he had won after he expressed support for protests in the Chinese territory.

Seven hours after Immutable stepped in and offered to support Wai by covering his lost winnings, the company was targeted by a denial-of-service attack that blocked players from logging into their online gaming platform. The company reports the attack was continuing, but that it had managed to ward off damage with the help of external security experts. While Immutable has yet to analyze the attack in detail, the firm currently believes that it likely originated from China.

DXC perspective

This attack illustrates the unforeseen risks companies face when dealing with issues that involve geopolitical sensitivities.

Given the tactics used, DXC believes this attack is most likely the work of hacktivist actors. Hacktivists are motivated to target entities in multiple industry sectors based on many factors, but most commonly when an organization is deemed to be acting contrary to an individual’s or group’s political, social or ideological beliefs.

The majority of hacktivist attacks can be mitigated by improving basic security. By ensuring that all internet-facing infrastructure is accounted for and included in vulnerability and patch management systems, organizations can avoid being easy targets.

Source: Sydney Morning Herald

39% of the global data breaches caused by malware were ransomware.

Other News

• Cyberattacks from “hostile nation states” foiled by UK Cyber Centre

• UK and U.S. intelligence exposes Turla group attack

• Hibiscus Petroleum suffers cyber attack

• German automation giant Pilz disrupted by ransomware attack

• Chinese hacking group targets Southeast Asian governments with data-stealing malware


Nation state & geopolitical updates

Industry reporting indicates APT29 is still active

Open source reporting released on October 17 details a campaign targeting the foreign ministries of at least three European nations.

The campaign, dubbed “Operation Ghost,” is believed to date back to September 2013 and has been linked to APT29, a prolific threat actor with suspected links to the Russian Federation intelligence services.

Impact

The initial attack vector used in this campaign is believed to be via spear phishing email with a malicious attachment or link. Once activated, the lure file installs one of several backdoor implants used by APT29 and connects to command and control servers online. Unique command and control infrastructure is believed to be used for each target to frustrate detection and attribution efforts.

Once a foothold has been established, credentials are harvested from infected machines and used in lateral movement within the environment.

DXC perspective

APT29 has a significant presence in the cyber espionage world and is highly skilled and well resourced. The targeting of foreign ministries suggests a clear interest in the collection of information concerning international political movements, policies and decisions. DXC believes this activity is likely part of Russia’s ongoing espionage activities targeting western nations and former USSR countries.

Government organizations need to monitor their networks for evidence of suspected APT29 activity.

Source: ESET

Learn more

Thank you for reading the Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security.

DXC Labs | Security

DXC Labs delivers thought leadership technology prototypes to enable enterprises to thrive in the digital age.

DXC Labs | Security brings together our world-class advisors to develop strategic and architectural insights to reduce digital risk. DXC’s Cyber Reference Architecture is at the heart of our research, providing clients with detailed guidance on methods to efficiently resolve the most challenging security problems. We help clients minimize risk while taking maximum advantage of the digital commons.

Learn more at www.dxc.technology/securitylabs

DXC in Security

Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,500+ experts and a global network of security operations centers.

DXC provides solutions tailored to our clients’ diverse security needs, with areas of specialization in Intelligent Security Operations, Identity and Access Management, Data Protection and Privacy, Security Risk Management, and Infrastructure and Endpoint Security. Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.

About DXC Technology

As the world’s leading independent, end-to-end IT services company, DXC Technology (NYSE: DXC) leads digital transformations for clients by modernizing and integrating their mainstream IT, and by deploying digital solutions at scale to produce better business outcomes. The company’s technology independence, global talent, and extensive partner network enable 6,000 private and public-sector clients in 70 countries to thrive on change. DXC is a recognized leader in corporate responsibility. For more information, visit www.dxc.technology and explore thrive.dxc.technology, DXC’s digital destination for changemakers and innovators.

© Copyright 2019 DXC Technology Company. All rights reserved.

Stay current on the latest threats: www.dxc.technology/threats