Security Threat Intelligence Report
September 2020
In this issue
Trickbot malware targets Linux
Internet Explorer script-based malware emerges
Business email compromise attacks bypass MFA
Zoom phishing campaign harvesting Office 365 credentials
Agent Tesla RAT adds new features
Message from Mark Hughes
The shift to remote work has seen a considerable uptick in targeting remote access solutions. A new Zoom phishing campaign is harvesting Office 365 credentials while new business email compromise attacks can bypass multifactor authentication. We must ensure identity and access management are tight, and cyber hygiene is an ongoing focus. We also must continue to educate teams to keep a diligent eye on ongoing phishing schemes and malware.

Mark Hughes
Senior Vice President and General Manager of Security, DXC Technology
About this report
Fusing a range of public and proprietary information feeds, including DXC’s global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness.

This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.

Intelligence cutoff date: August 24, 2020
Table of contents

Threat Updates
  TrickBot’s Anchor malware platform targets Linux devices (Multi-industry), page 3
  Business email compromise attacks bypass MFA (Multi-industry), page 6
  Zoom phishing campaign harvesting O365 credentials (Multi-industry), page 7
  Agent Tesla RAT adds new features (Multi-industry), page 9

Vulnerability Updates
  Internet Explorer scripting malware emerges (Multi-industry), page 12

Incidents/breaches
  Carnival Corporation suffers ransomware attack (Travel Industry), page 15

Nation State and Geopolitical
  U.S. Justice Department seizes cryptocurrency accounts of 3 suspected terrorist groups (Multi-industry), page 16
Threat Updates

TrickBot’s Anchor malware platform targets Linux devices

Discovered by Stage 2 researcher Waylon Grange, TrickBot’s Anchor malware is still in the early stages of development. Intel is limited at this time. Updates will be reported as they become available.

TrickBot is a multipurpose Windows malware platform that uses different modules to perform various malicious activities, including information stealing, password stealing, Windows domain infiltration and malware delivery. TrickBot is rented by threat actors who use it to infiltrate a network and harvest anything of value. It is then used to deploy ransomware such as Ryuk and Conti to encrypt the network’s devices as a final attack.

Anchor_Linux will configure itself to run every minute using the following crontab entry:

*/1 * * * * root [filename]

Figure 1. Setting up persistence via CRON
Source: Vitali Kremez

Attack vector

According to Stage 2, this malware is often delivered as part of a ZIP file and is a lightweight Linux backdoor. Upon execution it installs itself as a cron job, determines the public IP for the host and then begins to beacon via DNS queries to its C2 server.

Dropper functionality includes:
• The ability to drop other malware on Linux devices and execute it
• An embedded Windows TrickBot executable
• A Linux embedded binary that serves as new lightweight TrickBot malware
• Code connections to older TrickBot tools

This malware can be used to infect Windows machines on the same network. This is the Windows infection process:
• Anchor_Linux will copy the embedded TrickBot malware to Windows hosts on the same network using SMB and IPC$
• When successfully copied to a Windows device, Anchor_Linux will configure it as a Windows service using:
  – The Service Control Manager Remote protocol
  – SMB SVCCTL named pipe

Upon startup, the Windows machine will connect to the C2 for instructions.

Figure 2. Copying a file via SMB
Source: Waylon Grange

Linux version

The Linux version allows threat actors to target non-Windows environments with a backdoor. If successful, attackers can pivot to Windows devices on the same network. It uses an attack vector outside of email phishing for Windows infection. The Linux backdoor has a persistence mechanism as seen in the cron job. It functions in the UNIX environment and targets devices in the UNIX environment, including:
• Routers
• VPN devices
• NAS devices run on Linux operating systems

IoT devices also require security controls and monitoring to detect Anchor_Linux.

Figure 3. TrickBot’s Anchor framework
Source: SentinelOne

ATM makers address illegal cash withdrawals

ATM manufacturers Diebold Nixdorf and NCR have fixed a number of software vulnerabilities that have allowed attackers to execute arbitrary code with or without system privileges. Hackers made illegal cash withdrawals by committing deposit forgery and manipulating underlying systems by issuing valid commands to dispense currency.
Hunting

Anchor_Linux will create a log file at:
/tmp/anchor.log

There is a high probability that the name of the log file will change as the malware development progresses. If this file exists, a complete audit of the system for the presence of the Anchor_Linux malware should be conducted. It is expected that TrickBot will continue its development to make it a full-featured addition to its Anchor framework.
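A hunting helper for the two host artifacts described above, the every-minute root cron entry and the /tmp/anchor.log file. This is an added example written for this summary, not tooling from Stage 2 Security or DXC; the crontab lines are a constructed sample, and treating /tmp and /var/tmp as the suspicious binary locations is an assumption the report does not state.

```python
import os
import re

# Constructed sample of /etc/crontab-style lines (system crontab format,
# with a user field). Not taken from a real host.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root /usr/lib/sysstat/sa1 1 1
*/1 * * * * root /tmp/.x/anchor_linux
* * * * * root /var/tmp/.cache/a
0 3 * * * backup /usr/local/bin/backup.sh
"""

# minute hour day-of-month month day-of-week user command
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
# assumption for this example: a binary under /tmp or /var/tmp is the strong signal
TEMP_PATH = re.compile(r"^/(?:var/)?tmp/")


def runs_every_minute(minute_field):
    """True for the minute-field forms that fire every minute ('*' or '*/1')."""
    return minute_field in ("*", "*/1")


def every_minute_root_jobs(crontab_text):
    """Return (command, in_temp_dir) for each every-minute job that runs as root.

    Anchor_Linux registers itself as '*/1 * * * * root [filename]'. Jobs whose
    binary lives under a temp directory are flagged; other every-minute root
    jobs are still listed so an analyst can triage them.
    """
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        # skip blanks, comments and VAR=value environment lines
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        match = CRON_LINE.match(line)
        if not match:
            continue
        minute, _hour, _dom, _month, _dow, user, command = match.groups()
        if user == "root" and runs_every_minute(minute):
            hits.append((command, bool(TEMP_PATH.match(command))))
    return hits


def anchor_log_present(path="/tmp/anchor.log"):
    """Check for the log file the current sample writes. The name is expected
    to change, so a hit is a trigger for a full audit, not the audit itself."""
    return os.path.exists(path)


if __name__ == "__main__":
    for command, in_temp in every_minute_root_jobs(SAMPLE_CRONTAB):
        print(("SUSPECT " if in_temp else "review  ") + command)
    print("anchor.log present:", anchor_log_present())
```

Run it against `cat /etc/crontab /etc/cron.d/*` output on a host under review; user crontabs (no user field) need the six-field form and are deliberately not matched here.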
IoCs – Courtesy of Stage 2 Security

Hashes:
55754d178d611f17efe2f17c456cb42469fd40ef999e1058f2bfe44a503d877c
C721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
7686a3c039b04e285ae2e83647890ea5e886e1a6631890bbf60b9e5a6ca43d0

Domains:
*.biillpi[.]com

IPs:
23.95.97[.]59

Yara:
rule anchor_linux_dns
{
    meta:
        author = "Stage 2 Security"
        description = "Trickbot anchor_linux"
    strings:
        $hdr = {7f 45 4c 46}
        $x1 = {80 74 0? ?? b9}
        $x2 = "anchor_l"
        $x3 = "getaddrinfo"
        $x4 = "IPC$"
        $x5 = {48 ?? 2f 74 6d 70 2f 00 00 00}
        $x6 = "test my ip"
        $x7 = {73 6d 62 32 5f [4-7] 5f 61 73 79 6e 63 20}
        $x8 = "Kernel32.dll"
        $x9 = "libcurl"
        $x10 = "/1001/"
    condition:
        $hdr at 0 and 7 of ($x*)
}
Impact

TrickBot was first detected in 2016 and has developed its capabilities extensively over the years. TrickBot can disable antivirus systems, propagate throughout a network, perform man-in-the-middle attacks and drop other malware. The latest TrickBot update means the malware has a completely new attack vector targeting Linux and Unix devices. Based on its success with Windows machines, the impact rating to organizations should be considered critical.

TrickBot has been seen in the wild dropping Ryuk and GlobeImposter ransomware. Multiple malware infections greatly complicate the remediation process. It has successfully disabled endpoint antivirus applications, allowing the infection to spread across the network, compromising over a hundred systems.

Note that TrickBot began as a banking trojan and is proficient at harvesting and exfiltrating data from infected systems prior to deploying ransomware, which is a tactic adopted by most ransomware groups in 2020.

DXC perspective

TrickBot is used by multiple threat actor groups due to its success rate and its ability to propagate throughout the environment and drop other malware. Groups using TrickBot are financially motivated, and successful intrusions will result in the exfiltration of data. Security controls should be tuned to alert on abnormal outbound traffic. It may also deliver disruptive malware such as ransomware and system-wiping malware.

The recent addition of this new TrickBot attack vector will require security teams to tune security monitoring tools to detect intrusions as well as hunt for existing network presence of previous non-detected intrusions.

Sources: Stage 2 Security; Intezer Labs; SANS
Business email compromise attacks bypass MFA

Business email compromise (BEC) campaigns are increasing in frequency, and compromise success rates are up, with reports of email accounts being taken over despite multifactor authentication (MFA) and conditional access.

It is not possible to enforce MFA when a user signs into an account using legacy email protocols, including IMAP, SMTP, MAPI and POP. Office 365 licenses provide the ability to configure conditional access policies, which block access from legacy applications. However, attackers are bypassing conditional access controls by obscuring (renaming) the app being used. Credential stuffing campaigns have been seen in the wild using legacy applications in attempts to bypass MFA.
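Added example, not from Proofpoint or DXC: a triage pass over constructed Office 365 sign-in records that keys on the protocol field rather than the app display name, which is the field the renaming trick manipulates. The field names clientAppUsed and appDisplayName follow the Azure AD sign-in log schema as the author understands it and should be treated as an assumption; the records and the legacy-client value list are constructed for this example.

```python
from collections import defaultdict

# Protocols on which MFA cannot be enforced. Values follow the clientAppUsed
# field of Azure AD sign-in logs as the author understands it (assumption).
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                  "MAPI Over HTTP", "Other clients"}

# Constructed sign-in records, not real telemetry. Records 2-4 show one source
# reaching IMAP4/SMTP through an app renamed to look like a modern client.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "ip": "203.0.113.10", "clientAppUsed": "Browser",
     "appDisplayName": "Office 365", "mfa": True, "success": True},
    {"user": "bob@example.com", "ip": "198.51.100.7", "clientAppUsed": "IMAP4",
     "appDisplayName": "Microsoft Teams", "mfa": False, "success": True},
    {"user": "carol@example.com", "ip": "198.51.100.7", "clientAppUsed": "IMAP4",
     "appDisplayName": "Microsoft Teams", "mfa": False, "success": False},
    {"user": "dave@example.com", "ip": "198.51.100.7", "clientAppUsed": "SMTP",
     "appDisplayName": "Outlook", "mfa": False, "success": False},
    {"user": "erin@example.com", "ip": "203.0.113.10",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "appDisplayName": "Outlook", "mfa": True, "success": True},
    {"user": "frank@example.com", "ip": "192.0.2.44", "clientAppUsed": "POP3",
     "appDisplayName": "Outlook", "mfa": False, "success": True},
]


def uses_legacy_protocol(record):
    """Decide on the protocol, never on appDisplayName: the display name is
    what an attacker renames to slip past a name-based conditional access rule."""
    return record["clientAppUsed"] in LEGACY_CLIENTS


def legacy_logins_without_mfa(records):
    """Accounts that completed a legacy-protocol sign-in with no second factor."""
    return sorted({r["user"] for r in records
                   if uses_legacy_protocol(r) and r["success"] and not r["mfa"]})


def stuffing_sources(records, min_users=3):
    """Source IPs whose legacy-protocol attempts touched at least min_users
    distinct accounts: the credential-stuffing shape the report describes."""
    users_by_ip = defaultdict(set)
    for r in records:
        if uses_legacy_protocol(r):
            users_by_ip[r["ip"]].add(r["user"])
    return {ip: len(users) for ip, users in users_by_ip.items()
            if len(users) >= min_users}


def policy_gap(records):
    """(display name, protocol) pairs where a modern-looking app name carried
    a legacy protocol; each pair is a rule that should block on protocol."""
    return sorted({(r["appDisplayName"], r["clientAppUsed"])
                   for r in records if uses_legacy_protocol(r)})


if __name__ == "__main__":
    print("legacy sign-ins without MFA:", legacy_logins_without_mfa(SAMPLE_SIGNINS))
    print("stuffing sources:", stuffing_sources(SAMPLE_SIGNINS))
    print("name/protocol mismatches:", policy_gap(SAMPLE_SIGNINS))
```

The point of `policy_gap` is that blocking legacy authentication must be expressed in terms of the client protocol; a rule written against an app name is exactly what the renaming described above defeats.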
iOS SDK breach surfaces

Researchers discovered malicious functionality within the iOS MintegralAdSDK (aka SourMint) distributed by Chinese company Mintegral. The malicious functionality enabled ad fraud on hundreds of iOS apps and brought major privacy concerns to consumers. It allows spying on user link click activity within thousands of iOS apps that use the SDK, tracking requests performed by the app and reporting it back to Mintegral’s servers.
Impact

The motivation behind BEC attacks is financial and can impact organizations at various levels:
• Credential harvesting and data exfiltration
• Financial losses from company fund transfer requests
• GDPR fines associated with PII data being exfiltrated
• Reputational damage resulting from any of the above

DXC perspective

Even the most highly trained and vigilant employee will get fooled by the variety of tactics that threat actors use. Security controls such as secure email gateways (SEGs) should be used to prevent such emails from reaching the legitimate users. SEGs are helpful in filtering out inbound emails containing malicious files, URLs and known abusive senders. However, SEGs will not help with well-planned and well-crafted social engineering tactics.

Internal controls should be in place to limit or completely avoid a single point of failure within all departments. Special emphasis should be placed on requiring multiple signoffs on sending company funds externally.

Organizations should consider the following:
• Secure email gateways
• A privileged access management solution
• Endpoint protection that detects and stops abnormal behavior

Sources: Proofpoint; FBI InfraGard: Membership Distribution

Zoom phishing campaign harvesting Office 365 credentials

Attackers are sending phishing emails to Zoom users aimed at credential harvesting. The messages contain a meeting invitation that includes a file to download to access details about a meeting invitation and start the meeting.

The email messages originated from hijacked accounts and newly purchased domain names (zoomcommuncations.com and zoomvideoconfrence.com), with identification information appearing to be legitimate:
Instead of harvesting Zoom credentials, the main goal of the campaign is to harvest Office 365 credentials by redirecting users to a Microsoft Office 365 or Outlook login page. HTML, JavaScript and PHP code is encoded on the page and unreadable to humans and automated security tools. It remains undetectable and evades URL reputation checkers.

Figure 4.
Figure 5.
RDP used by Iranian actors in international Dharma ransomware attacks

Iranian actors leveraged the remote desktop protocol (RDP) as part of an international campaign to target companies with Dharma ransomware. Artifacts found by the investigating organization, Group-IB, indicated that the group attempted to distribute Dharma on an affected company’s networks in Russia, Japan, China and India. The attackers used Advanced Port Scanner to map the compromised network for available hosts, moving laterally by abusing RDP. Ransomware demands ranged from 1 to 5 BTC.
Impact

The Zoom platform has seen a dramatic increase in traffic due to the increase in remote workers. This exploit gives attackers the ability to enter organization meetings and steal proprietary information as well as credentials.

DXC perspective

No single security control is enough to stop a well-crafted attack such as this one. Key tactics include secure email gateways and timely threat intelligence combined with user education on what to expect from various virtual meeting vendors.

Source: INKY – Bukar Alibe

Agent Tesla RAT adds new features

Agent Tesla is emerging as an inexpensive and easy-to-use malware aimed at stealing information. It is attractive to low-skilled threat actors, and many versions now exist based on the original code.

The malware first appeared on the agenttesla.com site, which is now closed. Varying levels of code were sold for $12 to $35:

Agent Tesla is delivered via email, and those attacked were observed spreading it via COVID-19-themed messages, often masquerading as information or updates from the World Health Organization.

Recent Agent Tesla upgrades include:
• More robust spreading and injection methods
• Discovery and theft of wireless network details and credentials
• Harvesting of configuration data and credentials from:
  – VPN clients
  – FTP and email clients
  – Web browsers
  – The registry and related configuration files

Figure 6.
List of targeted software

360 Browser           CoreFTP        Liebao                SeaMonkey
Apple Safari          CyberFox       Microsoft IE & Edge   Sleipnir 6
Becky! Internet Mail  Epic Privacy   Microsoft Outlook     SmartFTP
BlackHawk             Elements       Mozilla Firefox       Sputnik
Brave                 FileZilla      Mozilla Thunderbird   Tencent QQBrowser
CentBrowser           FlashFXP       Elements              The Bat! Email
CFTP                  Flock          OpenVPN               Torch
Chedot                Google Chrome  Opera                 Trillian Messenger
Chromium (general)    IceCat         Opera Mail            UCBrowser
Citrio                IceDragon      Orbitum               Uran
Claws Mail            IncrediMail    PaleMoon              Vivaldi
Coccoc                Iridium        Postbox               WaterFox
Comodo Dragon         KMeleon        QIP Surf              WinSCP
CoolNovo              Kometa         Qualcomm Eudora       Yandex
The harvested data is transmitted to the C2 via SMTP or FTP. The transfer method is hardcoded in the malware’s internal configuration and includes credentials (FTP or SMTP) for the C2. New variants can drop or retrieve secondary executables.

Samples of this malware have been seen creating hidden folders and processes in %temp%. The persistent process is set via the Registry:

/c copy "C:/Users/admin1/Desktop/tes_10.exe" "%temp%\FolderN\name.exe" /Y

Execution

This malware gathers local system information, installs the keylogger module, and initializes routines for discovering and harvesting data. This process includes basic WMI queries. Examples include:
• start iwbemservices::execquery - select * from win32_operatingsystem
• start iwbemservices::execquery - select * from win32_processor

Figure 7.
Russia’s GRU military unit behind Linux malware attacks

Russia’s GRU military unit is suspected to be behind Drovorub, a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a C2 server. Identifying this malware is difficult. Detection approaches include packet inspection at network boundaries, probing, security products, live response, memory analysis and media (disk image) analysis.
For wireless network settings and credential discovery, the malware launches an instance of netsh.exe. The syntax utilized initially is:
• Netsh.exe wlan show profile

Upon launch, an instance of the malware is dropped into %temp% as a hidden file, in a hidden folder:
• /c copy "C:/Users/admin1/Desktop/tes_10.exe" "%temp%\FolderN\name.exe" /Y

The following command is then used to create the autorun registry key:
• /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
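Added example (not from Malpedia, Check Point, Bleeping Computer or DXC): three process command-line detections built from the commands quoted above, run over a constructed batch that mixes those commands with benign look-alikes. The rule names are the author's; the ATT&CK reference on the registry rule is the one the report's own mapping gives for Registry run keys / startup folder.

```python
import re

# Detection rules over process-creation command lines. Each entry is
# (rule name, ATT&CK id where the report's mapping gives one, pattern).
RULES = [
    # copy of an executable into a folder under %temp%, forced overwrite (/Y)
    ("COPY_TO_HIDDEN_TEMP", None,
     re.compile(r'\bcopy\s+"[^"]+"\s+"%temp%\\[^"]+"\s+/Y\b', re.IGNORECASE)),
    # the Load value under HKCU\...\Windows NT\CurrentVersion\Windows is an
    # autostart location; report maps it to T1547.001
    ("LOAD_VALUE_AUTORUN", "T1547.001",
     re.compile(r'\breg\s+add\s+"?HKCU\\Software\\Microsoft\\Windows NT'
                r'\\CurrentVersion\\Windows"?\s+/v\s+Load\b', re.IGNORECASE)),
    # dump of saved wireless profiles, the first netsh syntax the sample uses
    ("WLAN_PROFILE_DUMP", None,
     re.compile(r'\bnetsh(?:\.exe)?\s+wlan\s+show\s+profile', re.IGNORECASE)),
]

# Constructed command lines, not real telemetry. The first three are the
# commands the report quotes; the rest are benign look-alikes for precision.
SAMPLE_COMMANDS = [
    r'/c copy "C:/Users/admin1/Desktop/tes_10.exe" "%temp%\FolderN\name.exe" /Y',
    r'/c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f',
    r'Netsh.exe wlan show profile',
    r'/c reg add "HKCU\Software\Contoso\App" /v Theme /t REG_SZ /d dark /f',
    r'netsh interface show interface',
    r'/c copy "C:\Users\admin1\report.docx" "D:\backup\report.docx" /Y',
]


def classify(command_line):
    """Names of every rule the command line matches (empty list if none)."""
    return [name for name, _ttp, pattern in RULES if pattern.search(command_line)]


def scan(command_lines):
    """(rule, attack_id, command) for every hit across a batch, in input order."""
    hits = []
    for cmd in command_lines:
        for name, ttp, pattern in RULES:
            if pattern.search(cmd):
                hits.append((name, ttp, cmd))
    return hits


if __name__ == "__main__":
    for rule, ttp, cmd in scan(SAMPLE_COMMANDS):
        print(f"{rule:20} {ttp or '-':10} {cmd}")
```

The rules are deliberately narrow (exact key path, `/v Load`, `%temp%` as the destination) so they fire on the quoted behaviour without flagging ordinary `reg add` or `copy` activity; broaden them only with a baseline of what administrators on the estate actually run.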
MITRE ATT&CK mapping:
• Modify registry (T1112)
• Subvert trust controls: Install root certificate (T1553.004)
• Hide artifacts: NTFS file attributes (T1564.004)
• Hijack execution flow: DLL search order hijacking (T1574.001)
• Process injection: Process hollowing (T1055.012)
• Data from information repositories (T1213)
• Boot or logon autostart execution: Registry run keys/startup folder (T1547.001)
• Process injection (T1055)
• Unsecured credentials: Credentials in files (T1552.001)
• System information discovery (T1082)
• Query registry (T1012)
• OS credential dumping (T1003)
• Scheduled task (T1053)
Impact

Agent Tesla was first seen in the wild in 2014. It is a .NET-based keylogger and remote access trojan (RAT) that beacons data back to a C2 server. Recent developments have increased its capabilities extensively. Current versions have improved persistence and the ability to harvest data from more services.

DXC perspective

Agent Tesla is easily accessible and is used by many threat actor groups due to its success rate and ability to exfiltrate data without notice. Groups using Agent Tesla are both financially and espionage motivated, which means successful intrusions will result in the exfiltration of data. Expect to see more malspam campaigns that will attempt to distribute Agent Tesla. Cyber defense security controls should be tuned to alert on abnormal outbound traffic.
Sources: Malpedia; Check Point; Bleeping Computer
Vulnerability Updates

Internet Explorer scripting malware emerges

Recent samples of script-based malware delivered through the Internet Explorer (IE) browser exploit Windows OS users. Observed in the wild over the past 2 months, two distinct samples have been obtained from compromised machines:

Sample 1:
• JScript Remote Access Trojan (RAT)
• Persistence mechanism enabled
• Uses encoded network connection to connect to the attacker
• Attackers execute arbitrary commands on the target machine

Sample 2:
• AutoIT downloader
• Uses network connection and script functions to download and execute malware
• Capable of loading a variety of malware types

Based on the c.js JScript RAT downloaded from the assurancetemporaireenligne.com domain on April 18, the PowerShell command used to exploit the CVE-2019-0752 vulnerability is:

Persistence mechanism

The c.js script creates and sets a new value for the registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This value, named loaderName, is set with a path to a certain loader.jse file.

Figure 8.
The run key causes programs to run each time a user logs on. The loader.jse script, which is not created yet, will run automatically each time the Windows OS boots. For the next step of the persistence process, the c.js creates the actual loader.jse file. The following image shows the loader.jse script is created in the AppData folder. This is a hidden folder by default on Windows OS:

When the loader.jse is run, it opens the registry key HKCU\Software\loaderName and runs the code contained in the data value.

The packed code in the registry key loaderName contains the function(p,a,c,k,e,d) pattern, which indicates the Dean Edwards packer was used to obfuscate the code. This packer is outdated now but was commonly used in the past by benign scripts and therefore whitelisted by many kinds of detection technologies.
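Added example, not taken from Trend Micro or from the sample itself: a Python reimplementation of the Dean Edwards p,a,c,k,e,d unpacking step, so the code stored in a value like loaderName can be recovered for analysis without evaluating it. A small packer is included only to produce a correctly formed packed string for the round trip; the JScript fragment it packs is constructed, and the prologue text is the stock unpacker the packer emits as the author knows it.

```python
import re

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"

# Stock p,a,c,k,e,d prologue that packed scripts carry. Kept here so pack()
# emits the real wrapper shape and is_packed() has the signature to find.
PACKER_PROLOGUE = (
    r"eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))"
    r"+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};"
    r"if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}"
    r"k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};"
    r"while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}"
    r"return p}"
)

# Matches the argument list ('payload',radix,count,'w0|w1|...'.split('|'),...)
PACKED_ARGS = re.compile(
    r"\}\('(?P<payload>(?:[^'\\]|\\.)*)',\s*(?P<radix>\d+),\s*(?P<count>\d+),"
    r"\s*'(?P<words>[^']*)'\.split\('\|'\)",
    re.DOTALL,
)


def encode(num, radix=62):
    """Token for dictionary index num: base-radix digits 0-9, a-z, then A-Z."""
    prefix = "" if num < radix else encode(num // radix, radix)
    digit = num % radix
    return prefix + (chr(digit + 29) if digit > 35 else ALPHABET[digit])


def is_packed(script):
    """Cheap triage check for the function(p,a,c,k,e,d) signature."""
    return re.search(r"function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)",
                     script) is not None


def pack(source, radix=62):
    """Minimal packer: every word token becomes its dictionary index token."""
    words, index = [], {}

    def to_token(m):
        word = m.group(0)
        if word not in index:
            index[word] = len(words)
            words.append(word)
        return encode(index[word], radix)

    payload = re.sub(r"\w+", to_token, source)
    payload = payload.replace("\\", "\\\\").replace("'", "\\'")   # JS string escapes
    return PACKER_PROLOGUE + "('%s',%d,%d,'%s'.split('|'),0,{}))" % (
        payload, radix, len(words), "|".join(words))


def unpack(packed):
    """Reverse the packer without evaluating anything: rebuild the token table
    and substitute every word token, exactly as the JS prologue would."""
    m = PACKED_ARGS.search(packed)
    if m is None:
        raise ValueError("no p,a,c,k,e,d argument list found")
    payload = re.sub(r"\\(.)", r"\1", m.group("payload"))   # undo JS string escapes
    radix, count = int(m.group("radix")), int(m.group("count"))
    words = m.group("words").split("|")
    table = {}
    for i in range(count):
        token = encode(i, radix)
        # an empty dictionary slot means the token stands for itself
        table[token] = words[i] if i < len(words) and words[i] else token
    return re.sub(r"\w+", lambda t: table.get(t.group(0), t.group(0)), payload)


# Constructed JScript fragment of the kind a loader carries (not from a sample).
SAMPLE_SOURCE = ('var shell = new ActiveXObject("WScript.Shell");'
                 'var appdata = shell.ExpandEnvironmentStrings("%APPDATA%");')


if __name__ == "__main__":
    packed = pack(SAMPLE_SOURCE)
    print("packed:  ", packed[-80:])
    print("unpacked:", unpack(packed))
```

Feed `unpack()` the string read out of the registry value; because nothing is executed, it is safe to run on a live sample, and the recovered script is what signature or YARA logic should be written against rather than the packed form.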
The attacker can perform the following tasks on the target system:
• Execute commands
• Download files
• Reboot the Windows OS
• Terminate processes
• Shut down Windows OS

Figure 9.
Figure 10.
AutoIT downloader

This is the 2.exe file downloaded from the dark.crypterfile.com domain using the same vulnerability CVE-2019-0752:

The AutoIT code retrieves the system information, which is stored in the $asysinfo array. Then there is a check on the sixth element of this array, which corresponds to the number of logical processors. The check verifies whether the number of logical processors is greater than or equal to four, and only then do the malicious files download. Using the InetGet and Run AutoIT functions, the malicious script downloads and executes multiple files on the target system.

The last file downloaded is stored in the Current User Startup folder. The file will execute each time the user logs in to the Windows OS.

Impact per Microsoft

CVE-2020-1380 has received a CVSS score of 7.5, according to Microsoft. A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.
DXC perspective

Patching vulnerabilities of this nature needs to be a high priority for all organizations. This exploit, which contains multiple facets (a remote access trojan, a downloader and an effective persistence mechanism), has the potential to cause extensive damage within an IT environment. Patching or other mitigation techniques, although difficult at times, is the best option.

According to Microsoft, in a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, including those that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

Figure 11. Command used to download and launch the AutoIT downloader sample.
Figure 12.
Sources: Microsoft; MITRE; Trend Micro
Incidents/breaches

Carnival Corporation suffers ransomware attack

Carnival disclosed a ransomware attack that impacted one of its subsidiaries. Carnival has not disclosed which division was the target of that attack or if other divisions were subsequently affected.

Carnival’s brands include Princess Cruises, Holland America Line, P&O Cruises, Costa Cruises, AIDA Cruises and Cunard.

The attack appears to have exfiltrated customer and employee data. In a Form 8-K regulatory filing, Carnival said its investigation so far shows no other systems were impacted.

“While the investigation of the incident is ongoing, the company has implemented a series of containment and remediation measures to address this situation and reinforce the security of its information technology systems,” Carnival stated.

The Prevailion company was tracking C2 activity across the internet and observed suspicious activity to and from Carnival’s network between February and early June of this year. During that period, an IP address belonging to Carnival was observed regularly communicating with malicious C2 servers outside the company. High levels of communication were observed between April 11 and June 5. Prevailion tracked over 46,000 attempted connections from the Carnival IP address to the C2 servers. Prevailion identified the activity as associated with Ramnit malware, which most recently was used for credential theft.

The above C2 activity cannot be definitely linked to the August 2020 ransomware attack, but it should be noted that ransomware groups have changed their tactics from encrypting data upon entry to maintaining a stealth presence within the compromised environment. The goal is to exfiltrate sensitive and proprietary data and use that as leverage to obtain the requested ransom.

Investment scam sites shut down

The National Cyber Security Centre (NCSC) has shut down more than 300,000 URLs found to be linked to investment scams in a four-month period. Many of these ruses began with fake news articles that promoted investment advice from celebrities. As is most common with phishing, the news articles sought to trick readers into visiting hoax websites claiming methods to help the user “get rich quick.”

Source: Tripwire
Impact

Details regarding this attack, the second successful breach this year at Carnival, are limited. Carnival did initiate an internal investigation that included notifying law enforcement and engaging an external security firm.

Reports note that Carnival’s internal security team and controls were able to prevent the entire network from being compromised. The ransomware encryption process was halted, but the impact on customer and employee data is not known, nor has the attack vector been disclosed. Carnival has indicated that it expects to see claims arising from customers’ data being exposed.

DXC perspective

Ransomware attacks are on the rise and will continue given how lucrative such attacks are. Financially motivated threat actors have no reason to stop attacks that have such a high success rate.

Preparation and planning are key components to stopping ransomware attacks. It is highly recommended that all organizations obtain a copy of the U.S. Secret Service’s “Preparing for a Cyber Incident – A Guide to Ransomware.” The document contains valuable information that can be useful in combatting all types of malware attacks.

Another factor to consider is that this was the second successful attack at Carnival in a matter of months. It is not uncommon for threat actors to initiate secondary attacks to test if the environment is still vulnerable.

Sources: Prevailion; Security Affairs
Nation State and Geopolitical

U.S. Justice Department seizes cryptocurrency accounts of three suspected terrorist groups

The U.S. Justice Department announced it has seized a record $2 million in cryptocurrency intended to finance the activities of al-Qaida, the al-Qassam Brigades and the Islamic State.

U.S. authorities obtained warrants to seize the money and to dismantle 300 cryptocurrency accounts. Warrants also took down four websites and four Facebook pages the three terror groups used as part of their cyber campaigns to generate funds.

Other news
• Utah Gun Exchange breached - Security Boulevard
• Canada revenue agency discloses credential stuffing attack - Security Boulevard
• Nine leaky GitHub repos affecting 200K U.S. residents - Security Boulevard
Impact

Federal prosecutors said the three campaigns relied on sophisticated cyber tools to generate cryptocurrency donations to finance their operations.

Officials also noted that donations were not anonymous. Agents with the Internal Revenue Service, Homeland Security Investigations and the FBI tracked and seized 150 cryptocurrency accounts that laundered funds for the terrorist groups. Agents also executed criminal search warrants for the people and organizations that donated money from within the United States.

DXC perspective

The Department of Homeland Security has an ongoing campaign called “If You See Something, Say Something.” As information technology and cybersecurity professionals, we are in a unique position to come across intelligence that may be valuable in preventing a terrorist attack. Share the intel.

Sources: United States Department of Justice; Department of Homeland Security – Membership distribution
Learn more

Thank you for reading the Security Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security.

DXC in Security

Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,000 experts and a global network of security operations centers. DXC provides solutions tailored to our clients’ diverse security needs, with areas of specialization in Cyber Defense, Digital Identity, Secured Infrastructure and Data Protection. Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.

Stay current on the latest threats at www.dxc.technology/threats.

Get the insights that matter. www.dxc.technology/optin

About DXC Technology

DXC Technology (NYSE: DXC) helps global companies run their mission critical systems and operations while modernizing IT, optimizing data architectures, and ensuring security and scalability across public, private and hybrid clouds. With decades of driving innovation, the world’s largest companies trust DXC to deploy our enterprise technology stack to deliver new levels of performance, competitiveness and customer experiences. Learn more about the DXC story and our focus on people, customers and operational execution at www.dxc.technology.

©2020 DXC Technology Company. All rights reserved. September 2020