June 2019
Manufacturing/Public Sector
Threat Intelligence Report
IN THIS ISSUE
• New supply chain threats
• Ransomware exploits Oracle WebLogic
• Hacktivism on the rise
• WhatsApp risks to mobile devices
• New Lazarus Trojan discovered
Table of Contents

Threat updates
• New ransomware variant exploits Oracle WebLogic vulnerability (Multi-industry)
• Hacktivism increases in the first quarter of 2019 but is less effective (Public Sector, Healthcare, Education)
• E-commerce attacks more valuable than ever (Retail)

Nation state & geopolitical updates
• Advanced supply-chain attacks attributed to Chinese group dubbed Barium (Multi-industry)
• Lazarus group develops new Trojan malware dubbed ELECTRICFISH (Public Sector, Manufacturing, Technology & Research)

Vulnerability updates
• WhatsApp vulnerability leads to compromise of mobile devices in highly targeted attack (Multi-industry)
• 50,000 enterprises may be at risk to potential SAP software vulnerabilities (Multi-industry)

Incidents/Breaches
• MIRRORTHIEF targets 201 online campus stores with card-skimming attack (Retail)
• Possible MegaCortex ransomware attack disrupts accounting software provider Wolters Kluwer (Multi-industry)
• CITYCOMP breach exposes financial data of numerous enterprises (Multi-industry)
Supply chain vulnerabilities expose critical assets
We’ve seen another active month with third-party security risks playing a role in major
breaches, meaning it is more critical than ever to understand supply chain exposure.
Ransomware continues to be a growing threat, with an increasing number of attacks
against enterprise environments, often referred to as big game hunting.
Hacktivist groups are also very active, but the good news is these attacks are becoming
less effective where proper security controls are in place. I encourage you to read more
about the latest threats.
Mark Hughes
Senior Vice President and General Manager of Security, DXC Technology
About this report
Fusing a range of public and proprietary information feeds, including DXC’s global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness.
This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.
Intelligence cutoff date: May 24, 2019
Threat updates
New ransomware variant exploits Oracle WebLogic vulnerability
Attackers are using vulnerability CVE-2019-2725 to facilitate the spread of a new ransomware variant dubbed Sodinokibi.
Impact
The critical vulnerability affects Oracle WebLogic servers, which are used for building and deploying enterprise applications, and allows unauthenticated remote code execution. Attackers require no user interaction to deploy the ransomware. Once installed, the ransomware instructs victims to transfer bitcoin to a specified address in return for the decryptor.
Notable features of the ransomware include the use of vssadmin.exe to delete automatic system backups, and attackers have followed up the Sodinokibi deployment with attempts to infect the same target with GandCrab ransomware. Industries and organizations targeted remain out of the public domain, although Cisco Talos suggests there have been numerous victims.
Source: Threatpost, Cisco Talos
DXC perspective
Organizations using Oracle WebLogic are urgently encouraged to patch servers. The flaw was
not patched in the standard quarterly update in April.
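The vssadmin.exe backup deletion noted above is one of the few high-fidelity signals a defender gets before encryption starts. The following Python is an added example, not code from the report or from DXC: it runs a detection rule over constructed Sysmon-style process-creation records (host names, users, the backup-agent.exe parent and all timestamps are made up) and also covers the equivalent wmic shadowcopy delete command, which goes beyond what the report mentions.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed Sysmon-style (Event ID 1) process-creation records. Hosts, users
# and timestamps are made up for this example; they are not telemetry from any
# incident in the report. Values containing spaces are double-quoted.
SAMPLE_EVENTS = [
    'ts=2019-05-20T10:01:07Z host=WS-FIN-07 user="CORP\\jdoe" parent=explorer.exe '
    'image="C:\\Windows\\System32\\notepad.exe" cmd="notepad.exe C:\\Users\\jdoe\\notes.txt"',
    'ts=2019-05-20T10:02:14Z host=WS-FIN-07 user="NT AUTHORITY\\SYSTEM" parent=cmd.exe '
    'image="C:\\Windows\\System32\\vssadmin.exe" cmd="vssadmin.exe Delete Shadows /All /Quiet"',
    'ts=2019-05-20T10:02:15Z host=WS-FIN-07 user="CORP\\backupsvc" parent=backup-agent.exe '
    'image="C:\\Windows\\System32\\vssadmin.exe" cmd="vssadmin.exe list shadows"',
    'ts=2019-05-20T10:02:16Z host=WS-FIN-07 user="NT AUTHORITY\\SYSTEM" parent=cmd.exe '
    'image="C:\\Windows\\System32\\wbem\\WMIC.exe" cmd="wmic shadowcopy delete"',
    'ts=2019-05-20T10:02:17Z host=WS-FIN-07 user="CORP\\backupsvc" parent=backup-agent.exe '
    'image="C:\\Windows\\System32\\vssadmin.exe" cmd="vssadmin.exe Delete Shadows /For=C: /Oldest"',
]

# key=value pairs; the value is either a double-quoted string or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Split one record into a dict of its fields."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def shadow_copy_deletion(cmd: str) -> Optional[str]:
    """Return a reason if the command line destroys Volume Shadow Copies, else None.
    Matching is on executable name plus argument set, so casing, argument order
    or a full path to vssadmin.exe does not evade the rule."""
    tokens = cmd.lower().split()
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].strip('"')
    args = set(tokens[1:])
    if exe in ("vssadmin", "vssadmin.exe") and {"delete", "shadows"} <= args:
        return "vssadmin delete shadows: backup destruction as seen with Sodinokibi"
    # Generalisation beyond the report: the WMI route to the same outcome.
    if exe in ("wmic", "wmic.exe") and {"shadowcopy", "delete"} <= args:
        return "wmic shadowcopy delete: equivalent shadow copy destruction"
    return None


def scan(lines: Iterable[str],
         trusted_parents: Iterable[str] = ("backup-agent.exe",)) -> List[Dict[str, str]]:
    """Apply the rule to raw records and return one alert dict per hit.
    trusted_parents is a tuning allowlist (a hypothetical backup agent here)
    whose routine shadow copy maintenance should not page an analyst."""
    trusted = {p.lower() for p in trusted_parents}
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reason = shadow_copy_deletion(ev.get("cmd", ""))
        if reason is None or ev.get("parent", "").lower() in trusted:
            continue
        alerts.append({"ts": ev["ts"], "host": ev["host"],
                       "user": ev["user"], "reason": reason})
    return alerts
```

Running scan(SAMPLE_EVENTS) yields two alerts (the SYSTEM-spawned vssadmin and wmic deletions); passing trusted_parents=() adds a third for the backup agent, which shows what the allowlist suppresses.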
Hacktivism increases in first quarter of 2019
Prominent hacktivist collectives such as Anonymous, LulzSec and various newer groups continue to use relatively low-skill attack vectors — such as distributed denial of service (DDoS), website defacement, and exploitation of misconfigured databases — to gain attention and support their various ideologies and causes.
Impact
Attack success rates vary, typically in relation to the cyber defense maturity of the targeted organization. Recent successes have been seen against government departments in Africa, where Ghost Squad Hackers continued a campaign against the Sudanese government. In early April, Ghost Squad and others claimed to be launching DDoS attacks against 260 domains a day, leading up to the removal of the autocratic president Omar al-Bashir. Anonymous launched similar attacks on departments of the Zimbabwe government in late 2018.
Other hacktivist collectives, particularly those operating in high-income countries, have reportedly had more difficulty when targeting government and media interests. Many groups now focus on low-hanging fruit, such as government subsections or universities.
Source: Wired
DXC perspective
Hacktivist campaigns will continue targeting multiple industry verticals with public sector, energy, education and healthcare at heightened risk. The attackers typically will be motivated by political, social and environmental issues.
Faced with maturing cyber defenses, hacktivists may seek to increase social engineering activities and use novel methods to disrupt targets. Misinformation campaigns, aimed at damaging a target’s “brand,” could further provide hacktivists opportunities to cause disruption outside of the scope of traditional cyber defenses.
Attack motivations (Source: Hackmageddon)
• 81% Cybercrime
• 14% Espionage
• 3% Cyberwarfare
• 1% Hacktivism
Most targeted industries
1. Multi-industry attacks
2. Public Sector
3. Communications, Entertainment & Tech
4. Health & Life Sciences
5. Banking & Capital Markets
Barium APT
Who are they? • Advanced adversary that uses supply chain compromise to enable highly focused targeting. Also known as Wicked Panda or ShadowHammer.
Where do they operate? • Intelligence and analysis suggest they are likely Chinese-speaking. They target globally.
What do they want? • Barium appears to focus on targeted espionage, most likely in support of Chinese strategic goals. Intellectual property, sensitive government documents and research are likely objectives.
Do they work alone? • Probably not. They have links to state-sponsored Chinese group APT 17 and potentially cybercriminal group Winnti.
How can I stop them? • Defense in depth and mature technology solutions are required. Fundamental security solutions include understanding your supply chain risk and effective mailbox, endpoint and network protections.
E-commerce attacks more valuable than ever
Payment card information stolen from online stores is increasing in value as demand for card verification value (CVV) numbers is outstripping supply.
Impact
CVV resale prices have now risen to match those of cloned payment cards used at physical
point-of-sale (POS) terminals.
Previously, data stolen with “card present” — where criminals create physical clones of cards —
was considerably more valuable than cards used only online. POS card clones were $15 to $20
a card, whereas CVVs ranged from $2 to $8.
However, recent monitoring of dark web marketplaces shows CVVs are now as valuable as POS data sets. A single CVV will routinely cost in excess of $20. The principal drivers for this dynamic are likely an increased demand for stolen card data on the dark web and increased difficulty in cloning physical cards due to wider chip-and-PIN adoption in G20 nations.
Source: Gemini Advisory
DXC perspective
This situation may partly explain the increased prevalence of attacks on e-commerce sites in the last 12 months, with a number of prominent card-skimming campaigns hitting online stores across various industries.
Nation state and geopolitical updates
Advanced supply chain attacks attributed to Chinese group dubbed Barium
The group is believed to be responsible for the significant breaches of ASUS in March 2019 and Avast’s CCleaner software, affecting 500,000 and 700,000, respectively.
Impact
Barium uses supply chain attacks to compromise hosts en masse, but actively exploits only a small number of preselected targets. Of the half-million devices implicated in the ASUS breach, the malware activated on only 600, based on predefined MAC addresses written into the exploit code. Similarly, only 70 of those compromised by CCleaner saw secondary spyware downloads.
Features
The group typically exploits trust relationships to deploy malware. Notably, it compromises update servers of suppliers and uses them to push out malicious payloads under the guise of legitimate updates. The group’s access to the suppliers enables it to use genuine signatures and certificates, making detection early in the kill chain extremely challenging. Evidence suggests Barium also chains supply chain attacks to gain deeper or more advantageous access. The compromise of CCleaner, for example, was used to target ASUS.
Though Barium’s ability to compromise major software and hardware suppliers has given it access to more than a million devices, the group appears to show little interest in destructive actions. Instead, it focuses on highly targeted espionage operations. Its targets are not known, but intelligence points toward the group being aligned with Chinese state interests. Barium may also operate as part of a wider collective of advanced adversaries. Its code shares fingerprints with code previously used by the state-sponsored Chinese group APT 17, and it shares tooling with cybercriminal group Winnti.
Source: Kaspersky, Wired
DXC perspective
Barium poses a serious and credible risk to public sector, research and technology enterprises
holding intellectual property that would be advantageous to Chinese strategic aims. It also
poses a serious threat to suppliers of hardware and software, which it will seek to compromise
to gain access to their true targets.
For the true target, preventing Barium from gaining initial access may prove challenging.
Through compromise of supply chains, the group can package its well-obfuscated malicious
payloads within legitimate activities and with genuine certificates.
More crucial is the ability to detect and disrupt malicious activity within your networks at the
earliest opportunity. Next-generation endpoint detection systems, well-configured security
information and event management (SIEM) and user-entity-behavior analytics can assist in
detection. Diligent privilege and account management, coupled with network segmentation, is
an effective method of disrupting adversaries in their efforts to navigate internal networks to
obtain sensitive information.
Lazarus group develops new Trojan malware dubbed ELECTRICFISH
Though best known for attacks aimed at financial gain, Lazarus retains its capability to conduct advanced espionage operations. Its latest backdoor Trojan, ELECTRICFISH, was discovered following joint work of the U.S. Department of Homeland Security and the Federal Bureau of Investigation.
Impact
The malware is predominantly an application to tunnel traffic between a specified source and a destination IP address. It uses a custom protocol to tunnel traffic and continuously attempts to reach out from both the source and the destination systems, allowing either side to initiate a tunneling session.
The malware can be configured with a proxy server/port and proxy username and password,
which allows the adversary to bypass the compromised system’s required authentication to
reach outside of the network. Indicators of compromise are available.
Source: US-CERT
DXC perspective
Lazarus is likely to target organizations that hold information that may aid North Korean strategic interests. This may include public sector organizations in North America, Europe and the Asia-Pacific region, and global manufacturing, technology and research organizations.
Although this spyware appears to hold greatest utility in espionage operations, Lazarus has
traditionally been oriented toward financial gain. It remains possible this tooling could be used
to support data-theft-for-ransom attacks. This risk will heighten should the economic situation
in North Korea continue to degrade.
Vulnerability updates
WhatsApp vulnerability leads to compromise of mobile devices in highly targeted attack
WhatsApp pushed an update to its 1.5 billion users after it became aware of a buffer overflow vulnerability that allowed the installation of spyware on mobile devices.
Impact
The vulnerability exists in the WhatsApp voice over IP (VoIP) stack and allows remote code execution via a specially crafted series of Secure Real-time Transport Control Protocol (SRTCP) packets sent to a target phone. Threat actors have already exploited the flaw to install spyware on devices without the need for user interaction. It is widely reported that various journalists, NGOs and human rights activists were principal targets in this campaign.
The exploit was reportedly developed by the Israeli technology company NSO Group. The NSO Group is believed to supply spyware technology to a range of governments globally. The NSO Group says it doesn’t operate any of the tools it develops.
Source: ArsTechnica, Infosecurity Magazine
DXC perspective
Exploitation of this vulnerability has been highly targeted to date. However, the WhatsApp security update could be reverse engineered, putting exploits into the hands of more adversaries.
Organizations should ensure that staff are using the latest WhatsApp version on both work
and personal devices to mitigate the risk of this exploit.
50,000 enterprises may be at risk to potential SAP software vulnerabilities
Potential vulnerabilities in some SAP software leave enterprises exposed, according to Onapsis Research Labs.
Impact
An exploit tool called “10KBLAZE” utilizes errors in SAP NetWeaver configurations to gain unrestricted access to SAP systems. As well as data theft and destruction, attackers could manipulate transaction data by creating vendors, releasing shipments and making fraudulent payments. It is estimated that 50,000 enterprises may be affected by this vulnerability.
Source: SAP, Reuters
DXC perspective
Adversaries will quickly look to identify and exploit this vulnerability, and exploit source
code is already available. SAP recommends that organizations comply with SAP Security
Notes #821875, #1408081 and #1421005. SAP’s patch for this vulnerability should be applied
as a critical priority.
Prominent ransomware (2019)
LockerGoga • Targeted manufacturing and industrial enterprises. Operated by an advanced actor that combined automated and manual techniques to maximize infection scale.
Ryuk • Initially thought to be a revised Hermes ransomware strain, operated by a North Korean group. However, new intelligence suggests it is operated by a prominent Russian cyber criminal. Targets enterprise-scale organizations using Emotet for initial access.
PewCrypt • Bizarrely does not require a financial ransom, rather wanting victims to subscribe to YouTuber PewDiePie in order to receive a decryptor. Distributed via spam.
Katyusha • First appeared in late 2017 and uses the EternalBlue and DoublePulsar exploits to propagate. Primarily delivered via spam.
GandCrab • Widely seen in 2018, with its ransomware-as-a-service model popular with cybercriminals. Still a principal threat in 2019. Bitdefender has recently released an updated decryptor.
Incidents and breaches
Mirrorthief targets 201 online campus stores with card-skimming attack
TrendMicro reported that the Mirrorthief group’s latest round of card-skimming attacks, a tactic often referred to by the umbrella term “Magecart,” has affected 201 campus e-commerce stores.
Impact
As with previous Magecart incidents, payment card data was copied and exfiltrated to a
malicious server at the point of user entry to the payment page.
Mirrorthief compromised PrismWeb, the e-commerce platform used by the stores, to inject
its malicious code. Victim numbers remain unknown.
Source: TrendMicro
DXC perspective
Third-party contributor or supplier compromise remains a highly effective way for adversaries to inject skimming code into an array of stores by simply compromising a single platform. The enduring success of this model will likely see it increase in prevalence.
The security of third-party contributors is integral to the security of an e-commerce platform. Organizations should include third-party security considerations within their wider security architecture.
Possible MegaCortex ransomware attack disrupts accounting software provider Wolters Kluwer
Access to software giant Wolters Kluwer’s CCH Axcess product, a cloud-based tax preparation, compliance and workflow management solution, was disrupted in early May due to what the organization initially described as “technical anomalies.” Though it ultimately admitted experiencing a malware incident, Wolters Kluwer stressed that no sensitive data had been stolen and customers had not been otherwise affected.
Impact
Although formal details of the malware are not in the public domain, intelligence suggests the company suffered a MegaCortex ransomware attack. MegaCortex, much like other prominent malware types such as Ryuk and LockerGoga, leverages both automated scripts and manual activity to maximize the number of victims and scale of infection. There is some suggestion that MegaCortex may use the Emotet or Qbot malware to aid in gaining initial network access, a tactic not uncommon in ransomware aimed at enterprise-level targets.
The similarities between MegaCortex and other prominent ransomware families go further.
At least one command-and-control (C2) address is shared and the list of processes and
services in the batch file is nearly identical to LockerGoga infections.
Source: SecurityWeek, Sophos
DXC perspective
Ransomware targeted at enterprise environments is a growing trend dubbed “big game hunting.” Adversaries typically infect en masse using automated vectors, often using Trojan malware delivered by spam or drive-by download, and then laterally move through networks to compromise domain controllers using manual techniques. Once domain controllers are accessed, the ransomware binaries can be pushed out to the network, maximizing the scale of infection.
The best defense for enterprises is preventing initial compromise through mailbox filtering,
perimeter defenses and endpoint security solutions. Next-generation endpoint security
and SIEM can also detect suspicious internal actions prior to the ransomware binaries
being pushed out by domain controllers, thereby increasing the organization’s ability to
disrupt adversaries early in the kill chain.
CITYCOMP breach exposes financial data of numerous enterprises
CITYCOMP, an IT supplier to multiple blue chip organizations, suffered a significant data-theft-for-ransom attack in late April. Details of how the attackers gained access to CITYCOMP are not in the public domain at this time.
Impact
The attackers stole significant amounts of data pertaining to key clients, including
Oracle, Toshiba, Volkswagen and Airbus. The attackers attempted to extort CITYCOMP
by threatening to release the data if a ransom was not paid. When CITYCOMP did not
comply, the data was released to the dark web.
Source: Sophos
DXC perspective
Ransomware is only one type of extortion attack. Data theft for ransom remains a credible threat, often proving more lucrative for attackers than data theft for resale.
Learn more
Thank you for reading the Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security:
DXC Labs | Security
DXC Labs delivers thought leadership technology prototypes to enable enterprises to thrive in the digital age.
DXC Labs | Security brings together our world-class advisors to develop strategic and architectural insights to reduce digital risk. DXC’s Cyber Reference Architecture is at the heart of our research, providing clients with detailed guidance on methods to efficiently resolve the most challenging security problems. We help clients minimize risk while taking maximum advantage of the digital commons.
Learn more at www.dxc.technology/securitylabs
DXC in Security
Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,500+ experts and a global network of security operations centers.
DXC provides solutions tailored to our clients’ diverse security needs, with areas of specialization in Intelligent Security Operations, Identity and Access Management, Data Protection and Privacy, Security Risk Management, and Infrastructure and Endpoint Security.
Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.
About DXC Technology
As the world’s leading independent, end-to-end IT services company, DXC Technology (NYSE: DXC) leads digital transformations for clients by modernizing and integrating their mainstream IT, and by deploying digital solutions at scale to produce better business outcomes. The company’s technology independence, global talent, and extensive partner network enable 6,000 private and public-sector clients in 70 countries to thrive on change. DXC is a recognized leader in corporate responsibility. For more information, visit www.dxc.technology and explore thrive.dxc.technology, DXC’s digital destination for changemakers and innovators.
© Copyright 2019 DXC Technology Company. All rights reserved.
Stay current on the latest threats: www.dxc.technology/threats