
Threat Intelligence Report, March 2020

In this issue

ICS-focused ransomware identified

Coronavirus-themed malware on the rise

Active scanning for vulnerable Microsoft Exchange servers

Researchers uncover widespread Iranian cyber campaign


Message from Mark Hughes

Cyber operations are a key theme this month with new espionage operations spotted in the wild. The campaigns have been ongoing for years and demonstrate the significant damage they can do and the amount of time a threat actor can remain in an environment undetected. Several large-scale data breaches were reported publicly. Breaches of any scale can have a devastating impact on victims. Read more in this month’s report.

Mark Hughes, Senior Vice President and General Manager of Security, DXC Technology

About this report

Fusing a range of public and proprietary information feeds, including DXC’s global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness.

This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.

Intelligence cutoff date: 28 February 2020

Table of contents

Threat Updates
ICS-focused ransomware identified (Multi-industry), page 3
Coronavirus-themed malware lures on the rise (Multi-industry), page 3
Online betting firms targeted in espionage operations (Entertainment), page 4

Vulnerability Updates
Active scanning for Microsoft Exchange server vulnerability CVE-2020-0688 (Multi-industry), page 5
Ghostcat bug affects all Apache Tomcat versions released in the last 13 years (Multi-industry), page 5

Incidents/breaches
MGM Grand breach exposes 10.6 million guest details (Hospitality), page 6
Maze ransomware group releases data (Manufacturing/Construction), page 7

Nation State and Geopolitical
Researchers uncover widespread Iranian cyber campaign (Public Sector), page 9


Threat Updates

ICS-focused ransomware identified

At the end of January 2020, a new ransomware variant emerged dubbed EKANS. In addition to the standard file encryption routines, EKANS contains functionality to forcibly stop a number of processes, including multiple processes related to industrial control system (ICS) operations.

Impact

EKANS presents a specific risk, not previously seen in ransomware, to organizations running industrial control operations, and could result in a loss of control and/or visibility of industrial processes. While some organizations may have the option to fall back onto manual operations in the event of an incident, the costs and inefficiencies of doing so could be substantial.

DXC perspective

IT-focused ransomware has affected ICS systems in the past, usually through infecting the Windows portion of control systems and disrupting operations. The explicit inclusion of ICS-specific functionality is a new development and possibly one aimed at extracting large payments from manufacturing organizations.

Primary defenses against ransomware center on preventing it from infecting systems or spreading through the network. Organizations should consider the following:

• Block email attachments commonly associated with malware
• Block email attachments that cannot be scanned by antivirus software
• Implement email filtering at the mail gateway and block suspicious IP addresses at the firewall

Source: Dragos - https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/

Coronavirus-themed malware lures on the rise

As the outbreak of Coronavirus (COVID-19) continues to spread across the globe, criminal threat actors continue to try and capitalize on the concerns of the public to deliver malicious artifacts.

Impact

In January and throughout February 2020, the most prevalent Coronavirus-themed campaigns targeted China and Japan, distributing Emotet in malicious email attachments. These emails claimed to be from local government sources and were designed to look as if they were reporting the spread of the infection and providing advice on how citizens could protect themselves from contracting the virus.


DXC perspective

This is an opportunistic threat scenario intended to spread malware as widely as possible. DXC believes that it is almost certain that additional local-language campaigns will surface as outbreaks occur in new countries around the world.

Source: Check Point - https://blog.checkpoint.com/2020/02/18/beware-of-the-other-virus-the-spread-of-coronavirus-themed-malware/

Online betting companies targeted in espionage operations

An advanced threat actor dubbed “DRBControl” has been targeting gambling and betting companies since mid-2019 using two previously unknown backdoors and malware linked to two Chinese threat groups.

The actor appears to focus on companies in Southeast Asia; however, unconfirmed reports link the actor to similar attacks in Europe and the Middle East.

Impact

Operations concentrate on accessing source code and databases rather than financial targets. This suggests that the operations are espionage-focused rather than criminally driven.

Data collected from infected hosts includes documents (Office and PDF), key logs, SQL dumps, browser cookies and a KeePass manager database.

DXC perspective

While it is no surprise that online gambling companies are a target for attacks, it is notable that the goal of these operations does not appear to have been financial. There are many potential uses for the information that was targeted (identifying users of the compromised platforms, establishing a rival online gambling platform, or as a gateway to a larger parent entity). However, the exact motive behind the attacks is not currently known.

Tools, tactics and procedures used in the attacks overlap with those used by the Winnti and Emissary Panda groups, both of which are linked to the interests of the Chinese government; however, it is unclear at this time whether the attackers are acting on behalf of Beijing.

Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/drbcontrol-espionage-operation-hits-gambling-betting-companies/

$377K: Average initial ransom demand for Ryuk ransomware in Q3 2019 (Security Boulevard, https://securityboulevard.com/2020/02/20-ransomware-statistics-youre-powerless-to-resist-reading/)

$157 million: Cost of ransomware attacks on U.S. healthcare organizations since 2016 (Dark Reading, https://www.darkreading.com/attacks-breaches/healthcare-ransomware-damage-passes-$157m-since-2016/d/d-id/1337024)

14 seconds: Average frequency of ransomware attacks worldwide (phoenixNAP, https://phoenixnap.com/blog/ransomware-statistics-facts)


Vulnerability Updates

Active scanning for Microsoft Exchange server vulnerability CVE-2020-0688

Attackers are actively scanning large parts of the internet for Microsoft Exchange servers that are vulnerable to CVE-2020-0688, one of the vulnerabilities that was patched by Microsoft in the February 2020 patch cycle.

Impact

CVE-2020-0688 is a remote code execution flaw that could allow an attacker to take full system-level control of a vulnerable Exchange server. This could position the attacker to steal or falsify corporate email communications at will and potentially use the server as a staging post for further intrusions.

There are no workarounds for this vulnerability, and the patch should be applied immediately.

DXC perspective

Microsoft rated this vulnerability as Important in severity when it was released, most likely (in DXC’s view) because an attacker must first successfully authenticate with the server. However, within an enterprise, most users would be permitted to authenticate to the Exchange server, as would an outside attacker who compromised the credentials of an enterprise user through a phishing or credential-stuffing attack.

Since the vulnerability was made public, working proof-of-concept exploits have been demonstrated and active scanning for vulnerable servers has been seen in the wild. DXC assesses it very likely that the scanning and exploitation process will become highly automated for use as a data-theft and ransomware-distribution mechanism.

Sources: Microsoft - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
BleepingComputer - https://www.bleepingcomputer.com/news/security/hackers-scanning-for-vulnerable-microsoft-exchange-servers-patch-now/

Ghostcat bug impacts all Apache Tomcat versions released in the last 13 years

Researchers have identified a flaw in Tomcat AJP (Apache JServ Protocol) that may allow an attacker to read or write files to a Tomcat server.

AJP is a performance-optimized version of the HTTP protocol in binary format that is used to exchange data with nearby HTTPD web servers or other Tomcat instances. It is installed by default on all Tomcat servers and listens on TCP port 8009.


Impact

The vulnerability affects all 6.x, 7.x, 8.x, and 9.x Tomcat branches, meaning that all Tomcat versions released since 2007 should be considered open to attack.

The ability to read or write files to a Tomcat server could allow an attacker to read application configuration files for passwords or API tokens, or upload backdoors or web shells to servers.

DXC perspective

Searches on the internet identified more than 1 million Tomcat servers currently available online; however, as an attacker would require access to TCP port 8009 to trigger the vulnerability, the number of servers exposed to remote compromise over the internet is significantly lower. DXC considers it more likely that this vulnerability will be used for lateral movement within a previously compromised environment.

DXC recommends that organizations operating these vulnerable installations disable the AJP connector if it is not in use and install the security patches as soon as possible.
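An added example (not code from the DXC report or its sources) of the check behind that recommendation: a small Python audit of a Tomcat server.xml that flags AJP connectors reachable beyond loopback or running without a shared secret. It assumes the `address`, `secretRequired` and `secret` Connector attributes of the patched Tomcat releases; the two XML fragments and the secret value are constructed placeholders.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed to Ghostcat (CVE-2020-1938).

Added example, not code from the DXC report. Assumes the `address`, `secretRequired`
and `secret` Connector attributes of the patched Tomcat releases (9.0.31, 8.5.51, 7.0.100).
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml):
    """Return one finding per AJP connector: its port, bind address and a list of issues."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue  # HTTP connectors are not affected by Ghostcat
        # Before the fix, an AJP connector without `address` listened on every interface.
        address = conn.get("address", "0.0.0.0")
        secret = conn.get("secret")
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        issues = []
        if address not in LOOPBACK:
            issues.append("bound to %s: reachable from other hosts on the network" % address)
        if not secret:
            issues.append("no shared secret: anything that reaches the port can speak AJP")
            if not secret_required:
                issues.append("secretRequired=false: a patched Tomcat will still start unprotected")
        findings.append({"port": conn.get("port", "8009"), "address": address, "issues": issues})
    return findings


# Constructed sample: the pre-fix default, AJP on 8009, all interfaces, no secret.
SAMPLE_VULNERABLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: connector kept for a local HTTPD front end, bound to loopback with a secret.
SAMPLE_HARDENED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_A_LONG_RANDOM_SECRET" />
  </Service>
</Server>"""

if __name__ == "__main__":
    for label, xml in (("vulnerable", SAMPLE_VULNERABLE), ("hardened", SAMPLE_HARDENED)):
        for finding in audit_ajp_connectors(xml):
            print(label, "port", finding["port"], finding["issues"] or ["OK: loopback-bound with secret"])
```

If nothing on the host uses AJP, removing the connector element altogether is the simpler fix; the audit then reports no AJP connectors at all.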

Sources: MITRE CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938
Chaitin Tech - https://www.chaitin.cn/en/ghostcat

Incidents/breaches

MGM Grand breach exposes 10.6 million guest details

In late February 2020, the details of more than 10.6 million guests who stayed at MGM resorts were published on a hacking forum. Public reports claim that the breach was the result of unauthorized access to a cloud storage server in summer 2019.

Impact

Personal details published on the forum included full names, home addresses, phone numbers, emails and dates of birth for 10,683,188 guests who had previously stayed at MGM resorts.

The breach is not thought to have contained any financial or authentication information, and MGM personnel have contacted guests whose information has been breached.

DXC perspective

These kinds of breaches have become all too common. As organizations change to meet business and technical advances, networks become increasingly complex, and simple human error becomes an ever-bigger problem. This can be exacerbated by the increasing online footprint of organizations as they adopt new architectures such as cloud and hybrid operating models.


The danger with this kind of breach is that the breached information can be used to conduct further attacks, such as targeted phishing, email-based scams or SIM-swapping attacks, long after the breach occurs.

Auditing and testing of network, system and application security measures should be performed by independent and experienced security teams on a regular basis to ensure all internal and external security protections are working as intended and to identify any potential gaps that require remediation as soon as possible.

Source: ZDNet - https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/

Maze ransomware group releases data

On January 31, the France-based company Bouygues Construction disclosed that its computer network had been infected with ransomware. In its disclosure, the company did not specify the ransomware family or the ransom demanded.

Shortly after the incident, a website linked to the Maze ransomware group and used to list victim companies that hadn’t paid started leaking data the site claimed was taken from Bouygues.

Impact

The breach affected approximately 230 systems in 16 different countries, with the majority being in Canada and France. In response, Bouygues shut down its information systems to prevent further propagation of the malware.

The leaked information released on the Maze website relates to the company’s employees and included names, home addresses, phone numbers, social insurance numbers, banking details and drug test results.

Bouygues has said that operational activity on its construction sites had not been disrupted and that it was working to minimize the impact on customers and partners.

DXC perspective

This incident follows a trend that emerged at the end of 2019, where ransomware groups exfiltrate data before encrypting systems to create additional leverage over the victim to gain payment.

Maze was an early adopter of this operational model, releasing 2GB of data from a breach of networks at the U.S. city of Pensacola, Florida, in December 2019 and an additional 14GB of data exfiltrated from a U.S.-based manufacturer in Georgia in January 2020.

Technical solutions and staff training measures should be employed in all organizations to block common ransomware attack vectors. Vulnerability management and patching regimes must be enacted to counter exploitation of known security vulnerabilities. Staff training should focus on phishing and malware, and endpoint security measures should be employed to detect and prevent infection through web browsing activities.

$6 trillion: Projected total damage done by attacks by 2021 (Cyber Crime Magazine, https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/)


Sources: ZDNet - https://www.zdnet.com/article/bouygues-construction-falls-victim-to-ransomware/
IntelligentCIO - https://www.intelligentcio.com/eu/2020/02/19/bouygues-groups-construction-subsidiary-hit-by-massive-ransomware-attack/

Nation State and Geopolitical

Researchers uncover widespread Iranian cyber campaign

A recent report published by researchers details a widespread campaign by Iranian state-linked threat groups APT33 and APT34. This campaign, dubbed “Fox Kitten,” is thought to have been operational since 2017 and has affected dozens of organizations in Israel, United States, Saudi Arabia, Lebanon, Kuwait, UAE, Australia, France, Poland, Germany, Finland, Hungary, Italy and Austria.

Fox Kitten is believed to be espionage-driven, specifically targeting organizations in the IT, defense, utilities, oil and gas, and aviation industries over multiple attack waves.

The campaign has potentially resulted in the establishment of highly developed and persistent access to company networks that can be used for reconnaissance and espionage, and would also be an effective launchpad for supply chain attacks on partner organizations.

DXC perspective

According to the report, the initial attack vector used in the Fox Kitten campaign is through remote access VPN systems. Several VPN products have had vulnerabilities disclosed in recent months, and it is not surprising that nation-state actors are targeting them, since they know that patching vulnerable systems can take a long time.

The particular interest in targeting VPN systems and the broad scope across numerous industry verticals globally suggest that the operation may be largely opportunistic, with actors scanning for vulnerable servers, establishing a foothold, and returning later if the organization is determined to be a valuable intelligence target.

Source: ClearSky Security - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf

Other news

• Data breach at agency in charge of secure White House communications - https://threatpost.com/data-breach-occurs-at-agency-in-charge-of-secure-white-house-communications/153160/
• Multiple WordPress vulnerabilities under active attack - https://www.bleepingcomputer.com/news/security/multiple-wordpress-plugin-vulnerabilities-actively-being-attacked/
• U.S. Cybersecurity and Infrastructure agency warns of new North Korean malware - https://www.us-cert.gov/northkorea
• Mexico’s economic ministry attacked - https://www.silicon.co.uk/security/cyberwar/mexico-ministry-cyber-attack-331976
• Russia’s GRU behind massive Georgia attack - https://www.bbc.co.uk/news/technology-51576445


Learn more

Thank you for reading the Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security.

DXC in Security

Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,500+ experts and a global network of security operations centers. DXC provides solutions tailored to our clients’ diverse security needs, with areas of specialization in Cyber Defense, Digital Identity, Secured Infrastructure and Data Protection. Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.

Stay current on the latest threats at www.dxc.technology/threats

Get the insights that matter. www.dxc.technology/optin

About DXC Technology

DXC Technology (NYSE: DXC) helps global companies run their mission critical systems and operations while modernizing IT, optimizing data architectures, and ensuring security and scalability across public, private and hybrid clouds. With decades of driving innovation, the world’s largest companies trust DXC to deploy our enterprise technology stack to deliver new levels of performance, competitiveness and customer experiences. Learn more about the DXC story and our focus on people, customers and operational execution at www.dxc.technology.

©2020 DXC Technology Company. All rights reserved. March 2020
