
Threat Intelligence Report

September 2019

Manufacturing/Public Sector

IN THIS ISSUE

• Ransomware sweeps through 23 Texas cities
• Sextortion on the rise
• APT 41 expands into financial crimes
• Data breaches double in 2019
• IoT devices under attack


Table of Contents

Threat updates

• Ransomware variants identified that target specific nations
• 200 million email accounts targeted in ‘sextortion’ attacks
• Guildma Infostealer leverages Facebook and YouTube for updates
• Campaign targets overseas Chinese speakers using U.S.-based watering hole sites
• Phishing campaign uses DocuSign

Nation state & geopolitical updates

• Chinese threat actor APT41 conducts advanced espionage and criminal operations
• APT28 uses internet-connected printer to breach corporate network

Vulnerability updates

• Microsoft patches 4 critical security vulnerabilities in remote desktop services
• Severe flaws patched by Intel

Incidents/Breaches

• Data breaches double in first half of 2019
• 23 Texas cities hit by ransomware in latest U.S. public sector campaign
• Disgruntled IT engineer hacks his company’s network to steal money
• Capital One suspect had data from more than 30 other companies
• BITTER APT targets China

Extortion is a key theme in the threat landscape. In recent months, ransomware has locked up public services in cities and counties across five U.S. states, with the latest coordinated campaign hitting 23 Texas towns. Other ransomware campaigns are raging through Europe. Criminals have also ramped up sextortion tactics through botnets, targeting over 200 million email accounts. Victims have been pressured into making bitcoin payments, but this tactic could also be used to gain access to valuable intellectual property and networks. And keep an eye out for poorly configured printers and internet of things (IoT) devices, because Russian hackers may be looking too. Read more in this month’s report.

Mark Hughes, Senior Vice President and General Manager of Security, DXC Technology

About this report

Fusing a range of public and proprietary information feeds, including DXC’s global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness.

This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.

Intelligence cutoff date: 26 August 2019


Threat updates

Ransomware variants targeting specific nations identified

Trend Micro research has identified two ransomware incidents that appear to target specific nations or regions.

ENTSCRYPT, or GermanWiper, uses LNK files to execute PowerShell code and download the ransomware binary. Once executed, GermanWiper overwrites target files with zeroes, making the files unrecoverable. Despite this, the threat actor still attempts to extort victims into paying a bitcoin ransom in return for a decryption key. The ransom note is written in German, suggesting the adversary behind the campaign is either based in or targeting German-speaking countries.

Impact

GermanWiper is most often spread through LNK attachments in malicious emails, disguised as job application forms. However, it is also believed to be distributed through fake software updates and downloads from compromised websites. A further campaign using a ransomware variant known as STOP was discovered encrypting files and changing the files’ extensions to .cosakos. Before encrypting any files, STOP ransomware checks the victim’s IP address and deletes itself if it is located in one of the following countries: Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Russia, Syria, Tajikistan, Ukraine and Uzbekistan.

Source: Trend Micro

DXC perspective

GermanWiper highlights the fact that paying ransom offers no guarantee of data recovery. It is unclear as to why GermanWiper’s operators chose to make files unrecoverable rather than encrypting them. It may be to disrupt any efforts made by victims to decrypt files and subsequently increase the likelihood of payments being made in panic mode. This type of ransomware campaign has a relatively short shelf life, but variants using the same tactics will likely emerge. Denial of initial access is key to ransomware prevention. Effective identity and access management controls, network access controls, phishing mail protections, training and next-generation endpoint solutions can all help prevent account compromise and malware delivery. In addition to prevention, organizations should construct and regularly test data recovery plans. Backups should be logically isolated to protect them from infection.

200 million email accounts targeted in sextortion attacks

Campaigns leveraging sextortion tactics are becoming more frequent. Sextortion typically involves an email-based scam that relies on emotion-driven motivators, such as fear and urgency, to extort a ransom payment from a target. The scammer claims to have intimate and embarrassing footage and internet history of the victim that will be released to coworkers, friends and family if a ransom isn’t paid.

Cofense recently highlighted 200 million email addresses that were being targeted by a “for-rent” botnet. Its analysis indicated that more than $1.5 million in ransom payments had been made to bitcoin wallets associated with the campaign this year.

Other News

• Phishing campaign uses DocuSign

Impact

The adversary’s claim of possessing compromising data is a bluff. In almost all circumstances, no such access has been obtained, and emails are executed by large botnets using leaked and compromised email address databases. Despite there being no actual compromise, this spray-and-pray attack creates sufficient volume and panic among victims to generate large returns.

Source: Cofense

DXC perspective

Blackmail and extortion will likely increase and diversify in nature. At present, sextortion campaigns typically focus on mass personal email lists and don’t leverage, or even obtain, actual sensitive data. DXC believes this dynamic will change. Sextortion will expand to become considerably more targeted and will use sensitive data stolen from individuals’ personal devices as a means of gaining access to corporate networks or intellectual property. Criminals may seek to use sextortion tactics to force victims to hand over corporate credentials or sensitive intellectual property, much as in conventional intelligence operations. Those at highest risk will be executives, financial controllers and privileged access holders.
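The sextortion pattern described above (a claim of compromising footage, fear and urgency, and a bitcoin ransom demand) can be turned into a simple mail-filter rule. The following scorer is an added example written for this page; it is not code from DXC or Cofense. The keyword lists, weights, threshold and the three sample messages (including the bitcoin-style address, which is constructed and not a real wallet) are assumptions made for the demonstration.

```python
"""Score inbound mail for sextortion-style extortion indicators.

Added example, not from the report: it looks for the combination the report
describes (claimed footage, threats to contacts, urgency, a bitcoin address
and an amount). Regexes, weights and samples are constructed assumptions.
"""
import re

# Bitcoin-style address formats (bech32 "bc1..." and legacy base58 "1..."/"3...").
BTC_ADDRESS_RE = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)
# A dollar figure or an explicit BTC amount.
AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*|\b\d+(?:\.\d+)?\s*(?:btc|bitcoin)\b", re.I)

# Indicator name -> (pattern, weight). Weights are assumptions for the example.
INDICATORS = {
    "claims_footage": (re.compile(r"\b(webcam|camera|recorded|video of you|footage)\b", re.I), 2),
    "threatens_contacts": (re.compile(r"\b(contacts|friends|family|colleagues|coworkers)\b", re.I), 1),
    "urgency": (re.compile(r"\b(\d+\s*hours|immediately|deadline|within)\b", re.I), 1),
    "claims_malware": (re.compile(r"\b(malware|trojan|keylogger|hacked|infected)\b", re.I), 1),
}


def score_message(body):
    """Return (score, reasons). A bitcoin address is the strongest single
    signal because ordinary business mail almost never carries one."""
    score, reasons = 0, []
    if BTC_ADDRESS_RE.search(body):
        score += 3
        reasons.append("bitcoin_address")
    if AMOUNT_RE.search(body):
        score += 1
        reasons.append("ransom_amount")
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(body):
            score += weight
            reasons.append(name)
    return score, reasons


def is_sextortion(body, threshold=6):
    """Threshold (assumption) chosen so that an amount plus a deadline,
    which legitimate invoices contain, stays well below the bar."""
    return score_message(body)[0] >= threshold


# Constructed sample messages; the address below is made up and not a real wallet.
SAMPLES = {
    "sextortion": (
        "I have recorded you through your webcam while you visited adult sites. "
        "My malware gave me full access to your contacts. Send 0.5 BTC to "
        "1AbCdEfGhJkMnPqRsTuVwXyZabcdefghjkm within 48 hours or the video goes "
        "to your friends and family."
    ),
    "invoice": "Hi team, the invoice for $1,200 is attached; please pay within the next 48 hours. Thanks.",
    "newsletter": "Bitcoin rose 5% today. Read the full market update on our site.",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        score, reasons = score_message(body)
        verdict = "SEXTORTION" if is_sextortion(body) else "ok"
        print(f"{label:<11} score={score:<2} {verdict:<11} {', '.join(reasons)}")
```

The scorer is intentionally additive rather than a single regex: the report's point is that these mails combine several pressure tactics, and requiring several of them together is what keeps a legitimate invoice with a deadline from being quarantined.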

Guildma Infostealer leverages Facebook and YouTube for updates

In mid-August, a new variant of the Guildma Infostealer malware was observed by the SANS Internet Storm Center (ISC) accessing Facebook and YouTube to update its command and control (C2) server list.

The Guildma Infostealer (aka Astaroth Trojan) has been active since at least 2017 and has targeted users in Europe and South America, typically arriving in a phishing email. This most recent sample utilizes access to Facebook and YouTube user profiles to retrieve and update its list of C2 servers.

Impact

The malware employs process hollowing and DLL side-loading in an attempt to evade endpoint protection products. Guildma can log keystrokes, collect various system information and install additional malware.

Source: SANS Institute

DXC perspective

Malware using Facebook and YouTube presents a challenge to cyber defenders. Blocking access to such services is likely to prove problematic where access to social media is needed, such as sales, marketing and customer service, so organizations will need to rely on other layers of threat prevention, such as endpoint detection and web proxies. Social media access required by this malware also provides an additional detection opportunity. Assets such as servers, which in normal operations should not initiate social media activity, can be easily identified when such activities occur.
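The detection opportunity just described (servers should never initiate social media traffic) can be implemented directly against web proxy logs. The script below is an added example for this page, not code from DXC or SANS. The asset inventory, the Squid-style log lines, the client addresses and the list of social media domain suffixes are all constructed for the demonstration and are assumptions about what a real deployment would pull from its CMDB and proxy.

```python
"""Flag servers that initiate connections to social-media domains.

Added example, not from the report: Guildma/Astaroth fetches its C2 list
from Facebook and YouTube, so a server doing that is worth an alert even
though the same traffic from a workstation is normal. Inventory, log
format and domain list are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed asset inventory (host -> role); a real one comes from a CMDB.
ASSET_ROLES = {
    "10.0.1.15": "server",
    "10.0.1.16": "server",
    "10.0.2.40": "workstation",
    "10.0.2.41": "workstation",
}

# Domains the report names as abused, plus their usual CDN suffixes (assumption).
SOCIAL_MEDIA_SUFFIXES = ("facebook.com", "fbcdn.net", "youtube.com", "googlevideo.com")

# Constructed Squid-style access log: epoch, elapsed ms, client, status, bytes, method, url, ...
PROXY_LOG = """\
1566820001.123    45 10.0.2.40 TCP_MISS/200 5120 GET https://www.facebook.com/somepage - HIER_DIRECT/157.240.1.35 text/html
1566820002.456    12 10.0.1.15 TCP_MISS/200 2048 GET https://www.facebook.com/profile.php?id=1234 - HIER_DIRECT/157.240.1.35 text/html
1566820003.789    30 10.0.1.15 TCP_MISS/200 1024 GET https://updates.example.com/patch.cab - HIER_DIRECT/203.0.113.5 application/octet-stream
1566820004.012    20 10.0.1.16 TCP_MISS/200 4096 GET https://www.youtube.com/channel/UCabc - HIER_DIRECT/142.250.72.14 text/html
1566820005.345    15 10.0.2.41 TCP_MISS/200 4096 GET https://www.youtube.com/watch?v=xyz - HIER_DIRECT/142.250.72.14 text/html
1566820006.678    15 10.0.1.16 TCP_MISS/200 4096 GET https://www.facebook.com/profile.php?id=5678 - HIER_DIRECT/157.240.1.35 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")


def domain_of(url):
    """Host part of a URL, lower-cased; empty string if the URL has no scheme."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def is_social_media(host):
    """Exact or subdomain match only, so 'facebook.com.evil.example' does not count."""
    return any(host == s or host.endswith("." + s) for s in SOCIAL_MEDIA_SUFFIXES)


def find_server_social_media_activity(log_text, roles=ASSET_ROLES):
    """Return {server_ip: [(timestamp, host, url), ...]} for servers that
    contacted a social-media domain. Workstations are skipped because, as
    the report notes, their social-media access is often legitimate."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or roles.get(m.group("client")) != "server":
            continue
        host = domain_of(m.group("url"))
        if is_social_media(host):
            hits[m.group("client")].append((float(m.group("ts")), host, m.group("url")))
    return dict(hits)


if __name__ == "__main__":
    for server, events in find_server_social_media_activity(PROXY_LOG).items():
        print(f"[ALERT] server {server} initiated {len(events)} social-media request(s):")
        for ts, host, url in events:
            print(f"    {ts:.0f} {host} {url}")
```

Keying the rule on asset role rather than on the domain alone is what makes it usable: the same proxy entries from a marketing workstation are noise, while two requests from an application server are a concrete lead for the SOC.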

Campaign targets overseas Chinese speakers using U.S.-based watering hole sites

The compromise of a U.S.-based Chinese news site was discovered by Fortinet in early August 2019.

The news site provides Chinese news to overseas individuals. Attackers injected a link to a fake Twitter page in an attempt to lure victims into entering their Twitter credentials for harvesting. Malicious JavaScript also injected into the news site checked for the presence of certain site cookies to narrow the intended targets for infection.

Impact

Multiple exploits were employed to deliver backdoor malware known as Sality, which can collect screenshots and files and give the malicious operator direct shell access.

Source: Fortinet

DXC perspective

Organizations cannot focus solely on endpoint security. Robust source code auditing, web application patching and web server file integrity monitoring are necessary controls to detect and prevent threat actors from attempting to turn an organization’s external website into a malicious watering hole. Infecting customers and partners is likely to cause significant brand damage to organizations.

Most-attacked industries in 2019: Financial Services, Professional Services/Consulting, Telecommunications, Manufacturing, Insurance
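Web server file integrity monitoring, which the perspective above names as a control against this kind of injection, comes down to a hash baseline and a diff. The script below is an added example for this page, not code from DXC or Fortinet. It builds a small constructed site in a temporary directory, records a baseline, simulates the kind of change a watering-hole compromise makes (a script tag appended to a page and a new file dropped, both harmless placeholders), and reports what changed. The SHA-256 choice and the JSON baseline layout are assumptions.

```python
"""File-integrity baseline for a web root, to catch injected scripts.

Added example, not from the report: builds a hash baseline of every file
under a web root and reports added, removed and modified files on the next
run. The sample site and the injected placeholder are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline, current):
    """Return {'added': [...], 'removed': [...], 'modified': [...]}, each sorted."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    # In practice keep this off the web server, so a compromise cannot rewrite it.
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: clean site, baseline taken, then a script injected."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp) / "www"
        (web / "js").mkdir(parents=True)
        (web / "index.html").write_text("<html><body><h1>News</h1></body></html>")
        (web / "js" / "app.js").write_text("console.log('app');")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(web), baseline_file)

        # Simulated compromise: a script tag appended and a new file dropped.
        with open(web / "index.html", "a") as f:
            f.write('<script src="/js/t.js"></script>')
        (web / "js" / "t.js").write_text("/* constructed placeholder, no real payload */")

        return compare(load_baseline(baseline_file), build_baseline(web))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:<9}: {files}")
```

Run on a schedule, the interesting output is any `modified` or `added` entry under a path that no deployment touched; the baseline should be refreshed only as part of a controlled release, otherwise the injected file simply becomes part of the next baseline.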

Vulnerability Updates

Microsoft patches four critical security vulnerabilities in remote desktop services

On August 13, Microsoft released a series of security updates that included fixes for four critical remote code execution (RCE) vulnerabilities: CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226.

Like the previously fixed BlueKeep vulnerability, these four are wormable. This means any future malware that exploits them could propagate among vulnerable machines without user interaction.

Impact

Microsoft discovered these vulnerabilities during a security-hardening review of remote desktop services (formerly known as terminal services) following the announcement of the BlueKeep vulnerability in May.

DXC perspective

Currently, there are no reports of these vulnerabilities being exploited in the wild. However, given that they can be triggered remotely without credentials or user interaction, they have the potential to be exploited as part of fast-moving, global malware attacks such as the WannaCry infections in 2017.

The vulnerabilities can be partially mitigated on affected systems by enabling network level authentication (NLA), but such systems will remain vulnerable to RCE exploitation if the attacker has valid credentials.

It is highly likely that public exploits of these vulnerabilities will be available within weeks or days. Historically, unauthenticated remote code execution vulnerabilities such as these are prime targets for inclusion in automated and worm-based attacks.

Source: Microsoft CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1226

DXC recommends that organizations:

• Escalate patching for vulnerable Windows deployments
• Enable NLA on systems that cannot be immediately patched to provide partial mitigation until patches can be properly applied
• Block TCP Port 3389 at perimeter firewalls

Other News

• Severe flaws patched by Intel


Incidents and breaches

Data breaches double in first half of 2019

According to a recent report by Risk Based Security, the number of reported data breaches and exposed records increased by more than 50 percent during the first half of 2019, compared to the same period in 2018.

The report, which tracks publicly disclosed breaches only, says in the first 6 months of 2019 there were 3,816 data breaches — an increase of 54 percent. In those breaches, 4.1 billion records were compromised, a number that grew by 52 percent. Of the compromised records, 3.2 billion were from just eight breaches — all of which were attributed to malicious actors discovering and accessing misconfigured databases.

Impact

The healthcare sector suffered the most breaches, at 224, with sectors such as retail, finance and insurance close behind. Email addresses and passwords were mostly stolen, with email addresses exposed in 70 percent of the incidents and passwords in 64 percent.

Source: SC Media

DXC perspective

This report serves to reinforce the criticality of database security, which has been a recurring theme in 2019. Implementation of security fundamentals — such as appropriate authentication configuration, patch management, and visibility and audit of assets — could have prevented nearly all 2019 exposures. Organizations with databases holding sensitive information should further harden their defenses by eliminating public IP access where possible, avoiding common ports, closing unnecessary services and requiring the use of proxies for access.

23 Texas cities hit by ransomware in latest U.S. public sector campaign

In what appears to be a coordinated attack, 23 municipal governments in Texas are the latest U.S. public sector organizations to be hit with ransomware attacks. To avoid further exposure to other would-be cyber adversaries, the Texas Department of Information Resources (DIR) is withholding details, such as which cities have been affected.

Despite speculation in the media, there has been no confirmation as to which ransomware strain was used. DIR did confirm, however, that it believes the incidents were conducted by a single threat actor. Reports suggest the affected departments are still offline at the time of writing.

Impact

These attacks follow recent state and local ransomware attacks in New York, Florida, Louisiana and Maryland, most of which resulted in significant losses due to ransom payments or damage repairs. It is not known at this time whether any of the Texas jurisdictions paid a ransom to the attackers.

Sources: BBC, Texas Department of Information Resources

DXC perspective

The ransomware attacks in Texas are the latest in a chain of similar incidents affecting the U.S. public sector. Public bodies face the less-than-enviable task of deciding whether to pay or self-recover in the event of infection. This dynamic is even more challenging given the high visibility associated with loss of publicly funded services.


Entities have taken varied approaches. For example, in May, Baltimore refused to capitulate to attackers. The RobinHood ransomware infection that crippled the city’s infrastructure resulted in costs of around $18 million. The initial ransom was $100,000. In June, council leaders in Riviera Beach, Florida, voted to pay attackers almost $600,000 in bitcoin to decrypt infected systems. A week later, officials in Lake City, Florida, paid attackers $500,000 following a similar ransomware demand.

In the short term, paying the ransom is often cost-effective. However, doing so places the victim on complex ethical ground with no guarantee that the payment will result in restoration of data. This ethical dimension is all the more contentious when public money is involved. Payment of ransoms fuels the ransomware industry, directly contributes to the widespread harm created by organized crime, and only serves to highlight the victim as an organization worth targeting again in the future.

Disgruntled IT engineer hacks own company’s network to steal money

Using his privileged position to hack the company network and make fraudulent payments, an inside actor stole $40,000 from artificial intelligence developer Scale AI.

The insider used undisclosed intrusion methods to gain illegitimate access to financial systems. Scale AI disrupted his first attack, although the company was not able to attribute it to a perpetrator.

Impact

But the insider was ultimately successful and in subsequent attacks transferred relatively small payments into PayPal accounts hundreds of times between March 2019 and May 2019. To disrupt investigative efforts throughout the attack period, the attacker extensively used VPNs and deleted audit logs on systems.

Scale AI escalated the incident to the FBI, which eventually caught the insider, who had naively used his cell phone number to verify multiple PayPal accounts linked to the fraudulent payments.

Source: Latest Hacking News

DXC perspective

Insider threats are among the most complex to detect and prevent. A maliciously motivated insider often has intimate knowledge of the internal network and security configuration, as well as the requisite skills to operate bespoke tooling. In this instance, the attacker presented the perfect storm of pure malicious intention with technical capability.

Preventing such attacks requires a layered approach and mature security architecture. AI-powered endpoint protections and user-behavior analytics within the SIEM can help identify malicious actions, such as the clearing of audit logs, suspicious accessing of materials or accessing the system at unusual times. Further, privileged users should be audited more frequently and thoroughly.
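Two of the behaviours the perspective above names as detectable, clearing of audit logs and access at unusual times, are simple to express as rules over audit events, and the combination is stronger than either alone. The script below is an added example for this page, not code from DXC or Scale AI, and is not the method used in the incident. The events, hostnames, user names, JSON layout and business-hours window are constructed assumptions; the two Windows Security log event IDs it keys on (1102, audit log cleared, and 4624, successful logon) are real, but nothing else about the records is taken from a live system.

```python
"""Simple user-behaviour checks over constructed Windows-style audit events.

Added example, not from the report: flags audit-log clearing and off-hours
logons, and raises an off-hours logon to high severity when the same user
cleared a log on the same host that day. Events and thresholds are constructed.
"""
import json
from collections import Counter
from datetime import datetime, time

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumption: local office hours
EVENT_LOG_CLEARED = 1102  # Windows Security log: "The audit log was cleared"
EVENT_LOGON = 4624        # Windows Security log: successful logon

# Constructed sample events, one JSON object per line (2019-04-02 is a Tuesday).
EVENTS = """\
{"time": "2019-04-02T09:15:00", "host": "fin-app-01", "event_id": 4624, "user": "jdoe", "logon_type": 10}
{"time": "2019-04-02T23:48:00", "host": "fin-app-01", "event_id": 4624, "user": "jdoe", "logon_type": 10}
{"time": "2019-04-02T23:55:00", "host": "fin-app-01", "event_id": 1102, "user": "jdoe"}
{"time": "2019-04-03T10:02:00", "host": "fin-app-01", "event_id": 4624, "user": "asmith", "logon_type": 2}
{"time": "2019-04-04T20:30:00", "host": "fin-app-01", "event_id": 4624, "user": "asmith", "logon_type": 10}
{"time": "2019-04-05T03:10:00", "host": "pay-db-01", "event_id": 4624, "user": "jdoe", "logon_type": 10}
{"time": "2019-04-05T03:20:00", "host": "pay-db-01", "event_id": 1102, "user": "jdoe"}
"""


def parse_events(text):
    """Parse one JSON event per line and convert the timestamp to datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["time"] = datetime.fromisoformat(e["time"])
            events.append(e)
    return events


def is_off_hours(ts, hours=BUSINESS_HOURS):
    """True outside the business-hours window or on a weekend."""
    start, end = hours
    return not (start <= ts.time() < end) or ts.weekday() >= 5


def detect(events):
    """Return a list of (severity, user, host, reason) findings.

    Log clearing is always high: it removes evidence and serves no normal
    operation. An off-hours logon is medium on its own and high when the same
    user cleared a log on the same host on the same day."""
    cleared = {
        (e["user"], e["host"], e["time"].date())
        for e in events if e["event_id"] == EVENT_LOG_CLEARED
    }
    findings = []
    for e in events:
        key = (e["user"], e["host"], e["time"].date())
        if e["event_id"] == EVENT_LOG_CLEARED:
            findings.append(("high", e["user"], e["host"], "security audit log cleared"))
        elif e["event_id"] == EVENT_LOGON and is_off_hours(e["time"]):
            severity = "high" if key in cleared else "medium"
            when = e["time"].strftime("%Y-%m-%d %H:%M")
            findings.append((severity, e["user"], e["host"], f"off-hours logon at {when}"))
    return findings


def summarize(findings):
    """Findings per user, so repeat offenders surface first in triage."""
    return Counter(f[1] for f in findings)


if __name__ == "__main__":
    results = detect(parse_events(EVENTS))
    for severity, user, host, reason in results:
        print(f"[{severity.upper():<6}] {user}@{host}: {reason}")
    print("per-user:", dict(summarize(results)))
```

The correlation in `detect` is the part worth copying: a single off-hours logon by an administrator is routine, but an off-hours logon followed by a cleared log on the same host is exactly the sequence the insider case describes, and it should page someone rather than sit in a daily report.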

Number of publicly disclosed data breaches in first 6 months of 2019: 3,816

Other News

• Capital One suspect had data from over 30 other companies
• BITTER APT targets China

Nation State & Geopolitical Updates

Chinese threat actor APT41 conducts advanced espionage and criminal operations

APT41 is a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations. This group is unique among China-based actors in that it leverages nonpublic malware normally reserved for espionage campaigns in what appears to be activity for personal gain.

The group’s financially motivated activity primarily focuses on the video game industry, where members have manipulated virtual currencies and attempted to deploy ransomware. Due to the relatively small scale of the cyber criminal activity, FireEye believes members of the group are “moonlighting,” using their skills and tools to supplement their primary income.

Impact

Like other Chinese espionage operators, APT41’s espionage activity generally aligns with China’s five-year economic development plan. The group established and maintains strategic access to organizations in the healthcare, technology and telecommunications sectors.

Source: FireEye

DXC perspective

APT41 is a highly skilled and well-resourced adversary. The group’s ability to wield nation state-level capabilities in financially motivated cyber crime campaigns makes it a major threat across multiple industry verticals. To carry out its initial compromise, APT41 leverages several techniques, such as spear phishing, moving laterally from trusted third parties and leveraging stolen credentials.

As with the insider attack at Scale AI, organizations can detect and prevent malicious compromises using a mature security architecture, AI-powered endpoint protection tools and user-behavior analytics. Additionally, implementing technical email protections, using multifactor authentication, and training employees to recognize suspicious emails all help prevent adversaries from obtaining access to corporate resources and gaining a foothold in corporate environments.

APT28 uses internet-connected printer to breach corporate network

In April 2019 Microsoft threat researchers first observed Strontium’s (commonly known as APT28) command and control communicating with various IoT devices. Through continuous monitoring and investigation, researchers uncovered numerous attempts by the threat group to specifically exploit IoT devices belonging to corporate entities.

Impact

In one instance, an internet-connected printer with a manufacturer default password was accessed and then used to pivot within the corporate network. In another instance, the group accessed a voice over IP (VoIP) phone using default credentials.

Microsoft attributes APT28 to the Russian Intelligence Directorate.

Source: Microsoft

DXC perspective

IoT devices are quickly growing in business use, often due to their low cost and plug-and-play setup. But convenience can come with a price in the security realm where IoT assets may not receive administrative attention or firmware patch updates that address vulnerabilities.

Whenever possible, organizations should change default credentials on IoT endpoints and restrict network access to internal LANs. If external internet access to an IoT device is required, organizations should employ additional safeguards such as an intrusion detection system/intrusion prevention system (IDS/IPS) and DMZ network segregation.

Securing corporate social media

Tips for protecting high-value targets include:

• Ensure multifactor authentication is enabled
• Log, monitor and audit accounts and their configurations
• Designate an individual accountable for social media account security
• Reserve all appropriate handles on platforms, even if they are not in use
• Monitor for third-party vulnerabilities on hosting applications
• Enforce a complex password policy
• Train social media staff on security threats

DXC Labs | Security

DXC Labs delivers thought leadership technology prototypes to enable enterprises to thrive in the digital age.

DXC Labs | Security brings together our world-class advisors to develop strategic and architectural insights to reduce digital risk. DXC’s Cyber Reference Architecture is at the heart of our research, providing clients with detailed guidance on methods to efficiently resolve the most challenging security problems. We help clients minimize risk while taking maximum advantage of the digital commons.

Learn more at www.dxc.technology/securitylabs

Learn more

Thank you for reading the Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security.


DXC in Security

Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,500+ experts and a global network of security operations centers.

DXC provides solutions tailored to our clients’ diverse security needs, with areas of specialization in Intelligent Security Operations, Identity and Access Management, Data Protection and Privacy, Security Risk Management, and Infrastructure and Endpoint Security. Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.

About DXC Technology

As the world’s leading independent, end-to-end IT services company, DXC Technology (NYSE: DXC) leads digital transformations for clients by modernizing and integrating their mainstream IT, and by deploying digital solutions at scale to produce better business outcomes. The company’s technology independence, global talent, and extensive partner network enable 6,000 private and public-sector clients in 70 countries to thrive on change. DXC is a recognized leader in corporate responsibility. For more information, visit www.dxc.technology and explore thrive.dxc.technology, DXC’s digital destination for changemakers and innovators.

© Copyright 2019 DXC Technology Company. All rights reserved.

Stay current on the latest threats: www.dxc.technology/threats