July 2019
MANUFACTURING/PUBLIC SECTOR
Threat Intelligence Report
IN THIS ISSUE
• Ransomware disruption grows
• BlueKeep RDP vulnerability reaches 1 million devices
• New MuddyWater campaign compromises accounts
• Adversaries layer common tools in Frankenstein campaign
Table of Contents

Threat updates
• Adversaries combine open source tools to avoid attribution in Frankenstein campaign (Public Sector)
• Exploit permits Microsoft Active Directory (AD) users to gain domain administrator privileges (Multi-industry)
• Targeted spear phishing leverages lesser-known file types (Multi-industry)
• New Office 365 phishing campaign (Multi-industry)
• HiddenWasp malware targets Linux (Multi-industry)
• Cryptomining containers target docker hosts with exposed APIs (Multi-industry)

Nation state & geopolitical updates
• MuddyWater campaign targets university in Jordan and Turkish government (Multi-industry)

Vulnerability updates
• Microsoft and NSA stress importance of patching BlueKeep RDP vulnerability (Multi-industry)
• Microsoft releases Sysmon v10 event logging features (Multi-industry)

Incidents/Breaches
• Leading aerospace supplier ASCO suffers a major ransomware infection (Manufacturing)
• Baltimore IT chief apologizes following crippling RobinHood ransomware attack (Public Sector)
• Fin8 group targets hospitality industry (Travel and Transportation)
• Point-of-sale malware hits Checkers food chain (Retail)
• Healthcare breaches gain lawmakers’ attention (Healthcare)

Ransomware is still grabbing the headlines, with threat actors combining automated approaches and manual methods to maximize the leverage of their attacks. We see that mature defenses can disrupt these campaigns, but organizations still must have robust incident response and contingency plans in place. Advanced persistent threats that employ spear phishing continue to target long-standing vulnerabilities, underscoring the need for email protection and patching as the forefront of our cyber defense. Learn more about the latest threats in this issue.

Mark Hughes
Senior Vice President and General Manager of Security, DXC Technology

About this report
Fusing a range of public and proprietary information feeds, including DXC’s global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness.
This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.
Intelligence cutoff date: June 24, 2019
Threat updates

Adversaries combine open source tools to avoid attribution in Frankenstein campaign

The highly targeted Frankenstein campaign has been active since January 2019, according to Cisco Talos. Very few malware or document samples associated with it have been found in public repositories.

Impact
The Frankenstein threat actor is reasonably sophisticated, highly resourceful and focuses on obscuring activity. Frankenstein employs multiple anti-detection techniques, such as checking for analysis tools, encrypting data and responding to GET requests only with predefined fields. The malware also feigns legitimacy by posing as a Kaspersky or U.S. government organization file. This makes identifying indicators of compromise or attack more challenging.

The initial attack vector of the campaign is likely spear phishing emails containing a Trojanized Microsoft Word document. Compromise is achieved via the initial Trojan fetching a remote template that enables exploitation of a known vulnerability in Microsoft Office (CVE-2017-11882).

DXC perspective
Most sophisticated adversaries use open source and administration tooling at some stage in their kill chain. Distinguishing legitimate internal use of tools from malicious activity is challenging; however, next-generation antivirus tooling and properly configured security information and event management (SIEM) solutions can assist in early identification.

Source: Cisco Talos

Open source components used in Frankenstein
• An article to detect when samples are being run in a virtual machine (VM)
• A GitHub project that leverages MSBuild to execute a PowerShell command
• A component of a GitHub project called “FruityC2” to build a stager
• A GitHub project called “PowerShell Empire” for agents

Exploit permits Microsoft Active Directory (AD) users to gain domain administrator privileges

Among the June 2019 Windows updates, Microsoft released patches for CVE-2019-1040, a vulnerability in the NT LAN Manager (NTLM) message integrity code (MIC) protection mechanism.

Impact
MIC exists to mitigate the relay and spoofing of Active Directory authentication messages on the network. Security researchers devised a bypass technique that circumvents MIC and permits tampering with NTLM AD authentication.

Another security researcher has combined this technique with weaknesses in Microsoft’s Exchange Server default configuration and network firewall policy to publish proof of concept (PoC) exploit code. Using the PoC code, an unprivileged user may exploit Microsoft Exchange Server and gain full AD domain administrator rights in the local domain or even in a trusted domain.

DXC perspective
Organizations should prioritize testing and release of the June 2019 Windows updates. Further mitigations include reducing Exchange Server AD permissions (KB4490059) and enforcing LDAP channel binding (KB4034879). Segregation of Windows client and server network segments — including restriction of outbound port 445 traffic from Windows servers into client space — will further reduce the attack surface and prevent similar future exploits.

Sources: Dirk-jan Mollema, Microsoft
Targeted spear phishing leverages lesser-known file types

In June, DXC malware research uncovered some targeted campaigns — likely spear phishing — using uncommon file types to bypass security filters and deliver first-stage malware infections. The first was a Microsoft HTML Application (HTA) file purporting to be a U.S. White House Council of Economic Advisers’ job-posting web page. A second sample uses a Microsoft Symbolic Link (SYLK) file.

Impact
The use of legacy and lesser-known file types may enable spear phishing and malicious link campaigns to bypass email and web security filters, particularly in scenarios where more common file types are blacklisted.

Depending on the configuration and version of Microsoft Windows being used, an HTA file may open by default in Internet Explorer, the MSHTA utility, or the Windows Script Host (CScript/WScript) utility, and may or may not include a user warning. Embedded in this HTA file is Visual Basic Script (VBScript) to contact a command and control (C2) server on a White House look-alike domain for additional instructions.

By default, SLK files will open in Microsoft Excel if it is installed. Depending on the version and security settings of Excel, an “Active Content” warning may be displayed. Contained within the SLK file we found was code instructing Microsoft PowerShell to download and execute the popular Pony Infostealer.

DXC perspective
A whitelist approach is much more effective against this type of campaign, but with a trade-off in system usability. Defense-in-depth strategy dictates multiple countermeasures, including email scanners and web filters, along with continuous user training to identify spear phishing and social engineering attempts against an organization.

Source: DXC Technology
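The two file types described above are cheap to triage statically before they ever reach a user: an HTA is HTML with an embedded script engine, and a SYLK file is a line-oriented text format in which a cell record carrying a formula field is the thing to look at. The following is an added example written for this report, not DXC's own research tooling. It assumes the public SYLK record layout (one record per line, ';'-separated fields, the first field being the record type, a 'C' cell record carrying an 'E' field for a formula); the HTA markers are a small review set rather than a complete signature list, and the sample files are constructed placeholders, not artifacts from the campaigns.

```python
"""Static triage of uncommon mail attachments: Microsoft HTML Applications (.hta)
and Symbolic Link (SYLK, .slk) spreadsheets. Added example, not DXC code.
"""
import re
from typing import Dict, List

# Review markers for HTA content: an embedded script engine, shell or HTTP COM
# objects, and remote URLs. These are analyst leads, not a full signature set.
HTA_MARKERS = [
    ("vbscript-block", re.compile(r"<script[^>]*language\s*=\s*['\"]?vbscript", re.I)),
    ("jscript-block", re.compile(r"<script[^>]*language\s*=\s*['\"]?jscript", re.I)),
    ("wscript-shell", re.compile(r"WScript\.Shell", re.I)),
    ("http-object", re.compile(r"Msxml2\.XMLHTTP|WinHttp\.WinHttpRequest", re.I)),
    ("remote-url", re.compile(r"https?://[^\s\"'<>]+", re.I)),
]
# SYLK formulas that launch an external program or name an interpreter.
SYLK_EXEC = re.compile(r"\b(EXEC|CALL|REGISTER)\s*\(|powershell|\bcmd(\.exe)?\b", re.I)


def parse_sylk(text: str) -> List[Dict[str, str]]:
    """Split a SYLK document into records such as
    {'type': 'C', 'X': '1', 'Y': '3', 'E': 'HALT()'} (assumed public layout).
    A quote-aware split keeps ';' inside string literals attached to its field."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields, cur, quoted = [], "", False
        for ch in line:
            if ch == '"':
                quoted = not quoted
            if ch == ";" and not quoted:
                fields.append(cur)
                cur = ""
            else:
                cur += ch
        fields.append(cur)
        rec = {"type": fields[0]}
        for field in fields[1:]:
            if field:
                rec[field[0]] = field[1:]  # single-letter key, remainder is the value
        records.append(rec)
    return records


def triage_hta(text: str) -> List[str]:
    findings = []
    for name, pattern in HTA_MARKERS:
        match = pattern.search(text)
        if match:
            findings.append(f"hta:{name}:{match.group(0)[:60]}")
    return findings


def triage_sylk(text: str) -> List[str]:
    findings = []
    for rec in parse_sylk(text):
        if rec["type"] == "C" and "E" in rec:  # cell holds a formula, not a plain value
            expr = rec["E"]
            tag = "sylk:exec-formula" if SYLK_EXEC.search(expr) else "sylk:formula"
            findings.append(f"{tag}:{expr[:60]}")
    return findings


def triage_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Dispatch on extension, or on the SYLK 'ID;' signature for renamed files."""
    ext = filename.lower().rsplit(".", 1)[-1]
    text = data.decode("utf-8", errors="replace")
    if ext == "hta":
        findings = triage_hta(text)
    elif ext == "slk" or text.startswith("ID;"):
        findings = triage_sylk(text)
    else:
        findings = []
    return {"file": filename, "type": ext, "findings": findings, "suspicious": bool(findings)}


# Constructed samples: a job-posting lure with embedded VBScript, a SYLK file
# whose formula cell names an interpreter, and a benign SYLK spreadsheet.
SAMPLE_HTA = b"""<html><head><title>Job Posting</title>
<script language="VBScript">
Set sh = CreateObject("WScript.Shell")
' placeholder C2 URL, not a real domain
url = "http://c2.example.invalid/next"
</script></head><body>Loading...</body></html>"""

SAMPLE_SLK = b"""ID;PWXL;N;E
C;X1;Y1;K"Quarterly figures"
C;X1;Y2;EEXEC("powershell.exe -Command placeholder")
C;X1;Y3;EHALT()
E
"""

BENIGN_SLK = b"""ID;PWXL;N;E
C;X1;Y1;K"Region"
C;X2;Y1;K"Sales"
C;X1;Y2;K"North"
C;X2;Y2;K1250
E
"""

if __name__ == "__main__":
    for name, blob in [("cea_job.hta", SAMPLE_HTA), ("figures.slk", SAMPLE_SLK), ("sales.slk", BENIGN_SLK)]:
        print(triage_attachment(name, blob))
```

Because the dispatch also keys on the `ID;` signature, a SYLK file renamed to `.csv` or `.xls` still gets the formula check, which is the case an extension blacklist misses; the benign spreadsheet produces no findings because its cells carry only `K` values.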
Nation state and geopolitical updates

MuddyWater campaign targets university in Jordan and Turkish government

The Iranian advanced persistent threat (APT) MuddyWater has been linked to a new campaign that leverages compromised accounts and a PowerShell backdoor.

Impact
Previous MuddyWater campaigns used account spoofing to deliver malicious phishing email, but the group has recently changed its operations to target account compromise techniques. MuddyWater has also released updated malware and other tooling used in kill chain activities.

The campaign’s primary payload is PowerStats V3, a new PowerShell multistage backdoor delivered through exploitation of the same Microsoft Office vulnerability used in the Frankenstein campaign (CVE-2017-11882). Four Android malware variants, linked to MuddyWater through infrastructure and code, have also been discovered by Trend Micro researchers.

Much like the Frankenstein campaign, MuddyWater is layering numerous open source tools, which include Empire, Mimikatz, FruityC2, PowerSploit and Meterpreter, all of which have been used in post-exploitation activity.

The campaign appears to be targeting entities that may hold sensitive information of interest to the Iranian regime, most notably the Turkish government and a university in Jordan.

DXC perspective
MuddyWater continues to demonstrate its propensity to use account-compromise techniques to deliver exploits for existing vulnerabilities. Account and mailbox security are critical to disrupting these kinds of initial attack vectors. Two-factor authentication, email account auditing, sandboxing and advanced prefilters are all effective mitigation actions.

Though MuddyWater’s campaigns are highly targeted, increased tensions between Iran and the West are likely to bring a dramatic increase in its activity. Such tensions may also lead to wider targeting of global public sector, oil and gas, education and defense sectors.

Source: Trend Micro

33 Million: Cyberattacks against Iran’s national firewall thwarted in the past year.

Russia claims U.S. attacks are targeting its critical infrastructure.

Other threat updates
• New Office 365 phishing campaign
• HiddenWasp malware targets Linux
• Crypto-mining containers target docker hosts with exposed APIs
Vulnerability and Resource Updates

Microsoft and NSA stress importance of patching BlueKeep remote desktop protocol (RDP) vulnerability

Microsoft, the U.S. National Security Agency and other national security authorities have issued alerts urging users to update their legacy Windows machines as soon as possible due to the severity of the BlueKeep vulnerability and the way it can be weaponized to create a self-spreading “wormable” exploit. Parallels have been drawn with the notorious Windows exploit EternalBlue, which was instrumental in the WannaCry ransomware outbreak in May 2017.

Impact
Microsoft has released a patch for the CVE-2019-0708 vulnerability, which affects Remote Desktop Services (formerly Terminal Services) on several legacy Windows operating systems. The vulnerability is a pre-authentication remote code execution flaw that requires no user interaction.

PoC code designed to exploit the flaw is under active development, and some has been successfully tested, security researchers claim. Threat actors will almost certainly target this vulnerability in the next few weeks, although these are likely to be focused attacks rather than a wide-scale campaign.

The NSA says it is “only a matter of time” before exploit code is finalized and attacks begin to leverage the vulnerability. The agency is particularly concerned the vulnerability will be used to increase the deployment of exploit kits and ransomware campaigns.

DXC perspective
Exploits targeting this vulnerability in the wild are imminent and may be used to launch new campaigns or reformed versions of existing exploit kits. DXC Technology has already successfully tested denial-of-service exploits targeting this vulnerability to crash Windows 7 and Windows Server 2008 operating systems.

Organizations must gain visibility of their exposure and apply the patch as a priority. When patching is not achievable, other mitigations include blocking access to TCP port 3389 with perimeter defenses, enabling network-level authentication and disabling remote desktop services where they are not required.

Sources: Microsoft, U.S. National Security Agency

1 Million: Devices are still vulnerable to BlueKeep
60 Days: Time period between EternalBlue patch release and the start of WannaCry
Microsoft releases Sysmon v10.2 event-logging features

A free add-on from Microsoft for both Windows clients and servers, Sysmon version 10.2 gains improved security with DNS logging and OriginalFileName reporting. Sysmon installs as a Windows system service and device driver that persists across reboots. It logs various system activities to the Windows event log.

These events can then be collected using Windows Event Collection and SIEM/Syslog agents, or can be analyzed using endpoint threat-detection products. Logged activities include process creation, loading of drivers and DLLs, raw disk accesses, and network connections.

Impact
Among the new features included in v10 is the ability to log the details of a process making a DNS request, including the query itself, the query status code, the query result and the process path that made the query. This information is valuable in detecting malicious activity, especially activity from advanced adversaries using “living off the land” techniques or advanced DNS tunneling malware.

The new version also records “OriginalFileName” in logged events. OriginalFileName is an optional hard-coded field in executable files implemented by all Microsoft-provided binaries. This event field can help analysts and incident response teams identify when legitimate system files have been copied or renamed to disguise malicious usage.

DXC perspective
Security monitoring and alerting are only as good as the indicators and events they can observe. Sysmon is a free addition to Windows-based environments that can greatly enrich event logging. With more malware and open source toolkits using DNS tunneling by default, visibility of this activity via DNS logging is becoming increasingly important.

Source: Microsoft
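To show what the two new fields buy a detection team, here is an added example (written for this report; not Microsoft's Sysmon configuration and not DXC's tooling) that reads Sysmon Event ID 1 (process creation) and Event ID 22 (DNS query) records and applies the two checks the text describes: an on-disk image name that disagrees with the PE's OriginalFileName, and query patterns typical of DNS tunneling. The XML uses the standard Windows event schema and the Data field names Sysmon emits (Image, OriginalFileName, ProcessId, QueryName, QueryStatus); the events themselves are constructed, and the length, entropy and subdomain-count thresholds are assumptions to tune per environment.

```python
"""Two Sysmon v10 detections: renamed binaries (Event ID 1, OriginalFileName)
and DNS-tunnelling heuristics (Event ID 22). Added example, constructed events.
"""
import math
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed events: one legitimate svchost, one PowerShell copied to a user-
# writable path and renamed, a normal update query, and three queries carrying
# long hex labels (QueryStatus 9003 = name does not exist, common for tunnels).
SAMPLE_EVENTS = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>1</EventID></System><EventData>
  <Data Name="ProcessId">4100</Data>
  <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
  <Data Name="OriginalFileName">svchost.exe</Data>
</EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
  <Data Name="ProcessId">5212</Data>
  <Data Name="Image">C:\Users\Public\svchost.exe</Data>
  <Data Name="OriginalFileName">PowerShell.EXE</Data>
</EventData></Event>
<Event><System><EventID>22</EventID></System><EventData>
  <Data Name="ProcessId">4100</Data>
  <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
  <Data Name="QueryName">ctldl.windowsupdate.com</Data>
  <Data Name="QueryStatus">0</Data>
</EventData></Event>
<Event><System><EventID>22</EventID></System><EventData>
  <Data Name="ProcessId">5212</Data>
  <Data Name="Image">C:\Users\Public\svchost.exe</Data>
  <Data Name="QueryName">a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8.t.example.invalid</Data>
  <Data Name="QueryStatus">9003</Data>
</EventData></Event>
<Event><System><EventID>22</EventID></System><EventData>
  <Data Name="ProcessId">5212</Data>
  <Data Name="Image">C:\Users\Public\svchost.exe</Data>
  <Data Name="QueryName">b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a1.t.example.invalid</Data>
  <Data Name="QueryStatus">9003</Data>
</EventData></Event>
<Event><System><EventID>22</EventID></System><EventData>
  <Data Name="ProcessId">5212</Data>
  <Data Name="Image">C:\Users\Public\svchost.exe</Data>
  <Data Name="QueryName">c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a1b2.t.example.invalid</Data>
  <Data Name="QueryStatus">9003</Data>
</EventData></Event>
</Events>"""


def parse_events(xml_text: str) -> List[Dict[str, str]]:
    """Flatten each <Event> into {'EventID': ..., '<Data Name>': text, ...}."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        rec = {"EventID": ev.findtext("e:System/e:EventID", namespaces=NS)}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = (d.text or "").strip()
        events.append(rec)
    return events


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def renamed_binaries(events: List[Dict[str, str]]) -> List[dict]:
    """Event ID 1: file name on disk differs from the PE's OriginalFileName.
    A lead, not a verdict: some installers and unsigned tools differ legitimately."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "1":
            continue
        orig = ev.get("OriginalFileName", "")
        if not orig or orig == "-":  # field absent or binary has no version resource
            continue
        on_disk = ev.get("Image", "").rsplit("\\", 1)[-1]
        if on_disk.lower() != orig.lower():
            hits.append({"pid": ev.get("ProcessId"), "image": ev.get("Image"), "original": orig})
    return hits


def suspicious_dns(events, min_label=24, min_entropy=3.2, min_subdomains=3) -> List[dict]:
    """Event ID 22: a long high-entropy label, or many distinct subdomains of one
    parent domain from the same process. Thresholds are assumptions."""
    hits = []
    per_parent = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != "22":
            continue
        name = ev.get("QueryName", "").lower().rstrip(".")
        labels = name.split(".")
        longest = max(labels, key=len)
        if len(longest) >= min_label and shannon_entropy(longest) >= min_entropy:
            hits.append({"pid": ev.get("ProcessId"), "image": ev.get("Image"),
                         "query": name, "reason": "high-entropy-label"})
        if len(labels) >= 3:
            parent = ".".join(labels[-2:])  # naive; a public suffix list is better
            per_parent[(ev.get("Image"), parent)].add(".".join(labels[:-2]))
    for (image, parent), subs in per_parent.items():
        if len(subs) >= min_subdomains:
            hits.append({"image": image, "parent": parent,
                         "distinct_subdomains": len(subs), "reason": "many-subdomains"})
    return hits


def analyze(xml_text: str) -> Dict[str, list]:
    events = parse_events(xml_text)
    return {"renamed": renamed_binaries(events), "dns": suspicious_dns(events)}


if __name__ == "__main__":
    for key, rows in analyze(SAMPLE_EVENTS).items():
        for row in rows:
            print(key, row)
```

The renamed-binary check is only as good as the version resource, so binaries reporting `-` are skipped rather than flagged; the two DNS heuristics are deliberately independent, since a tunnel that keeps its labels short still shows up as a burst of distinct subdomains under one parent from a single process.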
Incidents and breaches

Leading aerospace supplier ASCO hit by ransomware

Aircraft parts and aviation equipment maker ASCO was hit by a large-scale ransomware attack that caused serious disruption of all activities and affected communications systems. Although the specific ransomware variant used is not public knowledge, initial reports on the nature of the incident have led to speculation that it may be a form of LockerGoga.

Impact
Production was halted in factories across four countries, following the initial infection at a plant in Belgium. More than 70 percent of the ASCO workforce was sent home for a week while the organization attempted to recover systems. The ransomware appears to have affected only production networks, with corporate offices unaffected.

DXC perspective
Ransomware targeting industrial control systems and operational technology is becoming increasingly common and is likely to continue. The ability to disrupt production at scale offers potentially lucrative opportunities to ransomware attackers. The less-developed cyber defenses generally employed in these industrial control systems/operational technology (ICS/OT) environments aid attackers in successfully deploying across organizations.

Most ransomware targeting manufacturing processes uses a combination of automatic and manual techniques. Spam campaigns typically leverage Trojanized documents to deliver malware such as Emotet or TrickBot, which are then used for initial access to the environment. Attackers then establish a foothold and expand their access to systems before attempting to compromise domain controllers and ICS systems. This approach allows attackers to instantaneously deploy ransomware binaries across environments, crippling the network and creating a strong position from which to demand a ransom.

Defense in depth is required to detect and disrupt these kinds of intrusions. Mailbox protections, security monitoring and endpoint security are all important elements in protecting against, detecting and disrupting these attacks. Using new technologies to understand and monitor internet of things/operational technology (IoT/OT) network activity in enterprises can also assist in hardening production environments.

Source: ZDNet
Baltimore IT chief apologizes for crippling RobinHood ransomware attack

Baltimore CIO Frank Johnson offered “sincere apologies” to city council members, accepting that residents and city leaders did not receive enough information about the attack that crippled the city’s IT systems for a month.

Impact
A ransomware attack using the “RobinHood” strain of malware forced the shutdown of most of the City of Baltimore’s servers following an initial infection on May 7. The city refused to pay the $76,000 bitcoin ransom, and for over a month city government suffered significant disruption to email, telecommunications, real estate transactions and bill payments. City offices were forced to rely on Gmail and Google Voice accounts to conduct daily business and support residents.

RobinHood attempts to disable security applications and backup systems, making recovery significantly more challenging and increasing the likelihood of victims paying the ransom.

Despite some media sources claiming the attack used EternalBlue, analysis of the ransomware does not support this. Initial access to the target environments was more likely achieved through exploiting RDP and stolen credentials.

The RobinHood malware appears to have been controlled via a “ransomware as a service” (RaaS) provider, as the panel interface used by the attacker to communicate with the city in the wake of the attack contained signs of a service model. This is consistent with a multi-tenant RaaS system, where malware is created and delivered using web-based malware framework systems, according to Flashpoint.

DXC perspective
The initial access vectors for many such attacks can be disrupted through adoption of multifactor authentication (MFA) systems and credential leakage monitoring. Credential stuffing of remote access systems is currently a prominent attack vector.

To ensure effective incident response, planning must encompass a variety of domains including containment, technical recovery, remediation, business continuity and communications.

Organizations should include third-party security considerations within their wider security architecture.

Source: SFGate

Other incidents and breaches
• Fin8 group targets hospitality industry
• Point-of-sale malware hits Checkers food chain
• Healthcare breaches gain lawmaker attention

DXC Labs | Security
DXC Labs delivers thought leadership technology prototypes to enable enterprises to thrive in the digital age.

DXC Labs | Security brings together our world-class advisors to develop strategic and architectural insights to reduce digital risk. DXC’s Cyber Reference Architecture is at the heart of our research, providing clients with detailed guidance on methods to efficiently resolve the most challenging security problems. We help clients minimize risk while taking maximum advantage of the digital commons.

Learn more at www.dxc.technology/securitylabs
Learn more

Thank you for reading the Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security.

DXC in Security
Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,500+ experts and a global network of security operations centers.

DXC provides solutions tailored to our clients’ diverse security needs, with areas of specialization in Intelligent Security Operations, Identity and Access Management, Data Protection and Privacy, Security Risk Management, and Infrastructure and Endpoint Security.

Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.

About DXC Technology
As the world’s leading independent, end-to-end IT services company, DXC Technology (NYSE: DXC) leads digital transformations for clients by modernizing and integrating their mainstream IT, and by deploying digital solutions at scale to produce better business outcomes. The company’s technology independence, global talent, and extensive partner network enable 6,000 private and public-sector clients in 70 countries to thrive on change. DXC is a recognized leader in corporate responsibility. For more information, visit www.dxc.technology and explore thrive.dxc.technology, DXC’s digital destination for changemakers and innovators.

© Copyright 2019 DXC Technology Company. All rights reserved.

Stay current on the latest threats: www.dxc.technology/threats