Threat Intelligence Report
April 2020
In this issue
Coronavirus-themed attacks observed globally
Remote code execution vulnerability in SMBv3
Unsecured database contains details on 900,000 Virgin Media customers
Campaign targets North American aviation sector
Message from Mark Hughes
The coronavirus outbreak has swept across the globe causing unprecedented shutdowns in many industries and a huge move to home working. This shift has not gone unnoticed by cyber criminals, with an estimated 80 percent of the threat landscape using coronavirus as a theme for phishing emails, spoof websites and other attacks. Included are tips for staying safe and secure during these unprecedented times.
Mark Hughes
Senior Vice President and General Manager of Security, DXC Technology
About this report
Fusing a range of public and proprietary information feeds, including DXC’s global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness. This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.
Intelligence cutoff date: 30 March 2020
Table of contents
Threat Updates
• Multiple coronavirus-themed attacks observed globally (Multi-industry), page 3
Vulnerability Updates
• Microsoft discloses two unpatched vulnerabilities in Type Manager Library (Multi-industry), page 6
• Remote code execution vulnerability found in SMBv3 (Multi-industry), page 7
Incidents/breaches
• Data on 538 million Weibo users for sale on the dark web (Technology), page 8
• Unsecured database contains details on 900,000 Virgin Media customers (Telecommunications), page 9
Nation State and Geopolitical
• Campaign targets North American aviation sector (Aviation), page 9
Threat Updates
Multiple coronavirus-themed attacks observed globally
Multiple threat actors are using the global media attention surrounding the novel coronavirus (COVID-19) global pandemic to launch campaigns designed to distribute malware to unsuspecting users. At least 15 distinct campaigns have been identified associated with 11 threat actors or groups and distributing 39 different malware families. The range of malware families being distributed in these campaigns includes AgentTesla, AZORult, BabyShark, Cerberus, CoronaVirus Ransomware, CovidLock Android malware, Crimson RAT, Emotet, GuLoader, Kpot Infostealer, Lokibot, Nanocore RAT, NetWalker Ransomware, Parallax RAT, Redline Stealer, Remcos, and Trickbot.
Additionally, several threat actors and groups reportedly associated with China, North Korea, Pakistan and Russia have been observed participating in COVID-19 themed malicious activity.
Virus-themed phishing tactics
In early March, security company Checkpoint reported that coronavirus-themed domain registrations were 50 percent more likely to be fraudulent when compared to all other topics. This indicates a growing trend in COVID-19 themed phishing and website spoofing, with a capacity that has not been fully utilized. Other indicators include:
• The Folding@home brand, a distributed computing project for disease research, was abused as part of a phishing campaign that distributed a new malware family named RedLine Stealer, according to Proofpoint. This malware, which targeted primarily U.S.-based healthcare and manufacturing organizations, captures login, autocomplete, password and credit card information from its victim’s browser and is currently available on Russian criminal underground forums as a subscription service for as little as $100 a month.
• Security researchers discovered replica websites that mimicked the Johns Hopkins COVID-19 map. The sites prompt viewers to download and run a Windows application to remain updated on the latest information. Users installing the application are infected with AZORult malware, which is used to steal personal and sensitive information such as passwords and credit card data. This malware also acts as a dropper to install additional malware and create hidden backdoors to gain further access to the victim’s system.
• The Mongolian public sector was targeted with coronavirus-themed phishing emails using the “Royal Road” Rich Text Format (RTF) weaponizer. Royal Road has been previously attributed to multiple China-based threat groups and has reportedly targeted organizations in Belarus, Russia and Ukraine prior to these latest attempts against Mongolia.
15: Number of distinct campaigns related to COVID-19
11: Number of threat actors observed using COVID-19 tactics
39: Number of malware families being used to support COVID-19 campaigns
• As the number of reported cases of COVID-19 rose in the United States in mid-March, the Champaign-Urbana (Illinois) Public Health District fell victim to a ransomware attack using NetWalker (also known as Mailto or Kazakavkovkiz), a relatively new form of malware that targets enterprises running on Microsoft Windows 10.
• The University Hospital Brno, a Czech Republic hospital conducting COVID-19 testing, was also a victim of an unspecified ransomware attack.
• A long-standing cyber espionage actor, APT36, which conducts intelligence collection in support of Pakistani military and diplomatic interests, distributed a fake COVID-19 health advisory purportedly from the Indian government as a means for distributing variants of the Crimson RAT.
• A wave of 2,500 infections of two strains of malware was delivered in COVID-19-themed emails within a 7-hour period, marking a massive uptick in COVID-19-related activity, according to security company ESET. This wave of infections specifically targeted Spain, Portugal, Czech Republic, Malaysia and Germany.
• Researchers independently confirmed a large spike in activity over the same time frame by known threat actors TA505 and TA564, targeting users in the United States and Canada. According to researchers, the most affected U.S. industries are healthcare, manufacturing and pharmaceuticals.
Potential for hacktivist activity
Based on hacktivist operations over the previous few weeks, DXC Technology anticipates that hacktivism, particularly in Latin America and Europe, is likely to spike during the global COVID-19 outbreak. Over the past year, rates of hacktivism in Latin America have been higher than normal, due mostly to political unrest in much of the region. These attacks consist of low-level activity such as denial of service or web defacements and are likely to increase as widespread demonstrations and large gatherings are prohibited by governments.
CyberTeam, a group that claims to have members in Europe and Latin America, conducted multiple website defacements under the COVID-19 hashtag in mid-March. Their targets included websites in both Portugal and Brazil.
Threat highlight: Phishing
Phishing continues to be the primary initial attack vector used in coronavirus-related campaigns by both cyber criminal and nation-state threat actors. These phishing tactics, which use lures related to health guidance and infection rate news, are expected to pose a significant threat in the coming months.
In addition to health-related lures, it is considered highly likely that threat actors could take advantage of the shift to remote working using lure documents related to corporate guidance and procedures, and human resources and leadership correspondence.
Scam websites
DXC has observed a large number of COVID-19 related domain names being purchased. While the intent of use for these sites is not clear at the time of writing, it is highly likely that these domains will be used in various scam operations or to further distribute malware. Scam websites are likely to be used to promote fake charities, fraudulent health products (including face masks, COVID-19 tests and vaccinations), or ask for donations to fundraising efforts to support vaccine development.
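The domain-registration findings above (COVID-19 terms, spoofed Zoom and Johns Hopkins sites) lend themselves to a screening pass over a newly-registered-domain feed. The following is an added example, not code from the DXC report: the feed, the term and brand lists and the scoring thresholds are constructed assumptions, meant to be tuned to an organization's own watchlist.

```python
"""Screen a newly-registered-domain feed for pandemic lures and brand lookalikes.

Added example, not from the DXC report. The feed, term list, brand list and
scoring thresholds are constructed assumptions to be tuned per organisation.
"""
import re

PANDEMIC_TERMS = ("covid", "corona", "vaccine", "pandemic", "facemask")
# Brands spoofed in pandemic lures per the report (Zoom, WHO, Johns Hopkins).
PROTECTED_BRANDS = ("zoom", "who", "jhu", "microsoft")
# Digits commonly swapped for look-alike letters in lure domains.
HOMOGLYPHS = str.maketrans({"0": "o", "3": "e", "5": "s", "7": "t"})

def registrable_label(domain):
    """Second-level label, lower-cased: 'C0rona-Map.example' -> 'c0rona-map'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_domain(domain):
    """Return (score, reasons) for one domain; higher means more lure-like."""
    label = registrable_label(domain)
    normalised = label.translate(HOMOGLYPHS)
    tokens = [t for t in re.split(r"[-_]", normalised) if t]
    score, reasons = 0, []
    for term in PANDEMIC_TERMS:
        if term in normalised:
            score, reasons = score + 2, reasons + [f"pandemic term '{term}'"]
            break
    for brand in PROTECTED_BRANDS:
        if brand in tokens and tokens != [brand]:
            score += 3
            reasons.append(f"brand '{brand}' combined with other words")
        # One-edit matches are noisy for short names, so only brands of 4+ chars.
        elif len(brand) >= 4 and any(t != brand and len(t) >= 4 and
                                     edit_distance(t, brand) == 1 for t in tokens):
            score += 3
            reasons.append(f"typosquat of '{brand}'")
    if label != normalised:
        score += 1
        reasons.append("digit-for-letter substitution")
    return score, reasons

def triage(feed, threshold=3):
    """Return [(domain, score, reasons)] at or above threshold, highest first."""
    scored = [(d, *score_domain(d)) for d in feed]
    return sorted((x for x in scored if x[1] >= threshold), key=lambda x: -x[1])

# Constructed sample feed (not real registrations).
SAMPLE_FEED = ["zoom-covid19-meeting.example", "c0ronavirus-vaccine-order.example",
               "zoon.example", "who-int-health-advisory.example",
               "bakery-on-main.example", "zoom.example"]

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_FEED):
        print(f"{score} {domain}: {'; '.join(reasons)}")
```

Flagged domains are candidates for a block list or a proxy watchlist; a score of 3 from a single one-edit match deserves an analyst look before blocking, since words such as "room" sit one edit from "zoom".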
Cyber crime activity
A significant amount of criminal activity has surfaced across all industry verticals and geographic regions related to the pandemic. Campaigns have been observed in multiple languages, using multiple attachment types and varying types of information related to the outbreak. This activity demonstrates the wide scope of criminal activities. Virus-based lure documents have been used to distribute Emotet, TrickBot and other malware. There have also been instances of criminal groups attempting to sell COVID-19 themed tools.
Nation-state threats
Despite the impact on their respective countries, multiple nation-state threat actors have been observed using virus-themed operations, with actors working on behalf of North Korea and China.
Remote working threats
With so many employees working from home, organizations are increasing their dependence on remote access services. Deploying additional remote access services in a short window could pose a security risk when combined with the potential for human error-enabled security lapses.
Recent months have seen an increase in the number of high and critical severity vulnerabilities in several corporate VPN solutions. The urgent need for additional remote access resources may result in an increase in vulnerable services being deployed in a rush to meet business demand.
Criminal threat actors continually collect credentials for remote access services that could provide them with access to accounts and internal corporate systems. The cyber criminal big game hunting (BGH) ransomware industry in particular leverages remote desktop protocol (RDP) brute forcing and password spraying as initial attack vectors. As many such agents are active, it is considered highly likely that they will try to capitalize on the potential increase in remote access services to escalate their activity.
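The RDP brute forcing and password spraying described above leave a recognizable shape in failed-logon telemetry: one source against one account, or one source against many accounts, inside a short window. The detector below is an added example, not code from the DXC report; it runs over constructed lines in a simplified Windows Security event 4625 style, and the line format, IP addresses and thresholds are assumptions.

```python
"""Flag RDP brute forcing and password spraying in failed-logon records.

Added example, not from the DXC report. Input lines are constructed in a
simplified Windows Security event 4625 style; the field names mirror 4625,
but the format, addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source hammers one account, a second source tries
# many accounts once each, a user mistypes twice, plus an unrelated console logon.
SAMPLE_LOG = """\
2020-03-20T09:00:01 EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=10
2020-03-20T09:00:03 EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=10
2020-03-20T09:00:05 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.7 LogonType=10
2020-03-20T09:00:07 EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=10
2020-03-20T09:00:09 EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=10
2020-03-20T09:12:00 EventID=4625 TargetUserName=alice IpAddress=198.51.100.9 LogonType=3
2020-03-20T09:12:02 EventID=4625 TargetUserName=bob IpAddress=198.51.100.9 LogonType=3
2020-03-20T09:12:04 EventID=4625 TargetUserName=carol IpAddress=198.51.100.9 LogonType=3
2020-03-20T09:12:06 EventID=4625 TargetUserName=dave IpAddress=198.51.100.9 LogonType=3
2020-03-20T09:12:08 EventID=4625 TargetUserName=erin IpAddress=198.51.100.9 LogonType=3
2020-03-20T09:30:00 EventID=4625 TargetUserName=grace IpAddress=192.0.2.5 LogonType=10
2020-03-20T09:30:20 EventID=4625 TargetUserName=grace IpAddress=192.0.2.5 LogonType=10
2020-03-20T09:31:00 EventID=4625 TargetUserName=heidi IpAddress=127.0.0.1 LogonType=2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=4625 TargetUserName=(?P<user>\S+) "
                     r"IpAddress=(?P<ip>\S+) LogonType=(?P<ltype>\d+)$")
# Type 10 = RemoteInteractive (RDP). With Network Level Authentication enabled,
# failed RDP attempts are commonly recorded as type 3 (Network) instead.
REMOTE_LOGON_TYPES = {3, 10}
EPOCH = datetime(1970, 1, 1)

def parse_failed_logons(text):
    """Yield (timestamp, user, ip, logon_type) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["user"].lower(),
                   m["ip"], int(m["ltype"]))

def detect(text, window_seconds=600, min_attempts=5, spray_users=4):
    """Return {(kind, ip): detail} for remote-logon bursts in fixed time buckets.

    brute_force: >= min_attempts failures from one IP against one account
        (detail = attempt count).
    password_spray: >= min_attempts failures from one IP spread over
        >= spray_users accounts (detail = sorted account names).
    Fixed buckets keep the example short; a burst straddling a bucket
    boundary would need a sliding window in production.
    """
    buckets = defaultdict(list)
    for ts, user, ip, ltype in parse_failed_logons(text):
        if ltype in REMOTE_LOGON_TYPES:
            bucket = int((ts - EPOCH).total_seconds()) // window_seconds
            buckets[(ip, bucket)].append(user)
    findings = {}
    for (ip, _), users in buckets.items():
        if len(users) < min_attempts:
            continue
        distinct = set(users)
        if len(distinct) >= spray_users:
            findings[("password_spray", ip)] = sorted(distinct)
        elif len(distinct) == 1:
            findings[("brute_force", ip)] = len(users)
    return findings

if __name__ == "__main__":
    for (kind, ip), detail in sorted(detect(SAMPLE_LOG).items()):
        print(f"{kind:15} {ip:15} {detail}")
```

A spray finding is the one to act on first: it means a single password is being tried across the user base, so account lockout thresholds on their own will not trip, and multifactor authentication on the remote access service is what stops it.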
DXC perspective
DXC assesses that malicious cyber threat actors will continue to take advantage of the global COVID-19 outbreak during the spread of the virus. As such, it is imperative that businesses and employees remain aware of the potential threats they face while they make transitions to alternative business continuity plans.
More COVID-19 threat news
• Attackers spoofing Zoom domains to target remote workers - https://techerati.com/news-hub/hackers-are-spoofing-zoom-domains-to-target-remote-workers/
• Attackers target World Health Organization - https://tech.newstatesman.com/security/who-cyber-attack-covid19
• Ransomware groups promise not to hit hospitals - https://www.wired.com/story/ransomware-magecart-coronavirus-security-news/
• New York attorney general looks into Zoom’s privacy and security practices - https://www.nytimes.com/2020/03/30/technology/new-york-attorney-general-zoom-privacy.html?auth=linked-
DXC recommends adopting a strong defensive posture by ensuring that remote services, VPNs, and multifactor authentication solutions are fully patched and properly integrated, and by providing security awareness for employees working from home. Other recommendations include:
• Ensure that all remote access systems are patched to current levels.
• Confirm the configuration of any remote access solutions recently deployed to meet increased demand.
• Ensure the use of multifactor authentication for all remote workers to mitigate the potential misuse of compromised credentials.
• Educate users to regard unsolicited emails, especially medical advisory emails, with caution, especially if they have links or attachments.
• Wherever possible, dedicated corporate devices should be provided to employees working from home. This ensures that good endpoint security can be maintained.
• If dedicated corporate endpoint devices are not available, consider the use of multifactor authentication-protected remote desktop protocol services to process corporate information without removing it from the organization’s network borders.
Sources: Johns Hopkins University, Wall Street Journal and BBC News
Vulnerability Updates
Microsoft discloses two unpatched vulnerabilities in Type Manager Library
Microsoft is warning customers about two newly discovered remote code execution vulnerabilities in Windows that are related to the Adobe Type Manager.
Impact
The vulnerabilities affect most of the currently supported versions of Windows desktop and server. Microsoft has rated the bugs as critical for all of the affected releases. Successful exploitation would require a remote attacker to persuade a user to open a specially crafted document leading to memory corruption and executing arbitrary code on the system. This may result in complete compromise of vulnerable systems.
Microsoft is aware of some targeted attacks that are exploiting these vulnerabilities on Windows 7, 8.1, Server 2008 and Server 2012 platforms. Microsoft is not aware of any attacks against the Windows 10 platform. The threat is considered low for systems running Windows 10.
An update to address the security vulnerabilities is expected to be released on Update Tuesday, the second Tuesday of each month.
>100,000: Number of domains registered containing terms linked to COVID-19 in the past month
513: Number of malware files detected containing “coronavirus” in the title
80%: Estimated share of overall threat landscape using COVID-19 as a theme
DXC perspective
While it’s described as a remote code execution vulnerability, successful exploitation would require a user to download and open, or view, a corrupted font file to make exploitation possible. Microsoft indicated that targets of active exploitation have so far been limited to Windows 7 and that mitigations in Windows 10 and related operating systems prevent an affected application from escaping the Windows sandbox, limiting the scope of this attack. IT administrators running Windows 10 should not implement the mitigation guidance described in the advisory, according to Microsoft. DXC recommendations include:
• Escalate patching of vulnerable systems in line with suitable regression testing practices.
• Users of older installations of the Windows operating system should consider following Microsoft guidelines for mitigation by disabling preview panes.
• Where possible, users of older Windows platform installations should upgrade to Windows 10.
Source: Microsoft - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200006
Remote code execution vulnerability in SMBv3
Microsoft recently released a security advisory regarding a remote code execution vulnerability in its Server Message Block (SMB) version 3 protocol.
The vulnerability affects client and server machines and could allow an unauthenticated remote attacker to take full control of vulnerable systems.
Impact
To exploit SMB server systems, an unauthenticated attacker would need to send a maliciously crafted packet to an SMBv3 server. To exploit an SMB client system, an unauthenticated attacker would need to configure a malicious SMBv3 server and persuade a client system to connect to it.
Microsoft has released KB4551762 as an out-of-band security update to counter the vulnerability. This security update can be installed by checking for updates via Windows Update or by manually downloading it from the Microsoft Update Catalog.
DXC perspective
There are currently no reports of this vulnerability being exploited in the wild; however, as it is possible to trigger this vulnerability remotely and without credentials or user interaction, it has the potential to be exploited as part of fast-moving, global malware attacks. In the past few years, SMB-based exploits have been used in some of the largest ransomware infections, such as WannaCry and NotPetya.
It is considered highly likely that public exploits for this vulnerability will be available within days or weeks. Historically, unauthenticated remote code execution vulnerabilities such as this one are prime targets for inclusion in automated and worm-based attacks. DXC recommendations include:
• Escalate patching of vulnerable systems in line with suitable regression testing practices.
• Block TCP port 445 at perimeter firewalls. Note that systems will still be vulnerable to attacks from within the enterprise perimeter.
• Consider following Microsoft guidelines for disabling SMBv3 compression on vulnerable SMB server systems if patching is not immediately possible and if suitable for the environment. Exercise caution as this workaround may have adverse effects on the volume and performance of SMB traffic on the network.
Sources: Microsoft Advisory - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005; Microsoft Guidance - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796; Microsoft Update Catalog - https://www.catalog.update.microsoft.com/Search.aspx?q=KB4551762
Incidents/breaches
Data on 538 million Weibo users for sale on the dark web
According to several Chinese media outlets, data on 538 million Weibo users, including 107 million records containing personal data and account information, has recently been put up for sale on dark web forums. Advertisements published by the seller claim that the data was stolen from the site in mid-2019.
Impact
Weibo is a popular Chinese microblogging website. Personal details for sale from the site include full names, geographic location, user ID, gender and more for 107 million users.
The breach is not thought to contain any password information. The company has notified the authorities, and an investigation into the breach is ongoing.
DXC perspective
The presence of private user details, including gender and location, suggests the attackers accessed the company database rather than simply scraping data from the site.
While the information stolen does not appear to include passwords, it does present a potentially significant risk to the users, as it can be employed to conduct further attacks. Targeted phishing attacks or other email-based scams often continue long after the information is stolen.
Source: Security Affairs - https://securityaffairs.co/wordpress/100243/data-breach/weibo-data-dark-web.html
Unsecured database contains details on 900,000 Virgin Media customers
A database containing the personal details of 900,000 Virgin Media customers was left unsecured and accessible online for 10 months.
It is reported that the database was used for marketing purposes and contained phone numbers, home addresses and email addresses, but did not include passwords or financial details.
Virgin Media has notified the Information Commissioner’s Office as required under UK law and has launched a forensic investigation.
DXC perspective
This exposure is the most recent example of data being publicly stored online without suitable protection. Although usually caused by human error rather than malicious intent, these types of data exposures have been a recurring theme in recent years. Implementation of security fundamentals, such as appropriate authentication configuration, patch management and the visibility and audit of assets, is a necessity and could have prevented this and many other exposures.
Organizations with databases holding sensitive information should further harden their defenses by preventing public IP access where possible, avoiding common ports, closing unnecessary services and requiring the use of proxies for access.
Source: BBC - https://www.bbc.co.uk/news/business-51760510
Nation State and Geopolitical
Campaign targets North American aviation sector
Reports by DXC partner CrowdStrike suggest an ongoing campaign of network compromise attempts against a number of organizations in the aviation sector during February and March 2020. The activity is thought to be conducted by Berserk Bear, a nation-state adversary associated with the Russian Federal Security Service (FSB).
This campaign has involved the use of SQL injection (SQLi) techniques against publicly accessible servers with the intent of establishing code execution. Targeted systems are reported to be associated with organizations across North America that support the aviation and transportation sector. While the full intent of this campaign is not currently known, initial indications show the activity may be aimed at collecting information about employees of these organizations.
Other news
• Google confirms 40,000 nation-state cyber attack warnings issued - https://www.forbes.com/sites/daveywinder/2020/03/27/hacker-threat-google-confirms-40000-nation-state-cyber-attack-warnings-issued/#49b60173b71f
• FIN7 Group sending malware-infected USB drives with Best Buy gift cards - https://www.hackread.com/hackers-send-malware-infected-usbs-best-buy-gift-cards/
DXC perspective
Previous monitoring shows that the Berserk Bear group’s operations generally align with the objectives of the Russian intelligence services. Recently the U.S. Computer Emergency Readiness Team (US-CERT) reported the targeting of critical national infrastructure organizations, including the U.S. aviation sector, that can be attributed to Berserk Bear with moderate confidence.
The targeting of the aviation industry during a period of significant travel disruption due to the global outbreak of COVID-19 may be indicative of an operational surge in reconnaissance activity to gather intelligence on the sector to determine how it is affected by the crisis. However, previous observations of similar targeting suggest this recent activity may be a continuation of long-term operations conducted by the Russian government.
Learn more
Thank you for reading the Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security.
DXC in Security
Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,500+ experts and a global network of security operations centers. DXC provides solutions tailored to our clients’ diverse security needs, with areas of specialization in Cyber Defense, Digital Identity, Secured Infrastructure and Data Protection. Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.
Stay current on the latest threats at www.dxc.technology/threats
Get the insights that matter. www.dxc.technology/optin
About DXC Technology
DXC Technology (NYSE: DXC) helps global companies run their mission critical systems and operations while modernizing IT, optimizing data architectures, and ensuring security and scalability across public, private and hybrid clouds. With decades of driving innovation, the world’s largest companies trust DXC to deploy our enterprise technology stack to deliver new levels of performance, competitiveness and customer experiences. Learn more about the DXC story and our focus on people, customers and operational execution at www.dxc.technology.
©2020 DXC Technology Company. All rights reserved. April 2020