Threat Intelligence Report

June 2019

Manufacturing/Public Sector

IN THIS ISSUE
• New supply chain threats
• Ransomware exploits Oracle WebLogic
• Hacktivism on the rise
• WhatsApp risks to mobile devices
• New Lazarus Trojan discovered


Table of Contents

Threat updates
• New ransomware variant exploits Oracle WebLogic vulnerability (Multi-industry)
• Hacktivism increases in the first quarter of 2019 but is less effective (Public Sector, Healthcare, Education)
• E-commerce attacks more valuable than ever (Retail)

Nation state & geopolitical updates
• Advanced supply-chain attacks attributed to Chinese group dubbed Barium (Multi-industry)
• Lazarus group develops new Trojan malware dubbed ELECTRICFISH (Public Sector, Manufacturing, Technology & Research)

Vulnerability updates
• WhatsApp vulnerability leads to compromise of mobile devices in highly targeted attack (Multi-industry)
• 50,000 enterprises may be at risk to potential SAP software vulnerabilities (Multi-industry)

Incidents/Breaches
• MIRRORTHIEF targets 201 online campus stores with card-skimming attack (Retail)
• Possible MegaCortex ransomware attack disrupts accounting software provider Wolters Kluwer (Multi-industry)
• CITYCOMP breach exposes financial data of numerous enterprises (Multi-industry)

Supply chain vulnerabilities expose critical assets

We’ve seen another active month with third-party security risks playing a role in major breaches, meaning it is more critical than ever to understand supply chain exposure. Ransomware continues to be a growing threat, with an increasing number of attacks against enterprise environments, often referred to as big game hunting. Hacktivist groups are also very active, but the good news is these attacks are becoming less effective where proper security controls are in place. I encourage you to read more about the latest threats.

Mark Hughes
Senior Vice President and General Manager of Security, DXC Technology

About this report

Fusing a range of public and proprietary information feeds, including DXC’s global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness.

This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.

Intelligence cutoff date: May 24, 2019


Threat updates

New ransomware variant exploits Oracle WebLogic vulnerability

Attackers are using vulnerability CVE-2019-2725 to facilitate the spread of a new ransomware variant dubbed Sodinokibi.

Impact

The critical vulnerability, which affects Oracle WebLogic servers used for building and deploying enterprise applications, allows unauthenticated remote code execution. Attackers require no user interaction to deploy the ransomware. Once installed, the ransomware instructs victims to transfer bitcoin to a specified address in return for the decryptor.

Notable features of the ransomware include the use of vssadmin.exe to delete automatic system backups, and attackers following up the Sodinokibi deployment with attempts to infect the same target with GandCrab ransomware. The industries and organizations targeted remain out of the public domain, although Cisco Talos suggests there have been numerous victims.

Source: Threatpost, Cisco Talos

DXC perspective

Organizations using Oracle WebLogic are urgently encouraged to patch servers. The flaw was not patched in the standard quarterly update in April.
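A detection-side illustration of the two behaviours this item describes, added here as an example and not taken from the report or from any DXC tooling: it runs over constructed process-creation events (field names loosely modelled on Sysmon, not real telemetry) and flags Volume Shadow Copy deletion through vssadmin.exe, plus the WebLogic JVM spawning a command interpreter, which is how a remote code execution flaw on the server first shows up in endpoint logs. Host names, paths and command lines are constructed.

```python
import re
from typing import Dict, Iterable, List

# Constructed process-creation events, loosely modelled on Sysmon EventID 1
# fields (image, parent image, command line). Constructed for this example;
# they are not real telemetry from any incident.
SAMPLE_EVENTS = [
    {"ts": "2019-05-20T10:01:02Z", "host": "wls01",
     "parent_image": r"C:\Oracle\Middleware\jdk\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "vssadmin.exe Delete Shadows /All /Quiet"'},
    {"ts": "2019-05-20T10:01:09Z", "host": "wls01",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                      # benign query
    {"ts": "2019-05-20T10:03:11Z", "host": "fs02",
     "parent_image": r"C:\Program Files\Backup\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -nop -c "& VSSADMIN delete   shadows /for=C: /oldest"'},
    {"ts": "2019-05-20T10:04:00Z", "host": "wls01",
     "parent_image": r"C:\Oracle\Middleware\jdk\bin\java.exe",
     "image": r"C:\Oracle\Middleware\jdk\bin\java.exe",
     "cmdline": "java -Dweblogic.Name=ManagedServer1 weblogic.Server"},  # normal
]

# Volume Shadow Copy deletion through vssadmin, as the report describes for
# Sodinokibi. Casing, an optional .exe suffix or full path and extra
# whitespace are tolerated; the trailing switches are deliberately not
# required, so reordered or partial variants are still caught.
SHADOW_DELETE_RE = re.compile(
    r"(?<![\w.-])vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)

# Interpreters that a WebLogic java.exe has no business launching. Code run
# through an unauthenticated RCE such as CVE-2019-2725 executes as a child of
# the server's JVM, so this parent/child pair is the earliest visible sign.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the detections that fire for one event."""
    hits = []
    if SHADOW_DELETE_RE.search(ev.get("cmdline", "")):
        hits.append("shadow_copy_deletion")
    if (basename(ev.get("parent_image", "")) == "java.exe"
            and basename(ev.get("image", "")) in SHELL_IMAGES):
        hits.append("java_spawned_shell")
    return hits


def severity(hits: List[str]) -> str:
    """Backup deletion from a JVM child is the full pre-ransomware chain."""
    if "shadow_copy_deletion" in hits and "java_spawned_shell" in hits:
        return "critical"
    if "shadow_copy_deletion" in hits:
        return "high"
    return "medium"


def triage(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run both detections over a stream of events and keep only the alerts."""
    findings = []
    for ev in events:
        hits = analyse_event(ev)
        if hits:
            findings.append({"ts": ev["ts"], "host": ev["host"],
                             "hits": hits, "severity": severity(hits)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['severity']:8} {', '.join(f['hits'])}")
```

The backup agent on fs02 is flagged as well; in production that rule would carry an allow-list of known backup parent images rather than being silenced outright, since Sodinokibi's deletion also runs under a legitimate-looking parent.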

Hacktivism increases in first quarter of 2019

Prominent hacktivist collectives such as Anonymous, LulzSec and various newer groups continue to use relatively low-skill attack vectors — such as distributed denial of service (DDoS), website defacement, and exploitation of misconfigured databases — to gain attention and support their various ideologies and causes.

Impact

Attack success rates vary, typically in relation to the cyber defense maturity of the targeted organization. Recent successes have been seen against government departments in Africa, where Ghost Squad Hackers continued a campaign against the Sudanese government. In early April, Ghost Squad and others claimed to be launching DDoS attacks against 260 domains a day, leading up to the removal of the autocratic president Omar al-Bashir. Anonymous launched similar attacks on departments of the Zimbabwe government in late 2018.

Other hacktivist collectives, particularly those operating in high-income countries, have reportedly had more difficulty when targeting government and media interests. Many groups now focus on low-hanging fruit, such as government subsections or universities.

Source: Wired

DXC perspective

Hacktivist campaigns will continue targeting multiple industry verticals, with public sector, energy, education and healthcare at heightened risk. The attackers typically will be motivated by political, social and environmental issues.

Faced with maturing cyber defenses, hacktivists may seek to increase social engineering activities and use novel methods to disrupt targets. Misinformation campaigns, aimed at damaging a target’s “brand,” could further provide hacktivists opportunities to cause disruption outside of the scope of traditional cyber defenses.

Attack motivations
• 81% Cybercrime
• 14% Espionage
• 3% Cyberwarfare
• 1% Hacktivism
Source: Hackmageddon

Most targeted industries
1. Multi-industry attacks
2. Public Sector
3. Communications, Entertainment & Tech
4. Health & Life Sciences
5. Banking & Capital Markets


Barium APT

Who are they?
• Advanced adversary that uses supply chain compromise to enable highly focused targeting. Also known as Wicked Panda or ShadowHammer.

Where do they operate?
• Intelligence and analysis suggest they are likely Chinese-speaking. They target globally.

What do they want?
• Barium appears to focus on targeted espionage, most likely in support of Chinese strategic goals. Intellectual property, sensitive government documents and research are likely objectives.

Do they work alone?
• Probably not. They have links to state-sponsored Chinese group APT 17 and potentially cybercriminal group Winnti.

How can I stop them?
• Defense in depth and mature technology solutions are required. Fundamental security solutions include understanding your supply chain risk and effective mailbox, endpoint and network protections.

E-commerce attacks more valuable than ever

Payment card information stolen from online stores is increasing in value as demand for card verification value (CVV) numbers is outstripping supply.

Impact

CVV resale prices have now risen to match those of cloned payment cards used at physical point-of-sale (POS) terminals.

Previously, “card present” data — where criminals create physical clones of cards — was considerably more valuable than card data used only online. POS card clones were $15 to $20 a card, whereas CVVs ranged from $2 to $8.

However, recent monitoring of dark web marketplaces shows CVVs are now as valuable as POS data sets. A single CVV will routinely cost in excess of $20. The principal drivers for this dynamic are likely an increased demand for stolen card data on the dark web and increased difficulty in cloning physical cards due to wider chip-and-PIN adoption in G20 nations.

Source: Gemini Advisory

DXC perspective

This situation may partly explain the increased prevalence of attacks on e-commerce sites in the last 12 months, with a number of prominent card-skimming campaigns hitting online stores across various industries.

Nation state and geopolitical updates

Advanced supply chain attacks attributed to Chinese group dubbed Barium

The group is believed to be responsible for the significant breaches of ASUS in March 2019 and Avast’s CCleaner software, affecting 500,000 and 700,000 devices, respectively.

Impact

Barium uses supply chain attacks to compromise hosts en masse, but actively exploits only a small number of preselected targets. Of the half-million devices implicated in the ASUS breach, the malware activated on only 600, based on predefined MAC addresses written into the exploit code. Similarly, only 70 of those compromised by CCleaner saw secondary spyware downloads.

Features

The group typically exploits trusted models to deploy malware. Notably, it compromises update servers of suppliers and uses them to push out malicious payloads under the guise of legitimate updates. The group’s access to the suppliers enables it to use genuine signatures and certificates, making detection early in the kill chain extremely challenging. Evidence suggests Barium also chains supply chain attacks together to gain deeper or more advantageous access. The compromise of CCleaner, for example, was used to target ASUS.

Though Barium’s ability to compromise major software and hardware suppliers has given it access to more than a million devices, the group appears to show little interest in destructive actions. Instead, it focuses on highly targeted espionage operations. Its targets are not known, but intelligence points toward the group being aligned with Chinese state interests. Barium may also operate as part of a wider collective of advanced adversaries. Its code shares fingerprints with code previously used by the state-sponsored Chinese group APT 17, and it shares tooling with cybercriminal group Winnti.

Source: Kaspersky, Wired

DXC perspective

Barium poses a serious and credible risk to public sector, research and technology enterprises holding intellectual property that would be advantageous to Chinese strategic aims. It also poses a serious threat to suppliers of hardware and software, which it will seek to compromise to gain access to their true targets.

For the true target, preventing Barium from gaining initial access may prove challenging. Through compromise of supply chains, the group can package its well-obfuscated malicious payloads within legitimate activities and with genuine certificates.

More crucial is the ability to detect and disrupt malicious activity within your networks at the earliest opportunity. Next-generation endpoint detection systems, well-configured security information and event management (SIEM) and user-entity-behavior analytics can assist in detection. Diligent privilege and account management, coupled with network segmentation, is an effective method of disrupting adversaries in their efforts to navigate internal networks to obtain sensitive information.

Though best known for financially motivated attacks, Lazarus has developed capabilities to conduct sophisticated espionage.

Lazarus group develops new Trojan malware dubbed ELECTRICFISH

Though best known for attacks aimed at financial gain, Lazarus retains its capability to conduct advanced espionage operations. Its latest backdoor Trojan, ELECTRICFISH, was discovered following joint work of the U.S. Department of Homeland Security and the Federal Bureau of Investigation.

Impact

The malware is predominantly an application to tunnel traffic between a specified source and a destination IP address. It uses a custom protocol to tunnel traffic and continuously attempts to reach out from both the source and the destination systems, allowing either side to initiate a tunneling session.

The malware can be configured with a proxy server/port and proxy username and password, which allows the adversary to bypass the compromised system’s required authentication to reach outside of the network. Indicators of compromise are available.

Source: US-CERT

DXC perspective

Lazarus is likely to target organizations that hold information that may aid North Korean strategic interests. This may include public sector organizations in North America, Europe and the Asia-Pacific region, and global manufacturing, technology and research organizations.

Although this spyware appears to hold greatest utility in espionage operations, Lazarus has traditionally been oriented toward financial gain. It remains possible this tooling could be used to support data-theft-for-ransom attacks. This risk will heighten should the economic situation in North Korea continue to degrade.


Vulnerability updates

WhatsApp vulnerability leads to compromise of mobile devices in highly targeted attack

WhatsApp pushed an update to its 1.5 billion users after it became aware of a buffer overflow vulnerability that allowed the installation of spyware on mobile devices.

Impact

The vulnerability exists in the WhatsApp voice over IP (VoIP) stack and allows remote code execution via a specially crafted series of Secure Real-time Transport Control Protocol (SRTCP) packets sent to a target phone. Threat actors have already exploited the flaw to install spyware on devices without the need for user interaction. It is widely reported that various journalists, NGOs and human rights activists were principal targets in this campaign.

The exploit was reportedly developed by the Israeli technology company NSO Group. The NSO Group is believed to supply spyware technology to a range of governments globally. The NSO Group says it doesn’t operate any of the tools it develops.

Source: ArsTechnica, Infosecurity Magazine

DXC perspective

Exploitation of this vulnerability has been highly targeted to date. However, the WhatsApp security update could be reverse engineered, putting exploits into the hands of more adversaries.

Organizations should ensure that staff are using the latest WhatsApp version on both work and personal devices to mitigate the risk of this exploit.

50,000 enterprises may be at risk to potential SAP software vulnerabilities

Potential vulnerabilities in some SAP software leave enterprises exposed, according to Onapsis Research Labs.

Impact

An exploit tool called “10KBLAZE” utilizes errors in SAP NetWeaver configurations to gain unrestricted access to SAP systems. As well as data theft and destruction, attackers could manipulate transaction data by creating vendors, releasing shipments and making fraudulent payments. It is estimated that 50,000 enterprises may be affected by this vulnerability.

Source: SAP, Reuters

DXC perspective

Adversaries will quickly look to identify and exploit this vulnerability, and exploit source code is already available. SAP recommends that organizations comply with SAP Security Notes #821875, #1408081 and #1421005. SAP’s patch for this vulnerability should be applied as a critical priority.

Prominent ransomware (2019)

LockerGoga
• Targeted manufacturing and industrial enterprises. Operated by an advanced actor that combined automated and manual techniques to maximize infection scale.

Ryuk
• Initially thought to be a revised Hermes ransomware strain, operated by a North Korean group. However, new intelligence suggests it is operated by a prominent Russian cyber criminal. Targets enterprise-scale organizations using Emotet for initial access.

PewCrypt
• Bizarrely does not require a financial ransom, rather wanting victims to subscribe to YouTuber PewDiePie in order to receive a decryptor. Distributed via spam.

Katyusha
• First appeared in late 2017 and uses the EternalBlue and DoublePulsar exploits to propagate. Primarily delivered via spam.

GandCrab
• Widely seen in 2018, with its ransomware-as-a-service model popular with cybercriminals. Still a principal threat in 2019. Bitdefender has recently released an updated decryptor.


Incidents and breaches

Mirrorthief targets 201 online campus stores with card-skimming attack

TrendMicro reported that the Mirrorthief group’s latest round of card-skimming attacks, a tactic often referred to by the umbrella term “Magecart,” has affected 201 campus e-commerce stores.

Impact

As with previous Magecart incidents, payment card data was copied and exfiltrated to a malicious server at the point of user entry to the payment page.

Mirrorthief compromised PrismWeb, the e-commerce platform used by the stores, to inject its malicious code. Victim numbers remain unknown.

Source: TrendMicro

DXC perspective

Third-party contributor or supplier compromise remains a highly effective way for adversaries to inject skimming code into an array of stores by simply compromising a single platform. The enduring success of this model will likely see it increase in prevalence.

The security of third-party contributors is integral to the security of an e-commerce platform. Organizations should include third-party security considerations within their wider security architecture.

Possible MegaCortex ransomware attack disrupts accounting software provider Wolters Kluwer

Access to software giant Wolters Kluwer’s CCH Axcess product, a cloud-based tax preparation, compliance and workflow management solution, was disrupted in early May due to what the organization initially described as “technical anomalies.” Though it ultimately admitted experiencing a malware incident, Wolters Kluwer stressed that no sensitive data had been stolen and customers had not been otherwise affected.

Impact

Although formal details of the malware are not in the public domain, intelligence suggests the company suffered a MegaCortex ransomware attack. MegaCortex, much like other prominent malware types such as Ryuk and LockerGoga, leverages both automated scripts and manual activity to maximize the number of victims and scale of infection. There is some suggestion that MegaCortex may use the Emotet or Qbot malware to aid in gaining initial network access, a tactic not uncommon in ransomware aimed at enterprise-level targets.

The similarities between MegaCortex and other prominent ransomware families go further. At least one command-and-control (C2) address is shared, and the list of processes and services in the batch file is nearly identical to that seen in LockerGoga infections.

Source: SecurityWeek, Sophos

DXC perspective

Ransomware targeted at enterprise environments is a growing trend dubbed “big game hunting.” Adversaries typically infect en masse using automated vectors, often using Trojan malware delivered by spam or drive-by download, and then laterally move through networks to compromise domain controllers using manual techniques. Once domain controllers are accessed, the ransomware binaries can be pushed out to the network, maximizing the scale of infection.

The best defense for enterprises is preventing initial compromise through mailbox filtering, perimeter defenses and endpoint security solutions. Next-generation endpoint security and SIEM can also detect suspicious internal actions prior to the ransomware binaries being pushed out by domain controllers, thereby increasing the organization’s ability to disrupt adversaries early in the kill chain.

CITYCOMP breach exposes financial data of numerous enterprises

CITYCOMP, an IT supplier to multiple blue chip organizations, suffered a significant data-theft-for-ransom attack in late April. Details of how the attackers gained access to CITYCOMP are not in the public domain at this time.

Impact

The attackers stole significant amounts of data pertaining to key clients, including Oracle, Toshiba, Volkswagen and Airbus. The attackers attempted to extort CITYCOMP by threatening to release the data if a ransom was not paid. When CITYCOMP did not comply, the data was released to the dark web.

Source: Sophos

DXC perspective

Ransomware is only one type of extortion attack. Data theft for ransom remains a credible threat, often proving more lucrative for attackers than data theft for resale.

Learn more

Thank you for reading the Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security:

DXC Labs | Security

DXC Labs delivers thought leadership and technology prototypes to enable enterprises to thrive in the digital age.

DXC Labs | Security brings together our world-class advisors to develop strategic and architectural insights to reduce digital risk. DXC’s Cyber Reference Architecture is at the heart of our research, providing clients with detailed guidance on methods to efficiently resolve the most challenging security problems. We help clients minimize risk while taking maximum advantage of the digital commons.

Learn more at www.dxc.technology/securitylabs


DXC in Security

Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,500+ experts and a global network of security operations centers.

DXC provides solutions tailored to our clients’ diverse security needs, with areas of specialization in Intelligent Security Operations, Identity and Access Management, Data Protection and Privacy, Security Risk Management, and Infrastructure and Endpoint Security.

Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.

About DXC Technology

As the world’s leading independent, end-to-end IT services company, DXC Technology (NYSE: DXC) leads digital transformations for clients by modernizing and integrating their mainstream IT, and by deploying digital solutions at scale to produce better business outcomes. The company’s technology independence, global talent, and extensive partner network enable 6,000 private and public-sector clients in 70 countries to thrive on change. DXC is a recognized leader in corporate responsibility. For more information, visit www.dxc.technology and explore thrive.dxc.technology, DXC’s digital destination for changemakers and innovators.

© Copyright 2019 DXC Technology Company. All rights reserved.

Stay current on the latest threats: www.dxc.technology/threats