
Security Threat Intelligence Report

    September 2020

    In this issue

    Trickbot malware targets Linux

    Internet Explorer script-based malware emerges

    Business email compromise attacks bypass MFA

    Zoom phishing campaign harvesting Office 365 credentials

    Agent Tesla RAT adds new features

Message from Mark Hughes

The shift to remote work has seen a considerable uptick in targeting remote access solutions. A new Zoom phishing campaign is harvesting Office 365 credentials while new business email compromise attacks can bypass multifactor authentication. We must ensure identity and access management are tight, and cyber hygiene is an ongoing focus. We also must continue to educate teams to keep a diligent eye on ongoing phishing schemes and malware.

Mark Hughes, Senior Vice President and General Manager of Security, DXC Technology

About this report

Fusing a range of public and proprietary information feeds, including DXC's global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness.

This report is a part of DXC Labs | Security (https://www.dxc.technology/security/insights/146282-dxc_labs_security), which provides insights and thought leadership to the security industry.

Intelligence cutoff date: August 24, 2020

Table of contents

Threat Updates
  TrickBot's Anchor malware platform targets Linux devices (multi-industry)
  Business email compromise attacks bypass MFA (multi-industry)
  Zoom phishing campaign harvesting O365 credentials (multi-industry)
  Agent Tesla RAT adds new features (multi-industry)

Vulnerability Updates
  Internet Explorer scripting malware emerges (multi-industry)

Incidents/breaches
  Carnival Corporation suffers ransomware attack (travel industry)

Nation State and Geopolitical
  U.S. Justice Department seizes cryptocurrency accounts of 3 suspected terrorist groups (multi-industry)


Threat Updates

TrickBot's Anchor malware platform targets Linux devices

Discovered by Stage 2 researcher Waylon Grange, TrickBot's Anchor malware is still in the early stages of development. Intel is limited at this time. Updates will be reported as they become available.

TrickBot is a multipurpose Windows malware platform that uses different modules to perform various malicious activities, including information stealing, password stealing, Windows domain infiltration and malware delivery.

TrickBot is rented by threat actors who use it to infiltrate a network and harvest anything of value. It is then used to deploy ransomware such as Ryuk and Conti to encrypt the network's devices as a final attack.

Anchor_Linux will configure itself to run every minute using the following system crontab entry (schedule, user, command):

*/1 * * * * root [filename]

Attack vector

According to Stage 2, this malware is often delivered as part of a ZIP file and is a lightweight Linux backdoor. Upon execution it installs itself as a cron job, determines the public IP for the host and then begins to beacon to its C2 server via DNS queries.

Dropper functionality includes:

• The ability to drop other malware on Linux devices and execute it
• An embedded Windows TrickBot executable
• A Linux embedded binary that serves as new lightweight TrickBot malware
• Code connections to older TrickBot tools

This malware can be used to infect Windows machines on the same network. This is the Windows infection process:

• Anchor_Linux copies the embedded TrickBot malware to Windows hosts on the same network over SMB, using the IPC$ share

Figure 1. Setting up persistence via CRON
Source: Vitali Kremez

• When successfully copied to a Windows device, Anchor_Linux configures it as a Windows service using:
  – The Service Control Manager Remote protocol
  – The SMB SVCCTL named pipe
• Upon startup, the Windows machine connects to the C2 for instructions

Linux version

The Linux version allows threat actors to target non-Windows environments with a backdoor. If successful, attackers can pivot to Windows devices on the same network, which gives TrickBot a Windows infection vector outside of email phishing. The Linux backdoor persists through the cron job shown above. It runs in UNIX environments and targets devices in those environments, including:

• Routers
• VPN devices
• NAS devices (which typically run Linux)

IoT devices also require security controls and monitoring to detect Anchor_Linux.

Figure 2. Copying a file via SMB
Source: Waylon Grange

Figure 3. TrickBot's Anchor framework
Source: SentinelOne

ATM makers address illegal cash withdrawals

ATM manufacturers Diebold Nixdorf and NCR have fixed a number of software vulnerabilities that allowed attackers to execute arbitrary code with or without system privileges. Attackers made illegal cash withdrawals by forging deposits and by manipulating the underlying systems into issuing valid commands to dispense currency.

Hunting

Anchor_Linux creates a log file at /tmp/anchor.log. There is a high probability that the name of the log file will change as malware development progresses. If this file exists, a complete audit of the system for the presence of Anchor_Linux should be conducted. TrickBot is expected to continue development to make Anchor_Linux a full-featured addition to its Anchor framework.

IoCs – courtesy of Stage 2 Security

Hashes (SHA-256; note that the third value, as printed, is one hex character short):
55754d178d611f17efe2f17c456cb42469fd40ef999e1058f2bfe44a503d877c
c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
7686a3c039b04e285ae2e83647890ea5e886e1a6631890bbf60b9e5a6ca43d0

Domains:
*.biillpi[.]com

IPs:
23.95.97[.]59

Yara:

rule anchor_linux_dns
{
    meta:
        author = "Stage 2 Security"
        description = "Trickbot anchor_linux"
    strings:
        $hdr = {7f 45 4c 46}
        $x1 = {80 74 0? ?? b9}
        $x2 = "anchor_l"
        $x3 = "getaddrinfo"
        $x4 = "IPC$"
        $x5 = {48 ?? 2f 74 6d 70 2f 00 00 00}
        $x6 = "test my ip"
        $x7 = {73 6d 62 32 5f [4-7] 5f 61 73 79 6e 63 20}
        $x8 = "Kernel32.dll"
        $x9 = "libcurl"
        $x10 = "/1001/"
    condition:
        $hdr at 0 and 7 of ($x*)
}
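The cron persistence, the /tmp/anchor.log artifact and the IoCs above can be turned into a host-side hunt. The following Python script is an added example written for this page, not Stage 2's or DXC's tooling: it parses crontab text for the every-minute root job shape, checks candidate binaries against the SHA-256 IoCs, looks for the log file and scans DNS query log lines for the C2 domain and IP. The crontab and DNS lines it runs on are constructed samples, and the DNS log format (timestamp, client, query name) is an assumption.

```python
"""Host-side hunt for the Anchor_Linux indicators listed above.

Added example for this page, not Stage 2's or DXC's tooling. Assumptions:
crontab text and DNS query log lines are passed in as strings so the checks
run offline; the DNS log format (timestamp, client, query name) is invented.
"""
import hashlib
import os
import re

# IoC values from the report (defanged in the text, usable form here). The third
# hash is one hex character short as printed, so it can never match a real file.
IOC_SHA256 = {
    "55754d178d611f17efe2f17c456cb42469fd40ef999e1058f2bfe44a503d877c",
    "c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc",
    "7686a3c039b04e285ae2e83647890ea5e886e1a6631890bbf60b9e5a6ca43d0",
}
IOC_DOMAIN_SUFFIX = ".biillpi.com"   # beacons use subdomains of biillpi[.]com
IOC_IP = "23.95.97.59"
LOG_FILE = "/tmp/anchor.log"

# Anchor_Linux persists as "*/1 * * * * root [filename]" in system crontab syntax
# (five schedule fields, a user, then the command): an every-minute job as root.
EVERY_MINUTE_ROOT = re.compile(r"^\s*\*/1(\s+\*){4}\s+root\s+(?P<cmd>\S+)")


def suspicious_cron_entries(crontab_text):
    """Commands scheduled every minute as root, one per matching line."""
    hits = []
    for line in crontab_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = EVERY_MINUTE_ROOT.match(line)
        if m:
            hits.append(m.group("cmd"))
    return hits


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def network_ioc_hits(dns_lines):
    """Query log lines whose query name is under the C2 domain or that mention the C2 IP."""
    hits = []
    for line in dns_lines:
        qname = line.split()[-1].lower().rstrip(".")
        if qname.endswith(IOC_DOMAIN_SUFFIX) or IOC_IP in line:
            hits.append(line)
    return hits


def hunt(crontab_text, dns_lines, log_path=LOG_FILE):
    """Combine the checks into a list of findings; an empty list means nothing matched."""
    findings = []
    for cmd in suspicious_cron_entries(crontab_text):
        findings.append("cron: every-minute root job -> " + cmd)
        if os.path.isfile(cmd) and sha256_of(cmd) in IOC_SHA256:
            findings.append("hash: " + cmd + " matches an Anchor_Linux IoC")
    if os.path.exists(log_path):
        findings.append("file: " + log_path + " present, audit this host")
    for line in network_ioc_hits(dns_lines):
        findings.append("dns: " + line)
    return findings


# Constructed samples, not real telemetry: one normal job, one Anchor-style job.
SAMPLE_CRONTAB = """# /etc/crontab: system-wide crontab
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/1 * * * * root /tmp/.cache/anchor_l
"""
SAMPLE_DNS = [
    "2020-08-20T10:00:01Z 10.0.0.12 updates.example.org",
    "2020-08-20T10:00:02Z 10.0.0.12 6c2a.biillpi.com",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_CRONTAB, SAMPLE_DNS):
        print(finding)
```

On a live host, feed it the contents of /etc/crontab and /etc/cron.d/* plus the DNS resolver log; the YARA rule above is the better check for the binary itself, the hash match here only confirms a known sample.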


Impact

TrickBot was first detected in 2016 and has developed its capabilities extensively over the years. TrickBot can disable antivirus systems, propagate throughout a network, perform man-in-the-middle attacks and drop other malware. The latest update gives the malware a completely new attack vector targeting Linux and UNIX devices. Based on its success with Windows machines, the impact rating to organizations should be considered critical.

TrickBot has been seen in the wild dropping Ryuk and GlobeImposter ransomware. Multiple malware infections greatly complicate remediation. It has successfully disabled endpoint antivirus applications, allowing the infection to spread across the network and compromise over a hundred systems.

Note that TrickBot began as a banking trojan and is proficient at harvesting and exfiltrating data from infected systems prior to deploying ransomware, a tactic adopted by most ransomware groups in 2020.

DXC perspective

TrickBot is used by multiple threat actor groups because of its success rate and its ability to propagate throughout the environment and drop other malware. Groups using TrickBot are financially motivated, and successful intrusions will result in the exfiltration of data, so security controls should be tuned to alert on abnormal outbound traffic. It may also deliver disruptive malware such as ransomware and system-wiping malware.

The new Linux attack vector will require security teams to tune security monitoring tools to detect intrusions on Linux hosts as well as to hunt for existing, previously undetected network presence.

Sources: Stage 2 Security (https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30); Vitali Kremez (https://twitter.com/VK_Intel/status/1288541754728341505); Intezer Labs; SANS (https://www.sans.org/reading-room/whitepapers/malicious/paper/36097)

Business email compromise attacks bypass MFA

Business email compromise (BEC) campaigns are increasing in frequency, and compromise success rates are up, with reports of email accounts being taken over despite multifactor authentication (MFA) and conditional access.

MFA cannot be enforced when a user signs in with legacy email protocols that rely on basic authentication, including IMAP, SMTP, MAPI and POP. Office 365 licenses provide the ability to configure conditional access policies that block access from legacy applications. However, attackers are bypassing conditional access controls by disguising (renaming) the client application they use so that app-based policy conditions do not match. Credential stuffing campaigns have been seen in the wild using legacy applications in attempts to bypass MFA.
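To make the legacy-authentication point concrete, here is an added example (not from the report or from Microsoft) that triages sign-in records for the two patterns described: successful logons over IMAP, POP, SMTP or similar clients that never completed MFA, and one source IP failing against many accounts over those protocols. The field names (clientAppUsed, authenticationRequirement, userAgent, ipAddress, status.errorCode) follow the shape of Azure AD sign-in log exports but are an assumption about your export, and the records are constructed. The check keys on the protocol the service recorded, not on the client name in the user agent, which the attacker controls.

```python
"""Triage of sign-in records for legacy-protocol logons that sidestep MFA.

Added example, not from the DXC report or Microsoft. Field names follow the
shape of Azure AD sign-in log exports (an assumption about your export);
the records are constructed. The checks key on the protocol the service
recorded (clientAppUsed), not on the client name in the user agent.
"""
import json
from collections import defaultdict

# Client types that use basic (legacy) authentication, which cannot complete MFA.
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "SMTP", "Authenticated SMTP", "MAPI Over HTTP",
    "Exchange ActiveSync", "Exchange Web Services", "Other clients",
}
# Strings an attacker might put in the user agent to look like a modern client.
MODERN_CLIENT_HINTS = ("outlook", "office", "microsoft")


def is_legacy_auth(record):
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def succeeded(record):
    return record.get("status", {}).get("errorCode", 1) == 0


def triage(records):
    """(user, clientAppUsed, reasons) for each successful legacy-protocol sign-in."""
    findings = []
    for r in records:
        if not (succeeded(r) and is_legacy_auth(r)):
            continue
        reasons = ["legacy protocol"]
        if r.get("authenticationRequirement") != "multiFactorAuthentication":
            reasons.append("no MFA")
        ua = r.get("userAgent", "").lower()
        # A friendly product name is not evidence: the client sets its own user agent.
        if any(hint in ua for hint in MODERN_CLIENT_HINTS):
            reasons.append("user agent claims a modern client")
        findings.append((r["userPrincipalName"], r["clientAppUsed"], ", ".join(reasons)))
    return findings


def stuffing_sources(records, min_users=3):
    """Source IPs with failed legacy-protocol sign-ins against at least min_users accounts."""
    failed_users = defaultdict(set)
    for r in records:
        if is_legacy_auth(r) and not succeeded(r):
            failed_users[r.get("ipAddress", "?")].add(r["userPrincipalName"])
    return sorted(ip for ip, users in failed_users.items() if len(users) >= min_users)


# Constructed records, not real telemetry.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.20", "clientAppUsed": "Browser",
  "authenticationRequirement": "multiFactorAuthentication", "userAgent": "Mozilla/5.0", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.7", "clientAppUsed": "IMAP4",
  "authenticationRequirement": "singleFactorAuthentication", "userAgent": "Microsoft Office/16.0 (Windows NT 10.0)",
  "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.7", "clientAppUsed": "Authenticated SMTP",
  "authenticationRequirement": "singleFactorAuthentication", "userAgent": "", "status": {"errorCode": 0}},
 {"userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.9", "clientAppUsed": "POP3",
  "authenticationRequirement": "singleFactorAuthentication", "userAgent": "", "status": {"errorCode": 50126}},
 {"userPrincipalName": "erin@example.com", "ipAddress": "198.51.100.9", "clientAppUsed": "POP3",
  "authenticationRequirement": "singleFactorAuthentication", "userAgent": "", "status": {"errorCode": 50126}},
 {"userPrincipalName": "frank@example.com", "ipAddress": "198.51.100.9", "clientAppUsed": "POP3",
  "authenticationRequirement": "singleFactorAuthentication", "userAgent": "", "status": {"errorCode": 50126}}
]""")

if __name__ == "__main__":
    for finding in triage(SAMPLE_SIGNINS):
        print("legacy sign-in:", finding)
    print("credential stuffing sources:", stuffing_sources(SAMPLE_SIGNINS))
```

The durable fix is the one the text names: a conditional access policy that blocks the legacy client types outright (and disabling basic authentication on the tenant), after which these records should only ever show failures.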

iOS SDK breach surfaces

Researchers discovered malicious functionality within the iOS MintegralAdSDK (aka SourMint) distributed by Chinese company Mintegral. The malicious functionality enabled ad fraud in hundreds of iOS apps and raised major privacy concerns for consumers: it spies on users' link-click activity within the thousands of iOS apps that use the SDK, tracking requests performed by the app and reporting them back to Mintegral's servers.

Impact

The motivation behind BEC attacks is financial, and they can affect organizations at various levels:

• Credential harvesting and data exfiltration
• Financial losses from fraudulent company fund transfer requests
• GDPR fines associated with PII being exfiltrated
• Reputational damage resulting from any of the above

DXC perspective

Even the most highly trained and vigilant employee can be fooled by the variety of tactics threat actors use. Security controls such as secure email gateways (SEGs) should be used to prevent such emails from reaching users. SEGs help filter out inbound emails containing malicious files, URLs and known abusive senders. However, SEGs will not help against well-planned and well-crafted social engineering.

Intern controls should be in place to limit or completely avoid a single point of failure within all departments. Special emphasis should be placed on requiring multiple signoffs before company funds are sent externally.

Organizations should consider the following:

• Secure email gateways
• A privileged access management solution
• Endpoint protection that detects and stops abnormal behavior

Sources: Proofpoint (https://www.proofpoint.com/us/threat-reference/business-email-compromise); FBI InfraGard membership distribution

Zoom phishing campaign harvesting Office 365 credentials

Attackers are sending phishing emails to Zoom users aimed at credential harvesting. The messages contain a meeting invitation with a file to download in order to see the meeting details and start the meeting.

The email messages originated from hijacked accounts and from newly purchased look-alike domain names (zoomcommuncations.com and zoomvideoconfrence.com), with sender identification information that appears legitimate:

Instead of harvesting Zoom credentials, the main goal of the campaign is to harvest Office 365 credentials by redirecting users to a fake Microsoft Office 365 or Outlook login page. The page's HTML, JavaScript and PHP code is encoded, making it unreadable to humans and to automated security tools, so the page went undetected and evaded URL reputation checkers.

    Figure 4.

    Figure 5.
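The two look-alike domains above show the sender-side signal an email gateway can act on before any URL reputation check. The Python below is an added example, not from the report or INKY: it scores a sender's registrable domain against a short allow-list of a vendor's real domains using edit distance, and separately flags domains that merely carry the brand name, so both a one-letter typosquat and a brand-bearing but unrelated registration are flagged while the real domain and ordinary partner domains are not. The allow-list, the brand word and the addresses are constructed; the registrable-domain split (last two labels) is a simplification that a real deployment would replace with a public suffix list. It does not help with the hijacked-account case, where the sending domain is genuine.

```python
"""Look-alike sender-domain check for the Zoom phishing pattern described above.

Added example, not from the report or INKY. KNOWN_DOMAINS, BRAND_WORDS and the
sample addresses are constructed; registrable_domain() uses the last two
labels, which is an assumption that a public suffix list would replace.
"""

KNOWN_DOMAINS = {"zoom.us", "zoomgov.com"}   # the vendor's genuine sending domains
BRAND_WORDS = ("zoom",)                      # brand tokens that must not appear elsewhere
MAX_DISTANCE = 2                             # edit distance treated as a typosquat


def levenshtein(a, b):
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(address):
    """Lower-cased last two labels of the address's domain (naive eTLD+1)."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    return ".".join(domain.split(".")[-2:])


def classify_sender(address):
    """Known vendor domain, look-alike, brand abuse, or unrelated."""
    dom = registrable_domain(address)
    if dom in KNOWN_DOMAINS:
        return "known vendor domain"
    closest = min(KNOWN_DOMAINS, key=lambda known: levenshtein(dom, known))
    if levenshtein(dom, closest) <= MAX_DISTANCE:
        return "look-alike of " + closest
    if any(word in dom for word in BRAND_WORDS):
        return "brand name in unknown domain"
    return "unrelated domain"


def flagged_senders(addresses):
    """Addresses whose domain is a look-alike or carries the brand without being known."""
    return [a for a in addresses if classify_sender(a) not in ("known vendor domain", "unrelated domain")]


# Constructed addresses; the two middle ones use the domains named in the report.
SAMPLE_SENDERS = [
    "no-reply@zoom.us",
    "invite@zoomcommuncations.com",
    "meetings@zoomvideoconfrence.com",
    "alerts@zoon.us",
    "colleague@example.com",
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(sender, "->", classify_sender(sender))
```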

RDP used by Iranian actors in international Dharma ransomware attacks

Iranian actors leveraged the remote desktop protocol (RDP) as part of an international campaign to target companies with Dharma ransomware. Artifacts found by the investigating organization, Group-IB, indicated that the group attempted to distribute Dharma on affected companies' networks in Russia, Japan, China and India. The attackers used Advanced Port Scanner to map the compromised network for available hosts, then moved laterally by abusing RDP. Ransom demands ranged from 1 to 5 BTC.

Impact

The Zoom platform has seen a dramatic increase in traffic due to the increase in remote workers. A successful phish gives attackers the ability to enter organization meetings and steal proprietary information as well as credentials.

DXC perspective

No single security control is enough to stop a well-crafted attack such as this one. Key tactics include secure email gateways and timely threat intelligence combined with user education on what to expect from various virtual meeting vendors.

Source: INKY – Bukar Alibe (https://www.inky.com/blog/zoom-doom-how-inky-unraveled-a-credential-harvesting-phishing-scam)

Agent Tesla RAT adds new features

Agent Tesla is emerging as an inexpensive and easy-to-use malware aimed at stealing information. It is attractive to low-skilled threat actors, and many versions now exist based on the original code.

The malware first appeared on the agenttesla.com site, which is now closed. Varying levels of code were sold for $12 to $35:

Agent Tesla is delivered via email; attackers were observed spreading it with COVID-19-themed messages, often masquerading as information or updates from the World Health Organization.

Recent Agent Tesla upgrades include:

• More robust spreading and injection methods
• Discovery and theft of wireless network details and credentials
• Harvesting of configuration data and credentials from:
  – VPN clients
  – FTP and email clients
  – Web browsers
  – The registry and related configuration files

Figure 6.

List of targeted software

360 Browser, Apple Safari, Becky! Internet Mail, BlackHawk, Brave, CentBrowser, CFTP, Chedot, Chromium (general), Citrio, Claws Mail, Coccoc, Comodo Dragon, CoolNovo, CoreFTP, CyberFox, Elements, Epic Privacy, FileZilla, FlashFXP, Flock, Google Chrome, IceCat, IceDragon, IncrediMail, Iridium, KMeleon, Kometa, Liebao, Microsoft IE & Edge, Microsoft Outlook, Mozilla Firefox, Mozilla Thunderbird, OpenVPN, Opera, Opera Mail, Orbitum, PaleMoon, Postbox, QIP Surf, Qualcomm Eudora, SeaMonkey, Sleipnir 6, SmartFTP, Sputnik, Tencent QQBrowser, The Bat! Email, Torch, Trillian Messenger, UCBrowser, Uran, Vivaldi, WaterFox, WinSCP, Yandex

The harvested data is transmitted to the C2 via SMTP or FTP. The transfer method is hardcoded in the malware's internal configuration and includes the credentials (FTP or SMTP) for the C2. New variants can drop or retrieve secondary executables.

Samples of this malware have been seen creating hidden folders and processes in %temp%. The copy that is later registered for persistence via the Registry is staged with:

/c copy "C:/Users/admin1/Desktop/tes_10.exe" "%temp%\FolderN\name.exe" /Y

Execution

This malware gathers local system information, installs the keylogger module, and initializes routines for discovering and harvesting data. This process includes basic WMI queries. Examples include:

• start iwbemservices::execquery - select * from win32_operatingsystem
• start iwbemservices::execquery - select * from win32_processor

Figure 7.

Russia's GRU military unit behind Linux malware attacks

Russia's GRU military unit is suspected to be behind Drovorub, a Linux malware toolset consisting of an implant coupled with a kernel-module rootkit, a file transfer and port forwarding tool, and a C2 server. Identifying this malware is difficult. Packet inspection at network boundaries is useful in detecting Drovorub on networks; on hosts, probing, security products, live response, memory analysis and media (disk image) analysis are the available options.

For wireless network settings and credential discovery, the malware launches an instance of netsh.exe. The syntax used initially is:

• netsh.exe wlan show profile

Upon launch, an instance of the malware is dropped into %temp% as a hidden file in a hidden folder:

• /c copy "C:/Users/admin1/Desktop/tes_10.exe" "%temp%\FolderN\name.exe" /Y

The following command is then used to create the autorun registry value (the Load value under this key is processed at user logon, so the .lnk is started with every session):

• /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f

MITRE ATT&CK mapping:

• Modify registry (T1112)
• Subvert trust controls: Install root certificate (T1553.004)
• Hide artifacts: NTFS file attributes (T1564.004)
• Hijack execution flow: DLL search order hijacking (T1574.001)
• Process injection: Process hollowing (T1055.012)
• Data from information repositories (T1213)
• Boot or logon autostart execution: Registry run keys/startup folder (T1547.001)
• Process injection (T1055)
• Unsecured credentials: Credentials in files (T1552.001)
• System information discovery (T1082)
• Query registry (T1012)
• OS credential dumping (T1003)
• Scheduled task (T1053)
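The three steps above (netsh discovery, the hidden copy under %temp%, and the Load-value autorun) leave distinct traces in endpoint telemetry. The Python triage below is an added example, not the report's or any vendor's detection content; it runs over constructed events shaped like Sysmon Event ID 1 (process create) and Event ID 13 (registry value set) records and returns one verdict per matching event. It also flags a Run-key value that points at a script file, the pattern the loader.jse RAT in the Internet Explorer section later in this report uses for persistence. Field names follow Sysmon's; the sample events are constructed.

```python
"""Hunting Agent Tesla's discovery and persistence steps in endpoint telemetry.

Added example, not from the DXC report or any vendor. Events are constructed
JSON shaped like Sysmon Event ID 1 (process create) and Event ID 13 (registry
value set) records; field names follow Sysmon's. Also flags a Run-key value
pointing at a script file, the loader.jse pattern from the IE section below.
"""
import json
import re

# Registry locations from the report, matched case-insensitively on the value path.
LOAD_VALUE = re.compile(r"\\Windows NT\\CurrentVersion\\Windows\\Load$", re.I)
RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
SCRIPT_FILE = re.compile(r"\.(jse|js|vbs|vbe|wsf)\b", re.I)
TEMP_DIR = re.compile(r"(%temp%|\\AppData\\Local\\Temp)\\", re.I)

V_NETSH = "wireless profile discovery: netsh wlan show profile"
V_STAGE = "hidden copy staged under %temp% (T1564.004)"
V_LOAD = "autorun via Windows\\Load value (T1547.001)"
V_RUN_SCRIPT = "Run key pointing at a script loader (T1547.001)"


def classify(event):
    """Return a verdict string for a suspicious event, or None."""
    if event.get("EventID") == 1:
        image = event.get("Image", "").lower()
        cmd = event.get("CommandLine", "")
        if image.endswith("\\netsh.exe") and re.search(r"wlan\s+show\s+profile", cmd, re.I):
            return V_NETSH
        if image.endswith("\\cmd.exe") and re.search(r"\bcopy\b", cmd, re.I) and TEMP_DIR.search(cmd):
            return V_STAGE
        if image.endswith("\\reg.exe") and re.search(r'\\Windows"?\s+/v\s+Load\b', cmd, re.I):
            return V_LOAD
    elif event.get("EventID") == 13:
        target = event.get("TargetObject", "")
        details = event.get("Details", "")
        if LOAD_VALUE.search(target):
            return V_LOAD
        if RUN_VALUE.search(target) and SCRIPT_FILE.search(details):
            return V_RUN_SCRIPT
    return None


def triage(events):
    """(UtcTime, Image, verdict) for every event that matches a rule."""
    out = []
    for e in events:
        verdict = classify(e)
        if verdict:
            out.append((e.get("UtcTime", ""), e.get("Image", ""), verdict))
    return out


# Constructed events, not real telemetry. Backslashes are doubled for JSON.
SAMPLE_EVENTS = json.loads(r"""[
 {"EventID": 1, "UtcTime": "2020-08-20 09:12:01", "Image": "C:\\Windows\\System32\\netsh.exe",
  "CommandLine": "netsh.exe wlan show profile"},
 {"EventID": 1, "UtcTime": "2020-08-20 09:12:03", "Image": "C:\\Windows\\System32\\cmd.exe",
  "CommandLine": "cmd /c copy \"C:/Users/admin1/Desktop/tes_10.exe\" \"%temp%\\FolderN\\name.exe\" /Y"},
 {"EventID": 13, "UtcTime": "2020-08-20 09:12:04", "Image": "C:\\Windows\\System32\\reg.exe",
  "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
  "Details": "%temp%\\FolderN\\name.exe.lnk"},
 {"EventID": 13, "UtcTime": "2020-08-20 09:40:10", "Image": "C:\\Windows\\System32\\wscript.exe",
  "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\loaderName",
  "Details": "C:\\Users\\admin1\\AppData\\Roaming\\loader.jse"},
 {"EventID": 1, "UtcTime": "2020-08-20 09:41:00", "Image": "C:\\Windows\\explorer.exe",
  "CommandLine": "C:\\Windows\\Explorer.EXE"},
 {"EventID": 13, "UtcTime": "2020-08-20 09:41:30", "Image": "C:\\Users\\admin1\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
  "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
  "Details": "C:\\Users\\admin1\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"}
]""")

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The Load value is rarely written by legitimate software, so that rule can alert on its own; the %temp% copy and Run-key rules will need tuning against installers in your environment, which is why each verdict is returned separately rather than as one score.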

Impact

Agent Tesla was first seen in the wild in 2014. It is a .NET-based keylogger and remote access trojan (RAT) that beacons data back to a C2 server. Recent developments have increased its capabilities extensively. Current versions have improved persistence and the ability to harvest data from more services.

DXC perspective

Agent Tesla is easily accessible and is used by many threat actor groups due to its success rate and ability to exfiltrate data without notice. Groups using Agent Tesla are both financially and espionage motivated, which means successful intrusions will result in the exfiltration of data. Expect to see more malspam campaigns that attempt to distribute Agent Tesla. Cyber defense security controls should be tuned to alert on abnormal outbound traffic, including SMTP and FTP sessions from endpoints to unfamiliar destinations.

Sources: Malpedia (https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla); Check Point (https://blog.checkpoint.com/2020/05/11/april-2020s-most-wanted-malware-agent-tesla-remote-access-trojan-spreading-widely-in-covid-19-related-spam-campaigns/); Bleeping Computer (https://www.bleepingcomputer.com/news/security/upgraded-agent-tesla-malware-steals-passwords-from-browsers-vpns/)

Vulnerability Updates

Internet Explorer scripting malware emerges

Recent script-based malware samples delivered through the Internet Explorer (IE) browser are exploiting Windows users. Observed in the wild over the past 2 months, two distinct samples have been obtained from compromised machines:

Sample 1:

• JScript remote access trojan (RAT)
• Persistence mechanism enabled
• Uses an encoded network connection to connect to the attacker
• Attackers execute arbitrary commands on the target machine

Sample 2:

• AutoIT downloader
• Uses a network connection and script functions to download and execute malware
• Capable of loading a variety of malware types

Based on the c.js JScript RAT downloaded from the assurancetemporaireenligne.com domain on April 18, the PowerShell command used to exploit the CVE-2019-0752 vulnerability is:

Persistence mechanism

The c.js script creates and sets a new value under the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This value, named loaderName, is set to the path of a loader.jse file.

Figure 8.

The Run key causes programs to run each time a user logs on, so the loader.jse script, which has not been created yet at this point, will run automatically at every logon. For the next step of the persistence process, c.js creates the actual loader.jse file. The following image shows the loader.jse script being created in the AppData folder, which is hidden by default on Windows:

When loader.jse runs, it opens the registry key HKCU\Software\loaderName and runs the code contained in its data value.

The packed code stored in the loaderName key contains the function(p,a,c,k,e,d) pattern, which indicates the Dean Edwards packer was used to obfuscate it. This packer is outdated now but was commonly used in the past by benign scripts and is therefore whitelisted by many kinds of detection technologies.
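Because the loaderName payload is only packed, not encrypted, an analyst can recover the script without running it. The Python below is an added example, not code from the incident or from Dean Edwards' packer: pack() is a toy packer included so the example can build its own sample, and unpack() implements the public p,a,c,k,e,d decoding (base-62 tokens drawn from 0-9a-zA-Z, a keyword table split on '|'). The decoder stub string and the sample JScript are constructed for this example.

```python
"""Unpacker for the Dean Edwards "p,a,c,k,e,d" format used by the loader.jse RAT.

Added example, not from the DXC report or the malware. pack() is a toy packer
so the example can build its own sample; STUB and unpack() follow the public
packer algorithm (base-62 tokens 0-9a-zA-Z, keyword table split on '|').
The sample script is constructed.
"""
import re
import string

ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase
TOKEN = re.compile(r"\w+")
# Decoder stub in the form the packer emits; unpack() only needs the trailing call.
STUB = (r"function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))"
        r"+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};"
        r"while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}")


def encode_index(c, base=62):
    """Port of the packer's e(c): token index -> shortest base-`base` word."""
    prefix = encode_index(c // base, base) if c >= base else ""
    return prefix + ALPHABET[c % base]


def decode_index(word, base=62):
    """Inverse of encode_index; None unless `word` is exactly some e(n)."""
    digits = ALPHABET[:base]
    if not word or any(ch not in digits for ch in word):
        return None
    n = 0
    for ch in word:
        n = n * base + digits.index(ch)
    return n if encode_index(n, base) == word else None


def _js_quote(s):
    return s.replace("\\", "\\\\").replace("'", "\\'")


def pack(script, base=62):
    """Toy packer: replace every \\w+ token with its index word, emit the eval() wrapper."""
    words = list(dict.fromkeys(TOKEN.findall(script)))  # unique, first-seen order
    count = len(words)
    slots = [None] * count
    # Words that already look like a short token keep their own index ("protected"),
    # so the decoder's descending replace loop cannot clobber them.
    for w in words:
        n = decode_index(w, base)
        if n is not None and n < count:
            slots[n] = w
    free = (i for i in range(count) if slots[i] is None)
    for w in words:
        n = decode_index(w, base)
        if n is None or n >= count:
            slots[next(free)] = w
    index_of = {w: i for i, w in enumerate(slots)}
    keywords = ["" if decode_index(w, base) == i else w for i, w in enumerate(slots)]
    payload = TOKEN.sub(lambda m: encode_index(index_of[m.group()], base), script)
    return "eval(%s('%s',%d,%d,'%s'.split('|'),0,{}))" % (
        STUB, _js_quote(payload), base, count, _js_quote("|".join(keywords)))


CALL = re.compile(r"\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)", re.S)


def unpack(blob):
    """Recover the original script from text containing a p,a,c,k,e,d call."""
    m = CALL.search(blob)
    if not m:
        raise ValueError("no p,a,c,k,e,d call found")
    unquote = lambda s: re.sub(r"\\(.)", r"\1", s, flags=re.S)
    payload, base, count = unquote(m.group(1)), int(m.group(2)), int(m.group(3))
    keywords = unquote(m.group(4)).split("|")
    if len(keywords) != count:
        raise ValueError("keyword count %d != c=%d" % (len(keywords), count))
    # One pass with a lookup table is equivalent to the stub's descending replace loop.
    table = {encode_index(i, base): kw for i, kw in enumerate(keywords) if kw}
    return TOKEN.sub(lambda t: table.get(t.group(), t.group()), payload)


# Constructed sample: the kind of JScript a loader runs, not code from the incident.
SAMPLE = 'var sh = new ActiveXObject("WScript.Shell");\nsh.Run("cmd /c whoami", 0, true);'

if __name__ == "__main__":
    packed = pack(SAMPLE)
    print(packed)
    print(unpack(packed))
```

Point unpack() at the data read from HKCU\Software\loaderName (or at a .jse file) and grep the result for the command, download and shutdown handlers listed below; the packed form hides those strings from signature matching, the unpacked form does not.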

The attacker can perform the following tasks on the target system:

• Execute commands
• Download files
• Reboot the Windows OS
• Terminate processes
• Shut down the Windows OS

Figure 10.

Figure 9.

AutoIT downloader

This is the 2.exe file downloaded from the dark.crypterfile.com domain using the same vulnerability, CVE-2019-0752:

The AutoIT code retrieves the system information, which is stored in the $asysinfo array. It then checks the sixth element of this array, which corresponds to the number of logical processors. If the number of logical processors is greater than or equal to four (a common sandbox-evasion heuristic, since analysis VMs are often given fewer), the malicious files are downloaded. Using the InetGet and Run AutoIT functions, the script downloads and executes multiple files on the target system.

The last file downloaded is stored in the current user's Startup folder, so it executes each time the user logs in to Windows.

Impact per Microsoft

CVE-2020-1380 has received a CVSS score of 7.5 according to Microsoft. A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system and then install programs; view, change or delete data; or create new accounts with full user rights.

DXC perspective

Patching vulnerabilities of this nature needs to be a high priority for all organizations. An attack chain with multiple facets, including a remote access trojan, a downloader and an effective persistence mechanism, has the potential to cause extensive damage within an IT environment. Patching or other mitigation techniques, although difficult at times, are the best option.

According to Microsoft, in a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, including those that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

Figure 11. Command used to download and launch the AutoIT downloader sample.

Figure 12.

Sources: Microsoft (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1380); MITRE (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1380); Trend Micro (https://blog.trendmicro.com/trendlabs-security-intelligence/august-patch-tuesday-fixes-critical-ie-important-windows-vulnerabilities-exploited-in-the-wild/)

Incidents/breaches

Carnival Corporation suffers ransomware attack

Carnival disclosed a ransomware attack that impacted one of its subsidiaries. Carnival has not disclosed which division was the target of the attack or whether other divisions were subsequently affected.

Carnival's brands include Princess Cruises, Holland America Line, P&O Cruises, Costa Cruises, AIDA Cruises and Cunard.

The attack appears to have exfiltrated customer and employee data. In a Form 8-K regulatory filing, Carnival said its investigation so far shows no other systems were impacted.

"While the investigation of the incident is ongoing, the company has implemented a series of containment and remediation measures to address this situation and reinforce the security of its information technology systems," Carnival stated.

Prevailion, which tracks C2 activity across the internet, observed suspicious activity to and from Carnival's network between February and early June of this year. During that period, an IP address belonging to Carnival was observed regularly communicating with malicious C2 servers outside the company, with the highest levels of communication between April 11 and June 5. Prevailion tracked over 46,000 attempted connections from the Carnival IP address to the C2 servers and identified the activity as associated with Ramnit malware, which most recently has been used for credential theft.

The above C2 activity cannot be definitively linked to the August 2020 ransomware attack, but it should be noted that ransomware groups have changed their tactics from encrypting data upon entry to maintaining a stealthy presence within the compromised environment. The goal is to exfiltrate sensitive and proprietary data and use it as leverage to obtain the requested ransom.

Investment scam sites shut down

The National Cyber Security Centre (NCSC) has shut down more than 300,000 URLs found to be linked to investment scams in a four-month period. Many of these ruses began with fake news articles that promoted investment advice from celebrities. As is most common with phishing, the news articles sought to trick readers into visiting hoax websites claiming to offer methods to help the user "get rich quick."

Source: Tripwire (https://www.tripwire.com/state-of-security/security-data-protection/ncsc-shut-down-300k-urls-linked-to-investment-scams-4-months/)

Impact

Details regarding this attack, the second successful breach this year at Carnival, are limited. Carnival did initiate an internal investigation that included notifying law enforcement and engaging an external security firm.

Reports note that Carnival's internal security team and controls were able to prevent the entire network from being compromised. The ransomware encryption process was halted, but the impact on customer and employee data is not known, nor has the attack vector been disclosed. Carnival has indicated that it expects to see claims arising from customers' data being exposed.

DXC perspective

Ransomware attacks are on the rise and will continue given how lucrative such attacks are. Financially motivated threat actors have no reason to stop attacks that have such a high success rate.

Preparation and planning are key components of stopping ransomware attacks. It is highly recommended that all organizations obtain a copy of the U.S. Secret Service's "Preparing for a Cyber Incident – A Guide to Ransomware." The document contains valuable information that can be useful in combatting all types of malware attacks.

Another factor to consider is that this was the second successful attack at Carnival in a matter of months. It is not uncommon for threat actors to initiate secondary attacks to test whether the environment is still vulnerable.

Sources: Prevailion (https://www.prevailion.com/carnival-cruise-lines-long-running-breach-problem/); Security Affairs (https://securityaffairs.co/wordpress/107263/cyber-crime/carnival-corporation-ransomware-attack.html)

Nation State and Geopolitical

U.S. Justice Department seizes cryptocurrency accounts of three suspected terrorist groups

The U.S. Justice Department announced it has seized a record $2 million in cryptocurrency intended to finance the activities of al-Qaida, the al-Qassam Brigades and the Islamic State.

U.S. authorities obtained warrants to seize the money and to dismantle 300 cryptocurrency accounts. Warrants also took down four websites and four Facebook pages the three terror groups used as part of their cyber campaigns to generate funds.

Other news

• Utah Gun Exchange breached - Security Boulevard (https://securityboulevard.com/2020/08/utah-gun-exchange-confirms-data-breach-after-bad-actors-publishes-stolen-customer-records-online/)
• Canada Revenue Agency discloses credential stuffing attack - Security Boulevard (https://securityboulevard.com/2020/08/canada-revenue-agency-discloses-credential-stuffing-attack-on-5500-service-accounts/)
• Nine leaky GitHub repos affecting 200K U.S. residents - Security Boulevard (https://securityboulevard.com/2020/08/researcher-discloses-9-leaky-github-repos-affecting-200k-u-s-residents-and-possibly-many-more/)

Impact

Federal prosecutors said the three campaigns relied on sophisticated cyber tools to generate cryptocurrency donations to finance their operations.

Officials also noted that donations were not anonymous. Agents with the Internal Revenue Service, Homeland Security Investigations and the FBI tracked and seized 150 cryptocurrency accounts that laundered funds for the terrorist groups. Agents also executed criminal search warrants for the people and organizations that donated money from within the United States.

DXC perspective

The Department of Homeland Security has an ongoing campaign called "If You See Something, Say Something." As information technology and cybersecurity professionals, we are in a unique position to come across intelligence that may be valuable in preventing a terrorist attack. Share the intel.

Sources: United States Department of Justice (https://www.justice.gov/opa/pr/global-disruption-three-terror-finance-cyber-enabled-campaigns); Department of Homeland Security – membership distribution

Learn more

Thank you for reading the Security Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security.

DXC in Security

Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,000 experts and a global network of security operations centers. DXC provides solutions tailored to our clients' diverse security needs, with areas of specialization in Cyber Defense, Digital Identity, Secured Infrastructure and Data Protection. Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.

Stay current on the latest threats at www.dxc.technology/threats.

Get the insights that matter: www.dxc.technology/optin

About DXC Technology

DXC Technology (NYSE: DXC) helps global companies run their mission critical systems and operations while modernizing IT, optimizing data architectures, and ensuring security and scalability across public, private and hybrid clouds. With decades of driving innovation, the world's largest companies trust DXC to deploy our enterprise technology stack to deliver new levels of performance, competitiveness and customer experiences. Learn more about the DXC story and our focus on people, customers and operational execution at www.dxc.technology.

©2020 DXC Technology Company. All rights reserved. September 2020