Security Threat Intelligence Report
September 2020
In this issue
Trickbot malware targets Linux
Internet Explorer script-based malware emerges
Business email compromise attacks bypass MFA
Zoom phishing campaign harvesting Office 365 credentials
Agent Tesla RAT adds new features
Message from Mark Hughes
The shift to remote work has seen a considerable uptick in targeting remote access solutions. A new Zoom phishing campaign is harvesting Office 365 credentials while new business email compromise attacks can bypass multifactor authentication. We must
ensure identity and access management are tight, and cyber hygiene is an ongoing focus. We also must continue to educate teams to keep a diligent eye on ongoing phishing schemes and malware.
Mark Hughes Senior Vice President and General Manager of Security DXC Technology
About this report
Fusing a range of public and proprietary information feeds, including DXC’s global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness.
This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.
Intelligence cutoff date: August 24, 2020
Table of contents
Threat Updates
TrickBot’s Anchor malware platform targets Linux devices (Multi-industry) 3
Business email compromise attacks bypass MFA (Multi-industry) 6
Zoom phishing campaign harvesting O365 credentials (Multi-industry) 7
Agent Tesla RAT adds new features (Multi-industry) 9
Vulnerability Updates
Internet Explorer scripting malware emerges (Multi-industry) 12
Incidents/breaches
Carnival Corporation suffers ransomware attack (Travel Industry) 15
Nation State and Geopolitical
U.S. Justice Department seizes cryptocurrency accounts of 3 suspected terrorist groups (Multi-industry) 16
https://www.dxc.technology/security/insights/146282-dxc_labs_security
Threat Updates
TrickBot’s Anchor malware platform targets Linux devices
Discovered by Stage 2 researcher Waylon Grange, TrickBot’s Anchor malware is still in the early stages of development. Intel is limited at this time. Updates will be reported as they become available.
TrickBot is a multipurpose Windows malware platform that uses different modules
to perform various malicious activities, including information stealing, password
stealing, Windows domain infiltration and malware delivery.
TrickBot is rented by threat actors who use it to infiltrate a network and harvest
anything of value. It is then used to deploy ransomware such as Ryuk and Conti to
encrypt the network’s devices as a final attack.
Anchor_Linux will configure itself to run every minute using the following crontab entry:
*/1 * * * * root [filename]
Attack Vector
According to Stage 2, this malware is often delivered as part of a ZIP file and is a lightweight Linux backdoor. Upon execution it installs itself as a cron job, determines the public IP for the host and then begins to beacon via DNS queries to its C2 server.
Dropper functionality includes:
• The ability to drop other malware on Linux devices and execute it
• An embedded Windows TrickBot executable
• A Linux embedded binary that serves as new lightweight TrickBot malware
• Code connections to older TrickBot tools
This malware can be used to infect Windows machines on the same network. This is the Windows infection process:
• Anchor_Linux will copy the embedded TrickBot malware to Windows hosts on the same network using SMB and the IPC$ share
• When successfully copied to a Windows device, Anchor_Linux will configure it as a Windows service using:
– The Service Control Manager Remote protocol
– SMB SVCCTL named pipe
Figure 1. Setting up persistence via CRON
Source: Vitali Kremez
Upon startup, the Windows machine will connect to the C2 for instructions.
Linux version
The Linux version allows threat actors to target non-Windows environments with a backdoor. If successful, attackers can pivot to Windows devices on the same network. It uses an attack vector outside of email phishing for Windows infection. The Linux backdoor has a persistence mechanism as seen in the cron job. It functions in the UNIX environment and targets devices in the UNIX environment, including:
• Routers
• VPN devices
• NAS devices running on Linux operating systems
IoT devices also require security controls and monitoring to detect Anchor_Linux.
Figure 2. Copying a file via SMB
Source: Waylon Grange
Figure 3. TrickBot’s Anchor framework
Source: SentinelOne
ATM makers address illegal cash withdrawals
ATM manufacturers Diebold Nixdorf and NCR have fixed a number of software vulnerabilities that have allowed attackers to execute arbitrary code with or without system privileges. Hackers made illegal cash withdrawals by committing deposit forgery and manipulating underlying systems by issuing valid commands to dispense currency.
Hunting
Anchor_Linux will create a log file at: /tmp/anchor.log
There is a high probability that the name of the log file will change as the malware development progresses. If this file exists, a complete audit of the system for the presence of the Anchor_Linux malware should be conducted. It is expected that TrickBot will continue its development to make it a full-featured addition to its Anchor framework.
IoCs – Courtesy of Stage 2 Security
Hashes:
55754d178d611f17efe2f17c456cb42469fd40ef999e1058f2bfe44a503d877c
C721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
7686a3c039b04e285ae2e83647890ea5e886e1a6631890bbf60b9e5a6ca43d0
Domains:
*.biillpi[.]com
IPs:
23.95.97[.]59
Yara:
rule anchor_linux_dns
{
    meta:
        author = "Stage 2 Security"
        description = "Trickbot anchor_linux"
    strings:
        $hdr = {7f 45 4c 46}
        $x1 = {80 74 0? ?? b9}
        $x2 = "anchor_l"
        $x3 = "getaddrinfo"
        $x4 = "IPC$"
        $x5 = {48 ?? 2f 74 6d 70 2f 00 00 00}
        $x6 = "test my ip"
        $x7 = {73 6d 62 32 5f [4-7] 5f 61 73 79 6e 63 20}
        $x8 = "Kernel32.dll"
        $x9 = "libcurl"
        $x10 = "/1001/"
    condition:
        $hdr at 0 and 7 of ($x*)
}
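To show what the rule above actually accepts, here is an added example (not code from the report or from Stage 2 Security) that translates its hex strings, with the nibble wildcards 0? and ?? and the byte jump [4-7], into byte regexes and evaluates the condition "$hdr at 0 and 7 of ($x*)" against a constructed buffer; the sample bytes are made up for the demonstration and are not a real binary.

```python
"""Apply the logic of the anchor_linux_dns YARA rule in pure Python.

Added example, not code from the report or from Stage 2 Security. Hex strings
are converted to byte regexes ('0?'/'?0' = one known nibble, '??' = any byte,
'[n-m]' = any run of n to m bytes) and the rule condition is evaluated over
an in-memory buffer, so the effect of each wildcard is visible without YARA.
"""
import re

HDR = "{7f 45 4c 46}"  # ELF magic; the rule requires it at offset 0
X_STRINGS = {  # copied from the rule in the report
    "x1": "{80 74 0? ?? b9}",
    "x2": "anchor_l",
    "x3": "getaddrinfo",
    "x4": "IPC$",
    "x5": "{48 ?? 2f 74 6d 70 2f 00 00 00}",
    "x6": "test my ip",
    "x7": "{73 6d 62 32 5f [4-7] 5f 61 73 79 6e 63 20}",
    "x8": "Kernel32.dll",
    "x9": "libcurl",
    "x10": "/1001/",
}


def hex_pattern_to_regex(pattern: str) -> bytes:
    """Translate a YARA hex string such as '{48 ?? 2f [4-7] 00}' to a bytes regex.

    Compile the result with re.DOTALL so '.' also matches a 0x0a byte.
    """
    parts = []
    for tok in pattern.strip("{}").lower().split():
        jump = re.fullmatch(r"\[(\d+)-(\d+)\]", tok)
        if jump:
            lo, hi = jump.groups()
            parts.append(f".{{{lo},{hi}}}".encode())
        elif tok == "??":
            parts.append(b".")
        elif "?" in tok:
            # one nibble fixed: enumerate the 16 byte values it can take
            cands = [b for b in range(256)
                     if all(t == "?" or t == h for t, h in zip(tok, f"{b:02x}"))]
            parts.append(b"[" + b"".join(re.escape(bytes([c])) for c in cands) + b"]")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return b"".join(parts)


def compile_yara_string(s: str) -> re.Pattern:
    """Hex strings become wildcard regexes; text strings are matched literally."""
    if s.startswith("{"):
        return re.compile(hex_pattern_to_regex(s), re.DOTALL)
    return re.compile(re.escape(s.encode()))


def evaluate_rule(buf: bytes) -> dict:
    """Return per-string matches and the verdict for '$hdr at 0 and 7 of ($x*)'."""
    hdr_at_0 = compile_yara_string(HDR).match(buf) is not None  # match() anchors at offset 0
    matched = [name for name, s in X_STRINGS.items() if compile_yara_string(s).search(buf)]
    return {"hdr_at_0": hdr_at_0, "matched": matched, "hit": hdr_at_0 and len(matched) >= 7}


# Constructed sample (not a real binary): ELF magic plus fragments that satisfy
# eight of the ten $x strings; $x8 (Kernel32.dll) and $x10 (/1001/) are absent.
SAMPLE = (
    b"\x7fELF" + b"\x00" * 12
    + b"\x80\x74\x08\x11\xb9"                 # $x1: '0?' -> 0x08, '??' -> 0x11
    + b"anchor_l\x00getaddrinfo\x00IPC$\x00"  # $x2, $x3, $x4
    + b"\x48\x8d/tmp/\x00\x00\x00"            # $x5: 48 ?? 2f 74 6d 70 2f 00 00 00
    + b"test my ip\x00"                       # $x6
    + b"smb2_read_async "                     # $x7: 'smb2_' + 4 bytes + '_async '
    + b"libcurl\x00"                          # $x9
)

if __name__ == "__main__":
    print(evaluate_rule(SAMPLE))                  # hit: True (8 of 10 strings)
    print(evaluate_rule(b"MZ" + SAMPLE[2:]))      # same strings, not an ELF: no hit
```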
Impact
Trickbot was first detected in 2016 and has developed its capabilities extensively over
the years. Trickbot can disable antivirus systems, propagate throughout a network,
perform man-in-the-middle attacks and drop other malware. The latest Trickbot
update means the malware has a completely new attack vector targeting Linux and
Unix devices. Based on its success with Windows machines, the impact rating to
organizations should be considered critical.
TrickBot has been seen in the wild dropping Ryuk and GlobeImposter ransomware.
Multiple malware infections greatly complicate the remediation process. It has
successfully disabled endpoint antivirus applications, allowing the infection to spread
across the network, compromising over a hundred systems.
Note that Trickbot began as a banking trojan and is proficient at harvesting and
exfiltrating data from infected systems prior to deploying ransomware, which is a
tactic adopted by most ransomware groups in 2020.
DXC perspective
Trickbot is used by multiple threat actor groups due to its success rate and its
ability to propagate throughout the environment and drop other malware. Groups
using Trickbot are financially motivated, and successful intrusions will result in the
exfiltration of data. Security controls should be tuned to alert on abnormal outbound
traffic. It may also deliver disruptive malware such as ransomware and system-wiping
malware.
The recent addition of this new Trickbot attack vector will require security teams to
tune security monitoring tools to detect intrusions as well as hunt for existing
network presence of previous non-detected intrusions.
Sources: Stage 2 Security, Intezer Labs, SANS
Business email compromise attacks bypass MFA
Business email compromise (BEC) campaigns are increasing in frequency, and compromise success rates are up, with reports of email accounts being taken over despite multifactor authentication (MFA) and conditional access.
It is not possible to enforce MFA when a user signs into an account using legacy
email protocols, including IMAP, SMTP, MAPI and POP. Office 365 licenses provide
the ability to configure conditional access policies, which block access from legacy
applications. However, attackers are bypassing conditional access controls by
obscuring (renaming) the app being used. Credential stuffing campaigns have been
seen in the wild using legacy applications in attempts to bypass MFA.
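The sign-in review that follows is an added example, not from the report, Proofpoint or FBI InfraGard. Its records are constructed and loosely modelled on Azure AD sign-in log fields (clientAppUsed, authenticationRequirement, the status error code); the legacy-app names, thresholds and error code 50126 are assumptions to adjust for your own export.

```python
"""Review sign-in records for legacy-protocol logins that sidestep MFA.

Added example, not from the report. It flags (1) successful legacy-protocol
sign-ins, where MFA cannot be enforced, (2) successful single-factor sign-ins
from any client, which is what a renamed app still looks like once a
conditional access policy has been talked around, and (3) per-user bursts of
failed legacy sign-ins from many source IPs, the shape of credential stuffing.
Field names follow Azure AD sign-in logs but are an assumption for your tenant.
"""
from collections import defaultdict

# Legacy protocols named in the report plus "Other clients", the bucket used for
# older clients that do not identify themselves (assumed naming).
LEGACY_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "MAPI Over HTTP", "Other clients"}
STUFFING_MIN_FAILURES = 5   # thresholds are assumptions; tune to your sign-in volume
STUFFING_MIN_SOURCES = 3

# Constructed sample records (not real sign-in data).
SIGNINS = [
    {"user": "a.lee@example.com", "ip": "203.0.113.10", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication", "errorCode": 0},
    {"user": "a.lee@example.com", "ip": "198.51.100.7", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication", "errorCode": 0},
    {"user": "b.chen@example.com", "ip": "198.51.100.9",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "singleFactorAuthentication", "errorCode": 0},
    # six failed POP3 attempts against one account from six addresses
    *[{"user": "c.diaz@example.com", "ip": f"192.0.2.{n}", "clientAppUsed": "POP3",
       "authenticationRequirement": "singleFactorAuthentication", "errorCode": 50126}
      for n in range(1, 7)],
]


def review_signins(records: list) -> list:
    """Return (user, finding) tuples; an empty list means nothing needs follow-up."""
    findings = []
    failed_legacy = defaultdict(list)   # user -> source IPs of failed legacy sign-ins
    for r in records:
        legacy = r["clientAppUsed"] in LEGACY_APPS
        success = r["errorCode"] == 0
        if success and legacy:
            findings.append((r["user"],
                             f"successful {r['clientAppUsed']} sign-in: MFA not enforceable"))
        elif success and r["authenticationRequirement"] == "singleFactorAuthentication":
            findings.append((r["user"],
                             f"single-factor success via {r['clientAppUsed']}: "
                             "check conditional access coverage"))
        elif legacy and not success:
            failed_legacy[r["user"]].append(r["ip"])
    for user, ips in failed_legacy.items():
        if len(ips) >= STUFFING_MIN_FAILURES and len(set(ips)) >= STUFFING_MIN_SOURCES:
            findings.append((user, f"{len(ips)} failed legacy sign-ins from "
                                   f"{len(set(ips))} IPs: credential stuffing pattern"))
    return findings


if __name__ == "__main__":
    for user, finding in review_signins(SIGNINS):
        print(f"{user}: {finding}")
```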
iOS SDK breach surfaces
Researchers discovered malicious functionality within the iOS MintegralAdSDK (aka SourMint) distributed by Chinese company Mintegral. The malicious functionality enabled ad fraud on hundreds of iOS apps and brought major privacy concerns to consumers. It allows spying on user link click activity within thousands of iOS apps that use the SDK, tracking requests performed by the app and reporting it back to Mintegral’s servers.
https://www.dxc.technology/security/offerings/140115/140189-secured_infrastructure
https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30
https://twitter.com/VK_Intel/status/1288541754728341505
https://www.sans.org/reading-room/whitepapers/malicious/paper/36097
Impact
The motivation behind BEC attacks is financial and can impact organizations at various levels:
• Credential harvesting and data exfiltration
• Financial losses from company fund transfer requests
• GDPR fines associated with PII data being exfiltrated
• Reputational damage resulting from any of the above
DXC perspective
Even the most highly trained and vigilant employee will get fooled by the variety of tactics that threat actors use. Security controls such as secure email gateways (SEGs) should be used to prevent such emails from reaching the legitimate users.
SEGs are helpful in filtering out inbound emails containing malicious files, URLs and
known abusive senders. However, SEGs will not help with well-planned and -crafted
social engineering tactics.
Internal controls should be in place to limit or completely avoid a single point of
failure within all departments. Special emphasis should be placed on requiring
multiple signoffs on sending company funds externally.
Organizations should consider the following:
• Secure email gateways
• A privileged access management solution
• Endpoint protection that detects and stops abnormal behavior
Sources: Proofpoint, FBI InfraGard: Membership Distribution
Zoom phishing campaign harvesting Office 365 credentials
Attackers are sending phishing emails to Zoom users aimed at credential harvesting. The messages contain a meeting invitation that includes a file to download to access details about a meeting invitation and start the meeting.
The email messages originated from hijacked accounts and newly purchased domain
names (zoomcommuncations.com and zoomvideoconfrence.com), with identification
information appearing to be legitimate:
https://www.dxc.technology/security/offerings/144342/144344-privileged_account_management
https://www.dxc.technology/security/offerings/144345/144350-managed_endpoint_protection
https://www.proofpoint.com/us/threat-reference/business-email-compromise
Instead of harvesting Zoom credentials, the main goal of the campaign is to harvest
Office 365 credentials by redirecting users to a Microsoft Office 365 or Outlook
login page. HTML, JavaScript and PHP code is encoded on the page and unreadable
to humans and automated security tools. It remains undetectable and evades URL
reputation checkers.
Figure 4.
Figure 5.
RDP used by Iranian actors in international Dharma ransomware attacks
Iranian actors leveraged the remote desktop protocol (RDP) as part of an international campaign to target companies with Dharma ransomware. Artifacts found by the investigating organization, Group-IB, indicated that the group attempted to distribute Dharma on an affected company’s networks in Russia, Japan, China and India. The attackers used Advanced Port Scanner to map the compromised network for available hosts, moving laterally by abusing RDP. Ransomware demands ranged from 1 to 5 BTC.
Impact
The Zoom platform has seen a dramatic increase in traffic due to the increase in remote workers. This exploit gives attackers the ability to enter organization meetings and steal proprietary information as well as credentials.
DXC perspective
No single security control is enough to stop a well-crafted attack such as this one. Key tactics include secure email gateways and timely threat intelligence combined with user education on what to expect from various virtual meeting vendors.
Source: INKY – Bukar Alibe
Agent Tesla RAT adds new features
Agent Tesla is emerging as an inexpensive and easy-to-use malware aimed at stealing information. It is attractive to low-skilled threat actors, and many versions now exist based on the original code.
The malware first appeared on the agenttesla.com site, which is now closed. Varying
levels of code were sold for $12 to $35:
Agent Tesla is delivered via email, and those attacked were observed spreading it via
COVID-19-themed messages, often masquerading as information or updates from
the World Health Organization.
Recent Agent Tesla upgrades include:
• More robust spreading and injection methods
• Discovery and theft of wireless network details and credentials
• Harvest configuration data and credentials from:
– VPN clients
– FTP and email clients
– Web browsers
– Extract credentials from the registry and related configuration files
Figure 6.
https://www.inky.com/blog/zoom-doom-how-inky-unraveled-a-credential-harvesting-phishing-scam
List of targeted software
360 Browser, Apple Safari, Becky! Internet, BlackHawk, Brave, CentBrowser, CFTP, Chedot, Chromium (general), Citrio, Claws Mail, Coccoc, Comodo Dragon, CoolNovo, CoreFTP, CyberFox, Elements, Epic Privacy, FileZilla, FlashFXP, Flock, Google Chrome, IceCat, IceDragon, IncrediMail, Iridium, KMeleon, Kometa, Liebao, Microsoft IE & Edge, Microsoft Outlook, Mozilla Firefox, Mozilla Thunderbird, OpenVPN, Opera, Opera Mail, Orbitum, PaleMoon, Postbox, QIP Surf, Qualcomm Eudora, SeaMonkey, Sleipnir 6, SmartFTP, Sputnik, Tencent QQBrowser, The Bat! Email, Torch, Trillian Messenger, UCBrowser, Uran, Vivaldi, WaterFox, WinSCP, Yandex
The harvested data is transmitted to the C2 via SMTP or FTP. The transfer method is
hardcoded in the malware’s internal configuration and includes credentials (FTP or
SMTP) for the C2. New variants can drop or retrieve secondary executables.
Samples of this malware have been seen creating hidden folders and processes in
%temp%. The persistent process is set up via the Registry, starting with this copy into the hidden folder:
/c copy "C:/Users/admin1/Desktop/tes_10.exe" "%temp%\FolderN\name.exe" /Y
Execution
This malware gathers local system information, installs the keylogger module, and initializes routines for discovering and harvesting data. This process includes basic WMI queries. Examples include:
• start iwbemservices::execquery - select * from win32_operatingsystem
• start iwbemservices::execquery - select * from win32_processor
Figure 7.
Russia’s GRU military unit behind Linux malware attacks
Russia’s GRU military unit is suspected to be behind Drovorub, a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a C2 server. Identifying this malware is difficult. Packet inspection at network boundaries is useful in detecting Drovorub on networks, including probing, security products, live response, memory analysis and media (disk image) analysis.
For wireless network settings and credential discovery, the malware launches an instance of netsh.exe. The syntax utilized initially is:
• Netsh.exe wlan show profile
Upon launch, an instance of the malware is dropped into %temp% as a hidden file, in a hidden folder:
• /c copy "C:/Users/admin1/Desktop/tes_10.exe" "%temp%\FolderN\name.exe" /Y
The following command is then used to create the autorun registry key:
• /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
MITRE ATT&CK mapping:
• Modify registry (T1112)
• Subvert trust controls: Install root certificate (T1553.004)
• Hide artifacts: NTFS file attributes (T1564.004)
• Hijack execution flow: DLL search order hijacking (T1574.001)
• Process injection: Process hollowing (T1055.012)
• Data from information repositories (T1213)
• Boot or logon autostart execution: Registry run keys/startup folder (T1547.001)
• Process injection (T1055)
• Unsecured credentials: Credentials in files (T1552.001)
• System information discovery (T1082)
• Query registry (T1012)
• OS credential dumping (T1003)
• Scheduled task (T1053)
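Detection logic for the commands quoted in this section, as an added example that is not from the report, Malpedia, Check Point or Bleeping Computer: a small rule set runs over constructed endpoint events and tags each hit with the ATT&CK ID from the mapping above where the report gives one. The event line format (time|host|user|image|detail) is an assumption; map your EDR or Sysmon process-creation export onto it.

```python
"""Flag the Agent Tesla persistence and discovery activity quoted in the report.

Added example, not from the report. Each rule matches the 'detail' field of an
event, which holds either a command line or a traced API call; the ATT&CK IDs
are those listed in the report's mapping, None where the report lists none.
"""
import re

# (rule id, description, ATT&CK ID from the report's mapping, pattern over the detail field)
RULES = [
    ("temp_copy", "executable copied into a folder under %temp%", None,
     re.compile(r"\bcopy\b.*\.exe.*%temp%\\", re.IGNORECASE)),
    ("load_value", "Load value written under HKCU\\...\\Windows NT\\CurrentVersion\\Windows",
     "T1547.001",
     re.compile(r"\breg\s+add\b.*\\Windows NT\\CurrentVersion\\Windows\b.*/v\s+Load\b",
                re.IGNORECASE)),
    ("wlan_profile", "netsh wlan show profile (wireless profile and credential discovery)", None,
     re.compile(r"\bnetsh(\.exe)?\s+wlan\s+show\s+profile\b", re.IGNORECASE)),
    ("wmi_sysinfo", "WMI query for OS or processor details", "T1082",
     re.compile(r"select\s+\*\s+from\s+win32_(operatingsystem|processor)\b", re.IGNORECASE)),
]

# Constructed events (not a real trace). The first five lines reuse the commands
# quoted in the report; the last two are benign administration for contrast.
EVENTS = r"""
2020-08-20T09:14:02|WS-0412|admin1|cmd.exe|/c copy "C:/Users/admin1/Desktop/tes_10.exe" "%temp%\FolderN\name.exe" /Y
2020-08-20T09:14:03|WS-0412|admin1|cmd.exe|/c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
2020-08-20T09:14:05|WS-0412|admin1|name.exe|iwbemservices::execquery - select * from win32_operatingsystem
2020-08-20T09:14:05|WS-0412|admin1|name.exe|iwbemservices::execquery - select * from win32_processor
2020-08-20T09:14:09|WS-0412|admin1|name.exe|netsh.exe wlan show profile
2020-08-20T09:20:11|WS-0412|admin1|cmd.exe|/c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
2020-08-20T09:21:40|WS-0412|admin1|netsh.exe|netsh interface show interface
"""


def parse_event(line: str) -> dict:
    """Split one pipe-delimited event; the detail field may itself contain pipes."""
    time, host, user, image, detail = line.split("|", 4)
    return {"time": time, "host": host, "user": user, "image": image, "detail": detail}


def detect(events_text: str) -> list:
    """Return (time, image, rule id, ATT&CK ID) for every event a rule matches."""
    hits = []
    for line in events_text.strip().splitlines():
        ev = parse_event(line)
        for rule_id, _desc, ttp, rx in RULES:
            if rx.search(ev["detail"]):
                hits.append((ev["time"], ev["image"], rule_id, ttp))
    return hits


def persistence_chain_present(hits: list) -> bool:
    """True when both halves of the report's persistence sequence were seen:
    the staging copy into %temp% and the Load value pointing at that copy."""
    seen = {h[2] for h in hits}
    return {"temp_copy", "load_value"} <= seen


if __name__ == "__main__":
    found = detect(EVENTS)
    for hit in found:
        print(hit)
    print("persistence chain:", persistence_chain_present(found))
```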
Impact
Agent Tesla was first seen in the wild in 2014. It is a .NET-based keylogger and remote access trojan (RAT) that beacons data back to a C2 server. Recent developments have increased its capabilities extensively. Current versions have improved persistence and the ability to harvest data from more services.
DXC perspective
Agent Tesla is easily accessible and is used by many threat actor groups due to its success rate and ability to exfiltrate data without notice. Groups using Agent Tesla are both financially and espionage motivated, which means successful intrusions will result in the exfiltration of data. Expect to see more malspam campaigns that will
attempt to distribute Agent Tesla. Cyber defense security controls should be tuned
to alert on abnormal outbound traffic.
Sources: Malpedia, Check Point, Bleeping Computer
Vulnerability Updates
Internet Explorer scripting malware emerges
Recent samples of script-based malware delivered through the Internet Explorer (IE) browser exploit Windows OS users. Observed in the wild over the past 2 months, two distinct samples have been obtained from compromised machines:
Sample 1:
• JScript Remote Access Trojan (RAT)
• Persistence mechanism enabled
• Uses encoded network connection to connect to the attacker
• Attackers execute arbitrary commands on the target machine
Sample 2:
• AutoIT downloader
• Uses network connection and script functions to download and execute malware
• Capable of loading a variety of malware types
Based on the c.js JScript RAT downloaded from the assurancetemporaireenligne.com domain on April 18, the PowerShell command used to exploit the CVE-2019-0752 vulnerability is:
Persistence mechanism
The c.js script creates and sets a new value for the registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This value, named loaderName, is set with a path to a certain loader.jse file.
Figure 8.
https://www.dxc.technology/security/offerings/140115/140163-cyber_defense
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
https://blog.checkpoint.com/2020/05/11/april-2020s-most-wanted-malware-agent-tesla-remote-access-trojan-spreading-widely-in-covid-19-related-spam-campaigns/
https://www.bleepingcomputer.com/news/security/upgraded-agent-tesla-malware-steals-passwords-from-browsers-vpns/
The run key causes programs to run each time a user logs on. The loader.jse script,
which is not created yet, will run automatically each time the Windows OS boots. For
the next step of the persistence process, the c.js creates the actual loader.jse file.
The following image shows the loader.jse script is created in the AppData folder. This
is a hidden folder by default on Windows OS:
When the loader.jse is run, it opens the registry key HKCU\Software\loaderName and
runs the code contained in the data value.
The packed code in the registry key loaderName contains the function(p,a,c,k,e,d) pattern, which indicates the Dean Edwards packer was used to obfuscate the code.
This packer is outdated now but was commonly used in the past by benign scripts
and therefore whitelisted by many kinds of detection technologies.
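An analyst who pulls the loaderName data out of the registry still has to unpack it before the logic can be read. The following is an added example, not code from the report, Microsoft, MITRE or Trend Micro: it implements the packer's own decode loop, detects the function(p,a,c,k,e,d) header named above, and includes a deliberately minimal packer only so the unpacker can be round-tripped on a constructed sample. The sample script is made up; the argument-tuple parser assumes the standard ('<payload>',<base>,<count>,'<words>'.split('|'),0,{}) shape with no single quotes or backslashes in the payload.

```python
"""Unpack Dean Edwards 'p,a,c,k,e,d' output such as the loader code kept in HKCU\\Software\\loaderName.

Added example, not from the report. unpack() reproduces the packer's decode loop
(highest index first, empty keywords skipped). pack() is included only to build a
sample: it maps every \\w+ run to an index and does not reserve words that already
look like encoded tokens, so the constructed sample avoids one- and two-character
identifiers and numbers, which the real packer handles specially.
"""
import re

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
PACKED_SIGNATURE = re.compile(r"function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)")
ARGS = re.compile(r"\}\s*\(\s*'(.*?)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'(.*?)'\s*\.split\(\s*'\|'\s*\)",
                  re.DOTALL)


def encode(n: int, base: int) -> str:
    """The packer's e() helper: n written in the given base with digits 0-9a-zA-Z."""
    digits = ""
    while True:
        n, rem = divmod(n, base)
        digits = ALPHABET[rem] + digits
        if n == 0:
            return digits


def unpack(payload: str, base: int, count: int, words: list) -> str:
    """Replace each whole-word token with its keyword, from index count-1 down to 0."""
    out = payload
    for i in range(count - 1, -1, -1):
        if i < len(words) and words[i]:
            token = re.compile(r"\b" + re.escape(encode(i, base)) + r"\b")
            out = token.sub(lambda _m, w=words[i]: w, out)  # lambda: no escape processing
    return out


def looks_packed(js: str) -> bool:
    """The detection cue named in the report: the function(p,a,c,k,e,d) header."""
    return PACKED_SIGNATURE.search(js) is not None


def unpack_js(js: str) -> str:
    """Locate the argument tuple in a packed script and decode its payload."""
    m = ARGS.search(js)
    if not m:
        raise ValueError("no p,a,c,k,e,d argument tuple found")
    payload, base, count = m.group(1), int(m.group(2)), int(m.group(3))
    return unpack(payload, base, count, m.group(4).split("|"))


def pack(src: str, base: int = 62) -> str:
    """Minimal packer used only to build a sample; see the module docstring."""
    words, index = [], {}

    def repl(m):
        w = m.group(0)
        if w not in index:
            index[w] = len(words)
            words.append(w)
        return encode(index[w], base)

    payload = re.sub(r"\w+", repl, src)
    joined = "|".join(words)
    return (f"eval(function(p,a,c,k,e,d){{/* body elided */}}"
            f"('{payload}',{base},{len(words)},'{joined}'.split('|'),0,{{}}))")


# Constructed sample (not the loader.jse code): a short script to round-trip.
SOURCE = "function loader(name) { var shell = getShell(); return shell.readValue(name); }"

if __name__ == "__main__":
    packed = pack(SOURCE)
    print(packed)
    print("packed header present:", looks_packed(packed))
    print("round trip ok:", unpack_js(packed) == SOURCE)
```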
The attacker can perform the following tasks on the target system:
• Execute commands
• Download files
• Reboot the Windows OS
• Terminate processes
• Shut down Windows OS
Figure 10.
Figure 9.
AutoIT downloader
This is the 2.exe file downloaded from the dark.crypterfile.com domain using the same vulnerability CVE-2019-0752:
The AutoIT code retrieves the system information, which is stored in the $asysinfo
array. Then there is a check on the sixth element of this array, which corresponds to
the number of logical processors.
The check verifies whether the number of logical processors is greater than or
equal to four, and then malicious files download. Using the InetGet and Run AutoIT
functions, the malicious script downloads and executes multiple files on the target
system.
The last file downloaded is stored in the Current User Startup folder. The file will
execute each time the user logs in to the Windows OS.
Impact per Microsoft
CVE-2020-1380 has received a CVSS score of 7.5, according to Microsoft. A remote
code execution vulnerability exists in the way that the scripting engine handles
objects in memory in Internet Explorer. The vulnerability could corrupt memory
in such a way that an attacker could execute arbitrary code in the context of
the current user. An attacker who successfully exploited the vulnerability could
gain the same user rights as the current user. If the current user is logged on with
administrative user rights, an attacker could take control of an affected system. An
attacker could then install programs; view, change or delete data; or create new
accounts with full user rights.
DXC perspective
Patching vulnerabilities of this nature needs to be a high priority for all organizations. This exploit, which contains multiple facets (a remote access trojan, a downloader and an effective persistence mechanism), has the potential to cause extensive damage within an IT environment. Patching or other mitigation techniques, although difficult at times, are the best option.
According to Microsoft, in a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, including those that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.
Figure 11. Command used to download and launch the AutoIT downloader sample.
Figure 12.
The security update addresses the vulnerability by modifying how the scripting
engine handles objects in memory.
Sources: Microsoft, MITRE, Trend Micro
Incidents/breaches
Carnival Corporation suffers ransomware attack
Carnival disclosed a ransomware attack that impacted one of its subsidiaries. Carnival has not disclosed which division was the target of that attack or if other divisions were subsequently affected.
Carnival’s brands include Princess Cruises, Holland America Line, P&O Cruises, Costa
Cruises, AIDA Cruises and Cunard.
The attack appears to have exfiltrated customer and employee data. In a Form 8-K
regulatory filing, Carnival said its investigation so far shows no other systems were
impacted.
“While the investigation of the incident is ongoing, the company has implemented
a series of containment and remediation measures to address this situation and
reinforce the security of its information technology systems,” Carnival stated.
The Prevailion company was tracking C2 activity across the internet and observed
suspicious activity to and from Carnival’s network between February and early June
of this year.
During that period, an IP address belonging to Carnival was observed regularly
communicating with malicious C2 servers outside the company. High levels of
communication were observed between April 11 and June 5.
Prevailion tracked over 46,000 attempted connections from the Carnival IP address
to the C2 servers.
Prevailion identified the activity as associated with Ramnit malware, which most
recently was used for credential theft.
The above C2 activity cannot be definitively linked to the August 2020 ransomware attack, but it should be noted that ransomware groups have changed their tactics from encrypting data upon entry to maintaining a stealth presence within the compromised environment. The goal is to exfiltrate sensitive and proprietary data and use that as leverage to obtain the requested ransom.
Investment scam sites shut down
The National Cyber Security Centre (NCSC) has shut down more than 300,000 URLs found to be linked to investment scams in a four-month period. Many of these ruses began with fake news articles that promoted investment advice from celebrities. As is most common with phishing, the news articles sought to trick readers into visiting hoax websites claiming methods to help the user “get rich quick.”
Source: Tripwire
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1380
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1380
https://blog.trendmicro.com/trendlabs-security-intelligence/august-patch-tuesday-fixes-critical-ie-important-windows-vulnerabilities-exploited-in-the-wild/
https://www.tripwire.com/state-of-security/security-data-protection/ncsc-shut-down-300k-urls-linked-to-investment-scams-4-months/
Impact
Details regarding this attack, the second successful breach this year at Carnival,
are limited. Carnival did initiate an internal investigation that included notifying law
enforcement and engaging an external security firm.
Reports note that Carnival’s internal security team and controls were able to prevent
the entire network from being compromised. The ransomware encryption process
was halted but the impact on customer and employee data is not known, nor has
the attack vector been disclosed. Carnival has indicated that it expects to see claims
arising from customers’ data being exposed.
DXC perspective
Ransomware attacks are on the rise and will continue given how lucrative such
attacks are. Financially motivated threat actors have no reason to stop attacks that
have such a high success rate.
Preparation and planning are key components to stopping ransomware attacks.
It is highly recommended that all organizations obtain a copy of the U.S. Secret
Service’s “Preparing for a Cyber Incident – A Guide to Ransomware.” The document
contains valuable information that can be useful in combatting all types of malware
attacks.
Another factor to consider is that this was the second successful attack at Carnival in
a matter of months. It is not uncommon for threat actors to initiate secondary attacks
to test if the environment is still vulnerable.
Sources: Prevailion, Security Affairs
Nation State and Geopolitical
U.S. Justice Department seizes cryptocurrency accounts of three suspected terrorist groups
The U.S. Justice Department announced it has seized a record $2 million in cryptocurrency intended to finance the activities of al-Qaida, the al-Qassam Brigades and the Islamic State.
U.S. authorities obtained warrants to seize the money and to dismantle 300
cryptocurrency accounts. Warrants also took down four websites and four Facebook
pages the three terror groups used as part of their cyber campaigns to generate
funds.
Other news
• Utah Gun Exchange breached - Security Boulevard
• Canada revenue agency discloses credential stuffing attack - Security Boulevard
• Nine leaky GitHub repos affecting 200K U.S. residents - Security Boulevard
https://www.dxc.technology/security/offerings/140115/145734-dxc_cyber_reference_architecture
https://www.prevailion.com/carnival-cruise-lines-long-running-breach-problem/
https://securityaffairs.co/wordpress/107263/cyber-crime/carnival-corporation-ransomware-attack.html?utm_source=rss&utm_medium=rss&utm_campaign=carnival-corporation-ransomware-attack
https://securityboulevard.com/2020/08/utah-gun-exchange-confirms-data-breach-after-bad-actors-publishes-stolen-customer-records-online/
https://securityboulevard.com/2020/08/canada-revenue-agency-discloses-credential-stuffing-attack-on-5500-service-accounts/
https://securityboulevard.com/2020/08/researcher-discloses-9-leaky-github-repos-affecting-200k-u-s-residents-and-possibly-many-more/
Impact
Federal prosecutors said the three campaigns relied on sophisticated cyber tools to generate cryptocurrency donations to finance their operations.
Officials also noted that donations were not anonymous. Agents with the Internal
Revenue Service, Homeland Security Investigations and the FBI tracked and seized
150 cryptocurrency accounts that laundered funds for the terrorist groups. Agents
also executed criminal search warrants for the people and organizations that
donated money from within the United States.
DXC perspective
The Department of Homeland Security has an ongoing campaign called “If You See Something, Say Something.”
As information technology and cybersecurity professionals, we are in a unique
position to come across intelligence that may be valuable in preventing a terrorist
attack. Share the intel.
Sources: United States Department of Justice, Department of Homeland Security – Membership distribution
https://www.justice.gov/opa/pr/global-disruption-three-terror-finance-cyber-enabled-campaigns
Learn more
Thank you for reading the Security Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security.
DXC in Security
Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,000 experts and a global network of security operations centers.
DXC provides solutions tailored to our clients’ diverse security needs, with areas of
specialization in Cyber Defense, Digital Identity, Secured Infrastructure and Data
Protection. Learn how DXC can help protect your enterprise in the midst of large-
scale digital change. Visit www.dxc.technology/security.
Stay current on the latest threats at www.dxc.technology/threats.
Get the insights that matter. www.dxc.technology/optin
About DXC Technology
DXC Technology (NYSE: DXC) helps global companies run their mission critical systems and operations while modernizing IT, optimizing data architectures, and ensuring security and scalability across public, private and hybrid clouds. With decades of driving innovation, the world’s largest companies trust DXC to deploy our enterprise technology stack to deliver new levels of performance, competitiveness and customer experiences. Learn more about the DXC story and our focus on people, customers and operational execution at www.dxc.technology.
©2020 DXC Technology Company. All rights reserved. September 2020
https://www.dxc.technology/security/insights/146282-dxc_labs_security
http://www.dxc.technology/security
http://www.dxc.technology/threats
http://www.dxc.technology/optin
https://www.linkedin.com/company/dxctechnology/
https://twitter.com/dxctechnology
https://www.facebook.com/DXCTechnology/
http://www.dxc.technology