
Threat Intelligence Report

January 2020

In this issue

Hacktivist threats emerge amid Iranian crisis

Multiple vulnerabilities in Cisco Data Center Network Manager

Travelex Services crippled by ransomware attack

Targeted attack against Austrian foreign ministry


Message from Mark Hughes

2019 was a turbulent year with an unprecedented rise in attacks against private and public sector organizations of all sizes and industries, and 2020 shows no sign of slowing.

Security is improving every day as more organizations better understand the threats they face. However, with increased cyber/physical convergence and deployment of new technologies, new threats are continually emerging.

Many of the incidents last year could have been prevented by improving basic cyber security measures. Get these right and you make the job of the attacker much more difficult.

Mark Hughes, Senior Vice President and General Manager of Security, DXC Technology

About this report

Fusing a range of public and proprietary information feeds, including DXC’s global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness.

This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.

Intelligence cutoff date: 09 January 2020

Table of contents

Threat updates
• Hacktivist threats emerge amid Iranian crisis (Multi-industry) – page 3
• REvil Ransomware targets unpatched VPN servers (Multi-industry) – page 4

Vulnerability updates
• Multiple vulnerabilities in Cisco Data Center Network Manager (Multi-industry) – page 4
• CVE-2019-19781 – Critical Citrix/Netscaler Vulnerability (Multi-industry) – page 5

Incidents/breaches
• Travelex services crippled by ransomware attack (Finance/Currency Exchange) – page 6

Nation State and Geopolitical
• Targeted attack against Austrian foreign ministry (Public Sector) – page 7


Threat updates

Hacktivist threats emerge amid Iranian crisis

The U.S. Department of Homeland Security (DHS) has issued a terrorism advisory bulletin warning of cyber attacks following the death of Iran’s Islamic Revolutionary Guard Corps (IRGC) Quds Force Commander Qassem Soleimani in a January 2 drone strike.

Iran responded with missile strikes on U.S. military bases six days later, but Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency at DHS, said Jan. 18 that the threat alert remains active. While no cyber attacks have been reported, he said adversaries may be working on a cyber response, warning that “new access takes time.”

Impact

DXC Intelligence partners have observed specific threats of retaliation by nonstate Iranian cyber threat actors, including pro-IRGC hacktivists, and the defacement of several sites belonging to U.S.-based entities. While no specific, credible threat has yet been observed emanating from Iranian state-linked adversaries, it is likely that Iran will use a broad range of cyber capabilities against U.S. and allied interests in the wake of Soleimani’s death.

Threats have also been observed from Iranian cyber criminals. Criminal forums and discussion groups used by Iranian actors involved in ransomware and financial fraud campaigns shared a brief statement threatening U.S., Israeli and Saudi sites with defacement and calling for an increase in ransomware attacks.

This activity is expected to increase in the coming months.

DXC perspective

Iran has a long history of conducting large-scale cyber campaigns, and DXC considers it likely that these capabilities will be used in response to the recent escalation, most likely against government and critical infrastructure.

However, in addition to the threat from nation-state and state-backed threat actors, the death of Soleimani has caused significant anger in the civilian population, which is driving hacktivist and criminal attacks against private sector organizations with significant links to the United States and allied countries.

The majority of hacktivist attacks can be mitigated by improving basic security. By ensuring all internet-facing infrastructure is accounted for and included in vulnerability and patch management systems, organizations can avoid becoming easy targets.

Sources:
DHS - https://www.dhs.gov/sites/default/files/ntas/alerts/20_0104_ntas_bulletin.pdf
TechCrunch - https://techcrunch.com/2020/01/06/homeland-security-iran-cyberattacks/


REvil Ransomware targets unpatched VPN servers

Cyber criminals using the REvil (Sodinokibi) ransomware are targeting unpatched Pulse VPN servers to gain a foothold in environments before installing ransomware.

Impact

The REvil ransomware strain that was targeting a vulnerability in Oracle WebLogic systems as an infection vector has been repurposed to target unpatched Pulse VPN servers.

The attackers use a vulnerability made public April 24, 2019, to connect to remote networks before gaining administrative access and using administrative tools to spread around the network and deploy the ransomware.

There is no known publicly available decrypter for this strain of malware, and affected companies would need to recover from system backups.

DXC perspective

This updated campaign illustrates the tactical changes commonly made by criminal threat actors and the need for effective vulnerability management and patching regimens when combating these threats.

DXC recommends that all organizations maintain regular vulnerability scanning in concert with strict patching routines to ensure that known vulnerabilities are closed before criminals can use them to cause damage.

Source: ZDNet - https://www.zdnet.com/article/vpn-warning-revil-ransomware-targets-unpatched-pulse-secure-vpn-servers/

Key figures:
• April 2019 – First appearance of REvil (Sodinokibi) ransomware
• $11.5B – Estimated value of ransoms paid to cybercriminals in 2019
• 365% – Increase in ransomware detections against businesses 2018-19

Vulnerability updates

Multiple vulnerabilities in Cisco Data Center Network Manager

Cisco published six advisories to address 12 vulnerabilities in its Data Center Network Manager (DCNM) system on January 2. Of these 12 vulnerabilities, six were given “critical” severity ratings, seven were classified as “high” severity, and two were identified as “medium.”

Impact

DCNM is the management system for Cisco’s Unified Fabric and provides dashboard capabilities for data center operators to provision, manage and maintain network infrastructure.

Three of the vulnerabilities were categorized as critical, scoring 9.8 on the 10-point Common Vulnerability Scoring System (CVSS), and could allow a remote attacker to bypass authentication and gain administrative privileges on affected systems.

• CVE-2019-15975 – Affects the REST API endpoint
• CVE-2019-15976 – Affects the SOAP API endpoint
• CVE-2019-15977 – Affects the DCNM web-based management interface. This vulnerability is related to hard-coded authentication credentials within the application.

Of the seven high-severity vulnerabilities, three were identified as path traversal vulnerabilities, two were listed as SQL injection vulnerabilities, and two were listed as command injection vulnerabilities. The two medium vulnerabilities were identified as read-access and unauthorized-access vulnerabilities.

Neither Cisco nor DXC has seen evidence that these vulnerabilities are being actively exploited at this time.

DXC perspective

There are no workarounds for these vulnerabilities, and the patches should be applied immediately. Waiting for scheduled updates is not recommended.

Source: Cisco –
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-auth-bypass
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-sql-inject
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-path-trav
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-comm-inject
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-xml-ext-entity
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-unauth-access
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass

CVE-2019-19781 – Critical Citrix/Netscaler vulnerability

A critical vulnerability in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway), tracked as CVE-2019-19781, could be exploited by attackers to access company networks.

It has been estimated that 80,000 companies in 158 countries are potentially at risk, most of them in the United States (38%), followed by the United Kingdom, Germany, the Netherlands and Australia.

Impact

If exploited, the vulnerability could allow an attacker direct access to the company’s internal networks from the internet.

The vulnerability affects all supported versions of the product and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5.

The attack does not require authentication credentials and could therefore be triggered by any external attacker.

Citrix has released advice to mitigate the flaw and recommends that all users update all vulnerable software versions.

DXC perspective

Customers should immediately implement the mitigation advice from Citrix and upgrade vulnerable appliances with updated versions of the firmware. Details on the final fixes for the CVE can be found here: https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/

Sources: Citrix –
https://support.citrix.com/article/CTX267027
https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/

Incidents/breaches

Travelex services crippled by ransomware attack

Sodinokibi ransomware infected Travelex systems, encrypting critical business files December 31, prompting the company to take its systems offline.

Impact

Since taking systems offline, Travelex customers have been unable to use web services or the mobile application for transactions or to make card payments at any Travelex stores globally.

In addition to a reported $3 million ransom being demanded, the attackers claim to have copied over 5 gigabytes of customer data, including dates of birth, Social Security numbers, card information and other data, and say the data will be published on the internet if Travelex fails to pay.

The incident is ongoing at the time of this writing and has been linked to the updated REvil campaign reported earlier in this update.

Key figure: $3.92M – Average cost of a data breach in 2019

DXC perspective

The ransomware trend of recent years shows little sign of subsiding in the foreseeable future, with cyber criminals continuing to profit at the expense of ill-prepared companies.

The United Kingdom’s National Crime Agency (NCA) and the U.S. Federal Bureau of Investigation (FBI) both advise not to pay ransoms, as it encourages attackers to continue such campaigns and there is no guarantee a decryption key will be supplied or that it will work.

The final decision on whether to pay or not can be difficult when the organization is facing crippled IT infrastructure and concerned shareholders. The opportunity to recover quickly and get the business functioning again can be irresistible, even when there is a chance the gamble may not pay off.

Whether the ransom is paid or not, it is essential that targeted organizations recover in a controlled way, removing the ransomware infection from the environment and putting measures in place to prevent repeat attacks.

Both technical solutions and staff training measures should be employed to block phishing attacks, and vulnerability management and patching regimes must be enacted to counter exploitation of known security vulnerabilities. Endpoint security measures should be employed to detect and prevent infection through web browsing activities.

Source: Bleeping Computer - https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/

Nation State and Geopolitical

Targeted attack against Austrian foreign ministry

A press release from the Austrian Ministry of the Interior and the Austrian Foreign Ministry on January 4 reported the discovery of a targeted cyber attack against the foreign ministry’s computer systems in Vienna.

The release states that the activity is similar to attacks seen against other European countries and suggests a nation state threat actor may be responsible.

Impact

Foreign ministries are a natural target for espionage-focused nation state activities, and other European countries have been targeted in recent years.

DXC perspective

Russian state actors are known to have been particularly active against European government entities in recent years, with several high-profile attacks attributed to them. However, from the limited information available it is not possible to attribute the current attack in Vienna to any particular state or group.

Source: BBC - https://www.bbc.co.uk/news/world-europe-50997773

Other news

• Cyber attack hits Las Vegas during CES show - https://www.trustedreviews.com/news/cyber-attack-las-vegas-ces-3968075
• Early signs of cyber attacks against Tokyo 2020 Olympic games - https://www.cpomagazine.com/cyber-security/state-backed-cyber-attacks-expected-at-tokyo-2020-games/
• Oddly specific cyber attack targets Alaskan airline Ravn Air - https://www.theregister.co.uk/2020/01/02/ravnair_ransomware_dhc_dash_8/
• Microsoft phishing scam exploits Iran cyber attack scare - https://www.bleepingcomputer.com/news/security/microsoft-phishing-scam-exploits-iran-cyberattack-scare/
• German bicycle manufacturer targeted by cyber criminals - https://www.securitymagazine.com/articles/91507-german-bicycle-manufacturer-targeted-by-cyberattack


Learn more

Thank you for reading the Threat Intelligence Report. Learn more about security trends and insights from DXC Labs | Security.

DXC in Security

Recognized as a leader in security services, DXC Technology helps clients prevent potential attack pathways, reduce cyber risk, and improve threat detection and incident response. Our expert advisory services and 24x7 managed security services are backed by 3,500+ experts and a global network of security operations centers.

DXC provides solutions tailored to our clients’ diverse security needs, with areas of specialization in Intelligent Security Operations, Identity and Access Management, Data Protection and Privacy, Security Risk Management, and Infrastructure and Endpoint Security. Learn how DXC can help protect your enterprise in the midst of large-scale digital change. Visit www.dxc.technology/security.

Stay current on the latest threats at www.dxc.technology/threats

Get the insights that matter: www.dxc.technology/optin

About DXC Technology

DXC Technology (NYSE: DXC) helps global companies run their mission critical systems and operations while modernizing IT, optimizing data architectures, and ensuring security and scalability across public, private and hybrid clouds. With decades of driving innovation, the world’s largest companies trust DXC to deploy our enterprise technology stack to deliver new levels of performance, competitiveness and customer experiences. Learn more about the DXC story and our focus on people, customers and operational execution at www.dxc.technology.

©2020 DXC Technology Company. All rights reserved. January 2020
