
Page 1: Threat Intelligence Summary - Fidelis Cybersecurity

www.fidelissecurity.com

Threat Intelligence Summary

Fidelis Threat Research Team

June 2020

© Fidelis Cybersecurity www.fidelissecurity.com

Table of Contents

- Executive Summary
- Fidelis TRT Assessment and Probability Statements
- Key Vulnerabilities
- Malware, Tools, and Attack Trends
- Threat Actor Trends
- Business Vertical Updates
- References

Executive Summary

The Fidelis Threat Research Team (TRT) monitors and collects information on external threats which may pose a risk to Fidelis customers. Collection and analysis efforts are driven by criticality and relevance as prescribed by TRT’s Priority Intelligence Requirements and Specific Intelligence Requirements (SIRs).

The purpose of the monthly Fidelis Threat Intelligence Summary is to provide readers timely information and situational awareness of ongoing relevant threats and an overall intelligence assessment of the potential risk from these threats. The information and intelligence presented also contributes to the overall threat landscape as observed by Fidelis TRT collection and analysis efforts and telemetry data pertaining to threat actor and adversary activity, tools, tactics, techniques, and procedures (including malware, infrastructures, and vulnerabilities exploited), and observed or assessed impact to organizations and business verticals being targeted.

The below trends and observations summarize the threat landscape in terms of vulnerabilities, threat actors, malware developments, and other significant activity and events.

Key Findings and Recommendations:

1. Exploit attempts against unpatched vulnerabilities in VPN products, as well as against unpatched vulnerabilities in older, popular software packages, remain common and at elevated levels. Recommendation: Aside from detection support from Fidelis for many of these vulnerabilities, enterprises and end-users must ensure software is patched and updated.

2. Ransomware operators were observed to shift focus towards targeting employees working from home, which Fidelis TRT assessed as a Likely Course of Action in the previous month’s Intelligence Summary. Inconsistencies in security policies and defenses of at-home systems and networks may allow for a broader target area which may be difficult for enterprises to centrally manage. Recommendation: Risk can be significantly reduced by ensuring that work-at-home endpoint systems are properly updated and patched, endpoint systems are running up-to-date anti-virus and anti-malware software, and default passwords are changed on home networking gear.

3. Exploit kits continue to be observed in active campaigns. RIG Exploit Kit is among the more active and commonly seen strains; however, June also saw limited activity of older and less common exploit kits like the Capesand and Fallout Exploit Kits. Vulnerabilities in Adobe Flash and Internet Explorer (IE) remain the go-to techniques in exploit kit campaigns. Recommendation: Fidelis TRT encourages end-users and enterprises to limit use of the Internet Explorer browser, especially versions prior to IE 11, and to ensure all browsers and browser plugins are patched and updated. Limiting use of IE will also reduce exposure to and reliance on Adobe Flash, which is set to reach End-of-Life (EoL) on 31 December 2020. Security professionals and IT teams are also encouraged to implement least-privilege policies to help prevent a browser-based compromise of an account with elevated privileges.

4. Emerging malware campaigns continue to leverage older vulnerabilities in popular software like Internet Explorer, Oracle WebLogic, and content management system (CMS) providers like WordPress and Drupal. Fidelis TRT assessed in previous blog posts and the May Intelligence Summary that exploiting older vulnerabilities will remain a popular tactic by adversaries. Recommendation: Fidelis TRT encourages a disciplined approach to proper patch management and maintaining terrain visibility to significantly reduce the risk of compromise from many ongoing, and future, malware campaigns.

5. The risk of impact from attacks against the healthcare, transportation, retail, and municipal government verticals is assessed by TRT to remain elevated, given current global political and economic events, with ransomware and destructive/wiper malware posing the highest risk. Recommendation: Employees of all business industries should remain vigilant against common adversary techniques, notably phishing and business-email compromise attempts. IT departments are encouraged to ensure least-privilege policies are enforced across the user base and systems to prevent browser-based exploitation and unwanted endpoint processes from running. Proper network segmentation and software updates are also standard recommendations to reduce lateral movement and propagation.

Fidelis TRT Assessment and Probability Statements

This section presents Fidelis TRT’s assessment of cyber adversary and threat activity going forward. Assessments are presented as Most Likely Course of Action (MLCOA) and Most Dangerous Course of Action (MDCOA) statements. MLCOA focuses on the expected and probable tactics, techniques, or actions taken by adversary groups, while MDCOA considers tactics, techniques, or actions that could result in a worst-case scenario outcome regardless of likelihood.

Most Likely Course of Action

TRT assesses that exploitation of older, common vulnerabilities in popular services and software will continue to be popular attack vectors for initial access and lateral movement. TRT previously assessed in the May 2020 Threat Intelligence Summary that attractive targets for adversaries will include consumer products and services utilized by work-from-home employees. This was supplemented by recent reporting in June regarding adversaries targeting enterprise employees working from home with ransomware. TRT continues to assess that vulnerabilities in products like VPN clients and software, web browsers, consumer-grade routers, networked and cloud storage, and even specific software like OWA, Microsoft Sharepoint, and video conferencing/communication software (e.g.: Zoom, WebEx, RingCentral, etc.) will continue to be leveraged against home-based employees to deliver commodity malware like remote access tools and spyware as well as ransomware.

Exploitation of web browser and browser extension vulnerabilities will also increase risk as the popularity of Internet Explorer wanes and the end of support and use of Adobe Flash sets in after 31 December 2020; however, Internet Explorer 11 is slated to continue to be supported on Windows 10 operating systems, which will extend the risk beyond Flash’s EoL as many organizations’ and developers’ sites remain supported by Internet Explorer. In addition to targeting Internet Explorer, adversaries will pivot efforts towards exploiting code-execution and memory corruption weaknesses in browsers like Mozilla Firefox and Google Chrome. The anonymizing Tor Browser is also built on Mozilla Firefox ESR, so a Firefox vulnerability could compromise the purpose and intent of using Tor in the first place. Therefore, it is imperative to ensure browsers remain up to date and patched when available, and that browser extensions and plug-ins are downloaded from reputable sources and patched when available.

Commodity malware will continue to trend at elevated levels regardless of global events, including older and well-documented remote access malware and exploit kits. Exploit kits like RIG, Fallout, and Spelevo may continue to be updated with newer capabilities to exploit different vulnerabilities to deliver follow-on payloads like ransomware, spyware, and coin-miners, which TRT also assessed in the previous month’s report and which was supplemented by observations and analysis of exploit kit samples in June 2020.

Ransomware operators will continue to focus on targeting large enterprises due to potentially larger attack surface and higher ransom amounts that can be demanded from higher-revenue organizations. GDPR regulations may also put organizations operating in Europe in a difficult situation as they deal with not only a ransomware infection but also the data-leak component of the attack, resulting in stiff fines under GDPR rules. Ransomware operators and developers will continue to update strains with new capabilities, which recently included sandbox escaping and targeted software hardcoded in the malware itself. As NetWalker Ransomware campaigns gained traction from late-May and June, Sodinokibi/REvil, Maze, Ryuk, DoppelPaymer, and Nemty will continue to remain the most active. Emerging strains include Ekans (aka: Snake) and Ako Ransomware.

Cyber-criminals and nation-state actors will continue to leverage the CoVID-19 situation in phishing attempts; however, they will begin to utilize new topics and events as they arise including government stimulus programs, vaccine and treatment developments, unemployment concerns (using fake job postings or career site lures and government employment and welfare schemes), and fake retail and shopping lures as major retailers face bankruptcy and businesses begin to reopen. Recent conflicts at the India-China border may also provide fodder for adversary phishing campaigns.

Most Dangerous Course of Action

TRT assesses that a resurgence or use of wiper malware against organizations in critical business verticals like healthcare, transportation, government, or retail could cause a short-term disruption to supply-chain, public service/safety, and consumer retail operations. The risk of this type of disruption remains elevated given the current situation related to CoVID-19 and with local and national economies slowly beginning to reopen.

With regard to code execution vulnerabilities in browsers, government agencies of oppressive countries will also adapt to the shift from targeting Internet Explorer to Google Chrome and Firefox (and consequently, the Tor Browser), which not only can jeopardize the privacy of citizens but also allow local law enforcement of these repressive regimes to expand their surveillance programs by exploiting these vulnerabilities.

Ongoing political and social unrest in the United States also provides ransomware operators and nation-state actors an opportunity to exploit the ongoing events and sentiment, and local and municipal government entities may be viewed as potential targets. Protest-related phishing themes may include news and updates related to activist movements, riot tracking apps, or police support/brutality. As emotions run high during times like this, it is imperative to maintain vigilance against opportunistic threats.

Key Vulnerabilities

This section discusses the emergence of critical new vulnerabilities that may impact a significant portion of Fidelis customers, as well as the status of countermeasures against the vulnerabilities. The Vulnerabilities section also extends to exploitation attempts against older vulnerabilities that continue to be leveraged in recent campaigns and attacks.

Vulnerability Events Observed

During the period 1 - 30 June 2020, the top vulnerability threats consisted of vulnerability exploit attempts against high-profile VPN vulnerabilities in the following products:

- Citrix ADC/Gateway (CVE-2019-19781)
- Pulse Secure Secure Connect (CVE-2019-11510), and
- Fortinet Fortigate (CVE-2018-13379).

Threats also show attempts against older vulnerabilities in popular software and services from at least two years ago, including:

- Apache Struts (CVE-2017-5638, CVE-2017-12611, CVE-2018-11776), and
- Microsoft Windows SMB protocol (MS17-010 series).

Vulnerabilities assessed as high-impact by Fidelis TRT that were targeted to a lesser extent include:

- A deserialization vulnerability in Oracle WebLogic (CVE-2019-2725)
- Microsoft Office Equation Editor (CVE-2017-11882), and
- InfiniteWP (CVE-2020-8772), a popular WordPress plugin.

The following chart shows the top vulnerability threats as observed by the Fidelis Threat Research Team.

Fidelis Telemetry, Vulnerability Events, June 2020

Top Priority Vulnerabilities

The following are the top vulnerabilities that are observed and assessed as posing current risks to enterprises and end users. The top Trending Vulnerabilities are based on current observations and ongoing trends of commonly targeted and exploited vulnerabilities from both external research and Fidelis customer telemetry. The Emerging Vulnerabilities are vulnerabilities that are assessed by Fidelis TRT, based on criticality and potential impact, to pose a high risk to enterprises and end users, but are less active than Trending Vulnerabilities. These vulnerabilities have the potential to gain more popularity in the future or result in a high-impact incident, even if active scanning or exploitation has not yet been observed. The Emerging Vulnerabilities list also serves as a “be-on-the-lookout” (BOLO) list for patching and countermeasures purposes.

Trending Vulnerabilities, as of June 2020

| Vulnerability | Product | Associated Threats | Active Exploitation or Scanning |
| --- | --- | --- | --- |
| MS17-010 Series | Microsoft Windows SMB | APT3, APT27, WannaCry, NotPetya, BuleHero | Yes |
| CVE-2017-11882 | Microsoft Office | SideWinder, APT27, Kimsuky, DarkHotel, Cobalt Group, FareIT/Pony, Agent Tesla, AsyncRAT | Yes |
| CVE-2019-0604 | Microsoft Sharepoint | Fin7, APT27, APT34, ChinaChopper, ZeroCleare | Yes |
| CVE-2019-11510 | Pulse Connect Secure VPN | Sodinokibi/REvil, APT33, APT34, Fox Kitten | Yes |
| CVE-2019-19781 | Citrix ADC Gateway VPN | Maze Ransomware, Sodinokibi/REvil, Ragnarok Ransomware | Yes |
| CVE-2017-5638 | Apache Struts | BuleHero, Cerber Ransomware, PerlBot | Yes |
| CVE-2020-0796 | Microsoft Windows SMB | AveMaria RAT | Yes |
| CVE-2018-7600 | Drupal “Drupalgeddon 2” | CoinHive, Satan/Lucifer DDoS, XMRig | Yes |

Fidelis TRT Comments and Recommended Action:

- Vulnerabilities in VPN services will continue to be leveraged by nation-state and cyber-criminal adversaries for espionage or to deliver ransomware and coin miners.

- Older vulnerabilities continue to be exploited by adversaries due to the success rate and lower barrier to entry than attempting to exploit zero-days or developing proofs of concept (POCs) for more recent vulnerabilities.

- TRT maintains its assessment that older unpatched vulnerabilities and risks in Microsoft Office, Internet Explorer, Adobe Flash, Oracle WebLogic, content-management services (e.g.: Drupal, WordPress plugins, Joomla, SiteCore), and high-risk protocols including RDP, SMB, and UPnP will remain attractive targets.

- TRT recommends ensuring positive terrain visibility and that all software and products are patched and updated.

Emerging & BOLO Vulnerabilities, as of June 2020

| Vulnerability | Product | Associated Threats | Active Exploitation or Scanning |
| --- | --- | --- | --- |
| CVE-2019-2725 | Oracle WebLogic | Sodinokibi/REvil, BuleHero, Muhstik Bot | Yes |
| CVE-2020-1088 | Microsoft Windows Error Reporting | | No |
| CVE-2020-8772 | InfiniteWP WordPress Plug-In | | Yes |
| CVE-2019-17026 | Mozilla Firefox/Firefox ESR | DarkHotel | Yes |
| CVE-2020-11651/11652 | SaltStack Framework | | Yes |
| CVE-2019-7192/7194/7195 | QNAP NAS Devices | QSnatch, eCh0raix | No |
| CVE-2020-1056 | Microsoft Internet Explorer | | No |
| CVE-2019-13693 | bbPress WordPress Plug-in | | No |
| CVE-2020-12695 | UPnP “CallStranger” | | Yes |
| CVE-2020-13663 | Drupal CMS DOM-based XSS | | Yes |
| CVE-2020-2021 | PaloAlto SAML-enabled Products | | Yes |
| CVE-2020-2100 | Jenkins Servers | | Yes |
| CVE-2020-3757 | Adobe Flash | | Yes |

Malware, Tools, and Attack Trends

This section discusses new observations or updates to trending tools, attack patterns, and malware campaigns/families that may potentially pose a threat to Fidelis customers. TRT strives to track and update key malware trends and tools for potential countermeasures and detection efforts.

Fidelis Malware Events Observed

The following chart shows the top malware threats as observed by the Fidelis Threat Research Team. During the month of June 2020, the top malware threats consisted of popular and well-documented malware strains including Gh0stRAT, njRAT, Trickbot, and Fareit/PonyLoader. Telemetry data also showed an uptick in Vawtrak activity during the month of June 2020 compared to the previous month.

Fidelis Customer Telemetry by Malware Threats, June 2020

Fidelis Email Malware and Phishing Attempts Observed

The following chart shows the top malware threats delivered via email as observed by the Fidelis Threat Research Team. During the month of June 2020, the top phishing campaigns consisted of common “Purchase Order/PO”, “Invoice/Faktura”, and mail/shipment themed messages with various attachments and links. While many of the email messages consisted of malicious attachments including spyware, document exploits, and Trojan droppers, malicious URLs and links directing to fake sign-on pages for credential harvesting and stealing were also among the most common techniques observed. These HTML pages mimicked popular brands and services related to banking/payment services, streaming services, and webmail providers. While most of the known and attributed document exploits from the data were identified as attempts against the Microsoft Office Equation Editor vulnerability (CVE-2017-11882), another popular and commonly exploited Office document vulnerability frequently observed via external reporting is CVE-2017-0199.

Fidelis Telemetry by Malware Threats via Email, June 2020

Fidelis TRT Comments and Recommended Actions: Standard email hygiene and security awareness still apply: check and validate the sender address, validate URLs and hyperlinks before clicking, and refrain from opening attachments from unknown senders. Beyond that, adversaries behind malware and ransomware campaigns are also known to leverage compromised email accounts to conduct email-thread attacks. This tactic involves attackers using compromised email accounts to jump into existing email threads and send their payloads to victims’ contacts, or to pose as customers and send the payloads to enterprises and vendors. This tactic is observed in business email compromise (BEC) campaigns and is also used by the Evil Corp Group, the actors responsible for the Dridex banking trojan and the BitPaymer and WastedLocker Ransomware strains.
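As a defender-side illustration of the “validate URLs and hyperlinks before clicking” advice above, the following Python script is an added example written for this page; it is not code from the Fidelis report or from any Fidelis product. It extracts every hyperlink from an HTML message body and flags links whose visible text points at a different domain than the href, or whose destination imitates a brand on a short allow-list, the two patterns behind the fake sign-on pages described in this section. The brand hosts and the sample message are constructed for the example.

```python
"""Flag suspicious hyperlinks in an HTML e-mail body (added example).

Implements the "validate URLs and hyperlinks before clicking" advice as a
check a mail gateway or analyst script could run: each <a href> is compared
with its visible link text and with a short allow-list of brands the
organisation actually uses. The brand hosts and the sample message below are
constructed for this example; they are not indicators from the report.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: registered domains a legitimate message may link to.
KNOWN_BRAND_HOSTS = ("examplebank.com", "examplestream.com", "examplemail.com")


def registered_domain(host):
    """Crude eTLD+1: keep the last two labels
    ('login.examplebank.com' -> 'examplebank.com')."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats such as 'exarnple'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_brand(host, brands=KNOWN_BRAND_HOSTS):
    """Return the brand a hostname impersonates, or None if it is the brand
    itself or unrelated. Catches brand-as-subdomain
    (examplebank.com.evil.test), brand-plus-suffix (examplebank-secure.com)
    and near-miss spellings (exarnplebank.com)."""
    dom = registered_domain(host)
    if dom in brands:
        return None
    for brand in brands:
        name = brand.split(".")[0]
        if name in host.lower() or _edit_distance(name, dom.split(".")[0]) <= 2:
            return brand
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def analyse_links(html):
    """Return [(href, [reasons])] for every link that fails a check."""
    findings = []
    for href, text in extract_links(html):
        host = urlparse(href).hostname or ""
        reasons = []
        # Check 1: visible text is itself a URL but points at another domain.
        text = text.strip()
        if "://" in text:
            text_host = urlparse(text).hostname or ""
            if registered_domain(text_host) != registered_domain(host):
                reasons.append("display/href mismatch")
        # Check 2: destination imitates a brand the organisation uses.
        brand = looks_like_brand(host)
        if brand:
            reasons.append(f"lookalike of {brand}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message: one legitimate link, two phishing-style links.
SAMPLE_EMAIL = """
<p>Your statement is ready:
   <a href="https://examplebank.com/statements">View statement</a></p>
<p>Verify your account now:
   <a href="https://examplebank.com.verify-login.test/signin">https://examplebank.com/signin</a></p>
<p>Payment failed: <a href="http://exarnplebank.com/login">Sign in</a></p>
"""

if __name__ == "__main__":
    for href, reasons in analyse_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

The registered-domain helper deliberately uses a two-label heuristic rather than a public-suffix list, so hosts under multi-label suffixes (for example co.uk) would need a real public-suffix lookup in production; the brand allow-list is the piece an organisation would replace with the services its staff actually use.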

RIG Exploit Kit Remains Active; Older Strains Reemerge, Deliver Dropper and Stealer Malware

On 4 June, researchers observed and analyzed a sample of RIG Exploit Kit (EK) leveraging CVE-2019-0752, a scripting engine memory corruption vulnerability in Microsoft Internet Explorer. This new update to RIG EK’s capabilities may allow RIG to expand its effectiveness against browser vulnerabilities in Internet Explorer 10.

On 9 and 11 June 2020, respectively, researchers analyzed malware samples which were observed to be RIG Exploit Kit (EK) delivering the Socelars stealer and Dridex banking trojan.

As of 12 June 2020, the following EKs were observed delivering various other dropper malware, spyware, and remote access trojans (RATs):

• Capesand EK exploiting Microsoft Internet Explorer vulnerability CVE-2019-0752 and delivering njRAT.

• Fallout EK was observed delivering the Raccoon Stealer malware.

• Kaixin EK was observed delivering Dupzom downloader.

Additionally, on 22 and 23 June 2020, researchers observed a malvertising campaign redirecting victims to a landing page for the Fallout Exploit Kit (EK). Upon successful compromise, the SmokeLoader Trojan was delivered which then further downloaded the Ursnif (aka: Dreambot) spyware.

Fidelis TRT Comments and Recommended Action: The trend in EK activity continues from Fidelis TRT’s previous Threat Intelligence Summary, where RIG EK was one of the more commonly observed kits between April – May 2020. Although EKs are not at the peak levels of activity as seen in 2016 and earlier, there has been a steady uptick in observed activity since reaching a low point between 2017 – 2018. TRT has previously assessed that these kits will continue to remain a relevant threat as they adjust and update their modules to exploit newer and larger numbers of vulnerabilities in common and popular software and services.

CVE-2019-0752 was also reported to be leveraged by Capesand EK in early October 2019 to deliver njRAT and DarkRAT. TRT has tracked and associated the Capesand EK to six (6) different vulnerabilities and Kaixin EK to five (5) vulnerabilities. Fallout EK is associated to three (3) Adobe Flash and Microsoft Internet Explorer vulnerabilities. By comparison, RIG EK is known to exploit 21 vulnerabilities.

Fidelis currently has detections in place for potential Fallout, RIG, and KaiXin EK related events, including recent and trending indicators of compromise (IOCs), vulnerability detections, and protocol rules.

Satan DDoS Malware Leverages Legacy Vulnerabilities to Deliver Cryptocurrency Miners and Propagate Laterally

A new strain of malware identified as Satan DDoS (dubbed “Lucifer”, because “Satan” may be confused with the Satan Ransomware of the same name) was observed in late May 2020. Campaigns associated with the malware were observed until 10 June, and then resumed on 11 June following an update to its capabilities. The Lucifer malware strain can exploit 11 different vulnerabilities, many of them from 2018 and prior, to deliver the Monero coin miner known as XMRig, as well as exploit SMB vulnerabilities to propagate laterally across the infected network. The malware also gives the attacker the ability to execute other arbitrary commands. Some of the vulnerabilities observed to be exploited by the Satan/Lucifer DDoS malware are CVE-2014-6287 (Rejetto HFS), CVE-2018-1000861 (Jenkins Stapler Framework), CVE-2017-10271 (Oracle WebLogic), CVE-2018-20062 (ThinkPHP RCE), CVE-2018-7600 (Drupalgeddon 2, Drupal), CVE-2017-9791, CVE-2019-9081, PHPStudy Backdoor RCE, CVE-2017-0144 (EternalBlue, Windows SMB), CVE-2017-0145 (EternalRomance, Windows SMB), and CVE-2017-8464.

Fidelis TRT Comments and Recommended Actions: While patches are readily available for each of these vulnerabilities, the Satan/Lucifer malware campaigns support TRT’s previous assessment that older vulnerabilities in common and popular software and services will continue to be exploited by adversaries and malicious campaigns. Fidelis TRT previously assessed that high-risk and high-priority software and services including (but not limited to) Oracle WebLogic, protocols like SMB and RDP, and content-management services (CMS) like Drupal will continue to be targeted due to their ubiquity and the impact a successful exploitation would allow. In addition to terrain mapping and visibility, proper patch management and authentication measures must be taken into consideration to limit the impact from these types of campaigns.

Gh0stRAT Used to Compromise South Korean Bank PoS Systems

On 16 June 2020, Seoul Metropolitan Police (South Korea) and a partnering security firm reported that a custom version of Gh0stRAT was used against KEB Hana Bank’s point of sale network by a perpetrator in June 2019 (the incident was reported a year after it occurred). The research and analysis results come after police apprehended the individual attempting to hack into Hana Bank’s systems last year and discovered a 1.5TB hard-drive containing multiple gigabytes of credit card and personally identifiable information obtained as a result of the compromise.

Fidelis TRT Comments and Recommended Action: Gh0stRAT is an old family of stealer/spyware that gives an attacker remote access and C2 functionality on victims’ systems. Gh0stRAT is often reported to have been developed in China, but has seen multiple variations and customizations when deployed. The successful deployment of such an old strain of malware supplements TRT’s previous assessment that old, common malware and vulnerabilities will continue to be leveraged by threat actors due to the low cost and low barrier of entry to deploy and run malicious campaigns using these methods.

Threat Actor Trends

This section discusses developing Threat Actors or Groups that TRT will maintain manual focus and collection against. This section will primarily concentrate on actors or groups that are not often reported in highly publicized releases but have demonstrated the capability and intent to mature into priority threats that may impact Fidelis customers.

Lazarus Continues To Leverage Employment-Themed Phishing Lures

During the first week of June 2020, multiple malware samples were observed and attributed to the nation-state backed APT adversary, Lazarus Group. The samples were Word documents using job employment themes as part of a phishing campaign to trick their victims into downloading malicious scripts. Walt Disney was among the companies leveraged for the theme. The documents were also analyzed and determined to have been built using code from an open-source project for PCRE builds.

Fidelis TRT Comments and Recommended Action: In May 2020, Lazarus Group-attributed malware was also observed to leverage employment themes as part of the campaigns. Jobs with defense and aerospace companies were leveraged during this time, including Boeing, BAE, Lockheed Martin, and Korea Hydro-Nuclear.

Fidelis TRT Adversary Risk Matrix Score, Lazarus Group

The graphic above is the Adversary Risk Matrix calculated for the Lazarus Group. The Adversary Risk Matrix is a qualitative intelligence-based risk scoring system developed by TRT members that serves to represent the overall risk presented by an adversary based on specific and observed attributes. The score is out of a maximum of 100, representing the highest risk. Adversary Risk Matrices are also provided for threat actors discussed later in this report.

Adobe Will Begin Prompting Users to Uninstall Flash as End of Life Approaches

Adobe will begin taking aggressive steps to deter users from continuing to use Adobe Flash and Flash-supported products as the End of Life for Flash approaches on 31 December 2020. Adobe will remove any links to download Flash from its website and also disable any content that relies on Flash to run or function. Adobe Flash is one of the most heavily targeted and exploited software products, and this “time-bomb” approach will bring an abrupt end to the software. Browsers and other content platforms have been migrating to HTML5 and JavaScript since 2017, when Adobe first announced the EoL plans.

Fidelis TRT Comments and Recommended Action: Despite the impending end-of-life and overall decrease in use and support for Flash since 2017, threat actors will likely continue to leverage browser-based vulnerabilities in Flash until the very end. Additionally, TRT assesses with moderate confidence that malicious phishing campaigns may even leverage Adobe Flash’s approaching EoL as a theme, where criminals and other adversaries may use subject lines or filenames pertaining to uninstalling or updating Adobe Flash due to the official ending of continued support.

Business Vertical Updates

Monthly Total Events by Vertical

The below chart illustrates the top Fidelis customer business verticals by unique malware event count in June 2020. The chart shows that the largest number of unique malware events during the previous month were observed in Fidelis customers within the Healthcare/Pharma/Biotechnology sector, followed by Technology/Manufacturing and Critical Infrastructure, which replaced the Government sector as the vertical with the third-highest number of events.

Fidelis Total Event Data by Business Vertical, June 2020

Based on the current political and economic situation from the fallout of the CoVID-19 pandemic as well as recent protests/rioting in many cities, Fidelis TRT assesses that any disruption or compromise of confidentiality, integrity, and availability of data and services provided by organizations in healthcare, retail, and transportation may likely aggravate local and domestic stress. Government systems and assets are also at risk of being targeted by hacktivists because of the ongoing protests and unrest following the death of George Floyd. Companies and organizations in these verticals play a particularly crucial role in ensuring the health and safety of the public as well as ensuring supply lines and products remain open and available. Because of this, cyber-criminals may find these verticals attractive targets for ransomware demands, and nation-state actors may see opportunities for espionage due to potential ongoing vaccine and disease research. Additionally, the threat from ransomware campaigns, often resulting in a data-breach situation, also remains elevated across all industries, as illustrated by the Maze Ransomware group discussed previously in this report.

Tool Made Available to Instantly Email Local Councilmen

On 4 June, a project was released by an anonymous engineer which allows local citizens to mass email all local city councilmen. On its website, www.defund12.org allows visitors to select their city (a list which is constantly growing based on crowd submissions on GitHub, https://github.com/defund12/defund12.org/issues) and send a bulk email to their local politicians with one click. The links on the website prefill an email template which allows the sender to quickly send off a message within seconds and with little effort. The project was started in support of a recent movement involved in anti-police protests and calling for the defunding of local law enforcement.

Fidelis TRT Comments and Recommended Action: TRT assesses with high confidence that this project poses a high risk to the recipients on the list, because it gives spammers, cyber-criminals, and ransomware operators easy access to the listed addresses, to which they can deliver phishing emails and subsequent payloads. This should serve as a reminder to maintain proper security awareness and vigilance when handling emails from unknown or suspicious senders.

Email Template Generated From defund12.org


Defund12.org Webpage with Links to Local Government Departments for Maryland

DDoS Attacks Against Human Rights/Anti-Racist Advocacy Groups Increase

Beginning 29 May 2020, distributed denial of service (DDoS) attacks against advocacy group sites increased by a factor of 1,000. DDoS attacks against these types of groups and websites went from insignificant in April 2020 to episodes of thousands of requests per second between late May and the first week of June 2020. This follows similar availability-impacting attacks against government and law enforcement websites during the same period, including the DDoS attack against the website of the Minneapolis Police Department.


HTTP Requests to Multiple Anti-Racist Advocacy Sites, Cloudflare



Fidelis Cybersecurity is a leading provider of threat detection, hunting and response solutions. Fidelis combats the full spectrum of cyber-crime, data theft and espionage by providing full visibility across hybrid cloud / on-prem environments, automating threat and data theft detection, empowering threat hunting and optimizing incident response with context, speed and accuracy.

By integrating bi-directional network traffic analysis across your cloud and internal networks with email, web, endpoint detection and response, and automated deception technology, the Fidelis Elevate™ platform captures rich metadata and content that enables real-time and retrospective analysis, giving security teams the platform to effectively hunt for threats in their environment. Fidelis solutions are delivered as standalone products, an integrated platform, or as a 24×7 Managed Detection and Response service that augments existing security operations and incident response capabilities. Fidelis is trusted by Global 1000s and Governments as their last line of defense. Get in the hunt. www.fidelissecurity.com