Over the last several months a slew of organizations, many tied to human and civil rights, have fallen victim to a new campaign carried out by the advanced persistent threat (APT) group OceanLotus.
While the group isn’t new, Volexity, a cyber incident response firm based in Washington, D.C., said Monday that it has been tracking this most recent campaign, which the firm is calling "sophisticated and extremely widespread," since it first identified it back in May.
The digital surveillance campaign has hit over 100 websites, the lion’s share - roughly 80 of them - based in Vietnam. Sites in Cambodia (including the country’s Ministries of Foreign Affairs, Environment, and Civil Service), China (including the National United Oil Corporation), Laos, and the Philippines have also been hit. The website of the Association of Southeast Asian Nations (ASEAN), an organization devoted to promoting pan-Asianism and intergovernmental cooperation, is arguably the highest-profile site to be hit.
The group, a.k.a. APT32, is believed to be Vietnamese. Per Dave Lassalle, Sean Koessel, and Steven Adair, researchers at the firm, OceanLotus developed rapidly over the summer. When it comes to the sheer size of this campaign, the trio of researchers stress that OceanLotus may be second only to Turla, a Russian-speaking APT that has existed for over 10 years.
360 SkyEye Labs, a research team at Qihoo 360, first identified the APT back in 2015. Researchers with FireEye published a report about the group in May and warned that OceanLotus' campaign of choice at the time was phishing emails with weaponized attachments. Once opened, the attachments, usually ActiveMime format files containing OLE files, tricked users into enabling macros to further the infection.
“While actors from China, Iran, Russia, and North Korea remain the most active cyber espionage threats tracked and responded to by FireEye, APT32 reflects a growing host of new countries that have adopted this dynamic capability,” Nick Carr, FireEye's Senior Manager of Security Consulting and Incident Response, said at the time. “APT32 demonstrates how accessible and impactful offensive capabilities can be with the proper investment and the flexibility to embrace newly-available tools and techniques.”
Where OceanLotus has excelled with this current campaign is tricking victims via social engineering, namely conning Google users into giving up their Gmail credentials.
Similar to the massive Google Docs phishing scam carried out last May, OceanLotus attackers have been utilizing custom Google app popups that look real but actually redirect to an OAuth page. Once prompted, the victim is tricked into authorizing access to their Gmail account, which of course grants the attacker access to the user's email and contacts.
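The OAuth consent trick described above works because the authorization page is genuine; what gives the lure away is the combination of an unfamiliar app (client ID) asking for broad mail and contact scopes. The following is an added example, not code from the article or from Volexity, that parses an OAuth authorization URL and reports what the app is asking for. The scope identifiers are real Google scope strings; the sample URLs, client IDs and the allowlist are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Real Google OAuth scope identifiers that grant broad access to mail or contacts.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify mail",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}


def inspect_consent_url(url, known_client_ids):
    """Summarize an OAuth authorization URL: which app asks for which scopes.

    known_client_ids is an allowlist of client IDs the organization has vetted
    (an assumption of this example; maintain it from your own app inventory).
    """
    parsed = urlparse(url)
    params = parse_qs(parsed.query)          # decodes %xx and '+' for us
    scopes = params.get("scope", [""])[0].split()
    client_id = params.get("client_id", [""])[0]
    redirect = params.get("redirect_uri", [""])[0]
    sensitive = [s for s in scopes if s in SENSITIVE_SCOPES]
    return {
        "auth_host": parsed.netloc,
        "client_id": client_id,
        "client_known": client_id in known_client_ids,
        "redirect_host": urlparse(redirect).netloc,
        "sensitive_scopes": sensitive,
        "sensitive_meaning": [SENSITIVE_SCOPES[s] for s in sensitive],
        # Unknown app plus mail/contacts access is the consent-phishing shape.
        "risky": bool(sensitive) and client_id not in known_client_ids,
    }


# Constructed sample: an unvetted app requesting full mail plus contacts access.
PHISHY_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=CONSTRUCTED-UNKNOWN-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)

# Constructed sample: a vetted app asking only for sign-in identity.
BENIGN_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=CONSTRUCTED-VETTED-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fintranet.example.invalid%2Fcb"
    "&response_type=code&scope=openid+email"
)

KNOWN_CLIENT_IDS = {"CONSTRUCTED-VETTED-ID.apps.googleusercontent.com"}

if __name__ == "__main__":
    for u in (PHISHY_URL, BENIGN_URL):
        print(inspect_consent_url(u, KNOWN_CLIENT_IDS))
```

The check is deliberately narrow: it does not decide whether the hosting page is fake, only what the consent would hand over. That is the same question a user should ask on the real Google consent screen before clicking Allow, and the same fields (client ID, scopes, redirect host) an administrator can review in the Google Workspace token audit after the fact.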
Attackers behind the group are reportedly also spreading malware via phony but realistic-looking Internet Explorer, Chrome, and Firefox updates, and via legitimate-looking Amazon S3 buckets. Other domains used to dupe users include sites designed to look like the services AddThis, Disqus, Akamai, Cloudflare, and Facebook.
While social engineering has been the group’s favorite attack vector, it hasn’t been the only one. Some organizations the firm has been following have been hit by spear phishing campaigns designed to install backdoors on systems.
Researchers posit that once attackers phish away credentials, they're used to infiltrate these organizations’ websites. In other instances, the attackers simply exploit vulnerabilities in a site's CMS, plugins or core components. Once in, the attackers add PHP webshells and modify files already on infected sites' webservers in order to maintain persistence.
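Both persistence techniques the researchers describe, dropping new PHP webshells and editing files that were already on the webserver, show up as changes against a known-good copy of the site. The following is an added example, not code from the article or from Volexity, of a minimal file-integrity check: hash every file of a clean deployment, re-hash later, and report added, modified and removed files, then run a short pattern check over the changed PHP files. The web root, file contents and the pattern list are constructed for the example; a real deployment would store the baseline off-host and tune the patterns to its own code base.

```python
import hashlib
import os
import re
import tempfile

# Starter list of constructs often seen in PHP webshells (assumption: tune for your site).
WEBSHELL_PATTERNS = [
    re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    re.compile(rb"\b(system|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST)"),
    re.compile(rb"preg_replace\s*\(.*/e['\"]"),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (path relative to root) to its SHA-256.

    Run this on a known-good deployment and keep the result off the webserver.
    """
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare_to_baseline(root, baseline):
    """Return (added, modified, removed) file lists relative to the baseline."""
    current = build_baseline(root)
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return added, modified, removed


def looks_like_webshell(path):
    """Cheap triage for changed files: does the content match a known shell construct?"""
    with open(path, "rb") as f:
        data = f.read()
    return any(p.search(data) for p in WEBSHELL_PATTERNS)


def demo():
    """Constructed web root: baseline it, simulate tampering, and report the findings."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "plugins"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "wp-content", "plugins", "seo.php"), "w") as f:
        f.write("<?php // legitimate plugin ?>\n")
    baseline = build_baseline(root)

    # Simulated tampering: a dropped file with an obfuscated eval, and an edited core file
    # that now includes it (the two persistence moves the article describes).
    with open(os.path.join(root, "wp-content", "plugins", "cache.php"), "w") as f:
        f.write('<?php eval(base64_decode("...")); ?>\n')
    with open(os.path.join(root, "index.php"), "a") as f:
        f.write("<?php include 'wp-content/plugins/cache.php'; ?>\n")

    added, modified, removed = compare_to_baseline(root, baseline)
    flagged = [p for p in added + modified if looks_like_webshell(os.path.join(root, p))]
    return {"added": added, "modified": modified, "removed": removed, "flagged": flagged}


if __name__ == "__main__":
    print(demo())
```

The integrity diff is the part that catches an edited, otherwise innocuous-looking file such as the modified index.php here; the pattern check only helps prioritize. Files with no legitimate reason to change between releases should have no entries in added or modified at all.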
Compromised websites then become part of the APT's infrastructure and are used to launch further attacks. OceanLotus attackers use a JavaScript framework to fingerprint each site visitor, which helps them track, profile, and target potential victims.
The firm warns that attacks are ongoing and says domains leveraged by the campaign should be blocked or sinkholed to thwart future attacks. Web admins who haven't already are also urged to deploy Google's two-factor authentication to prevent password compromises.
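Blocking or sinkholing the campaign's domains, as the firm recommends, is usually done at the resolver, and the same list can be replayed over past DNS query logs to find hosts that already resolved them. The following is an added example, not code from the article or from Volexity, that matches query names against a blocklist (including subdomains), scans BIND-style query log lines for hits, and emits BIND response-policy-zone (RPZ) records that redirect the blocked names to a sinkhole address. The domains, log lines and sinkhole IP are constructed placeholders; the article does not list the real domains.

```python
import ipaddress
import re


def normalize(domain):
    """Lower-case and strip the trailing dot so 'Foo.Example.' matches 'foo.example'."""
    return domain.strip().rstrip(".").lower()


def is_blocked(qname, blocklist):
    """Return the blocklist entry that qname equals or falls under, else None."""
    name = normalize(qname)
    for blocked in blocklist:
        if name == blocked or name.endswith("." + blocked):
            return blocked
    return None


def rpz_records(blocklist, sinkhole_ip):
    """Emit RPZ records sending each blocked domain and its subdomains to the sinkhole."""
    ipaddress.ip_address(sinkhole_ip)  # raises if not a valid address
    lines = []
    for d in sorted(blocklist):
        lines.append(f"{d} IN A {sinkhole_ip}")
        lines.append(f"*.{d} IN A {sinkhole_ip}")
    return lines


# Matches BIND 9 query-log lines; tolerant of the optional '@0x...' client handle.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-f.:]+)#\d+ .*?"
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def scan_query_log(lines, blocklist):
    """Return (client_ip, queried_name, matched_entry) for every blocked lookup."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        matched = is_blocked(m.group("qname"), blocklist)
        if matched:
            hits.append((m.group("client"), normalize(m.group("qname")), matched))
    return hits


# Constructed blocklist and sinkhole (placeholders, not the campaign's real infrastructure).
BLOCKLIST = {"fake-update.invalid", "phony-cdn.invalid"}
SINKHOLE_IP = "10.0.0.250"

# Constructed BIND-style query log lines.
SAMPLE_LOG = [
    "06-Nov-2017 10:00:01.100 client 10.0.0.5#51234 (www.example.org): query: www.example.org IN A + (10.0.0.1)",
    "06-Nov-2017 10:00:02.200 client 10.0.0.7#40000 (cdn.fake-update.invalid): query: cdn.fake-update.invalid IN A + (10.0.0.1)",
    "06-Nov-2017 10:00:03.300 client @0x7f3c1c0 10.0.0.9#40001 (fake-update.invalid): query: fake-update.invalid IN AAAA + (10.0.0.1)",
    "06-Nov-2017 10:00:04.400 client 10.0.0.5#51235 (notfake-update.invalid): query: notfake-update.invalid IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    for hit in scan_query_log(SAMPLE_LOG, BLOCKLIST):
        print("blocked lookup:", hit)
    print("\n".join(rpz_records(BLOCKLIST, SINKHOLE_IP)))
```

The suffix match is done with a leading dot so that notfake-update.invalid is not treated as a subdomain of fake-update.invalid. Hosts that appear in the hit list before the block went in are the ones worth examining for the fake browser updates and backdoors described earlier.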