Published On : 2022-09-02
Threat Actor in Focus: Chinese Threat Actor Group’s Espionage Operation in the South China Sea
Suspected Threat Actors: TA423 / Red Ladon (aka APT40, Leviathan, GADOLINIUM)
- Attack Type: Phishing, Impersonation, Malware Implants, Data Exfiltration, RTF Template Injection
- Objective: Espionage, Data Theft
- Target Technology: Email, Microsoft Word, Windows
- Targeted Industry: Government, Media, Manufacturing (Heavy Industry), Energy
- Target Geography: Australia, Malaysia, Europe, Others
- Business Impact: Data Loss
Summary:
According to a new report from researchers, the China-linked threat actor group is seeking information related to the South China Sea and targeting organizations in countries across the Pacific Ocean. The espionage campaign is targeting government agencies and organizations in Australia, Malaysia, and Europe, as well as other entities operating in the South China Sea. According to researchers, the campaign is suspected to have been active in 2021, and the group has been attributed to APT40 by multiple governments.
The report focused on a reconnaissance framework known as ScanBox, which was deployed in phishing campaigns from 12 April 2022 to mid-June 2022. The primary targets of this campaign included:
- Local and federal Australian Governmental agencies
- Australian news media companies
- Global heavy industry manufacturers who conduct maintenance of fleets of wind turbines in the South China Sea
The phishing emails used a variety of subject headers such as ‘Sick Leave’, ‘User Research’, and ‘Request Cooperation’, and contained links to malicious websites controlled by TA423. When accessed, these links led victims to fake websites that delivered a ScanBox malware payload.
Insights:
- The ScanBox reconnaissance framework has been detailed in open-source reporting by other researchers. It is a JavaScript-based web reconnaissance and exploitation framework that allows attackers to profile their targets and deliver additional malware to selected targets of interest. Researchers assess that there is a high probability of ScanBox being shared privately amongst multiple Chinese threat actor groups. It has been leveraged by the following Chinese threat actor groups:
- Red Sylvan (a.k.a. APT3, Gothic Panda)
- Red Apollo (a.k.a. APT10, Stone Panda)
- Red Phoenix (a.k.a. APT27, Emissary Panda)
- TA423 / Red Ladon (a.k.a. APT40, Leviathan, GADOLINIUM)
- Red Dev 16 (a.k.a. Evil Eye, Earth Empusa, Poison Carp)
- TA413 / White Dev 9 (a.k.a. LuckyCat)
- This campaign is reported to be ongoing and has a global reach. The threat actor is targeting entities involved in strategic projects in the South China Sea. Researchers expect the intelligence gathering to continue and assess that TA423 may further penetrate Australia, Europe, and the United States.
Latest Cyber-Attacks, Incidents, and Breaches: Malicious Chrome Extensions with 1.4M Installations
- Attack Type: Malware Implants, Impersonation
- Objective: Unauthorized Access, Data Theft
- Target Technology: Google Chrome
- Target Geography: Global
- Business Impact: Potential Data Loss, Potential Financial Loss
Summary:
While investigating several malicious extensions, researchers identified five extensions with a combined total of over 1,400,000 installs. Alongside offering various legitimate functions, such as enabling users to watch Netflix shows together, website coupons, and taking screenshots, they also keep track of the user’s browsing activity: every website visited by the user is sent to the author of the extension. According to the researchers, the attacker’s intention is to insert code into e-commerce websites. This allows the threat actor to modify the cookies and receive affiliate payments if a purchase is made.
Insights:
- To avoid being detected in automated analysis, the authors of these extensions devised an interesting trick: a time check is performed before any malicious action is taken. This is achieved by checking whether the current date is more than 15 days after the time the extension was installed.
- Users should remain cautious before installing any Chrome extension. As this example shows, even extensions with a large number of installs can turn out to be malicious. Users should also carefully review and assess the permissions being requested.
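As an added illustration (not code from the report or from the extensions themselves), the delayed-activation gate described above, modelled as a hypothetical component, alongside the sandbox counter-measure it calls for: hooking Date.now so an analyst can fast-forward the clock and observe when the gate opens. The install timestamp is a plain argument here; a real extension would persist it at install time.

```javascript
// Added example: models a time-gated component and a clock-hooking probe.
const DAY_MS = 24 * 60 * 60 * 1000;

// Hypothetical reconstruction of the gate: the component does nothing until
// more than `delayDays` days have elapsed since `installedAtMs`. The counter
// stands in for whatever the gated code would do; no real behaviour is here.
function makeGatedComponent(installedAtMs, delayDays = 15) {
  let fired = 0;
  return {
    tick() {                     // a real extension would run this per page load
      if (Date.now() - installedAtMs > delayDays * DAY_MS) fired += 1;
    },
    timesFired: () => fired,
  };
}

// Sandbox helper: replace Date.now with a clock advanced by `days` from the
// real time, run `fn`, and always restore the real clock afterwards.
function withClockAdvanced(days, fn) {
  const realNow = Date.now;
  const base = realNow();
  Date.now = () => base + days * DAY_MS;
  try {
    return fn();
  } finally {
    Date.now = realNow;
  }
}

// Probe the component at increasing day offsets and return the first offset
// at which it fires, or null if it stays dormant for the whole window. A
// sandbox that only runs for minutes at real time would never reach this.
function findActivationDay(component, maxDays = 60) {
  for (let d = 0; d <= maxDays; d += 1) {
    const before = component.timesFired();
    withClockAdvanced(d, () => component.tick());
    if (component.timesFired() > before) return d;
  }
  return null;
}
```

A dynamic-analysis run that cannot manipulate the clock sees an idle extension; probing across offsets turns the delay itself into an indicator worth flagging.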
Vulnerabilities and Exploits: Researchers Disclose Details of Vulnerabilities Exploited in ICS Hacking Competition
- Attack Type: Vulnerabilities & Exploits, DoS
- Target Technology: OPC UA (Open Platform Communications Unified Architecture)
- Vulnerability: CVE-2022-29866 (CVSS score: 7.5)
- Vulnerability Type: Uncontrolled Resource Consumption
- Impact: Confidentiality (None), Integrity (None), Availability (High)
Summary:
Researchers have recently disclosed details of multiple vulnerabilities affecting the OPC UA protocol. The disclosure also covered vulnerabilities that the researchers exploited at a hacking competition earlier this year. They discovered several bugs in OPC UA and disclosed some of them at the Pwn2Own Miami 2022 competition held in April. At the event, the researchers presented two of the vulnerabilities, which can be leveraged to crash the OPC UA server. The DoS exploits target the OPC UA .NET Standard server, an open-source server used by hundreds of other repositories on GitHub, and the Unified Automation OPC UA C++ demo server. The two vulnerabilities are as follows:
- Denial of Service on the OPC UA C++ server
- Denial of Service on the OPC UA .NET server (CVE-2022-29866)
Insights:
OPC UA is a machine-to-machine communication protocol used in industrial automation to ensure interoperability between various types of ICS systems. DoS vulnerabilities of this type can be devastating, especially for ICS, since they can hamper critical operations on production lines or be used as part of kinetic attacks.