A Chinese cyber espionage group is using a fake news site to infect government and energy industry targets in Australia, Malaysia and Europe with malware, according to a blog posted online on Tuesday by Proofpoint and PwC Threat Intelligence.
The group is known by several names, including APT40, Leviathan, TA423 and Red Ladon. Four of its members were indicted by the US Department of Justice in 2021 for hacking several companies, universities and governments in the United States and around the world between 2011 and 2018.
The United States Department of Justice indicted APT40 members in 2021 / Image Credit: FBI
The group is using its fake Australian news site to infect visitors with the Scanbox exploit framework. “Scanbox is a reconnaissance and exploitation framework deployed by an attacker to collect a variety of information, such as the target’s public-facing IP address, the type of web browser used, and its configuration,” explained Sherrod DeGrippo, Proofpoint Vice President for Threat Research and Detection.
“It serves as a setup for the information gathering steps that follow and potential follow-up exploits or compromises, where malware is deployed to gain persistence on the victim’s system and allow the attacker to carry out espionage activities,” she told TechNewsWorld.
“It creates a perception of the victim’s network that the actors then study and determine the best path forward for further compromise,” she said.
“Watering hole” attacks that use Scanbox appeal to hackers because the point of compromise is not within the victim’s organization, added John Bambenek, a principal threat hunter at Netenrich, a San Jose, California-based IT and digital security operations company.
“Therefore, it is difficult to detect that information is being stolen,” he told TechNewsWorld.
Modular Attack
According to the Proofpoint/PwC blog, the TA423 campaign primarily targeted local and federal Australian government agencies, Australian news media companies and global heavy industry manufacturers, which maintain a fleet of wind turbines in the South China Sea.
It noted that the phishing emails for the campaign were sent from Gmail and Outlook email addresses, which Proofpoint assesses with moderate confidence were created by the attackers themselves.
Subject lines in phishing emails included “sick leave,” “user research,” and “request collaboration.”
The threat actors often pose as employees of the fictitious media publication “Australian Morning News,” the blog explained, and provide a URL to their malicious domain, asking targets to view their website or to share research material that the site is publishing.
If a target clicks on the URL, they are redirected to the fake news site, and Scanbox is delivered without their knowledge. To give the fake site credibility, the adversaries reposted content from legitimate news outlets such as the BBC and Sky News.
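The lure described above has traits a mail gateway or SOC triage script can key on: a sender on free webmail, one of the reported subject lines, a claim to work for a news outlet, and a link to a domain the organization does not recognize. The following Python script is an added example of scoring an inbound message on those traits; it is not code from the Proofpoint/PwC write-up. The free-mail list, the trusted-domain allowlist (`example.gov.au`), the thresholds and both sample messages are constructed assumptions; only the subject lines and the “Australian Morning News” persona come from the reporting.

```python
"""Score inbound email against the TA423-style lure traits described above.

Everything marked 'assumption' below is constructed for this example and is
not an indicator from the Proofpoint/PwC report.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: free webmail providers the report says the campaign sent from,
# plus a couple of common ones.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "live.com"}
# Subject lines named in the report (matched case-insensitively as substrings).
CAMPAIGN_SUBJECTS = ("sick leave", "user research", "request collaboration")
# Fictitious outlet the actors claimed to work for.
LURE_PERSONA = "australian morning news"
# Assumption: your own / allowlisted domains; links elsewhere count as external.
TRUSTED_LINK_DOMAINS = {"example.gov.au"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _body_text(msg: Message) -> str:
    """Return the text/plain body of a single-part or multipart message."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def _is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)


def triage(raw_email: str) -> dict:
    """Score one RFC 822 message; each matched trait adds one point."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    subject = (msg.get("Subject") or "").lower()
    body = _body_text(msg)

    findings = []
    if sender_domain in FREE_MAIL_DOMAINS:
        findings.append(f"sender uses free webmail ({sender_domain})")
    if any(s in subject for s in CAMPAIGN_SUBJECTS):
        findings.append(f"subject matches campaign lure ({subject!r})")
    if LURE_PERSONA in body.lower() and sender_domain in FREE_MAIL_DOMAINS:
        findings.append("claims to be press but writes from a free-mail account")

    external = sorted({(urlparse(u).hostname or "").lower()
                       for u in URL_RE.findall(body)
                       if not _is_trusted((urlparse(u).hostname or "").lower())})
    if external:
        findings.append("links to untrusted domain(s): " + ", ".join(external))

    score = len(findings)
    # Assumption: thresholds chosen for this example, not from the report.
    verdict = "suspicious" if score >= 3 else ("review" if score else "clean")
    return {"score": score, "verdict": verdict,
            "findings": findings, "links": external}


# Constructed sample: a message in the shape the report describes.
SAMPLE_LURE = """\
From: "Morning News Research" <research.desk.amn@gmail.com>
To: analyst@example.gov.au
Subject: request collaboration
Content-Type: text/plain; charset=utf-8

Hello,

I am a researcher with Australian Morning News. We are publishing a piece on
offshore energy and would value your input. Our draft and sources are here:
https://news-site.invalid/energy/offshore-wind

Kind regards
"""

# Constructed sample: internal mail that shares only the subject keyword.
SAMPLE_BENIGN = """\
From: HR <hr@example.gov.au>
To: analyst@example.gov.au
Subject: Sick leave policy reminder
Content-Type: text/plain; charset=utf-8

The updated policy is on the intranet: https://intranet.example.gov.au/hr/leave
"""

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, triage(sample))
```

The benign HR message still lands in “review” on the subject keyword alone, which is the point of scoring several weak traits together rather than blocking on any one of them: a subject line, a free-mail sender or an external link is individually common in legitimate mail, and it is the combination with a press persona and an unrecognized link that matches the pattern the report describes.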
Scanbox can distribute its code in one of two ways: in a single block, which gives an attacker instant access to the full functionality of the malware, or as a plug-in, modular architecture. The TA423 crew chose the plug-in method.
According to PwC, the modular route helps the attackers avoid accidents and errors that would alert a target that their system is under attack. It also reduces the visibility of the attack to researchers, since only the modules actually used are ever delivered.
Phishing Boom
As such campaigns show, phishing remains the tip of the spear used to break into many organizations and steal their data. “Phishing sites will see an unexpected increase in 2022,” said Monia Deng, director of product marketing at Bolster, a provider of automated digital risk protection in Los Altos, Calif.
“Research has shown that this problem will increase tenfold in 2022 because this method is easy, effective and a perfect storm to deploy in the post-work digital age,” she told TechNewsWorld.
DeGrippo said phishing campaigns continue to work as threat actors adapt. “They use current affairs and holistic social engineering techniques, at times hunting down target fear and a sense of urgency or importance,” she said.
A recent trend among threat actors, she continued, is attempting to increase the effectiveness of their campaigns by building trust with intended victims through extended interactions with individuals or through existing interactions between coworkers.
Roger Grimes, a defense evangelist with KnowBe4, a security awareness training provider in Clearwater, Fla., stressed that social-engineering attacks are particularly resistant to technical defenses.
“Try as much as you can, there is no great technical defense so far that prevents all social engineering attacks,” he told TechNewsWorld. “This is especially difficult because social engineering attacks can come across email, phone, text messages and social media.”
Even though social engineering is involved in 70% to 90% of all successful malicious cyber attacks, it is the rare organization that spends more than 5% of its resources to mitigate this, he continued.
“It’s the number one problem, and we treat it like a small part of the problem,” he said. “It’s the fundamental disconnect that allows attackers and malware to be so successful. Until we see this as the number one problem, it will continue to be the primary way attackers attack us. It’s just math.”
Two Things to Remember
While TA423 used email in its phishing campaign, Grimes noted that adversaries are moving away from that approach.
“Attackers are using other methods, such as social media, SMS text messages, and voice calls to do their social engineering more often,” he explained. “This is because many organizations focus almost exclusively on email-based social engineering and the training and tools to combat social engineering on other types of media channels are not at the same level of sophistication in most organizations.”
“That’s why it’s important that every organization builds an individual and organizational culture of healthy skepticism,” he added, “where everyone is taught how to recognize the signs of a social engineering attack, no matter how it comes, whether via web, social media, SMS messages or phone calls, and no matter who it appears to be sent by.”
He explained that most social engineering attacks have two things in common. First, they come unexpectedly; the user was not expecting the message. Second, the message asks the user to do something that the sender, whoever they are pretending to be, has never asked the user to do before.
“This may be a valid request,” he continued, “but all users should be taught that any message with those two traits is at very high risk of being a social engineering attack, and should be verified using a reliable method, such as calling that person directly on a known good phone number.”
“If more organizations taught these two things to remember,” he said, “the online world would be a much safer place to compute.”