A Chinese cyber espionage group has been using a fake news site to infect government and energy industry targets in Australia, Malaysia and Europe with malware, according to a blog posted online Tuesday by Proofpoint and PwC Threat Intelligence.
The group is known by several names, including APT40, Leviathan, TA423 and Red Ladon. Four of its members were indicted by the U.S. Department of Justice in 2021 for hacking a number of companies, universities and governments in the United States and worldwide between 2011 and 2018.
APT40 members indicted by United States Department of Justice in 2021 / Image Credit: FBI
The group is using its fake Australian news site to infect visitors with the ScanBox exploitation framework. “ScanBox is a reconnaissance and exploitation framework deployed by the attacker to harvest several types of information, such as the target’s public-facing IP address, the type of web browser used and its configuration,” explained Proofpoint Vice President for Threat Research and Detection Sherrod DeGrippo.
“This serves as a setup for the stages of information gathering that follow and potential follow-on exploitation or compromise, where malware could be deployed to gain persistence on the victim’s systems and allow the attacker to perform espionage activities,” she told TechNewsWorld.
“It creates an impression of the victim’s network that the actors then study and decide the best route to take to achieve further compromise,” she said.
“Watering Hole” attacks that use ScanBox appeal to hackers because the point of compromise isn’t within a victim’s organization, added John Bambenek, a principle threat hunter at Netenrich, a San Jose, Calif.-based IT and digital security operations company.
“So, there is difficulty detecting that information is being discretely stolen,” he told TechNewsWorld.
According to the Proofpoint/PwC blog, the TA423 campaign primarily targeted local and federal Australian government agencies, Australian news media companies, and global heavy industry manufacturers which conduct maintenance of fleets of wind turbines in the South China Sea.
It noted that phishing emails for the campaign were sent from Gmail and Outlook email addresses, which Proofpoint believes with “moderate confidence” were created by the attackers.
Subject lines in the phishing emails included “Sick Leave,” “User Research,” and “Request Cooperation.”
The threat actors would frequently pose as an employee of the fictional media publication “Australian Morning News,” the blog explained, and provide a URL to their malicious domain, soliciting targets to view their website or share research content that the website would publish.
If a target clicked the URL, they’d be sent to the fake news site and be served up, without their knowledge, the ScanBox malware. To give their bogus website credibility, the adversaries posted content from legitimate news sites, such as the BBC and Sky News.
ScanBox can deliver its code in two ways: in a single block, which gives an attacker access to the malware’s full functionality immediately, or as a plug-in, modular architecture. The TA423 crew chose the plug-in method.
According to PwC, the modular route can help avoid crashes and errors that would alert a target that their system is under attack. It’s also a way to reduce the visibility of the attack to researchers.
Surge in Phishing
As these kinds of campaigns show, phishing remains the tip of the spear used to penetrate many organizations and steal their data. “Phishing sites have seen an unexpected surge in 2022,” observed Monnia Deng, director of product marketing at Bolster, a provider of automated digital risk protection, in Los Altos, Calif.
“Research has shown that this problem has skyrocketed tenfold in 2022 because this method is easy to deploy, effective and a perfect storm in a post-pandemic digital era of work,” she told TechNewsWorld.
DeGrippo maintained that phishing campaigns continue to work because threat actors are adaptive. “They use current affairs and overall social engineering techniques, many times preying off a target’s fears and sense of urgency or importance,” she said.
A recent trend among threat actors, she continued, is attempting to increase the effectiveness of their campaigns by building trust with intended victims through extended conversations with individuals or through existing conversation threads between colleagues.
Roger Grimes, a defense evangelist with KnowBe4, a security awareness training provider, in Clearwater, Fla. asserted that social-engineering attacks are particularly resistant to technical defenses.
“Try as hard as we might, so far, there have been no great technical defenses that prevent all social engineering attacks,” he told TechNewsWorld. “It’s particularly hard because social engineering attacks can come over email, phone, text message, and social media.
Even though social engineering is involved in 70% to 90% of all successful malicious cyberattacks, it’s the rare organization that spends more than 5% of its resources to mitigate it, he continued.
“It’s the number one problem, and we treat it like a small part of the problem,” he said. “It’s that fundamental disconnect that allows attackers and malware to be so successful. As long as we don’t treat it as the number one problem, it will continue to be the primary way that attackers attack us. It’s just math.”
Two Things To Remember
While TA423 used email in its phishing campaign, Grimes noted that adversaries are moving away from that approach.
“Attackers are using other avenues, such as social media, SMS text messages, and voice calls more often to do their social engineering,” he explained. “That’s because many organizations focus almost exclusively on email-based social engineering and the training and tools to fight social engineering on the other types of media channels are not at the same level of sophistication in most organizations.”
“That is why it is crucial that every organization create a personal and organizational culture of healthy skepticism,” he continued, “where everyone is taught how to recognize the signs of a social engineering attack no matter how it arrives — be it email, web, social media, SMS message or phone call — and no matter who it appears to be sent by.”
He explained that most social engineering attacks have two things in common. First, they arrive unexpectedly. The user wasn’t expecting it. Second, it’s asking the user to do something the sender — whomever they are pretending to be — has never asked the user to do before.
“It could be a legitimate request,” he continued, “but all users should be taught that any message with those two traits is at a far higher risk of being a social engineering attack, and should be verified using a trusted method, such as directly calling the person on a known good phone number.”
“If more organizations taught the two things to remember,” he said, “the online world would be a far safer place to compute.”