On November 6, 2017, cybersecurity company Volexity released a blog post highlighting an espionage campaign targeting ASEAN nations via compromised websites and typosquatting infrastructure. The campaign is believed to be linked to the OceanLotus Group, also known as APT 32, which has carried out targeted attacks against foreign governments, private companies, and journalists and dissidents—potentially on behalf of Vietnam. Because the group used compromised web infrastructure as its avenue of attack, RiskIQ’s global network of web crawlers yielded data that gave greater context around the campaign by shedding light on its scope and scale, including more than 140 compromised parent websites.
This data, which can be found in RiskIQ Community Edition, added several new layers to the investigation below.
Examining the associations between the infrastructure identified by Volexity and RiskIQ’s web crawling data available in RiskIQ Community Edition, we can surface connections that indicate that the campaign has been active since at least February of 2016. Investigating this malicious infrastructure for redirection sequences, links, and dependent requests in RiskIQ’s Host Pair data shows that the malicious domain ad[.]adthis[.]org has a script association to danchimviet[.]info, an online Vietnamese newspaper first seen by RiskIQ on February 1, 2016:
Fig-1 Host Pair data showing connection to a Vietnamese Newspaper
Additionally, another script association between the malicious domain api[.]querycore[.]com and the National Rescue Party of Cambodia, one of two major political parties with a platform focused on human rights and democracy, can be first seen in our data set on February 5, 2016:
Fig-2 Host Pairs data showing another connection to the National Rescue Party of Cambodia on Feb. 5
Both of these websites match the targeting profile laid out in the Volexity report, i.e., consistent with Vietnam state interests.
Using the RiskIQ PassiveTotal Maltego transforms, we are quickly able to identify more than 140 compromised parent websites redirecting to the malicious infrastructure outlined in the Volexity report. The Maltego chart below visualizes the full extent of this infrastructure:
Fig-3 A visual of the threat infrastructure in Maltego
At the center of this infrastructure is a single domain, health-ray-id.com, which appears to connect all of the current active malicious infrastructure. As you can see by clicking on the Host Pairs tab in RiskIQ Community, these domains are connected to the domain in question via an XMLHttpRequest.
Fig-4 Host Pairs data showing the extent of the connections to “health-ray-id.com”
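The pivot described above (walking parent-to-child host pairs backwards from the domains named in the Volexity report, spotting the hub that many compromised sites talk to, and dating the earliest association) can be reproduced over any host-pair export. The following is an added example, not RiskIQ or PassiveTotal code; the records are constructed to mirror the shape of the associations the post describes, and every hostname other than danchimviet.info, ad.adthis.org, api.querycore.com and health-ray-id.com is a placeholder (the Cambodian party's domain is not given on the page, so it appears as example-party.org).

```python
"""Host-pair pivoting over constructed crawl data (added example, not RiskIQ code)."""
from collections import defaultdict

# Constructed host-pair observations: (parent, child, cause, first_seen).
# Placeholder hosts use example / .example names; dates are illustrative.
HOST_PAIRS = [
    ("danchimviet.info", "ad.adthis.org", "script", "2016-02-01"),
    ("example-party.org", "api.querycore.com", "script", "2016-02-05"),
    ("blog-a.example", "health-ray-id.com", "xmlhttprequest", "2017-10-02"),
    ("news-b.example", "health-ray-id.com", "xmlhttprequest", "2017-10-03"),
    ("gov-c.example", "health-ray-id.com", "xmlhttprequest", "2017-10-04"),
    ("health-ray-id.com", "ad.adthis.org", "redirect", "2017-10-02"),
    ("health-ray-id.com", "api.querycore.com", "redirect", "2017-10-03"),
    ("cdn-d.example", "cdnjs.cloudflare.com", "script", "2017-10-04"),  # benign association
]

# Seed indicators: the two malicious domains named in the Volexity report.
KNOWN_BAD = {"ad.adthis.org", "api.querycore.com"}


def build_graph(pairs):
    """Index pairs by parent (outgoing) and by child (incoming)."""
    out, inc = defaultdict(set), defaultdict(set)
    for parent, child, cause, _ in pairs:
        out[parent].add((child, cause))
        inc[child].add((parent, cause))
    return out, inc


def fan_in(pairs):
    """Number of distinct parents observed talking to each child host."""
    _, inc = build_graph(pairs)
    return {child: len({p for p, _ in parents}) for child, parents in inc.items()}


def attacker_infrastructure(pairs, seeds, min_parents=2):
    """Seeds plus any relay host that forwards to known infrastructure and is
    itself contacted by several parents (the 'hub' pattern of health-ray-id.com).
    Single-parent hosts that point at infrastructure are treated as victims, not relays."""
    out, inc = build_graph(pairs)
    infra = set(seeds)
    while True:
        new = {
            host for host, edges in out.items()
            if host not in infra
            and any(child in infra for child, _ in edges)
            and len({p for p, _ in inc.get(host, ())}) >= min_parents
        }
        if not new:
            return infra
        infra |= new


def compromised_parents(pairs, infra):
    """Sites outside the attacker set that load or redirect into it."""
    out, _ = build_graph(pairs)
    return sorted(
        host for host, edges in out.items()
        if host not in infra and any(child in infra for child, _ in edges)
    )


def earliest_sighting(pairs, infra):
    """First date any parent was seen associating with attacker infrastructure."""
    dates = [d for _, child, _, d in pairs if child in infra]
    return min(dates) if dates else None


if __name__ == "__main__":
    infra = attacker_infrastructure(HOST_PAIRS, KNOWN_BAD)
    print("infrastructure:", sorted(infra))
    print("compromised parents:", compromised_parents(HOST_PAIRS, infra))
    print("campaign active since:", earliest_sighting(HOST_PAIRS, infra))
```

The hub test (a host that relays to known-bad domains and has at least `min_parents` distinct parents) is what separates an intermediary like health-ray-id.com from a compromised news site that merely includes a malicious script; tune the threshold to the size of the export, since with only a handful of records a victim with two observed crawls could cross it.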
Looking at the sequence data as observed in RiskIQ’s web crawler, we can see the associations between the compromised website, the above domain, and the additional OceanLotus Infrastructure:
Fig-5 RiskIQ’s crawl shows the connection
In the above sequence, we can see that the compromised site reaches out to malicious URL hxxps://health-ray-id[.]com/robot.txt, which then drops a cookie that appears to imitate a legitimate Cloudflare service header (CF-Ray):
Fig-6 The cookie dropped by the malicious URL
This process is similar to the tactics outlined in the Volexity report, which noted three other cookie names being used, “___APISID”, “___APISID2”, and “SAPIS_ID”, but it shows a deeper level of detail in the operations, suggesting the actors may be evolving their techniques.
Fig-7 A pivot on a cookie mentioned in the Volexity report
Pivoting on the cookie name cloudflare-ray-uuid, we see that RiskIQ has observed this cookie associated with 274 domains and IP addresses in our cookie database. Filtering out the IP address associations, we find 99 instances where this cookie has been associated with a domain:
Fig-8 Pivoting on the cookie found by RiskIQ
As the Maltego chart below shows, RiskIQ was able to identify 78 unique domains with this cookie association, all connected to the health-ray-id domain.
Fig-9 Domains associated with the cookie
A quick review of the 78 domains associated with this cookie shows a mix of Asia Pacific-based blogs, news organizations, and government websites, which, again, appear to map to the targeting profile laid out by Volexity.
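The cookie pivot above reduces to three counts: every host a cookie name has been observed on, the subset that are domains rather than IP addresses, and the unique domains among those. The following is an added example, not RiskIQ code; the observations are constructed, all hosts except health-ray-id.com are placeholders (the IP addresses are documentation ranges), and the cookie names come from the post and the Volexity report. The last function goes slightly beyond the text by also listing other cookie names seen on the same hosts, which is how a hunter links a newly found cookie back to the names already reported.

```python
"""Cookie-name pivoting over constructed observations (added example, not RiskIQ code)."""
import ipaddress

# Constructed records: (cookie_name, host, first_seen). Hosts other than
# health-ray-id.com are placeholders; IPs are from the TEST-NET documentation ranges.
COOKIE_OBS = [
    ("cloudflare-ray-uuid", "health-ray-id.com", "2017-10-02"),
    ("cloudflare-ray-uuid", "203.0.113.10", "2017-10-02"),
    ("cloudflare-ray-uuid", "blog-a.example", "2017-10-02"),
    ("cloudflare-ray-uuid", "blog-a.example", "2017-10-09"),  # same domain re-observed
    ("cloudflare-ray-uuid", "news-b.example", "2017-10-03"),
    ("cloudflare-ray-uuid", "198.51.100.7", "2017-10-04"),
    ("cloudflare-ray-uuid", "gov-c.example", "2017-10-04"),
    ("___APISID", "news-b.example", "2017-06-01"),  # cookie name from the Volexity report
    ("sessionid", "shop-e.example", "2017-10-04"),  # unrelated cookie, should not match
]


def is_ip(host):
    """True for IPv4/IPv6 literals, so they can be filtered out of a domain pivot."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def pivot_cookie(obs, name):
    """Return (total associations, domain associations, unique domains) for a cookie
    name: the three figures the post reports as 274, 99 and 78 for cloudflare-ray-uuid."""
    hits = [host for cookie, host, _ in obs if cookie == name]
    domain_hits = [host for host in hits if not is_ip(host)]
    return len(hits), len(domain_hits), sorted(set(domain_hits))


def cookies_sharing_hosts(obs, name):
    """Other cookie names observed on hosts that also carry `name`."""
    hosts = {host for cookie, host, _ in obs if cookie == name}
    return sorted({cookie for cookie, host, _ in obs if host in hosts and cookie != name})


if __name__ == "__main__":
    total, on_domains, domains = pivot_cookie(COOKIE_OBS, "cloudflare-ray-uuid")
    print(f"{total} associations, {on_domains} on domains, {len(domains)} unique:")
    for d in domains:
        print("  ", d)
    print("co-occurring cookie names:", cookies_sharing_hosts(COOKIE_OBS, "cloudflare-ray-uuid"))
```

Treat the unique-domain list as a candidate set to review, as the post does, rather than as a verdict: a cookie name is only a pivot, and the review step (is the site a regional blog, newspaper or government portal that fits the targeting profile, and does it also show a host-pair association to the hub domain) is what turns a match into a finding.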
As tension rises in ASEAN, its members often turn to sponsoring cyber attacks that disrupt and spy on their neighbors. At the same time, many of these countries have poor cybersecurity practices and levels of awareness, both in the public and private sectors, that make their government and business organizations extremely susceptible to hacking groups like OceanLotus, which uses automation to launch sophisticated attacks cheaply by rotating and reusing undetected infrastructure.
However, defenders with access to internet data collected by web crawlers can detect unknown threats at the source and track how they change and spread. Correlating threat data extracted from a broad set of data sources across channels reveals the risk posed to an organization by a single piece of infrastructure—and how it’s used within a broader context. As the above analysis shows, RiskIQ’s crawling infrastructure, indexed web data sets, and analyst-focused analysis platform allow organizations to quickly and effectively identify the scale of these strategic compromises and provide visibility that improves an organization’s ability to defend its network.
To understand the full scope of this attack campaign and continue the investigation, check out the PassiveTotal public project.
Interested in crawling specific parts of the Internet with RiskIQ technology? Now you can task our virtual users to work for you at scale. RiskIQ offers URL crawling through our Security Intelligence Services (SIS), so you can capture the same kind of data we used in this post. For more information and a quote, contact us today.