On November 6, 2017, cyber security company Volexity released a blog post highlighting an espionage campaign targeting ASEAN nations via compromised websites and typosquatting infrastructure. The campaign is believed to be linked to the OceanLotus Group, also known as APT 32, which has carried out targeted attacks against foreign governments, private companies, and journalists and dissidents—potentially on behalf of Vietnam. Because the group used compromised web infrastructure as its avenue of attack, RiskIQ’s global network of web crawlers yielded data that gave greater context around its campaign by shedding light on its scope and scale, including more than 140 compromised parent websites.
This data, which can be found in RiskIQ Community Edition, added several new layers to the investigation below.
Examining the associations between the infrastructure identified by Volexity and RiskIQ’s web crawling data available in RiskIQ Community Edition, we can surface connections that indicate that the campaign has been active since at least February of 2016. Investigating this malicious infrastructure for redirection sequences, links, and dependent requests in RiskIQ’s Host Pair data shows that the malicious domain ad[.]adthis[.]org has a script association to danchimviet[.]info, an online Vietnamese newspaper first seen by RiskIQ on February 1, 2016:
Fig-1 Host Pair data showing connection to a Vietnamese Newspaper
Additionally, another script association between the malicious domain api[.]querycore[.]com and the National Rescue Party of Cambodia, one of two major political parties with a platform focused on human rights and democracy, can be first seen in our data set on February 5, 2016:
Fig-2 Host Pairs data showing another connection to the National Rescue Party of Cambodia on Feb. 5
Both of these websites match the targeting profile laid out in the Volexity report, i.e., consistent with Vietnam state interests.
Using the RiskIQ PassiveTotal Maltego transforms, we are quickly able to identify more than 140 compromised parent websites redirecting to the malicious infrastructure outlined in the Volexity report. The below Maltego chart visualizes the full extent of this infrastructure:
Fig-3 A visual of the threat infrastructure in Maltego
At the center of this infrastructure is a single domain, health-ray-id.com, which appears to connect all of the current active malicious infrastructure. As you can see by clicking on the Host Pairs tab in RiskIQ Community, these domains are connected to the domain in question via an XMLHttpRequest.
Fig-4 Host Pairs data showing the extent of the connections to “health-ray-id.com”
Looking at the sequence data as observed in RiskIQ’s web crawler, we can see the associations between the compromised website, the above domain, and the additional OceanLotus Infrastructure:
Fig-5 RiskIQ’s crawl shows the connection
In the above sequence, we can see that the compromised site reaches out to malicious URL hxxps://health-ray-id[.]com/robot.txt, which then drops a cookie that appears to imitate a legitimate Cloudflare service header (CF-Ray):
Fig-6 The cookie dropped by the malicious URL
This process is similar to the tactics outlined in the Volexity report, in which they noted three other cookie names being used, “___APISID”, “___APISID2”, and “SAPIS_ID”, but shows a deeper level of detail in the operations, suggesting the actors may be evolving their techniques.
Fig-7 A pivot on a cookie mentioned in the Volexity report
Pivoting on the cookie name cloudflare-ray-uuid, we see that RiskIQ has observed this cookie associated with 274 domains and IP addresses in our cookie database. Filtering out the IP address associations, we find 99 instances where this cookie has been associated with a domain:
Fig-8 Pivoting on the cookie found by RiskIQ
As the Maltego chart below shows, RiskIQ was able to identify 78 unique domains with this cookie association, all connected to the health-ray-id domain.
Fig-9 Domains associated with the cookie
A quick review of the 78 domains associated with this cookie shows a mix of Asia Pacific-based blogs, news organizations, and government websites, which, again, appear to map to the targeting profile laid out by Volexity.
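The two pivots walked through above (ranking child hosts by how many distinct parent sites load them via XMLHttpRequest, and pivoting on a cookie name while filtering out IP-only associations) as a small Python example. This is added here and is not RiskIQ's code or the PassiveTotal API; the host-pair and cookie records are constructed, and the parent sites are placeholders, not real victims.

```python
import ipaddress
from collections import defaultdict

def refang(indicator):
    """Restore a defanged indicator (hxxps://health-ray-id[.]com -> https://health-ray-id.com)."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def is_ip(host):
    """True when the observed host is a bare IP address rather than a domain."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def pivot_cookie(observations, cookie_name):
    """Domains seen setting cookie_name, with IP-only associations filtered out."""
    return sorted({h for name, h in observations if name == cookie_name and not is_ip(h)})

def hub_domains(host_pairs, cause="xmlhttprequest"):
    """Child hosts ranked by how many distinct parent sites load them via `cause`;
    a child reached from many unrelated parents is the hub to investigate first."""
    parents = defaultdict(set)
    for parent, child, c in host_pairs:
        if c == cause:
            parents[child].add(parent)
    return sorted(parents.items(), key=lambda kv: (-len(kv[1]), kv[0]))

# Constructed sample records in (parent, child, cause) form. The hub domain is the
# one named in the post; the parent sites are placeholders, not real victims.
HOST_PAIRS = [
    ("news.example.org", "health-ray-id.com", "xmlhttprequest"),
    ("party.example.net", "health-ray-id.com", "xmlhttprequest"),
    ("blog.example.com", "health-ray-id.com", "xmlhttprequest"),
    ("news.example.org", "cdn.example.net", "script"),
]
# Constructed (cookie_name, host) observations; one is an IP-only association.
COOKIE_OBS = [
    ("cloudflare-ray-uuid", "news.example.org"),
    ("cloudflare-ray-uuid", "party.example.net"),
    ("cloudflare-ray-uuid", "203.0.113.7"),
    ("__cfduid", "blog.example.com"),
]

if __name__ == "__main__":
    hub, sources = hub_domains(HOST_PAIRS)[0]
    print(f"hub: {hub} loaded via XMLHttpRequest from {len(sources)} sites")
    print("cookie pivot:", pivot_cookie(COOKIE_OBS, "cloudflare-ray-uuid"))
```

On real crawl data the same ranking surfaces a domain like health-ray-id.com as the common child of otherwise unrelated sites, which is the signal to pivot on next.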
As tension rises in ASEAN, its members often turn to sponsoring cyber attacks that disrupt and spy on their neighbors. At the same time, many of these countries have poor cybersecurity practices and levels of awareness, both in the public and private sectors, that make their government and business organizations extremely susceptible to hacking groups like OceanLotus, which uses automation to launch sophisticated attacks cheaply by rotating and reusing undetected infrastructure.
However, defenders with access to internet data collected by web crawlers can detect unknown threats at the source and track how they change and spread. Correlating threat data extracted from a broad set of data sources across channels reveals the risk posed to an organization by a single piece of infrastructure, and how that infrastructure is used within a broader context. As the above analysis shows, RiskIQ’s crawling infrastructure, indexed web data sets, and analyst-focused analysis platform allow organizations to quickly and effectively identify the scale of these strategic compromises and provide visibility that improves an organization’s ability to defend its network.
To understand the full scope of this attack campaign and continue the investigation, check out the PassiveTotal public project.