APT32 Targets Vietnamese Non-profit Organization in Multi-Year Cyberattack

0
163
APT32 Targets Vietnamese Non-profit Organization in Multi-Year Cyberattack
APT32 Targets Vietnamese Non-profit Organization in Multi-Year Cyberattack

A non-profit organization that protects human rights in Vietnam has been the subject of an ongoing attempt to install malware on susceptible hosts.

An ongoing effort to install malware on vulnerable hosts has targeted a nonprofit organization that defends human rights in Vietnam. The activity was traced back to a threat cluster identified by cybersecurity company Huntress as APT32. APT32 is a Vietnamese-aligned hacking group that is also known by the names APT-C-00, Canvas Cyclone (previously Bismuth), Cobalt Kitty, and OceanLotus. It’s estimated that the intrusion has been going on for at least four years. Security experts Craig Sweeney and Jai Minton noted that “this intrusion has a number of overlaps with known techniques used by the threat actor APT32/OceanLotus and a known target demographic that aligns with APT32/OceanLotus targets.”

With the ultimate purpose of cyber espionage and intellectual property theft, OceanLotus, which has been active since at least 2012, has a history of targeting government and corporate networks in East Asian nations, especially Vietnam, the Philippines, Laos, and Cambodia. Attack chains usually employ spear-phishing lures as the first penetration vector in order to distribute backdoors that have the ability to execute any shellcode and gather private data. Nevertheless, as early as 2018, the gang was seen planning watering hole attacks in an attempt to either collect users’ credentials or infect the non-profit with a reconnaissance payload.

Huntress recently put together a series of attacks that involved four hosts, each of which had been compromised to add different scheduled tasks and Windows Registry keys that trigger Cobalt Strike Beacons, a backdoor that allows Google Chrome cookies for every user profile on the system to be stolen, and loaders that trigger embedded DLL payloads. The news comes as a result of an ongoing campaign aimed at South Korean customers that most likely uses spear-phishing and weak Microsoft Exchange servers to spread reverse shells, backdoors, and VNC malware that takes over compromised computers and retrieves credentials from web browsers.

Also readDORA (Digital Operational Resilience Act) Batch 2 Changes and Expectations from BFSI sector

Do FollowCIO News LinkedIn Account | CIO News Facebook | CIO News Youtube | CIO News Twitter 

About us:

CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK.

CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.