46. There Are No Bugs, Just Happy Little Exploits
Here are a few highlights from each article we discussed:
- OceanLotus, aka APT32, has been around since 2014 and is thought to be based out of the Vietnam region. Their primary targets have been the private sector, foreign governments and news media outlets, often exclusively in Southeast Asian countries. We’ve seen them in the wild targeting all OS platforms and using a broad range of techniques to do so, ranging from watering hole attacks to sophisticated steganography for backdoor loading.
- The researchers at Doctor Web initially discovered a trojanized Android application masquerading as an OpenGL update APK that was published to the Google Play store back in 2019. That initial research gave way to work by Kaspersky’s security researchers, who uncovered a long-term attack campaign titled PhantomLance. PhantomLance infrastructure was initially created around 2015, with weaponizations of the infrastructure found in malware samples going back to 2016.
- Kaspersky and Cylance researchers found code reuse patterns and techniques in several malware samples that matched previous samples associated with OceanLotus. So, with high confidence, they attributed this long-running campaign to OceanLotus.
- Despite there being multiple versions of malware, they are all functionally similar in that they are traditional spyware. The API calls made by the malware are all spyware focused, accessing SMS messages, call logs, contact history and your geolocation. In addition, the malware also allowed download/exec of additional malware after a foothold was established.
- Based on previous OceanLotus campaigns involving Windows and macOS malware, combined with the code similarities and targeted region for attacks of those and the PhantomLance campaign, Kaspersky’s team was able to tie everything together for attribution. The criteria for the attribution came down to code reuse patterns, code similarities, reuse of C2 domains and other infrastructure overlaps.
- This was not necessarily a targeted attack, given how broad the initial access was through Trojanizing an Android application in Google Play; however, we can see a narrow victim scope, with the attackers’ motivations centered on victims located in the Southeast Asian region.
- The Remote Desktop Protocol, or what used to be called Terminal Services, is a proprietary protocol from Microsoft for interacting with a desktop graphically over the Internet. Other common services are VNC, the proprietary LogMeIn and other remote clients.
- There are a number of prebuilt tools out there. I’ve used one, crowbar, before; it is bundled in Kali Linux, and there are probably dozens of others. It just keeps trying username and password combinations in hopes that you will get one right. That’s how brute force attacks go down. In this case we have a renewed interest by attackers in remote protocols with everyone working from home, as they are assuming a lot of people are using more remote protocols and there are likely more services exposed, whether that is VPN, RDP, VNC or otherwise.
- So RDP has a history of bad, bad bugs that allow for full access. This year already we have seen two RCEs for RDP. I would argue that any corporation doing this needs to have people connect securely over a VPN before they RDP to any device inside their network. I don’t really advocate for RDP anyways as these days if you are providing a remote desktop for someone just use Amazon Workspaces or a similar product. There is just no reason a desktop needs to be sitting exposed as an entry point to your network unless your IR team isn’t busy and needs some work to do.
- VNC, which stands for Virtual Network Computing, is another graphical desktop-sharing protocol. Again, I wouldn’t recommend it either: even though it has had a better vulnerability track record, there just isn’t any reason for people to be exposing themselves that way without first having users connect over a VPN to some more secure network.
- I have read different reports on whether or not there has been an uptick in exposed RDP servers. Some say no increase, but Shodan claimed there was an increase. I think there likely are a few more, but that what has really changed is everyone has remote work on their mind including attackers. They probably just started looking around more under the assumption that there would be more of these RDP machines online to support the remote workforce.
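A defender's view of the brute-force pattern described in the RDP items above, as an added example that is not from the podcast or the articles it discusses: it flags a source address whose failed logons exceed a threshold inside a sliding window and records any success that follows. The records are constructed, and the field names, threshold and window are assumptions; the event IDs and logon types are those of the Windows Security log.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security log: 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive (RDP); 3 = Network (RDP with NLA enabled).
FAILED, SUCCESS = 4625, 4624
RDP_LOGON_TYPES = {3, 10}

def ev(ts, event_id, logon_type, ip, user):
    """Build one record; the field names are assumptions for this example."""
    return {"time": datetime.fromisoformat(ts), "id": event_id,
            "type": logon_type, "ip": ip, "user": user}

# Constructed sample data (documentation IP ranges, made-up accounts).
SAMPLE_EVENTS = [
    ev("2020-01-01T09:00:00", FAILED, 10, "198.51.100.7", "jsmith"),   # typo
    ev("2020-01-01T09:10:00", FAILED, 10, "198.51.100.7", "jsmith"),
    ev("2020-01-01T09:10:30", SUCCESS, 10, "198.51.100.7", "jsmith"),
    ev("2020-01-01T10:00:00", FAILED, 2, "-", "jsmith"),               # console
] + [
    ev(f"2020-01-01T11:00:{s:02d}", FAILED, 3, "203.0.113.50", user)
    for s, user in enumerate(
        ["admin", "administrator", "test", "backup", "scan", "guest"])
] + [ev("2020-01-01T11:00:30", SUCCESS, 3, "203.0.113.50", "backup")]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: alert} for IPs reaching `threshold` failed
    RDP-type logons within `window`; note a later success from that IP."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    tried = defaultdict(set)      # ip -> every account name attempted
    alerts = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["type"] not in RDP_LOGON_TYPES:
            continue              # local console, service logons, etc.
        ip = e["ip"]
        if e["id"] == FAILED:
            q = recent[ip]
            q.append(e["time"])
            tried[ip].add(e["user"])
            while e["time"] - q[0] > window:
                q.popleft()       # drop failures older than the window
            if len(q) >= threshold:
                a = alerts.setdefault(
                    ip, {"peak": 0, "users": tried[ip], "success_as": None})
                a["peak"] = max(a["peak"], len(q))
        elif e["id"] == SUCCESS and ip in alerts:
            alerts[ip]["success_as"] = e["user"]   # likely compromise
    return alerts

if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, alert)
```

A success recorded in `success_as` after a flagged burst is the case to escalate first, since it suggests a guessed credential rather than noise.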
Two Truths and a Lie
Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one of us will come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.
You’ll have to tune in to find out!
This Week’s Hoodie/Goodie Scale
The PhantomLance Menace
[Chad]: 7/10 Hoodies
[Tarik]: 7/10 Hoodies
I Can RDP Believe My Eyes
[Chad]: 3/10 Hoodies
[Tarik]: 5/10 Hoodies
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!