Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs (Sep 2, 2019)
Volexity analysts have identified approximately “11 Uyghur and East Turkistan related websites that have been compromised and leveraged for surveillance and exploitation.” Researchers note that while this number is smaller than the extensive surveillance campaign conducted by the Chinese Advanced Persistent Threat (APT) group “OceanLotus” in 2018, these 11 sites have been compromised specifically for malicious use. At least two Chinese APT groups, one tracked as “Evil Eye” and the other unnamed (or not attributed), are using the compromised websites to target Android users. The websites were found to contain malicious code that uses an exploit to download an executable file; that executable steals device information and sends it back to the actors via an HTTP POST request.
Recommendation: Volexity analysts believe that this campaign is associated with similar activity reported by Google Threat Analysis Group researchers in late August. In that campaign, threat actors likewise used compromised websites to deliver malicious code that exploited iOS devices and then stole information from them; five unique exploit chains were identified in total. Any device connected to the internet is a potential security liability. Your company should have application policies in place for all devices and work machines to prevent the installation of potentially malicious applications.