OceanLotus: New Watering Hole Attack in Southeast Asia (Nov 20, 2018)

Researchers from ESET recently discovered a new watering hole campaign conducted by the Advanced Persistent Threat (APT) group “OceanLotus” (also known as APT32 and APT-C-00). The campaign has been observed targeting sites in Southeast Asia, particularly Cambodian and Vietnamese sites. At least 21 sites have been compromised, including sites for the Ministry of Defense of Cambodia, the Ministry of Foreign Affairs, the International Cooperation of Cambodia, as well as Vietnamese newspapers and blogs. Each compromised website contains a small snippet of JavaScript, either in the index page or in a JavaScript file hosted on the same server, that loads a second script hosted by the APT group; that second script begins the process that eventually fingerprints the visiting user. Interestingly, the malicious JavaScript only runs if the visitor is located in Vietnam or Cambodia, which suggests that those two countries are the intended targets. To evade detection, the malicious script is obfuscated to hinder static analysis, and its URL typosquats a legitimate JavaScript library already used by the site. The script varies for every compromised website, and each compromised website loads it from a different domain and URI. At the time of this article’s publication it is unclear what the final payload being dropped is.
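As an added detection example (not from the ESET research or the original article), the following Python audit flags `<script>` tags on a saved copy of a page that load from hosts outside an allowlist or whose file name is a near-miss of a library the site is known to use, the two traits of the injected loader described above. The sample HTML, host names and library list are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Library names the site legitimately uses (assumption for this example).
KNOWN_LIBS = ["jquery", "bootstrap", "modernizr", "angular", "react"]

# Constructed sample page: two legitimate jQuery includes and one injected
# third-party script whose file name mimics jQuery on an unapproved host.
SAMPLE_HTML = """
<html><head>
<script src="/assets/js/jquery-3.3.1.min.js"></script>
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
</head><body>
<script src="https://cdn.static-assets.test/jqery.min.js"></script>
</body></html>
"""

SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)

def script_sources(html):
    """Return every src attribute found on <script> tags, in page order."""
    return SRC_RE.findall(html)

def library_stem(src):
    """'https://h/x/jquery-3.3.1.min.js' -> 'jquery': drop path, .min.js, version."""
    name = urlparse(src).path.rsplit("/", 1)[-1].lower()
    name = re.sub(r"(\.min)?\.js$", "", name)
    return re.sub(r"[-_.]v?\d[\d.]*$", "", name)

def lookalike_library(src, threshold=0.8):
    """Known library this file name imitates, or None (exact matches are not lookalikes)."""
    stem = library_stem(src)
    best = max(KNOWN_LIBS, key=lambda lib: SequenceMatcher(None, stem, lib).ratio())
    ratio = SequenceMatcher(None, stem, best).ratio()
    return best if stem != best and ratio >= threshold else None

def audit_scripts(html, allowed_hosts):
    """List (src, reasons) for scripts from hosts off the allowlist or with lookalike names."""
    findings = []
    for src in script_sources(html):
        host = urlparse(src).hostname  # None for same-origin relative paths
        reasons = []
        if host is not None and host not in allowed_hosts:
            reasons.append("external host not on allowlist: " + host)
        mimic = lookalike_library(src)
        if mimic:
            reasons.append("file name imitates " + mimic)
        if reasons:
            findings.append((src, reasons))
    return findings
```

Running `audit_scripts(SAMPLE_HTML, {"code.jquery.com"})` reports only the third include, for both reasons; the same check can be run over every JavaScript file on the server since the loader may be appended there rather than to the index page.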

Recommendation: This story represents potential threats and attacks that can arise based on current geopolitical developments. Therefore, awareness of tension between countries and governments can potentially grant some insight as to where attacks may originate. Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. It is crucial that server software is kept up-to-date with the most current versions and that all external-facing assets are carefully monitored and scanned for unusual activity and vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.