1(630)802-8605 Ravi.das@bn-inc.net

Well, yesterday, we started an international theme examining the Cyber security issues that are prevalent in Vietnam today. To recap, the government there recently passed some legislation as to what can be posted on the Internet, placing severe limits on the freedom of speech of the Vietnamese people. Today, we go further up and now look at China. So what exactly is happening here?

Apparently, Cybersecurity researchers have discovered an espionage-related attack that targeted a national data center of an unnamed central Asian country in order to conduct watering hole attacks. It is strongly suspected that the hackers are of Chinese origin and perhaps have launched their attacks from China as well. The Cyber attacking group is known specifically as “Lucky Mouse”, but it has gone by other names that include Iron Tiger, EmissaryPanda, APT 27 and Threat Group-3390.

This is the same group that was discovered targeting Asian countries with Bitcoin mining malware earlier this year. It is also believed that this same group has been active since the beginning of 2010, and that it has been behind many of the previous Cyber attacks against United States based defense companies (such as Boeing).
The end result of this was that a massive amount of data was stolen, as well as a lot of money. Whether this money has actually been recovered is still yet to be determined, or it has not been publicly released.

These Cyber researchers determined that “Lucky Mouse” injected malicious JavaScript code into various Chinese government based websites associated with the data center so that these watering hole attacks could be launched.
The main attack vehicle of choice has been the Microsoft Office vulnerability (CVE-2017-11882). But there is no solid proof yet that this is being used in these recent attacks.

It is widely believed that the main goal of this attack on the Chinese based data centers was to compromise and gain access to the accounts of the employees who work there. The malware used in this attack is called “HyperBro”.
It is widely believed to be a Remote Access Trojan (RAT), meaning the Cyber attacker can remotely manipulate the malware in order to get what they want, or to cause whatever destruction they want as well.

After HyperBro was spread, visitors to the Chinese government website were redirected either to the Browser Exploitation Framework or to ScanBox. Both of the organizations to whom these websites belong conduct Penetration Testing and Keylogging exercises, respectively. Interestingly enough, the server used in this Cyber attack was of Ukrainian origin.

It was also believed by the team of Cyber researchers that this server was specifically selected by “Lucky Mouse” so that the malware could avoid detection when it was launched. Finally, it was concluded that their primary goal was to gain as much secret information and data as possible in “one fell swoop”.

My thoughts on this? Well, being the naïve me, at first when I read the term “watering hole”, I literally thought that it was that – a place where water was collected for later irrigation and other forms of agricultural purposes. So, in my efforts to clear up this confusion, I Googled it and found out that it is a form of a Phishing attack.

The exact definition of it is as follows:

“A watering hole attack is a malware attack in which the attacker observes the websites often visited by a victim or a particular group, and infects those sites with malware. A watering hole attack has the potential to infect the members of the targeted victim group. Although uncommon, a watering hole attack does pose a significant threat to websites, as these attacks are difficult to diagnose.”
(SOURCE: https://www.techopedia.com/definition/31858/watering-hole-attack)

Aha, as much as I have written about Phishing attacks, this one is a rare one. Thus, I have never heard of it before!! Duh!! It seems that there are all kinds of new terms and phrases coming out for all of the variants of Phishing schemes. This one will be added to my list for sure now.

Although it is not heavily used, this type of attack can carry some deadly arsenal with it. For example, you just never know who is watching what websites you frequent, and you just never know when that piece of malicious code could be injected and spread onto your computer. Normally in the past I have written that in order to avoid a Phishing attack, be careful of the websites that you visit.

But, here is the contradiction. Wouldn’t you think that the websites that you visit the most would be safe and secure, after all? Such as your banking website or your favorite news channel website? Well, this is what the Cyber attacker is preying upon – one of our greatest human weaknesses is that of trust.

After all, we are trusting that these websites will have already fortified their levels of security, and the Cyber attacker is playing on that level of trust and manipulating it to their full advantage.

So again, what is one to do? Make sure that your favorite websites are at least encrypted (you can tell this if it has “HTTPS” in the URL bar – the S stands for “Secure”). If there are still any doubts, then contact the organization to which the website belongs. Ask them about the levels of security that have been implemented.

Also, if you see anything suspicious that is occurring on your computer, especially your web browser, then contact that organization as well immediately and let them know what is going on. And of course, take your computer to the nearest Geek Squad to have it further examined.

Remember, you should not be afraid to ask for this kind of information – after all, it is your personal data that is at risk, and only you can protect it. But remember, don’t let fear get in the way of your Internet enjoyment either.