Course Final Project on OceanLotus by Lino Lazarous Marino Ija
1. University of Maryland, College Park
Cybersecurity For Everyone
COURSE FINAL PROJECT
ON OCEANLOTUS
By Lino Lazarous Marino Ija
2. OceanLotus
OceanLotus, also known as APT32, is a threat actor group based in Vietnam that has been active
since 2014. The group has compromised various industries, including manufacturing, network
security, technology infrastructure, banking, media, and consumer products. Its signature malware
payloads include WINDSHIELD, KOMPROGO, SOUNDBITE, and PHOREAL.
11/2/2023
Course Final Project By Lino Lazarous Marino Ija
3. The skill level and resources available to OceanLotus
OceanLotus actors target peripheral network security and technology infrastructure corporations,
as well as political demonstrators and foreign officials, to obtain confidential information.
OceanLotus has a high skill level and access to substantial resources.
OceanLotus has recently started using a new backdoor, which sideloads into a legitimate
Symantec DLL file. They leverage ActiveMime files that employ social engineering methods to
entice the victim into enabling macros.
4. The motivations of OceanLotus
OceanLotus is motivated by two main themes:
To disturb the Vietnamese private sector.
To strengthen the finances of Vietnam.
They use various tactics, such as persistent malware, spear-phishing, and social engineering
techniques, to carry out their attacks. OceanLotus utilizes specific tradecraft, tactics, and
processes to act on these motivations. They also utilize the Lockheed Martin Kill Chain.
5. The specific geo-political context OceanLotus are operating in
OceanLotus carries out intrusions into private sector companies across multiple industries
and has also targeted foreign governments, dissidents, and journalists.
OceanLotus actors designed multilingual lure documents that were tailored to specific
victims. These files were likely created by exporting Word documents into single-file web pages.
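The ActiveMime lure files and the Word documents exported as single-file web pages described above are both MHTML containers, so a defender can triage them with the same check. The following is an added example (not part of this project or of any vendor's tooling): it parses a constructed MHTML sample, flags any part whose decoded body starts with the ActiveMime signature, and notes "enable content" lure text in the HTML. The sample document, its MIME boundary and the editdata.mso location are constructed for illustration.

```python
"""Triage heuristic for MHTML lure documents carrying ActiveMime parts."""
import base64
import email
import re
from email import policy

# Constructed sample (not a real captured lure): a minimal MHTML container of
# the kind Word produces when a document is saved as a single-file web page.
# The application/x-mso part holds a base64 blob starting with "ActiveMime".
ACTIVEMIME_BLOB = base64.b64encode(b"ActiveMime" + b"\x00" * 22).decode()
SAMPLE_MHT = (
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/related; boundary="----=_NextPart_01"\r\n'
    "\r\n"
    "------=_NextPart_01\r\n"
    'Content-Type: text/html; charset="us-ascii"\r\n'
    "\r\n"
    "<html><body><p>Please click Enable Content to view the document.</p>"
    "</body></html>\r\n"
    "------=_NextPart_01\r\n"
    "Content-Location: file:///C:/doc_files/editdata.mso\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-Type: application/x-mso\r\n"
    "\r\n"
    f"{ACTIVEMIME_BLOB}\r\n"
    "------=_NextPart_01--\r\n"
)

LURE_TEXT = re.compile(rb"enable\s+(content|macros|editing)", re.IGNORECASE)


def triage_mht(data: str) -> dict:
    """Walk every MIME part; flag ActiveMime blobs and macro-enabling lure text."""
    msg = email.message_from_string(data, policy=policy.default)
    findings = {"activemime_parts": [], "macro_lure_text": False}
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64/quoted-printable so we inspect raw bytes
        body = part.get_payload(decode=True) or b""
        if body.startswith(b"ActiveMime"):
            findings["activemime_parts"].append(
                str(part.get("Content-Location", "<no location>")))
        if part.get_content_type() == "text/html" and LURE_TEXT.search(body):
            findings["macro_lure_text"] = True
    # An ActiveMime part is the strong signal; lure text alone is only context.
    findings["suspicious"] = bool(findings["activemime_parts"])
    return findings
```

A benign single-file web page saved from Word without macros will not carry an ActiveMime part, so the check separates macro-bearing lures from ordinary exports.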
6. The hacking process for OceanLotus
The cyber kill chain is a series of steps that trace the stages of a cyberattack, from the early
reconnaissance stages to the exfiltration of data; it helps us understand and combat
ransomware, security breaches, and advanced persistent attacks.
Lockheed Martin derived the kill chain framework from a military model originally
established to identify, prepare to attack, engage, and destroy the target.
7. The hacking process for OceanLotus Continuation…
o Reconnaissance
OceanLotus observes the target from the outside in, to identify targets and tactics for the attack.
o Intrusion
Based on what OceanLotus discovered in the reconnaissance phase, they are able to get into
the target systems, often by leveraging malware or security vulnerabilities.
8. The hacking process for OceanLotus Continuation…
o Exploitation
The act of exploiting vulnerabilities and delivering malicious code onto the system in order to
gain a better foothold.
o Privilege Escalation
OceanLotus often needs more privileges on a system to access more data and permissions;
for this, they escalate their privileges, often to an administrator account.
9. The hacking process for OceanLotus Continuation…
o Lateral Movement
Once OceanLotus is in the system, they can move laterally to other systems and accounts in
order to gain more leverage: that is, higher permissions, more data, or greater access to systems.
o Obfuscation / Anti-forensics
OceanLotus needs to cover their tracks in order to successfully pull off a cyberattack, and in
this stage they often lay false trails, tamper with data, and clear logs to confuse investigators.
10. The hacking process for OceanLotus Continuation…
o Denial of Service
OceanLotus disrupts normal access for users and systems in order to stop the attack from
being monitored, tracked, or blocked.
o Exfiltration
This is where OceanLotus gets data out of the compromised system.
11. The range of efforts used by OceanLotus
Since 2014, OceanLotus has been involved in a great many attacks; we look at some of them
below:
June 2017: A new OceanLotus variant is distributed via a ZIP file, likely sent as an
attachment in an email. The majority of victims are located in Vietnam. Apple has already
issued an update to protect systems running Mac OS X from this threat. (Palo Alto
Networks)
12. The range of efforts used by OceanLotus Continuation…
In 2020, Bloomberg reported that OceanLotus had targeted China’s Ministry of Emergency
Management and the Wuhan municipal government in order to obtain information about
the COVID-19 pandemic.
In 2020, Kaspersky researchers disclosed that OceanLotus had been using the Google Play
Store to distribute malware.
13. The range of efforts used by OceanLotus Continuation…
In February 2021, Amnesty International reported that OceanLotus had launched a number
of spyware attacks against Vietnamese human rights activists, including Bui Thanh Hieu.
Volexity has identified a number of new attacks being carried out by the Vietnamese threat
actor OceanLotus, which has been targeting Vietnamese-language news websites and
Facebook pages in 2020.
14. Case studies of attacks OceanLotus were involved in
Over the years, OceanLotus has carried out intrusions into private sector companies across
multiple industries and has also targeted foreign governments, dissidents, and journalists.
In 2020, Bloomberg reported that OceanLotus had targeted China’s Ministry of Emergency
Management and the Wuhan municipal government in order to obtain information about
the COVID-19 pandemic. The Vietnamese Ministry of Foreign Affairs called the
accusations unfounded.
15. Case studies of attacks OceanLotus were involved in Continuation…
In 2020, Kaspersky researchers disclosed that OceanLotus had been using the Google Play
Store to distribute malware.
In November 2020 Volexity researchers disclosed that OceanLotus had set up fake news
websites and Facebook pages to both engage in web profiling and distribute malware.
In February 2021, Amnesty International reported that OceanLotus had launched a number
of spyware attacks against Vietnamese human rights activists, including Bui Thanh Hieu.
16. Case studies of attacks OceanLotus were involved in Continuation…
Volexity has identified a number of attacks carried out by the Vietnamese threat actor
OceanLotus, which targeted Vietnamese-language news websites and Facebook pages in 2020.
The secondary effect is directly on the IT system: for example, as reported by FireEye,
OceanLotus carries out intrusions into private sector companies across multiple industries
and has also targeted foreign governments, dissidents, and journalists.
17. Primary, secondary and second order effects where OceanLotus were
involved in
The secondary effects: OceanLotus gains access to all the details of Vietnamese human rights
activists, including their staff.
The last category is second order effects. Volexity identified multiple Vietnamese-language news
websites that appeared to be compromised, as they were being used to load an OceanLotus
web profiling framework. The exact functionality varied from site to site, but the goal of these
frameworks was to gather information about site visitors and, in some cases, deliver malware.
18. Characteristics of OceanLotus as private and public concern for policy
makers and response for policy makers
Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are
carrying out intrusions into private sector companies across multiple industries and have also
targeted foreign governments, dissidents, and journalists.
They can be classified as both a private and a public concern. OceanLotus leverages a unique
suite of fully-featured malware, in conjunction with commercially available tools, to conduct
targeted operations that are aligned with Vietnamese state interests.
19. Characteristics of OceanLotus as private and public concern for policy
makers and response for policy makers Continuation…
OceanLotus aims at two objectives:
To disturb the Vietnamese private sector.
To strengthen the finances of Vietnam.
Policy makers should create laws and make good use of them, because sometimes the
laws are there but they are not followed.