Asia Cyber Summaries

10 Mar 2023 | Asia Cyber Summary

In the spotlight this week:

  • Commonwealth Bank of Australia’s Indonesian Arm Hit by Cyber Attack
  • Sharp Panda Using New Soul Framework Version to Target Southeast Asian Governments
  • Lazarus Group Exploits Zero-Day Vulnerability to Hack South Korean Financial Entity
  • Iranian Hackers Target Women Involved in Human Rights and Middle East Politics
  • Acer Confirms Breach After 160GB of Data for Sale on Hacking Forum

Commonwealth Bank of Australia’s Indonesian Arm Hit by Cyber Attack

The Indonesian subsidiary of Commonwealth Bank of Australia, PT Bank, said that it has been hit by a cyber incident involving unauthorised access to a web-based software application used for project management. The company has clarified that the bank's Australian systems were segregated from PTBC systems and that the unit's services will operate as usual. At least eight businesses in Australia have reported recent cyberattacks; the biggest of these is health insurer Medibank Private, followed by local Singapore Telecommunications subsidiary Optus.

Sharp Panda Using New Soul Framework Version to Target Southeast Asian Governments

Since late last year, a Chinese threat actor known as Sharp Panda has been conducting a cyber espionage campaign against prominent government organisations in Southeast Asia. According to cyber security researchers, the long-running campaigns have historically singled out countries such as Vietnam, Thailand, and Indonesia. Sharp Panda was first documented by the researchers in June 2021, and is described as a "highly-organised operation that placed significant effort into remaining under the radar". In their latest campaigns the threat actors have been observed to employ a new version of the Soul modular framework which downloads and decrypts data for credential harvesting.

Lazarus Group Exploits Zero-Day Vulnerability to Hack South Korean Financial Entity

The North Korea-linked Lazarus Group has been observed weaponizing flaws in undisclosed software to breach a financial business entity in South Korea twice within the span of a year. The first attack in May 2022 entailed the use of a vulnerable version of certificate software that's widely used by public institutions and universities; the re-infiltration in October 2022 involved the exploitation of a zero-day in the same programme. Cyber security researchers are refraining from divulging specific details related to the vulnerability pending its verification and the release of a software patch.

Iranian Hackers Target Women Involved in Human Rights and Middle East Politics

Iranian state-sponsored actors are continuing to run social engineering campaigns against researchers, impersonating a U.S. think tank to target women who are actively involved in Middle Eastern political affairs and human rights. The campaign's activity has been attributed to a group tracked as Cobalt Illusion, also known as APT35, Charming Kitten, ITG18, Phosphorus, TA453, and Yellow Garuda.

Over the years, there has been plenty of evidence that the threat actor has targeted academics, activists, diplomats, journalists, politicians, and researchers.

The group is suspected of operating on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC) and has exhibited a pattern of using fake personas to establish contact with individuals who are of strategic interest to the government.

Acer Confirms Breach After 160GB of Data for Sale on Hacking Forum

Taiwanese computer giant Acer confirmed that it suffered a data breach after threat actors hacked a server hosting private documents used by repair technicians. The company asserts that the findings of its preliminary investigation do not suggest that this security incident has affected customer data. The confirmation of the incident was announced after a threat actor claimed to be selling 160GB of stolen data from Acer, containing technical manuals, software tools, backend infrastructure details, product model documentation for phones, tablets, and laptops, BIOS images, ROM files, ISO files, and replacement digital product keys (RDPK) in mid-February 2023.
