Rewterz Threat Update – Vietnam’s Financial Sector Targeted by New APT Group ‘Lotus Bane’

Severity

High

Analysis Summary

The emergence of Lotus Bane, a previously undocumented threat actor, has recently targeted a financial entity in Vietnam. Described as an advanced persistent threat group by security researchers, Lotus Bane’s tactics involve sophisticated methods such as DLL side-loading and data exchange via named pipes for lateral movement within networks. 

Despite similarities in techniques with known threat actors like OceanLotus (also known as APT32), Lotus Bane exhibits a distinct focus on the banking sector in the Asia-Pacific (APAC) region, indicating potentially broader geographical operations. The exact duration of Lotus Bane’s activity before its discovery remains unclear but ongoing investigations may reveal more insights into its history and modus operandi.

Furthermore, the financial sector across APAC, Europe, Latin America (LATAM), and North America has witnessed increased targeting by advanced persistent threat groups such as Blind Eagle. Notably, UNC1945 has been observed targeting ATM switch servers with a custom malware called CAKETAP. UNC2891 and UNC1945 were previously detailed by Google-owned Mandiant in March 2022 as having deployed the CAKETAP rootkit on Oracle Solaris systems to intercept messages from an ATM switching network and perform unauthorized cash withdrawals at different banks using fraudulent cards, noted that one variant of the kernel rootkit came with specialized features that enabled it to intercept PIN and card verification messages to use the stolen data for committing fraudulent cash withdrawals from ATM terminals.

CAKETAP intercepts and alters data transmitted between ATM servers and Hardware Security Module servers, facilitating unauthorized cash withdrawals. This underscores the sophistication and adaptability of cybercriminal tactics, posing significant challenges for financial institutions in safeguarding their networks and customer data.

The coexistence of Lotus Bane and UNC1945 in the APAC region highlights the imperative for heightened vigilance and robust cybersecurity measures within the financial industry. These threat actors with distinct tactics and targets underscore the complexity of mitigating financial cyber threats in today’s digital landscape. As such, organizations must prioritize proactive cybersecurity strategies including threat intelligence sharing network segmentation and employee training to effectively combat the evolving threat landscape and safeguard critical financial infrastructure.

Impact

• Unauthorized Access
• Financial Loss

Remediation

• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
• Maintain daily backups of all computer networks and servers.
• Keep operating systems and software up to date as banking trojans often exploit vulnerabilities in software and operating systems. Keeping these up to date can help prevent vulnerabilities from being exploited.
• Implement strong password policies: banking malware often relies on stolen login credentials to access sensitive information. Implementing strong password policies and multifactor authentication can make it more difficult for attackers to gain access.
• Provide regular security awareness training for employees that can help them recognize phishing emails and other types of social engineering attacks that are commonly used to spread banking malware.