<h2>Overview</h2><p>The Anomali Threat Research Team identified a credential harvesting campaign designed to steal login details from multiple government procurement services. The procurement services are used by many public and private sector organisations to match buyers and suppliers. In this campaign, attackers spoofed sites for multiple international government departments, email services and two courier services. Lure documents sent via phishing emails were found to contain links to spoof phishing sites masquerading as legitimate login pages relevant to the spoofed government agencies. Victims duped into following the phishing email link would then be invited to login. Anyone who fell victim to the adversaries would have provided them with their credentials.</p><h3>Spoofed Organisations</h3><ul><li>United States - U.S. Department of Energy</li><li>United States - U.S. Department of Commerce</li><li>United States - U.S. Department of Veteran Affairs</li><li>United States - New Jersey House and Mortgage Finance Agency</li><li>United States - Maryland Government Procurement Services</li><li>United States - Florida Department of Managed Services</li><li>United States - Department of Transport</li><li>United States - Department of Housing and Urban Development </li><li>DHL International courier service</li><li>Canada - Government eProcurement service</li><li>Mexico - Government eProcurement services</li><li>Peru - Public Procurement Centre</li><li>China - SF-Express courier service</li><li>China - Ministry of Transport</li><li>Japan - Ministry of Economy, Trade and Industry</li><li>Singapore - Ministry of Industry and Trade</li><li>Malaysia - Ministry of International Trade and Industry</li><li>Australia - Government eProcurement Portal</li><li>Sweden - Government Offices National Public Procurement Agency</li><li>Poland - Trade and Investment Agency</li><li>South Africa - Government Procurement Service</li></ul><p>At present, it is not clear who the threat actors are but it does appear to be a persistent attack. Spoofed phishing site domains are hosted in Turkey and Romania. The campaign is currently dormant.</p><h3>Target Countries</h3><p>The heatmap in Figure 1 shows that the United States was primarily targeted, with over 50 phishing sites designed to steal credentials spoofing U.S. organisations. Canada, Japan and Poland followed with 7, 6 and 6 phishing sites accordingly. The countries targeted in this campaign were:</p><table style="width: 100%;"><tbody><tr><td style="width:50%;"><ul><li>United States</li><li>China</li><li>Singapore</li><li>Sweden</li><li>South Africa</li><li>Mexico</li></ul></td><td><ul><li>Japan</li><li>Malaysia</li><li>Poland</li><li>Peru</li><li>Canada</li><li>Australia</li></ul></td></tr></tbody></table><p style="text-align: center;"><em><img alt="Country heatmap of phishing sites targeting Government procurement sites" src="https://cdn.filestackcontent.com/g8dxUszUSkq35CLhbNr5"/><br/> Figure 1. Country heatmap of phishing sites targeting Government procurement sites</em></p><h3>Target Industries</h3><p>The following industries were targeted in this campaign, Figure 2 shows the Government portals had the highest number of phishing sites dedicated to steal credentials.</p><ul><li>Government</li><li>Email services</li><li>Delivery, Postage and Transportation</li></ul><p style="text-align: center;"><em><img alt="Pie chart showing the number of spoofed organisations by industry" src="https://cdn.filestackcontent.com/XSmsVjwS1SRqNYW4RjQ2"/><br/> Figure 2. Pie chart showing the number of spoofed organisations by industry</em></p><h2>Lure Documents</h2><p>Victims targeted in this campaign were likely sent lure documents in a phishing email. The lure documents have been designed to cater for the language of the country whose government it is targeting. The exception is the South African lure document, which is written in English, however, South Africa is home to multiple languages including English. Figure 3, shows some examples of the lure documents discovered.</p><p style="text-align: center;"><em><img alt="Lure documents observed in this campaign" src="https://cdn.filestackcontent.com/T6NFMaKQcG2ObXinxH1x"/><br/> Figure 3. Lure documents observed in this campaign</em></p><p>The lure documents above contain an embedded link:</p><p style="text-align: center;"><em><img alt="Embedded link in the pdf document lure spoofing the U.S. Department of Commerce" src="https://cdn.filestackcontent.com/KZ2zLuZlS5yY4VXhPETb"/><br/> Figure 4. Embedded link in the pdf document lure spoofing the U.S. Department of Commerce</em></p><p>The link in the PDF filename ITB_USDOC.pdf above (Figure 4) has an embedded link directing victims to a phishing page hosted on the malicious domain “40-71[.]xyz”. This document was submitted to VirusTotal in the United States and in France (as part of an email but the email was not available)</p><h2>Credential Harvesting sites</h2><p>All of the sites use Domain Validation (DV) certificates issued by “cPanel, Inc”. The subdomains have similar naming conventions, targeting online credentials and containing a secure, verification, bidding or delivery theme. Figure 5, shows examples of the credential harvesting pages created by the attackers.</p><p style="text-align: center;"><em><img alt="Credential harvesting sites observed in this campaign" src="https://cdn.filestackcontent.com/e4K2J7zZQP29TApxnGqk"/></em></p><p style="text-align: center;"><em>Figure 5. Credential harvesting sites observed in this campaign</em></p><p>In the webpages there are clear emblems and labels detailing which organisation the attacker is attempting to mimic. The attackers have used legitimate domains as well as their own infrastructure. The webpage for the U.S. Department of Energy was hosted on “https://energy.gov.secure.server-bidsync[.]best/auth/login.html” and redirected from the URL: “http://energy.gov.secure.bidsync.newnepaltreks[.]com”. The redirect URL is based on a legitimate domain “newnepaltreks[.]com” which is likely to have been compromised in order to facilitate this attack. </p><h2>Threat Infrastructure</h2><p>During the investigation, 62 domains and approximately 122 phishing sites were discovered. All of the phishing sites hosted on the domains share similar naming conventions:</p><ul><li>The target domain or service written as the subdomain followed by the malicious domain or compromised server.</li><li>Authentication, bidsync, eprocurement or delivery theme</li></ul><p>The phishing sites were primarily hosted on rented infrastructure, on the following four IP addresses:</p><ul><li>31.210.96[.]221 </li><li>193.29.187[.]173</li><li>91.235.116[.]146</li><li>188.241.58[.]170</li></ul><p>The investigation into the initially identified domain “server-bidsync[.]best” identified a resource hash in the communication from the client side browser to the malicious domain. The GET request to hxxps://energy.gov.secure.server-bidsync[.]best/auth/alter.css, the style form “alter.css” was investigated and the resource hash for the CSS script cd9dcb1922df26eb999a4405b282809051a18f8aa6e68edb71d619c92ebcf82d led to 14 new domains hosting similar phishing sites. In many cases the subdomains were written exactly the same, spoofing the same organisations just hosted on different domains. Using the naming convention patterns and new domains as further pivot points led to the discovery of phishing sites targeting further government procurement services. The credential harvesting sites on the identified domains were spoofing the following organisations:</p><p style="text-align: center;"><em><img alt="Infrastructure overview for spoofed organisations" src="https://cdn.filestackcontent.com/VXRA1GvCRdqqNnCJ5bV3"/></em></p><p style="text-align: center;"><em>Figure 6. Infrastructure overview for spoofed organisations</em></p><p>The domains hosting phishing sites for this campaign on the IP address 31.210.96[.]221 were first registered on the 28th October 2019 beginning with server-bidsync[.]best. The IP address is registered in Turkey and been involved in malicious activities in the past. The most prominent of these is the domain “leastinfo[.]com” which was seen in a campaign using zero-day exploits against financial institutions in Asia, and against software used by Urdu and Arabic speakers<sup>[1]</sup>.The other three IP address are all registered in Romania. Organisations were also spoofed in phishing sites hosted on legitimate domains “newnepaltreks[.]com”, “lazapateriadematilda[.]cl” and “onsearch[.]es” that have likely been compromised.</p><h2>Conclusion</h2><p>This credential harvesting campaign has been primarily targeting government bidding and procurement services. The focus on these services suggests the threat actor(s) are interested in potential contractor(s) and/or supplier(s) for those governments targeted. The purpose of this insight could be a financial incentive to out compete a rival bidder, or more long term insight regarding the trust relationship between the potential supplier and the government in question. Campaigns like these are difficult to protect against because unless the domains hosting the phishing pages are known as malicious, an organisations firewall will not know to block it. Legitimate sites were also hosting the phishing pages, and were likely compromised as part of the campaign. At the time of writing none of the sites in this campaign were active, Anomali researchers consider it likely that the actors will continue to target these services in the future.</p><p>For more information on the phishing campaign spoofing multiple government procurement services and a list of IOCs please <a href="https://www.anomali.com/resources/whitepapers/phishing-campaign-targets-login-credentials-of-multiple-us-international-government-procurement-services">download the full report</a>.</p><h2>How Anomali Helps</h2><p>The Anomali Threat Research Team provides actionable threat intelligence that helps customers, partners, and the security community to detect and mitigate the most serious threats to their organizations. The team frequently publishes threat research in the form of white papers, blogs, and bulletins that are made available to the security community, general public, and news organizations. Intelligence and bulletins about threat actors and related Indicators of Compromise (IOCs) are integrated directly into Anomali customers’ security infrastructures to enable faster and more automated detection, blocking, and response.</p><p><a href="https://www.anomali.com/products">Click here for more information</a> on how Anomali customers gain integrated access to threat research. </p><h2>Endnotes</h2><p><sup>[1]</sup> Denis Legezo, “InPage zero-day exploit used to attack financial institutions in Asia”, Securelist Kaspersky, accessed November 10th 2019, Published November 23rd 2016, <a href="https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/" target="_blank">https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/</a></p>