Cybersecurity experts discovered a new supply chain attack against a certification authority organization in Vietnam.
Supply chain attacks seem to be all the rage among cybercriminal gangs recently.
As revealed in an ESET report dubbed ‘Operation SignSight,’ attackers compromised the website of the Vietnam Government Certification Authority (VGCA) (i.e., ca.gov.vn). The site was likely compromised from at least July 23rd to August 16th of 2020.
Furthermore, ESET found that two of the MSI installers downloaded from the compromised website had been modified to include the PhantomNet or SManager malware.
“We believe that the website has not been delivering compromised software installers as of the end of August 2020 and ESET telemetry data does not indicate the compromised installers being distributed anywhere else. The Vietnam Government Certification Authority confirmed that they were aware of the attack before our notification and that they notified the users who downloaded the trojanized software,” ESET wrote in the blog post.
According to ESET, the supply chain attack drops a malicious DLL file, ‘Smanager_ssl.DLL’, which is the PhantomNet backdoor.
“This backdoor is quite simple and most of the malicious capabilities are likely deployed through additional plugins. It can retrieve the victim’s proxy configuration and use it to reach out to the command and control (C&C) server,” ESET explains.
PhantomNet communicates with its C&C servers over HTTPS and uses certificate pinning to avoid man-in-the-middle attacks on that traffic.
In conclusion, these types of supply chain attacks will likely continue to be a common threat vector for cyberespionage groups to compromise their victims.
Other supply chain attacks
- SolarWinds releases updated advisory on SUPERNOVA malware
- Solorigate malware behind the SolarWinds attack
- Cybersecurity experts reveal growing list of SolarWinds 2nd stage attack victims
- CISA: Threat actors behind SolarWinds hack pose ‘grave risk’ (updated)
- Global active exploits against SolarWinds via Sunburst backdoor
- DHS warns businesses of risks using Chinese tech and data services
- Operation ShadowHammer hijacks ASUS Live Update to install backdoor
- CCleaner application backdoor