China state-backed threat actor compromises digital certificate authority
Such breaches might provide attackers the ability to publish valid code-signing certificates, which could then be used to sign malware
A Chinese state-backed threat group tracked as Billbug compromised a digital certificate authority as well as several government and defense entities located in multiple countries in Asia, according to a Symantec investigation.
Billbug is an advanced persistent threat (APT) actor also variously known by the names Lotus Blossom and Thrip. It primarily targets entities in the United States and Southeast Asia.
The group is thought to have been operational since at least 2009.
According to Symantec, the successful breach of the unnamed certificate authority might have major repercussions as these entities are trusted by operating systems and browsers to validate the identities of those responsible for a certain server or app.
These kinds of breaches might provide attackers the ability to publish valid code-signing certificates, which could then be used to sign malware in order to evade detection.
Intercepting HTTPS traffic may also be accomplished via the use of compromised certificates.
"The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines," Symantec researchers said in their post.
As per an analysis of the most recent wave of attacks, the first access by hackers was probably gained by taking advantage of internet-facing apps, and to achieve its operational objectives, a mix of custom and living-off-the-land tools were then used.
The most recent activity seems to be motivated by data theft and espionage, although Symantec could not find any evidence that the attackers were able to compromise digital certificates.
The certificate authority has been informed of the malicious activity, which researchers believe has been going on since at least March 2022.
According to the researchers, in earlier campaigns, the use of legitimate software like PsExec, PowerShell, Mimikatz, WinSCP, and LogMeIn made it possible for hacking activities to blend in with routine operations in compromised systems.
Additionally, the cybercriminals made use of a bespoke info stealer called Catchamas as well as backdoors known as Hannotog and Sagerunex.
Billbug returned with Hannotog and Sagerunex in the more current campaign aimed against the certificate authority and other entities, although it also employed a variety of new, reliable tools, including AdFind, Winmail, WinRAR, Ping, Tracert, Route, NBTscan, Certutil, and Port Scanner.
The Hannotog backdoor has the ability to modify firewall settings, launch a service for persistence, terminate current processes, upload encrypted data, gather system data, and download files to the system.
The Sagerunex backdoor, which communicates with the command and control (C&C) server through a variety of channels, provides commands that list running proxies, execute programmes, steal or drop files, and get configurable file paths.
Symantec says the ability of this actor to infect several victims at once shows that the group remains a skilled and resourceful operator capable of launching long-lasting operations.
"Billbug also appears to be undeterred by the possibility of having this activity attributed to it, with it reusing tools that have been linked to the group in the past," it added.