
Software supply chain attack hits the Vietnamese government certification authority

Cybersecurity researchers today revealed a new attack on the Vietnam Government Certification Authority (VGCA), which compromised the agency's digital signature toolkit and installed backdoors on victims' systems.

Slovak internet security company ESET discovered the "SignSight" attack earlier this month. It involved modifying software installers hosted on the CA's website ("ca.gov.vn") to insert a backdoor known as PhantomNet or Smanager.

According to ESET telemetry, the compromise took place between 23 July and 16 August 2020 and involved two tampered installers, "gca01-client-v2-x32-8.3.msi" and "gca01-client-v2-x64-8.3.msi" (for 32-bit and 64-bit Windows systems respectively).

After ESET reported the attack to VGCA, the certification authority confirmed that "they were aware of the attack before we notified them and had notified the users who downloaded the trojanized software."

Matthieu Faou of ESET said: "For the community, compromising the certification authority's website is a good opportunity, because visitors are likely to place a high level of trust in the national organization responsible for digital signatures."

Government Certification Authority of Viet Nam
The digital signature tool, issued under the authority of the Vietnamese Government Password Committee, is part of an electronic authentication program that government departments and private companies use to digitally sign documents with USB tokens (also known as PKI tokens) that hold the signing keys. The driver shipped in these installers is required for the tokens to work.

As a result, the only way for a user to get infected is to manually download and run the trojanized installer hosted on the compromised website.

Once installed, the modified software starts the genuine GCA program to hide the tampering, and then runs the PhantomNet backdoor disguised as a seemingly harmless file named "eToken.exe".

The backdoor (last compiled on 26 April) is responsible for collecting system information and retrieving plug-ins from hard-coded command-and-control servers (e.g., "vgca.homeunix[.]org" and "office365.blogdns[.]com"), whose names mimic VGCA and popular productivity software, in order to deploy further malicious functionality.
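The two command-and-control domains above are the only network indicators the article gives, and the practical defender's question is whether any host on the network has resolved them. The script below is an added example, not code from ESET or from the article: it keeps the indicators defanged as they appear in the write-up, re-fangs them for matching, and scans DNS query logs for exact matches and subdomains. The log format and the sample log lines are constructed for this example; adapt the regular expression to whatever resolver or sensor format you actually have.

```python
"""
Added example (not from the ESET report or the article): scan DNS query logs
for the SignSight command-and-control domains named in the write-up,
vgca.homeunix[.]org and office365.blogdns[.]com.
The log format and the sample log are constructed for this example.
"""
import re
from typing import Dict, Iterable, List

# Indicators copied from the article, kept defanged so the list is safe to share.
SIGNSIGHT_C2_DEFANGED = [
    "vgca.homeunix[.]org",
    "office365.blogdns[.]com",
]


def refang(indicator: str) -> str:
    """Turn 'a.b[.]c' back into 'a.b.c' (lower-cased, no trailing dot) for matching."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


C2_DOMAINS = {refang(d) for d in SIGNSIGHT_C2_DEFANGED}

# Assumed (constructed) log format: "<iso-timestamp> <client-ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def is_c2_query(qname: str) -> bool:
    """True if the queried name is a C2 domain or a subdomain of one.

    Comparing on label boundaries ("." + domain) avoids false positives such
    as 'notoffice365.blogdns.com' matching on a plain suffix test.
    """
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def find_c2_queries(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed fields of every log line whose query name hits the C2 list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting the scan
        if is_c2_query(m.group("qname")):
            hits.append(m.groupdict())
    return hits


# Constructed sample: timestamps fall inside the compromise window the article gives.
SAMPLE_LOG = """\
2020-08-01T09:12:01Z 10.0.5.23 A ca.gov.vn.
2020-08-01T09:12:44Z 10.0.5.23 A vgca.homeunix.org.
2020-08-01T09:13:10Z 10.0.5.40 A office365.com.
2020-08-01T09:13:12Z 10.0.5.40 A OFFICE365.blogdns.com.
2020-08-01T09:14:00Z 10.0.5.23 A cdn.office365.blogdns.com.
"""

if __name__ == "__main__":
    for hit in find_c2_queries(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['client']} queried {hit['qname']}")
```

Note that the legitimate "office365.com" lookup is not flagged: the match is anchored on the full registered C2 name, not on the "office365" label the attackers borrowed, which is exactly the lookalike trick the article describes.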

In addition to Vietnam, ESET said it had also seen victims in the Philippines, though the delivery mechanism there is still unknown. The attackers' ultimate goal also remains unclear, as little or no information is available about post-compromise activity.

If anything, this incident highlights why supply chain attacks are increasingly becoming a common vector for cyberespionage groups: they allow malware to be deployed covertly on many computers at the same time.

In November, ESET disclosed a Lazarus attack in South Korea that used legitimate security software and stolen digital certificates to distribute remote access tools (RATs) on target systems.

Then last week, it found that Able Desktop, a chat application used by 430 government agencies in Mongolia, had been abused to deliver the HyperBro backdoor, the Korplug RAT and another trojan named Tmanger.

Finally, the attack on the SolarWinds Orion software discovered this week compromised several major U.S. government agencies, including the Department of Homeland Security, the Commerce Department, the Treasury Department and state governments.

"Supply chain attacks are often difficult to detect because the malicious code is hidden among a large amount of legitimate code, which makes it harder to discover," Faou concludes.