
Vietnam’s complex supply chain attack

An unidentified group of hackers carried out a complex supply chain attack against private companies and government agencies by planting malicious code in an official government digital signature toolkit in Vietnam. Attacks of this kind have continued to grow in scope and severity, and organizations that do not handle information security properly risk losses of millions or even billions of dollars.

The security company ESET discovered the attack and described it in detail in a report called “Operation SignSight”. The target was the Vietnam Government Certification Authority (VGCA), the government agency that issues the digital certificates used to electronically sign official documents.


Any citizen, private company or even other government agency that wants to submit documents to the Vietnamese government must sign them with a digital certificate compatible with VGCA.

VGCA not only issues these digital certificates, but also provides ready-made, user-friendly “client applications” that citizens, private companies and government workers can install on their computers and automatically complete the process of signing documents.

But ESET said that at some point this year, hackers broke into the agency’s website ca.gov.vn and inserted malware into two VGCA client applications available for download on the website.

Specifically, these two files are the 32-bit (gca01-client-v2-x32-8.3.msi) and 64-bit (gca01-client-v2-x64-8.3.msi) client applications for Windows users.


According to the report, between July 23 and August 5 this year, these two files contained a backdoor Trojan named “PhantomNet”, also known as Smanager.

The researchers said that the malware is not sophisticated, but its functions include retrieving the system’s proxy settings so it can communicate through the corporate firewall, and the ability to download and run other (malicious) applications.

The security company believes that the backdoor was used mainly for reconnaissance, ahead of more sophisticated attacks on selected targets.

Earlier this month, ESET notified VGCA of the issue, although VGCA had already known about the attack before then. On the day ESET released the report, VGCA also officially acknowledged the compromise and published a tutorial guiding users on how to remove the malware from their systems.

ESET stated that it also found victims infected by the PhantomNet backdoor in the Philippines, but could not explain how these users were infected.

IOCs
