Researchers Say China State-backed Hackers Breached a Digital Certificates Authority

by crpt os


A suspected Chinese state-sponsored actor has breached a digital certificate authority, as well as government and defense agencies in several Asian countries, as part of a campaign that has been ongoing since at least March 2022.

Symantec, by Broadcom Software, linked the attacks to an adversarial group it tracks under the name Billbug, citing the use of tools previously attributed to this actor. The activity appears to be driven by espionage and data theft, although no data is said to have been stolen to date.

Billbug, also called Bronze Elgin, Lotus Blossom, Lotus Panda, Spring Dragon, and Thrip, is an advanced persistent threat (APT) group believed to operate on behalf of Chinese interests. Its primary targets are government and military organizations in Southeast Asia.

Attacks mounted by the adversary in 2019 involved the use of backdoors like Hannotog and Sagerunex, with the intrusions observed in Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam.

Both implants are designed to give the actor persistent remote access to the victim network; in select cases the group has also deployed an information stealer known as Catchamas to exfiltrate sensitive data.

“The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines,” Symantec researchers said in a report shared with The Hacker News.

“It could also potentially use compromised certificates to intercept HTTPS traffic.”

The cybersecurity company, however, noted that there is no evidence to indicate that Billbug succeeded in compromising the digital certificates. The authority concerned, it said, has been notified of the activity.

An analysis of the latest wave of attacks indicates that initial access is likely obtained by exploiting internet-facing applications, after which the group uses a mix of bespoke and living-off-the-land tools to achieve its operational goals.

These include utilities such as WinRAR, Ping, Traceroute, NBTscan and Certutil, alongside a backdoor capable of downloading arbitrary files, gathering system information, and uploading encrypted data.

Also detected in the attacks were an open source multi-hop proxy tool called Stowaway and the Sagerunex malware, which is dropped on the machine via Hannotog. Sagerunex, for its part, is equipped to run arbitrary commands, drop additional payloads, and exfiltrate files of interest.

“The ability of this actor to compromise multiple victims at once indicates that this threat group remains a skilled and well-resourced operator that is capable of carrying out sustained and wide-ranging campaigns,” the researchers concluded.

“Billbug also appears to be undeterred by the possibility of having this activity attributed to it, with it reusing tools that have been linked to the group in the past.”
