According to researchers at Symantec, a Digital Certificate authority was breached by China state-backed hackers. Additionally, they also managed to breach government and defense agencies located in different countries in Asia as part of an ongoing campaign since at least March 2022.
Symantec revealed the attacks were linked to an adversarial group it tracks under the name Billbug. The hackers used Broadcom Software in earlier incidents previously attributed to this actor. While there’s been no reported data theft so far, this activity appears to be driven by government-related espionage.
Billbug, also known as Bronze Elk, Lotus Blossom, Lotus Panda, Spring Dragon, and Thrip, is an advanced persistent threat (APT) group believed to work on behalf of the Chinese government. Their primary targets are in South East Asia.
Earlier cyberattacks in 2019 are being been carried out using malware, like Hannotog and Sagerunex. These intrusions have been spotted in Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam.
Both implants transmit information back to the attacker, even if they are deploying an information-stealer known as Catchamas in some cases.
According to Symantec researchers, “The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines”… and it could potentially interfere with encrypted HTTPS traffic.”
Further added, “It could also potentially use compromised certificates to intercept HTTPS traffic.”
The cybersecurity company reported that there’s no evidence to indicate that Billbug compromised digital certificates. The concerned authority was notified of the activity, according to it.
After an analysis of recent attacks, it appears that there is a high probability that initial access was obtained following the exploitation of internet-facing applications. Sometimes both bespoke and living-off-the-land tools are used to carry out the operation.
The Remote Control System (RCS) is like a Swiss army knife for hackers because it has different utilities. Utilities such as WinRAR, Ping, Traceroute, NBTscan, and Certutil are all a part of RCS. The software also includes a backdoor capable of downloading arbitrary files, gathering system information, and uploading encrypted data.
This attack consisted of an open-source multi-hop proxy tool called Stowaway and the Sagerunex malware. These two pieces of malware were joined by a backdoor that can run arbitrary commands, drop additional payloads, and siphon files of interest.
The ability to compromise multiple victims at once indicates that this threat group remains a well-resourced operator, capable of carrying out sustained campaigns. The researchers concluded.
Billbug has shown that they are not concerned with having their hacking attributed to them. In rare cases, they have even reused tools that have been previously linked to the group.
LockBit Ransomware Gang Member Nabbed in Canada
FBI, CISA, and NSA Explain How Hackers Target Defense Industrial Base Organizations
Comm100 Chat Application Hacked to Spread Malware in Supply Chain Attack