China-Based Billbug APT Infiltrates Certificate Authority

Access to digital certificates would allow the Chinese-speaking espionage group to sign its custom malware and skate by security scanners.

The state-sponsored cyberattack group known as Billbug managed to compromise a digital certificate authority (CA) as part of an wide-ranging espionage campaign that stretched back to March — a concerning development in the advanced persistent threat (APT) playbook, researchers warn.
Digital certificates are files that are used to sign software as valid, and verify the identity of a device or user to enable encrypted connections. As such, a CA compromise could lead to a legion of stealthy follow-on attacks.
The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates, they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines, according to
a report
this week from Symantec. It could also potentially use compromised certificates to intercept HTTPS traffic.
This is potentially very dangerous, the researchers noted.
Others concur.
“Certificate authorities are one of the most important elements of maintaining security in today’s digital world, Chris Hickman, CSO at Keyfactor, tells Dark Reading. Much like a driver’s license or passport, digital certificates contain information about an individual or entity and are used to verify the authenticity of websites, devices, or organizations, ensuring an individual user that the entity that they’re communicating with online can be trusted. Think of this as the difference between issuing a real ID rather than a fake one — real IDs will always have some characteristics that cannot be replicated in a fake ID. The same holds true with certificates, which is why this dangerous.”
Billbug (aka Lotus Blossom or Thrip) is a China-based espionage group that mainly targets victims in Southeast Asia. Its known for big-game hunting — i.e., going after the secrets held by military organizations, governmental entities, and communications providers. Sometimes it casts a broader net, hinting at darker motivations: In one past instance, it infiltrated an aerospace operator to infect the computers that monitor and control the movements of satellites.
In the latest run of nefarious activity, the APT hit a pantheon of government and defense agencies throughout Asia, in one case infesting a large number of machines on a government network with its custom malware.
This campaign was ongoing from at least March 2022 to September 2022, and it is possible this activity may be ongoing, says Brigid O Gorman, senior intelligence analyst at Symantec Threat Hunter Team. Billbug is a long-established threat group that has carried out multiple campaigns over the years. It is possible that this activity could extend to additional organizations or geographies, though Symantec has no evidence of that at the moment.
At those targets as well as at the CA, the initial access vector has been the exploitation of vulnerable, public-facing applications. After gaining the ability to execute code, the threat actors go on to install their known, custom Hannotog or Sagerunex backdoors before burrowing deeper into networks.
For the later kill-chain stages, Billbug attackers use multiple
living-off-the-land binaries (LoLBins)
, such as AdFind, Certutil, NBTscan, Ping, Port Scanner, Route, Tracert, Winmail, and WinRAR, according to Symantecs report.
These legitimate tools can be abused for various doppelganger uses, such as querying Active Directory to map a network, ZIP-ing files for exfiltration, uncovering paths between endpoints, scanning NetBIOS and ports, and installing browser root certificates — not to mention downloading additional malware.
The custom backdoors combined with dual-use tools is a familiar footprint, having been used by the APT in the past. But the lack of concern about public exposure is
par for the course for the group
.
Its notable that Billbug appears to be undeterred by the possibility of having this activity attributed to it, with it reusing tools that have been linked to the group in the past, says Gorman.
She adds, The groups heavy use of living off the land and dual-use tools is also notable, and underlines the need for organizations to have in place security products that can not only detect malware, but can
also recognize if legitimate tools are potentially being used
in a suspicious or malicious manner.
Symantec has notified the unnamed CA in question to inform it of the activity, but Gorman declined to offer further details as to its response or remediation efforts.
While theres no indication so far that the group was able to go on to compromise actual digital certificates, the researcher advises, Enterprises should be aware that malware could be signed with valid certificates if threat actors are able to achieve access to cert authorities.
In general, organizations should adopt a defense-in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain, she says.
Symantec would also advise implementing proper audit and control of administrative account usage, Gorman notes. Wed also suggest creating profiles of usage for admin tools as many of these tools are used by attackers to move laterally undetected through a network. Across the board, multifactor authentication (MFA) can help limit the usefulness of compromised credentials.

Last News
▸ Insights from Prism: 8 Key Metadata Points ◂ Discovered: 26/12/2024 Category: security	▸ Survey finds customers expect to be asked and compensated for personal data use. ◂ Discovered: 26/12/2024 Category: security	▸ Watch out for risks in HTML5 development ◂ Discovered: 26/12/2024 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
China-Based Billbug APT Infiltrates Certificate Authority