Only a few weeks after the supply-chain attack on the Able Desktop application, a similar attack hit the website of the Vietnam Government Certification Authority (VGCA), ca.gov.vn.
The attackers modified two of the software installers available for download on the site, adding a backdoor to compromise users of the legitimate program.
Uncovered by Slovak security company ESET earlier this month, the “SignSight” attack involved modifying software installers hosted on the CA’s website (“ca.gov.vn”) to inject a spyware tool called PhantomNet, also known as Smanager.
According to ESET’s telemetry, the breach took place from at least July 23 to August 16, 2020, with the two installers in question, “gca01-client-v2-x32-8.3.msi” and “gca01-client-v2-x64-8.3.msi” for 32-bit and 64-bit Windows systems, tampered with to include the backdoor.
“The compromise of a certification authority website is a good opportunity for APT groups since visitors are likely to have a high level of trust in a state organization responsible for digital signatures,” ESET’s Matthieu Faou said.
After the attack was reported to VGCA, the certificate authority confirmed that “they were aware of the attack before our notification and that they notified the users who downloaded the trojanized software.”
Digital signatures are very common in Vietnam, as digitally signed documents have the same degree of enforceability as “wet” signatures.
Under Decree No. 130/2018, the cryptographic certificates used to sign documents must be issued by one of the approved certificate providers, which include the VGCA. The VGCA is part of the Government Cipher Committee, which in turn falls under the Ministry of Information and Communications.
In addition to issuing certificates, the VGCA develops and distributes a digital signature toolkit. It is used by the Government of Vietnam, and possibly by private companies, to sign digital documents.
As seen in Figure 1, these services appear to be deployed in Party and State agencies.
The trojanized installers are not properly signed, but we found that the clean GCA installers are also improperly signed (the digital signature of the object did not verify). Both the official and the trojanized MSIs use the certificate issued to Safenet.
Figure 2 illustrates the supply-chain attack. To be infected, a user has to manually download and run the compromised installer hosted on the official website.
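Because the signature status of the downloaded MSIs is the one thing a user could check before running them, here is an added example of that check (not code from ESET, the VGCA or the article): it runs Get-AuthenticodeSignature and Get-FileHash over every MSI in a folder and flags anything whose status is not Valid. The download folder is an assumption; the file names, hashes and signer are whatever is on disk, none are hard-coded.

```powershell
# Added example: audit the Authenticode status of downloaded MSI installers.
# Assumption: the installers were saved to the current user's Downloads folder.
$downloadDir = Join-Path $env:USERPROFILE 'Downloads'

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)

    # Authenticode for an MSI lives in its DigitalSignature stream; Get-AuthenticodeSignature
    # understands MSI as well as PE files. Status is Valid, NotSigned, HashMismatch,
    # UnknownError, NotTrusted, etc.; HashMismatch is the "did not verify" case.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    [pscustomobject]@{
        File       = Split-Path -Leaf $Path
        SHA256     = $hash
        Status     = $sig.Status
        Message    = $sig.StatusMessage
        Signer     = $sig.SignerCertificate.Subject      # $null when NotSigned
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Trusted    = ($sig.Status -eq 'Valid')
    }
}

$results = Get-ChildItem -Path $downloadDir -Filter '*.msi' -File |
    ForEach-Object { Test-InstallerSignature -Path $_.FullName }

$results | Format-Table File, Status, Signer, Thumbprint, Trusted -AutoSize

# A non-Valid status is not proof of tampering (the report notes the clean GCA MSIs
# also fail verification), but it means the signature proves nothing about integrity.
# Record the SHA-256 and confirm it out of band with the vendor before running the file.
foreach ($r in $results | Where-Object { -not $_.Trusted }) {
    Write-Warning ("{0}: signature status '{1}' ({2}). SHA256={3}. Do not run until the hash is confirmed out of band." -f
        $r.File, $r.Status, $r.Message, $r.SHA256)
}
```

Because both the genuine and the trojanized installers fail verification in this case, the script's value is in forcing the hash into view: a signature check alone cannot separate the two, and only a hash obtained through a channel other than the compromised website can.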
In November, ESET disclosed a Lazarus campaign in South Korea that abused legitimate security software and stolen digital certificates to deploy remote administration tools (RATs) on target systems.
A supply-chain attack on SolarWinds’ Orion software, discovered this week, was used to compromise several major U.S. government agencies, including the Departments of Homeland Security, Commerce, Treasury and State.
“Supply-chain attacks are typically hard to find, as the malicious code is generally hidden among a lot of legitimate code, making its discovery significantly more difficult,” Faou concluded.