
Nation-state hackers based in China recently infected a certificate authority and several government and defense agencies with a potent malware cocktail that allowed them to penetrate networks and steal sensitive information, researchers revealed Tuesday.

The successful compromise of the unnamed certificate authority could prove especially dangerous, because such entities are trusted by browsers and operating systems to certify the identities of servers and apps. If the hackers obtained control of the organization’s infrastructure, they could use it to digitally sign their malware so that it slips past endpoint protections more easily, or to cryptographically impersonate trusted sites and intercept encrypted data.

The researchers who discovered the breach did not find evidence that the certificate infrastructure itself had been compromised. They said the campaign was the latest from a group they call Billbug, which has a documented history of notable hacks dating back to at least 2009.

“The ability of this actor to compromise multiple victims at once indicates that this threat group remains a skilled and well-resourced operator that is capable of carrying out sustained and wide-ranging campaigns,” Symantec researchers wrote. “Billbug also appears to be undeterred by the possibility of having this activity attributed to it, with it reusing tools that have been linked to the group in the past.”

Symantec first documented Billbug in 2018, when company researchers discovered a group they called Thrip, which had hacked several targets, including a satellite communications operator, a geospatial mapping company, three telecom operators, and a defense contractor. The hack of the satellite operator was particularly alarming because the attackers, who had access to the entire network, “seemed to be particularly interested in the operational side of the company, looking for and infecting computers running software that monitors and controls satellites.” Researchers speculated that the hackers’ motivation may have gone beyond spying to include disruption.

Researchers eventually traced the computers responsible for the hacking back to China. Besides Southeast Asia, targets were also found in the US.

A little more than a year later, Symantec collected new information that allowed researchers to determine that Thrip was in fact the same group as Billbug and Lotus Blossom. In the 15 months following the initial write-up, Billbug had successfully hacked 12 companies in Hong Kong, Macau, Indonesia, Malaysia, Vietnam, and the Philippines. The victims included military targets and organizations in the maritime communications, media, and education sectors.

Billbug used a combination of legitimate software and custom malware to burrow into its victims’ networks. By using legitimate tools such as PsExec, PowerShell, Mimikatz, WinSCP, and LogMeIn, the hacking activity could blend in with normal operations in the compromised environment. The hackers also used the custom-built Catchamas information stealer and backdoors dubbed Hannotog and Sagerunex.

In the most recent campaign, which targeted the certificate authority, Billbug was back with Sagerunex and Hannotog. It also used a variety of legitimate software, including AdFind, Winmail, WinRAR, Ping, Tracert, Route, NBTscan, and Certutil.
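Because every tool in those two lists is also run by legitimate administrators, no single execution is a useful alert. What a defender can look for is clustering: several of these dual-use tools launched on one host by one account within a short window. The script below is an added example, not code from Symantec or from the article, and the process-creation log lines it parses are constructed for illustration (the hostnames, users and timestamps are invented; the tool list is taken from the article). The log format, `timestamp|host|user|image path|command line`, is likewise an assumption standing in for whatever endpoint telemetry an organization actually collects.

```python
"""Flag hosts where several dual-use admin tools run within a short window.

Added example (not from Symantec or the original article). The watched tool
names come from the article; log lines are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Legitimate tools the article reports Billbug using alongside custom malware.
# Each is routinely run by admins, so only their co-occurrence is interesting.
WATCHED_TOOLS = {
    "psexec.exe", "powershell.exe", "mimikatz.exe", "winscp.exe", "logmein.exe",
    "adfind.exe", "winmail.exe", "winrar.exe", "ping.exe", "tracert.exe",
    "route.exe", "nbtscan.exe", "certutil.exe",
}

# Constructed process-creation events: timestamp|host|user|image path|command line
SAMPLE_LOG = r"""
2022-11-15T09:00:01|ws-finance-07|jdoe|C:\Windows\System32\notepad.exe|notepad.exe budget.txt
2022-11-15T09:02:10|ws-finance-07|jdoe|C:\Windows\System32\PING.EXE|ping 10.0.0.1
2022-11-15T08:00:00|srv-app-01|admin2|C:\Tools\PsExec.exe|PsExec.exe \\srv-app-02 ipconfig
2022-11-15T11:30:00|srv-app-01|admin2|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -File deploy.ps1
2022-11-15T16:00:00|srv-app-01|admin2|C:\Program Files\WinSCP\WinSCP.exe|WinSCP.exe
2022-11-15T13:14:05|srv-files-02|svc_backup|C:\Tools\AdFind.exe|AdFind.exe -f objectcategory=computer
2022-11-15T13:15:40|srv-files-02|svc_backup|C:\Windows\System32\nbtscan.exe|nbtscan 10.0.0.0/24
2022-11-15T13:16:12|srv-files-02|svc_backup|C:\Windows\System32\certutil.exe|certutil -hashfile export.rar SHA256
2022-11-15T13:20:48|srv-files-02|svc_backup|C:\Program Files\WinRAR\WinRAR.exe|WinRAR.exe a export.rar D:\Share\Reports
"""


def parse_event(line):
    """Split one pipe-delimited event; the tool name is the lower-cased image basename."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "user": user,
        "tool": PureWindowsPath(image).name.lower(),
        "cmdline": cmdline,
    }


def watched_events_by_host(log_text):
    """Keep only executions of watched tools, grouped per host and sorted by time."""
    by_host = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        if ev["tool"] in WATCHED_TOOLS:
            by_host[ev["host"]].append(ev)
    for events in by_host.values():
        events.sort(key=lambda e: e["ts"])
    return by_host


def find_clusters(log_text, window_minutes=30, threshold=3):
    """Return {host: sorted distinct tools} for every host on which at least
    `threshold` distinct watched tools ran inside some `window_minutes` span.

    A sliding window starting at each event collects the distinct tools seen
    before the window expires; the largest such set decides whether to flag.
    """
    window = timedelta(minutes=window_minutes)
    hits = {}
    for host, events in watched_events_by_host(log_text).items():
        best = set()
        for i, first in enumerate(events):
            seen = set()
            for later in events[i:]:
                if later["ts"] - first["ts"] > window:
                    break
                seen.add(later["tool"])
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            hits[host] = sorted(best)
    return hits


if __name__ == "__main__":
    for host, tools in find_clusters(SAMPLE_LOG).items():
        print(f"{host}: {len(tools)} watched tools within 30 min -> {', '.join(tools)}")
```

With the default 30-minute window only `srv-files-02` is flagged (four tools in about seven minutes), while `srv-app-01`, which ran three watched tools spread across a working day, is not; widening the window to 24 hours flags it too. The window and threshold are the tuning knobs, and the right values depend on how noisy the environment's own administrators are.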

Tuesday’s post includes a host of technical details people can use to determine if they’ve been targeted by Billbug. Symantec is Broadcom Software’s security arm.