A complex supply-chain attack hit the Vietnam Government Certification Authority (VGCA).
Supply Chain Attack:
A cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain.
Earlier today, security firm ESET reported that hackers had targeted the Vietnam Government Certification Authority (VGCA), the organization that issues the government's digital certificates.
Any Vietnamese citizen, private business, or other government agency that wishes to submit documents to the Vietnamese government must sign them with a VGCA-compatible digital certificate, which is why the agency's client software is so widely installed.
In its report, named "Operation SignSight," ESET stated that the attackers modified two of the software installers available for download on the agency's website.
They then added a backdoor to those installers in order to compromise users of the legitimate application.
According to the report, the attackers first broke into the agency's website at ca.gov.vn, then inserted malware into two of the VGCA client apps offered for download on the site.
Between July 23 and August 5, 2020, the two files carried a backdoor trojan named PhantomNet, also known as Smanager.
The malware itself is not very sophisticated: it is only a skeleton that loads much more powerful plugins.
VGCA confirmed that it had already been aware of the attack before ESET contacted it.
Previous Supply-Chain Attack Victims:
According to ZDNet, the VGCA incident marks the fifth major supply chain attack this year, after the likes of:
- SolarWinds – Russian hackers compromised the update mechanism of the SolarWinds Orion app and infected the internal networks of thousands of companies across the globe with the Sunburst malware.
- Able Desktop – Chinese hackers compromised the update mechanism of a chat app used by hundreds of Mongolian government agencies.
- GoldenSpy – A Chinese bank had been forcing foreign companies operating in China to install a backdoored tax software toolkit.
- Wizvera VeraPort – North Korean hackers compromised the Wizvera VeraPort system to deliver malware to South Korean users.
Indicators of Compromise:
Files
| SHA-1 | ESET detection name | Description |
|---|---|---|
| 5C77A18880CF58DF9FBA102DD8267C3F369DF449 | Win32/TrojanDropper.Agent.SJQ | Trojanized installer (gca01-client-v2-x64-8.3.msi) |
| B0E4E9BB6EF8AA7A9FCB9C9E571D8162B1B2443A | Win32/TrojanDropper.Agent.SJQ | Trojanized installer (gca01-client-v2-x32-8.3.msi) |
| 9522F369AC109B03E6C16511D49D1C5B42E12A44 | Win32/TrojanDropper.Agent.SJQ | PhantomNet dropper |
| 989334094EC5BA8E0E8F2238CDF34D5C57C283F2 | Win32/PhantomNet.B | PhantomNet |
| 5DFC07BB6034B4FDA217D96441FB86F5D43B6C62 | Win32/PhantomNet.A | PhantomNet plugin |
C&C servers (defanged)
- office365.blogdns[.]com
- vgca.homeunix[.]org
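A small triage script, added here as an example and not taken from ESET's report or VGCA's own tooling, that turns the indicators above into two checks: it hashes files on disk and matches them against the five SHA-1s, and it scans DNS resolver log lines for the two C&C hostnames (re-fanged from the `[.]` form above). The function names (`sha1_file`, `match_hashes`, `scan_dns_log`) and the sample log lines are mine; the log lines are constructed for the demo, not real telemetry.

```python
"""Triage helper for the Operation SignSight IoCs listed above.

Added example, not ESET's or VGCA's code. The SHA-1s and C&C domains are
the ones from the table; the DNS log lines are constructed for the demo.
A hash match only catches these exact samples, so treat a miss as
"not one of the five known files", not as "clean".
"""
import hashlib
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# File IoCs from the table above: SHA-1 (upper-case hex) -> description.
FILE_IOCS: Dict[str, str] = {
    "5C77A18880CF58DF9FBA102DD8267C3F369DF449": "Trojanized installer (gca01-client-v2-x64-8.3.msi)",
    "B0E4E9BB6EF8AA7A9FCB9C9E571D8162B1B2443A": "Trojanized installer (gca01-client-v2-x32-8.3.msi)",
    "9522F369AC109B03E6C16511D49D1C5B42E12A44": "PhantomNet dropper",
    "989334094EC5BA8E0E8F2238CDF34D5C57C283F2": "PhantomNet",
    "5DFC07BB6034B4FDA217D96441FB86F5D43B6C62": "PhantomNet plugin",
}

# C&C hostnames, kept defanged exactly as published.
C2_DOMAINS_DEFANGED = ["office365.blogdns[.]com", "vgca.homeunix[.]org"]


def refang(indicator: str) -> str:
    """Restore the real hostname from the published 'a[.]b' form."""
    return indicator.replace("[.]", ".")


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}

# Matches a C2 hostname (or a subdomain of it) as a whole label sequence:
# 'update.vgca.homeunix.org' and 'vgca.homeunix.org.' hit,
# 'notvgca.homeunix.org' and 'vgca.homeunix.org.example.com' do not.
_C2_RE = re.compile(
    r"(?<![\w-])(" + "|".join(re.escape(d) for d in sorted(C2_DOMAINS)) + r")(?!\.?[\w-])",
    re.IGNORECASE,
)


def sha1_hex(data: bytes) -> str:
    """Upper-case hex SHA-1, the same form as the IoC table."""
    return hashlib.sha1(data).hexdigest().upper()


def sha1_file(path: Path) -> str:
    """SHA-1 of a file on disk, read in 1 MiB chunks so large MSIs are fine."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def match_hashes(named_hashes: Iterable[Tuple[str, str]],
                 iocs: Dict[str, str] = FILE_IOCS) -> List[Tuple[str, str]]:
    """Return (name, description) for every (name, sha1) whose hash is a known IoC."""
    return [(name, iocs[h.upper()]) for name, h in named_hashes if h.upper() in iocs]


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, c2_domain) for every log line that names a C2 host."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _C2_RE.search(line)
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


# Constructed DNS resolver log lines for the demo (not real telemetry).
SAMPLE_DNS_LOG = [
    "2020-08-03 09:14:22 client 10.1.4.25 query A office365.blogdns.com",
    "2020-08-03 09:14:23 client 10.1.4.25 query A office365.com",
    "2020-08-03 09:15:01 client 10.1.4.31 query A update.vgca.homeunix.org",
    "2020-08-03 09:15:05 client 10.1.4.31 query A ca.gov.vn",
]


if __name__ == "__main__":
    # usage: python signsight_triage.py [file ...]   (each file is hashed and checked)
    paths = [Path(p) for p in sys.argv[1:]]
    for name, desc in match_hashes((str(p), sha1_file(p)) for p in paths):
        print(f"MATCH {name}: {desc}")
    for line_no, domain in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS line {line_no} resolved C2 host {domain}")
```

Two caveats worth keeping in mind. The hash check only identifies the exact files ESET catalogued; a rebuilt installer with the same backdoor would slip past it, so the stronger check for a downloaded MSI is whether its Authenticode signature is valid and chains to the publisher you expect. The DNS check deliberately also flags subdomains of the C&C hosts (the dynamic-DNS providers involved hand out arbitrary labels) but not look-alike names such as `notvgca.homeunix.org`, which is the trade-off the regex's boundary assertions encode.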
In conclusion, VGCA has published a tutorial on how users can remove the malware from their systems.