ESET discovers operation SignSight: Supply-chain attack against a certification authority in Southeast Asia

Next story
Editor

BRATISLAVA, MONTREAL – ESET Research discovered another supply-chain attack in Asia, this time on the website of the Vietnam Government Certification Authority (VGCA). The attackers modified two of the software installers available for download on this website by adding a backdoor in order to compromise users of the legitimate application. Supply-chain attacks appear to be a quite common compromise vector for cyberespionage groups. Cybercrime operation SignSight leverages malware known as PhantomNet or Smanager.

“In Vietnam, digital signatures are very common, as digitally signed documents have the same level of enforceability as wet signatures. In addition to issuing certificates, the VGCA develops and distributes a digital signature toolkit. It is used by the Vietnamese government, and probably by private companies, to sign digital documents. The compromise of a certification authority website is a good opportunity for APT groups, since visitors are likely to have a high level of trust in a state organization responsible for digital signatures,” explains Matthieu Faou, one of ESET’s researchers investigating the SignSight operation.

The PhantomNet backdoor is quite simple and is able to collect victim information (computer name, hostname, username, OS version, user privileges [admin or not], and the public IP address) as well as install, remove and update malicious plugins. These additional and more complex plugins are probably only deployed on a few selected machines. By also installing the legitimate program, the attackers make sure that this compromise won’t be easily noticed by end users.

ESET researchers uncovered this new supply-chain attack in early December 2020 and notified the compromised organization and the VNCERT. We believe that the website ceased delivering compromised software installers at the end of August 2020. The Vietnam Government Certification Authority confirmed that they were aware of the attack before our notification and that they notified the users who downloaded the trojanized software.

ESET has seen victims in the Philippines in addition to Vietnam.

For more technical details about operation SignSight, read the blog post “Operation SignSight: Supply- chain attack against a certification authority in Southeast Asia” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About ESET 
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers worldwide, working in support of our shared future. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter.