ESET discovers operation SignSight: Supply-chain attack against a certification authority in Southeast Asia

Posted on 2020-12-21
In ESET, Press Release, 2020

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

About Distology
Distology is a Market Enabler and offers true value for the distribution of disruptive IT Security solutions. The vendors we work with represent innovative and exciting technology that continues to excite and inspire their reseller network. Our ethos is based on trust, relationships, energy and drive and offers end to end support in the full sales cycle providing vendor quality technical and commercial resource.

BRATISLAVA, MONTREAL – ESET researchers have recently discovered websites distributing trojanized cryptocurrency trading applications for Mac computers. These were legitimate apps wrapped with GMERA malware, whose operators used them to steal information, such as browser cookies, cryptocurrency wallets and screen captures. In this campaign, the legitimate Kattana trading application was rebranded – including setting up copycat websites – and the malware was bundled into its installer. ESET researchers saw four names used for the trojanized app in this campaign: Cointrazer, Cupatrade, Licatrade and Trezarus.

“As in previous campaigns, the malware reports to a Command & Control server over HTTP and connects remote terminal sessions to another C&C server using a hardcoded IP address,” says ESET researcher Marc-Etienne M.Léveillé, who led the investigation into GMERA.

ESET researchers have not yet been able to find exactly where these trojanized applications are promoted. However, in March 2020, the legitimate Kattana site posted a warning suggesting that victims are approached individually to lure them to download a trojanized app, thus pointing to social engineering. Copycat websites are set up to make the bogus application download look legitimate. The download button on the bogus sites is a link to a ZIP archive containing the trojanized application bundle.

In addition to the analysis of the malware code, ESET researchers have also set up honeypots (research computers) and lured GMERA malware operators to remotely control the honeypots. The researchers’ aim was to reveal the motivations behind this group of criminals. “Based on the activity we have witnessed, we can confirm that the attackers have been collecting browser information, such as cookies and browsing history, cryptocurrency wallets and screen captures,” concludes M.Léveillé.

For more technical details on the latest GMERA malicious campaign, read the full blogpost, “Mac cryptocurrency trading application rebranded, bundled with malware,” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

BRATISLAVA, MONTREAL – ESET Research discovered another supply-chain attack in Asia, this time on the website of the Vietnam Government Certification Authority (VGCA). The attackers modified two of the software installers available for download on this website by adding a backdoor in order to compromise users of the legitimate application. Supply-chain attacks appear to be a quite common compromise vector for cyberespionage groups. Cybercrime operation SignSight leverages malware known as PhantomNet or Smanager.

“In Vietnam, digital signatures are very common, as digitally signed documents have the same level of enforceability as wet signatures. In addition to issuing certificates, the VGCA develops and distributes a digital signature toolkit. It is used by the Vietnamese government, and probably by private companies, to sign digital documents. The compromise of a certification authority website is a good opportunity for APT groups, since visitors are likely to have a high level of trust in a state organization responsible for digital signatures,” explains Matthieu Faou, one of ESET’s researchers investigating the SignSight operation.

The PhantomNet backdoor is quite simple and is able to collect victim information (computer name, hostname, username, OS version, user privileges [admin or not], and the public IP address) as well as install, remove and update malicious plugins. These additional and more complex plugins are probably only deployed on a few selected machines. By also installing the legitimate program, the attackers make sure that this compromise won’t be easily noticed by end users.

ESET researchers uncovered this new supply-chain attack in early December 2020 and notified the compromised organization and the VNCERT. We believe that the website ceased delivering compromised software installers at the end of August 2020. The Vietnam Government Certification Authority confirmed that they were aware of the attack before our notification and that they notified the users who downloaded the trojanized software.

ESET has seen victims in the Philippines in addition to Vietnam.

For more technical details about operation SignSight, read the blog post “Operation SignSight: Supply- chain attack against a certification authority in Southeast Asia” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

Partnership Will Drive Increased Adoption of Portnox’s Cutting-Edge NAC Solution Purpose-Built for Large Distributed Organizations in the Region

LONDON — Portnox, which supplies network access control (NAC), visibility and device risk management to organizations of all sizes, today announced that it has partnered with Distology for the sole distribution and resell of its cloud-delivered NAC-as-a-Service solution in the United Kingdom and Ireland.

We chose to partner with Distology because of their successful history of IT security solution distribution in the UK and Irish markets, said Portnox CEO, Ofer Amitai. Were confident this collaboration will yield tremendous growth for both parties, as Portnox has a unique value proposition and Distology has the market enablement expertise to effectively evangelize our network security offering.

We have a long-established relationship with Portnox and it speaks volumes that the team have decided to choose Distology as their sole UK&I distributor. The technology Portnox brings to the market is incredibly exciting and complements our existing vendor stack effortlessly, said Stephen Rowlands, Head of Sales for Distology. Were especially looking forward to representing and promoting Portnox Clear to our growing partner base, as this brand-new cloud-based technology has potential to completely disrupt the market and we foresee masses of growth potential in this innovative product.

Portnox introduced its cloud-delivered NAC-as-a-Service solution to the UK & Irish markets less than two years go. As the first to bring NAC to the cloud, Portnox has quickly gained a foothold in the region, particularly among large distributed enterprises in the retail, construction and utilities industries.

The adoption of our NAC-as-a-Service product in the UK has been very strong to date, said VP of Products, Tomer Shemer. This is a testament to the fact that the UK is one of the markets leading the trend of cloud security adoption. We expect to see continued growth in the coming years in this area of Europe.

Portnox is set to exhibit at this week’s RSA 2020 Conference (booth #4234) in San Francisco, February 24-28. Additionally, Portnox (booth #G108) and Distology (booth #C40) will both be exhibiting at InfoSec Europe 2020, Europes largest event for information and cyber security, in London, June 2-4.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.。

2020 ESET

Hello!

Click one of our contacts below to chat on WhatsApp

Support Version 2 Limited