{"id":38908,"date":"2020-12-28T06:00:04","date_gmt":"2020-12-28T06:00:04","guid":{"rendered":"http:\/\/88e96f8f-1762-4425-9f3e-85f569d3728e"},"modified":"2020-12-28T06:00:04","modified_gmt":"2020-12-28T06:00:04","slug":"vietnam-targeted-in-complex-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/vietnam-targeted-in-complex-supply-chain-attack\/","title":{"rendered":"Vietnam targeted in complex supply chain attack"},"content":{"rendered":"
\"Vietnam<\/span>
<\/span> Image: T.H. Chia <\/span><\/figcaption><\/figure>\n

A group of mysterious hackers has carried out a clever supply chain attack against Vietnamese private companies and government agencies by inserting malware inside an official government software toolkit.<\/p>\n

\n

Special feature<\/span> <\/h3>\n
\"Cyberwar<\/span> <\/a> <\/div>\n

Cyberwar and the Future of Cybersecurity <\/a> <\/p>\n

Today’s security threats have expanded in scope and seriousness. There can now be millions — or even billions — of dollars at risk when information security isn’t handled properly.<\/p>\n

Read More<\/a> <\/p>\n<\/p><\/div>\n

The attack, discovered by security firm ESET and detailed in a report named “Operation SignSight<\/a>,” targeted the Vietnam Government Certification Authority (VGCA), the government organization that issues digital certificates that can be used to electronically sign official documents.<\/p>\n

Any Vietnamese citizen, private company, and even other government agency that wants to submit files to the Vietnamese government must sign their documents with a VGCA-compatible digital certificate.<\/p>\n

The VGCA doesn’t only issue these digital certificates but also provides ready-made and user-friendly “client apps” that citizens, private companies, and government workers can install on their computers and automate the process of signing a document.<\/p>\n

But ESET says that sometime this year, hackers broke into the agency’s website, located at ca.gov.vn<\/em><\/a>, and inserted malware inside two of the VGCA client apps offered for download on the site.<\/p>\n

The two files were 32-bit (gca01-client-v2-x32-8.3.msi<\/em>) and 64-bit (gca01-client-v2-x64-8.3.msi<\/em>) client apps for Windows users.<\/p>\n

ESET says that between July 23 and August 5, this year, the two files contained a backdoor trojan named PhantomNet<\/strong>, also known as Smanager<\/a>.<\/p>\n

<\/section>\n

The malware wasn’t very complex but was merely a wireframe for more potent plugins, researchers said.<\/p>\n

Known plugins included the functionality to retrieve proxy settings in order to bypass corporate firewalls and the ability to download and run other (malicious) apps.<\/p>\n

The security firm believes the backdoor was used for reconnaissance prior to a more complex attack against selected targets.<\/p>\n

ESET researchers said they notified the VGCA earlier this month but that the agency had already known of the attack prior to its contact.<\/p>\n

On the day ESET published its report, the VGCA also formally admitted to the security breach and published a tutorial<\/a> on how users could remove the malware from their systems.<\/p>\n

PantomNet victims also discovered in the Philippines
<\/h3>\n

ESET said that it also found victims infected with the PhantomNet backdoor in the Philippines but was unable to say how these users got infected. Another delivery mechanism is suspected.<\/p>\n

The Slovak security firm didn’t formally attribute the attack to any particular group, but previous reports linked the PhatomNet (Smanager) malware to Chinese state-sponsored cyber-espionage activities.<\/p>\n

The VGCA incident marks the fifth major supply chain attack this year after the likes of:<\/p>\n