Billbug Targets Government Agencies in Multiple Asian Countries
State-sponsored actors in the Billbug group (aka Lotus Blossom and Thrip) have tried to compromise a digital certificate authority in an Asian country during a campaign targeting multiple government agencies.
Security researchers from Symantec have made the discovery and shared the findings in an advisory published earlier today.
“In activity documented by Symantec in 2019, we detailed how the group was using a backdoor known as Hannotog and another backdoor known as Sagerunex. Both these tools were also seen in this more recent activity,” reads the technical write-up.
The company added that all the victims in this recent Billbug campaign were based in various countries in Asia.
“Billbug is known to focus on targets in Asian countries. In at least one of the government victims, a large number of machines on the network were compromised by the attackers,” Symantec explained.
According to the security firm, the targeting of a certificate authority is notable. If the attackers could compromise it and gain access to its certificates or signing keys, they could use them to sign malware so that it carries a valid signature and is less likely to be flagged on victim machines. Compromised certificates could also be used to intercept HTTPS traffic.
“However, although this is a possible motivation for targeting a certificate authority, Symantec has seen no evidence to suggest they were successful in compromising digital certificates,” wrote the company.
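The two checks that matter in the scenario above are worth seeing side by side: ordinary chain validation, which is exactly what a stolen CA key defeats, and a public-key pin on the genuine publisher, which a CA compromise does not defeat. The following Go program is an added example written for this article, not code from Symantec or from the advisory; the CA names, the publisher name and the in-memory trust store are all hypothetical, and it uses only the standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed CA certificate and key (hypothetical CAs for the demo).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// issueCodeSigningLeaf has caKey sign an end-entity certificate marked for code signing.
func issueCodeSigningLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// chainsToTrustStore is the check most verifiers stop at: does the leaf chain to a
// root in the store and carry the code-signing EKU? A leaf minted with a stolen CA key passes.
func chainsToTrustStore(leaf *x509.Certificate, store *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     store,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err == nil
}

// spkiPin hashes the certificate's SubjectPublicKeyInfo. Pinning the genuine publisher's
// key, recorded out of band, rejects any other key regardless of who signed its certificate.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Outcome records the three checks the scenario runs.
type Outcome struct {
	CompromisedCAAccepted bool // attacker's leaf, signed with the trusted CA's key, passes chain validation
	UnknownCAAccepted     bool // attacker's leaf from a CA outside the store passes chain validation
	PinRejectsImpostor    bool // the publisher-key pin rejects the attacker's leaf
}

// RunScenario plays both sides: the victim trusts trustedCA; the attacker holds its key.
func RunScenario() Outcome {
	trustedCA, trustedKey := newCA("Trusted Root CA (hypothetical)")
	rogueCA, rogueKey := newCA("Attacker Root CA (hypothetical)")
	store := x509.NewCertPool()
	store.AddCert(trustedCA)

	genuine := issueCodeSigningLeaf(trustedCA, trustedKey, "Genuine Publisher (hypothetical)")
	// Same issuer, same subject name, attacker-controlled key: indistinguishable to chain validation.
	impostor := issueCodeSigningLeaf(trustedCA, trustedKey, "Genuine Publisher (hypothetical)")
	outsider := issueCodeSigningLeaf(rogueCA, rogueKey, "Genuine Publisher (hypothetical)")

	pin := spkiPin(genuine)
	return Outcome{
		CompromisedCAAccepted: chainsToTrustStore(impostor, store),
		UnknownCAAccepted:     chainsToTrustStore(outsider, store),
		PinRejectsImpostor:    spkiPin(impostor) != pin,
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The first result is the whole point of Symantec's concern: once the CA's key is in the attacker's hands, nothing in the chain distinguishes the impostor from the genuine publisher, and adding more roots to the store does not help. The third result shows the mitigation that survives a CA compromise, pinning the publisher's key (or, for TLS, the expected leaf or intermediate) rather than trusting any certificate the CA happens to issue.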
In terms of how the attacks were executed, Billbug was observed exploiting public-facing applications to gain initial access to victim networks, and then relying heavily on dual-use tools, legitimate utilities that are equally useful to attackers. These included AdFind, WinRAR and Port Scanner, among others.
“Multiple files that are believed to be loaders for the Hannotog backdoor were spotted on victim machines,” Symantec wrote. “A backdoor was then deployed on the compromised system. This backdoor has multiple functionalities.”
Among its various capabilities, the backdoor could create a service for persistence, stop other services and upload encrypted data.
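Two of those capabilities, installing a service for persistence and stopping other services, leave records in the Windows System log (Event ID 7045 for a new service, 7036 for a state change), which makes them a natural detection target. The following Go program is an added example, not code from Symantec or the advisory: the log lines are constructed to mimic those events, the list of trusted binary directories and of security services is a policy assumption, and nothing here reflects the actual service names or paths Billbug used.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample records modelled on Windows System log events (not from the advisory):
// 7045 = a new service was installed, 7036 = a service changed state.
var sampleLog = []string{
	`2022-11-15T08:01:12Z 7045 ServiceName="MsSense" ImagePath="C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" Account="LocalSystem"`,
	`2022-11-15T08:03:40Z 7036 ServiceName="WinDefend" State="stopped"`,
	`2022-11-15T08:03:44Z 7045 ServiceName="UpdateSvc" ImagePath="C:\ProgramData\update\svchost.exe" Account="LocalSystem"`,
	`2022-11-15T08:04:01Z 7036 ServiceName="Spooler" State="running"`,
	`2022-11-15T08:05:10Z 7045 ServiceName="Netlogin" ImagePath="C:\Users\Public\Libraries\netlogin.exe -k svc" Account="LocalSystem"`,
}

// Finding is one alert produced by the detector.
type Finding struct {
	Time, Service, Reason string
}

var (
	headerRe = regexp.MustCompile(`^(\S+)\s+(\d+)\s+(.*)$`)
	fieldRe  = regexp.MustCompile(`(\w+)="([^"]*)"`)
	// Directories where legitimate service binaries are expected (assumption; tune per estate).
	trustedDirs = []string{`c:\windows\`, `c:\program files\`, `c:\program files (x86)\`}
	// Security services whose stop is worth an alert (assumption; extend per environment).
	securityServices = map[string]bool{"windefend": true, "mssense": true, "sense": true, "wscsvc": true}
)

// parseFields turns `Key="value"` pairs into a map.
func parseFields(s string) map[string]string {
	f := map[string]string{}
	for _, m := range fieldRe.FindAllStringSubmatch(s, -1) {
		f[m[1]] = m[2]
	}
	return f
}

// inTrustedDir reports whether the executable in an ImagePath lives under a trusted directory.
// Arguments after the .exe are discarded so "svchost.exe -k netsvcs" is judged by its path.
func inTrustedDir(imagePath string) bool {
	p := strings.ToLower(strings.Trim(imagePath, `"`))
	if i := strings.Index(p, ".exe"); i >= 0 {
		p = p[:i+4]
	}
	for _, d := range trustedDirs {
		if strings.HasPrefix(p, d) {
			return true
		}
	}
	return false
}

// Findings flags new services installed from untrusted locations (persistence) and
// stops of security services (defence evasion), in log order.
func Findings(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		m := headerRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ts, id, fields := m[1], m[2], parseFields(m[3])
		svc := fields["ServiceName"]
		switch id {
		case "7045":
			if !inTrustedDir(fields["ImagePath"]) {
				out = append(out, Finding{ts, svc, "service installed from untrusted path: " + fields["ImagePath"]})
			}
		case "7036":
			if fields["State"] == "stopped" && securityServices[strings.ToLower(svc)] {
				out = append(out, Finding{ts, svc, "security service stopped"})
			}
		}
	}
	return out
}

func main() {
	for _, f := range Findings(sampleLog) {
		fmt.Printf("%s %-10s %s\n", f.Time, f.Service, f.Reason)
	}
}
```

Run against the constructed sample, the detector flags the WinDefend stop, the svchost.exe lookalike installed from ProgramData, and the service whose binary sits under a world-writable Users\Public path, while the genuine MsSense install and the Spooler state change pass. Path-based rules like this are cheap but evadable (an attacker who can write into Program Files is not caught), so in practice they belong alongside signer verification of the service binary.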
Symantec confirmed it had notified the certificate authority of this activity. The advisory comes two months after Interpol claimed to have dismantled an international cybercrime ring that made an estimated $47,000 from extorting dozens of victims in Asia.