In December 2020, ESET Research, based in Montreal, QB, found another supply-chain attack on the Vietnam Government Certification Authority website. Since digital signatures hold the same level of validity as physical signatures, the Vietnamese government encourages users and private companies to sign digital documents. The VGCA frequently issue certificates and distributes digital signature tool kits.
When a certification authority website is compromised, APT (Advanced Persistent Threats) groups are more likely to take advantage of users’ personal information. After discovering the newest supply-chain attack, ESET notified the Vietnamese government as well as the affected organizations.
The VGCA were aware of the attack before being notified, and also warned the users who downloaded the software. ESET has also seen users in the Philippines become victims to this supply-chain attack. The Onside spoke to Ignacio Sanmillan,Malware Researcher,ESET to gain a better understanding of the risks of a supply-chain attack and the best way to protect oneself.
What element of a supply-chain attack is the most concerning to its users?
There are two main major implications of a successful supply-chain attack. First, the attack gives the attacker the capability to deploy malicious code to all users of the compromised supplier at once. Second, from the user’s perspective, the malicious code comes from a legitimate, trusted source, which usually implies that it is highly likely it will bypass many security mechanisms.
Why are supply-chain attacks a common compromise vector for cyber espionage groups?
Supply-chain attacks happen on a regular basis, but I wouldn’t consider them as common, or at least not as common as phishing via email or social media or watering hole attacks.
However, they do happen on a regular basis. One of the reasons cyberespionage groups leverage supply-chain attacks is to reach targets that would be considerably harder to compromise otherwise. Since the nature of these intrusions consists of the delivery of malware through trusted channels, it makes detecting and mitigating such attacks extremely difficult.
What can users do to protect themselves during a supply-chain attack?
First, users must determine if they have installed the malicious version of the affected software. This can be done by looking at reports from the supplier and other trusted sources. If so, they must delegate an incident response team to investigate to therefore mitigate the situation. The installation of any other software from the same supplier should also be suspended until it is determined that the supplier remediated its own intrusion
What are the first signs of a supply-chain attack that you notice as an IT worker?
It is generally not trivial to determine that a supply-chain attack is ongoing. From an IT worker point of view, one prime indicator would be alerts coming from antivirus or other security software indicating the presence of malware coming from a known software publisher. Another suspicious indicator would be the absence of proper digital signature on the malicious software. It is noteworthy that in some cases, the malicious software can actually be properly signed if the attacker compromised the internal build system of the supplier’s software.
If one finds themselves victim to a supply chain attack, what are the next steps to obtaining security again?
A close evaluation of the intrusion would have to be made in order to identify blind spots of already implemented security measures. Additional measures could also reinforce the awareness and mitigation of potential vulnerable channels, such as hiring a red team to deploy offensive operations for the proactive discovery of vulnerabilities in a subject organization’s network.
Being proactive to find potential threats is as important as being reactive to them. Organizations must hire experienced incident response teams that would investigate incidents or anomalous activity. In addition, organizations must create threat models in order to enable identification and mitigation of potential threats that could abuse production environments, managing their relationship with consumers in order to build a trust relationship that would assure the integrity of deliverables.
For more information, visit https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/
Source:“ESET Discovers Operation SignSight: Supply-Chain Attack against a Certification Authority in Southeast Asia.” ESET, 17 Dec. 2020, www.eset.com/ca/about/newsroom/press-releases/eset-discovers-operation-signsight-supply-chain-attack-against-a-certification-authority-in-southea-2/
Author: Vanessa Butera, Content Writer, The Onside Media, Toronto, Canada. If you have stories to share kindly email: – [email protected]