New SignSight Supply-Chain Attack Targeted Certification Authority in Southeast Asia Twice

A second supply-chain attack dubbed Operation SignSight has been discovered on the website of the Vietnam Government Certification Authority. The attackers made changes to software installers available for download from the website. In addition, they added a backdoor to target users of a legitimate application.

What happened?

The Vietnam Government Certification Authority confirmed that they were victims of the recent supply-chain attack and alerted individuals who could have downloaded the malicious software installers.
  • The website, ca.gov.vn, was compromised from July 23 to August 16.
  • The attackers used two modified installers gca01-client-v2-x32-8.3.msi and gca01-client-v2-x64-8.3.msi. These two trojanized installers were laden with a piece of malware known as PhantomNet/SManager. 
  • Both MSI installers were downloaded from ca.gov.vn over HTTPS protocol.
  • Once downloaded and executed, the installer executes the genuine GCA program and the malicious file to ensure that end-users do not spot this compromise easily.

Recent attacks

Supply-chain attacks are now becoming quite a common attack vector among cyberespionage groups.
  • In the previous attack dubbed Operation StealthyTrident, cybercriminals compromised Able Desktop installers and their update system to propagate HyperBro, Korplug, and Tmanger malware, while focusing on Mongolian organizations.
  • Recently, a widespread campaign has been discovered to be abusing SolarWinds software as a supply chain.
  • Last month, the Lazarus group used an unusual supply-chain mechanism in South Korea.

Conclusion

Cybercriminals are apparently taking more interest in supply-chain attacks as such attacks provide them the ability to silently deploy their malware. Thus, experts suggest using reliable and up-to-date cybersecurity software, managing supplier relationships, and applying the Principle of Least Privilege (PoLP) to reduce the risk of malicious access.