Billbug Stat-sponsored Chinese cyber-espionage targets certificate authorities and Government agencies in multiple Asian countries Symantec said in his report.
previously known Lotus Blossom , Billbug cyber-espionage is advance persistent threat actor active since 2009 and Symantec reported this type of activity 2018 and 2019 under the name Thrip . Now Symantec is sure that Thrip and Billbug is most likely the same group and no tracking all activity under the name Billbug.
"In activity documented by Symantec in 2019, we detailed how the group was using a backdoor known as Hannotog (Backdoor.Hannotog) and another backdoor known as Sagerunex (Backdoor.Sagerunex). Both these tools were also seen in this more recent activity.
The victims in this campaign included a certificate authority, as well as government and defense agencies. All the victims were based in various countries in Asia. Billbug is known to focus on targets in Asian countries. In at least one of the government victims, a large number of machines on the network were compromised by the attackers.
The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines. It could also potentially use compromised certificates to intercept HTTPS traffic. However, although this is a possible motivation for targeting a certificate authority, Symantec has seen no evidence to suggest they were successful in compromising digital certificates. Symantec has notified the cert authority in question to inform them of this activity."
This activity has been ongoing since at least March 2022. Symantec wrote
Symantec also released a list of indicators
072022b54085690001ff9ec546051b2f60564ffbf5b917ac1f5a0e3abe7254a5
0cc6285d4bfcb5de4ebe58a7eab9b8d25dfcfeb12676b0c084e8705e69f6f281
148145b9a2e3f3abdc6c2d3de340eabc82457be67fb44cfa400a5e7bd2f88760
2a4302e61015fdf5f65fbd456249bafe96455cd5cc8aefe075782365b9ae3076
3585a5cbbf1b8b3206d7280355194d5442ed997f61e061fd6938a93163c79507
37fe8efe828893042e4f1db7386d20fec55518a3587643f54d4c3ec82c35df6d
3c35514b27c57a46a5593dbbbfceddbc49979b20fddc14b68bf4f0ee965a7c59
3dd7b684024941d5ab26df6730d23087037535783e342ee98a3934cccddb8c3e
64c546439b6b2d930f5aced409844535cf13f5c6d24e0870ba9bc0cf354d8c11
79f9f25b15e88c47ce035f15dd88f18ecc11e1319ff6f88568fdd0d327ad7cc1
7fe67567a5de33166168357d663b85bd452d64a4340bdad29fe71588ad95bf6f
80a8a9a2e91ead0ae5884e823dca73ef9fce59ff96111c632902d6c04401a4fe
861d1307913d1c2dbf9c6db246f896c0238837c47e1e1132a44ece5498206ec2
8f7c74a9e1d04ff116e785f3234f80119d68ae0334fb6a5498f6d40eee189cf7
a462085549f9a1fdeff81ea8190a1f89351a83cf8f6d01ecb5f238541785d4b3
adb61560363fcda109ea077a6aaf66da530fcbbb5dbde9c5923a59385021a498
bcc99bc9c02e1e2068188e63bc1d7ebe308d0d12ce53632baa31ce992f06c34a
b631abbfbbc38dac7c59f2b0dd55623b5caa1eaead2fa62dc7e4f01b30184308
c4a7a9ff4380f6b4730e3126fdaf450c624c0b7f5e9158063a92529fa133eaf2
e4a460db653c8df4223ec466a0237943be5de0da92b04a3bf76053fa1401b19e
f7ea532becda13a1dcef37b4a7ca140c56796d1868867e82500e672a68d029e4
f969578a0e7fe90041d2275d59532f46dee63c6c193f723a13f4ded9d1525c6b
fea2f48f4471af9014f92026f3c1b203825bb95590e2a0985a3b57d6b598c3ff
No comments:
Post a Comment