Malware & Threats: New ‘Carderbee’ APT Targeted Chinese Security Software in Supply Chain Attack
Background
A new advanced persistent threat (APT) actor, dubbed Carderbee, has recently been observed deploying the PlugX backdoor through a supply chain attack primarily targeting organizations in Hong Kong. The actor abused the legitimate Cobra DocGuard software, developed by EsafeNet and owned by Chinese security firm NSFocus, to carry out the attack. This is not the first time Cobra DocGuard has been abused in a supply chain attack: a similar attack on a gambling company in Hong Kong in 2022 was attributed to APT27.
The Methods
Starting in April 2023, Symantec noticed a signed version of the PlugX backdoor (also known as Korplug) being delivered through a Cobra DocGuard supply chain attack on organizations in Hong Kong and other parts of Asia. This particular version of PlugX is notorious for being used by multiple APT groups, including APT41 and Budworm. However, it was not possible to definitively link this activity to a known group, leading Symantec to attribute it to the newly discovered Carderbee group.
During their investigation, Symantec identified malicious activity on approximately 100 computers out of the approximately 2,000 running Cobra DocGuard within the targeted organizations. They also observed multiple malware families being deployed through the same supply chain compromise. Notably, the attackers used a downloader signed with a Microsoft certificate (Microsoft Windows Hardware Compatibility Publisher) to install the Korplug backdoor on targeted systems.
Analysis and Implications
The Carderbee group demonstrates a high level of sophistication and skill in their attack methods. By exploiting a supply chain attack and using malware signed with a valid certificate, they were able to stay under the radar. Furthermore, the fact that they only deployed their payload on a limited number of computers suggests careful planning and reconnaissance on the part of the attackers.
While Symantec has not definitively linked Carderbee to any specific country, it is worth noting that attacks involving PlugX malware and those targeting Hong Kong are typically attributed to Chinese state-sponsored threat actors. This raises questions about potential state involvement or support for the Carderbee group.
Recommendations
This supply chain attack targeting Chinese security software highlights the importance of implementing robust security measures and maintaining ongoing monitoring. Organizations should take the following steps to enhance their defenses:
1. Regularly update and patch software:
Ensure that all software, including third-party applications, is up to date with the latest security patches. Regularly check for updates and implement them as soon as they are available.
2. Conduct comprehensive supply chain assessments:
Regularly assess and evaluate the security practices of third-party vendors, particularly those providing critical software or services. Consider implementing measures to verify the integrity of software updates and monitor for any suspicious activity.
3. Implement strong access controls:
Adopt multi-factor authentication (MFA) and regularly review and update access controls to minimize the risk of unauthorized access to critical systems and information.
4. Invest in robust endpoint protection:
Implement advanced endpoint protection solutions that can detect and block known and unknown threats. Regularly update and monitor these solutions to ensure their effectiveness.
5. Foster a culture of cybersecurity awareness:
Train employees on cybersecurity best practices, such as identifying and avoiding phishing emails and suspicious websites. Encourage reporting of any unusual or suspicious activity.
6. Enhance threat intelligence capabilities:
Establish relationships with trusted cybersecurity organizations and stay informed about the latest threat intelligence. Leverage this information to proactively identify and mitigate potential threats.
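Two points above deserve a concrete check: the downloader in this campaign carried a valid Microsoft signature and still installed a backdoor, and recommendation 2 asks organizations to verify the integrity of software updates. The following Python is an added illustration, not code from the article or from Symantec, of how a defender can treat a valid signature as necessary but not sufficient: each binary launched from the vendor's update directory must be signed by the publisher pinned for that directory and must match a hash pinned out of band. The update directory, the vendor name "Example Vendor Co., Ltd.", the manifest contents and the event records are all constructed placeholders; an EDR export with these fields is an assumption.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# --- Defender-set policy (placeholders, not values from the article) -----------
# Directory the vendor's updater writes to; "ExampleVendor" is a hypothetical name.
UPDATE_DIR = r"C:\Program Files\ExampleVendor\DocGuard\update"
# Publishers whose signature is acceptable for binaries under UPDATE_DIR.
# A signature from any other publisher, even a valid one, is a policy violation.
EXPECTED_PUBLISHERS: Dict[str, Set[str]] = {
    UPDATE_DIR: {"Example Vendor Co., Ltd."},
}
# Pinned hashes of the update package contents, obtained out of band
# (e.g. from a vendor manifest fetched over a separate channel). Bytes are constructed.
_LEGIT_UPDATER = b"constructed bytes of the genuine updater"
_LEGIT_SERVICE = b"constructed bytes of the genuine service binary"
MANIFEST: Dict[str, str] = {
    (UPDATE_DIR + r"\updater.exe").lower(): hashlib.sha256(_LEGIT_UPDATER).hexdigest(),
    (UPDATE_DIR + r"\svc.exe").lower(): hashlib.sha256(_LEGIT_SERVICE).hexdigest(),
}


@dataclass
class ProcessEvent:
    """One process-start record as an EDR might export it (assumed schema)."""
    path: str
    sha256: str
    signer: Optional[str]    # subject CN of the leaf signing cert; None if unsigned
    signature_valid: bool    # True if the chain verified to a trusted root
    parent: str              # image that spawned it


def _under(path: str, directory: str) -> bool:
    """Case-insensitive prefix test for Windows-style paths (assumption)."""
    return path.lower().startswith(directory.lower().rstrip("\\") + "\\")


def assess(ev: ProcessEvent) -> List[str]:
    """Return every policy violation for one event; an empty list means clean."""
    reasons: List[str] = []
    if ev.signer is None:
        reasons.append("unsigned")
    elif not ev.signature_valid:
        reasons.append("invalid-signature")
    for directory, allowed in EXPECTED_PUBLISHERS.items():
        if _under(ev.path, directory):
            # The signature may verify fine; what matters is who signed it.
            if ev.signer is not None and ev.signature_valid and ev.signer not in allowed:
                reasons.append("unexpected-publisher")
            # Anything in the update directory that the manifest does not list was
            # not part of the package the vendor published.
            if ev.path.lower() not in MANIFEST:
                reasons.append("not-in-manifest")
    pinned = MANIFEST.get(ev.path.lower())
    if pinned is not None and ev.sha256 != pinned:
        reasons.append("hash-mismatch")
    return reasons


def triage(events: List[ProcessEvent]) -> Dict[str, List[str]]:
    """Map each flagged path to its violations; clean events are omitted."""
    return {ev.path: r for ev in events if (r := assess(ev))}


# Constructed sample: four process starts after an update run.
SAMPLE_EVENTS = [
    # Genuine updater: expected publisher, valid chain, bytes match the pin.
    ProcessEvent(UPDATE_DIR + r"\updater.exe", hashlib.sha256(_LEGIT_UPDATER).hexdigest(),
                 "Example Vendor Co., Ltd.", True, "services.exe"),
    # Validly signed, but by a publisher the vendor never uses, and not in the manifest.
    ProcessEvent(UPDATE_DIR + r"\loader.exe", hashlib.sha256(b"constructed loader").hexdigest(),
                 "Microsoft Windows Hardware Compatibility Publisher", True,
                 UPDATE_DIR + r"\updater.exe"),
    # Vendor-named binary whose bytes no longer match what was pinned.
    ProcessEvent(UPDATE_DIR + r"\svc.exe", hashlib.sha256(b"constructed tampered svc").hexdigest(),
                 "Example Vendor Co., Ltd.", False, UPDATE_DIR + r"\updater.exe"),
    # Unsigned tool outside the update directory.
    ProcessEvent(r"C:\Users\Public\tool.exe", hashlib.sha256(b"constructed tool").hexdigest(),
                 None, False, "explorer.exe"),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{path}: {', '.join(reasons)}")
```

The signer allowlist is keyed by directory rather than by file name so that a newly dropped file in the update location is judged by the same rule as the files the vendor ships; the manifest check then catches the case where an attacker replaces a vendor binary with one of the same name. Neither check replaces certificate validation, they sit on top of it.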
Editorial
This supply chain attack targeting Chinese security software raises concerns about the vulnerabilities and risks associated with relying on third-party vendors. Organizations must prioritize security and ensure that the software they use is regularly updated and thoroughly vetted. Additionally, governments and international bodies need to collaborate and share information to identify and respond to threats that cross borders.
This incident also highlights the evolving tactics and sophistication of threat actors. The use of valid digital certificates and limited deployment of payloads indicates the level of planning and reconnaissance these attackers undertake. It is crucial for organizations to constantly improve their security posture and remain vigilant against new and emerging threats.
Countermeasures alone are not enough; a proactive and holistic approach to cybersecurity is necessary. This requires a comprehensive understanding of the threat landscape, regular risk assessments, and ongoing investment in security measures. Only by adopting a multi-layered defense strategy can organizations effectively protect themselves against advanced threats like Carderbee and secure their supply chains.