The Rising Threat: Chinese APT Launches Supply Chain Attack Targeting Hong Kong

An Emerging China-Backed APT Group Targets Hong Kong Organizations in Supply Chain Attack

The Attack

An advanced persistent threat (APT) group, believed to be backed by China, has targeted organizations in Hong Kong in a recent supply chain attack. The group, tracked as Carderbee, used a compromised version of Cobra DocGuard, a product of the Chinese firm EsafeNet, to gain access to the victims' networks, and then deployed the PlugX backdoor (also known as Korplug), a well-known remote access trojan (RAT).

What makes this attack notable is the use of legitimate software as the delivery vehicle. The attackers pushed a compromised version of Cobra DocGuard, a product used to protect, encrypt and decrypt software, and used it to deliver PlugX. The compromised software reached around 2,000 computers, but the researchers observed malicious activity on only about 100 of them, which indicates that the group selectively activated its payload against chosen victims. For a defender, a host that received the compromised update but shows no follow-on activity should still be treated as exposed, not as clean.

Moreover, the PlugX installer was signed with a legitimate Microsoft certificate, obtained by abusing the Microsoft Windows Hardware Developer Program. A valid signature from a trusted publisher makes the malware harder for security software to flag, because it appears to come from a trusted source. The practical lesson is that "the signature is valid" is not a sufficient check: a control should also ask who signed the file and whether that signer is plausible for the software in question, and revocation data should be kept current so that a certificate Microsoft later revokes stops being trusted.

As-Yet Unidentified Threat Actor

While the researchers have not definitively linked Carderbee to any known China-backed APT group, its tactics and infrastructure overlap with those of other threat actors operating out of China. That overlap is precisely what makes attribution difficult, since tooling and infrastructure are shared across several of these groups. The Korplug backdoor used in this attack has been employed not only by Carderbee but also by groups such as Budworm (also known as LuckyMouse or APT27) and APT41. The researchers have not established the motive, but because PlugX/Korplug is typically associated with cyber espionage, intelligence gathering is the most plausible purpose.

Defense against Supply Chain Attacks

Software supply chain attacks have become a major concern for organizations across sectors. In the past 12 months, several high-profile attacks have occurred, highlighting the need for better defense mechanisms. Organizations must implement strategies to protect their supply chains and mitigate the risk of compromise.

To defend against supply chain attacks, organizations should monitor process, file and network behavior on their systems and look for patterns that indicate a suspicious or malicious application, then block that behavior before it does damage. The key point is that a malicious update behaves differently from the clean software it replaces: it may write new executables where the product never did, spawn child processes the product never spawns, or contact infrastructure the product never contacts. Behavior-based detection can therefore catch a poisoned update even when the file itself is signed and its hash has never been seen before.
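The following is an added illustration of that idea, not code from the article, from Symantec or from EsafeNet. It runs a small set of rules over constructed Sysmon-style events for a hypothetical updater: the process names, paths, events and the known-good profile are all made up for the example and are not real Cobra DocGuard or Carderbee artefacts. The rules are: the updater writes an executable outside its install directory, the updater launches a child that is not in its profile, a process in the updater's tree executes something that tree just dropped, and a process in the tree starts a command interpreter.

```python
"""Behaviour-based check for a software updater, as an added illustration (not code
from the article, Symantec or EsafeNet). Process names, paths and events below are
constructed; they are not real Cobra DocGuard or Carderbee artefacts."""
import json
import ntpath
from collections import defaultdict

# Constructed Sysmon-style events: id 1 = process create, id 11 = file create.
# First run: a clean update that replaces and restarts the application.
# Second run: a poisoned update that drops a new executable outside the
# install directory, runs it, and that process opens a shell.
SAMPLE_LOG = r"""
{"id": 1, "pid": 400, "ppid": 1, "image": "C:\\Program Files\\Vendor\\updater.exe", "cmd": "updater.exe /check"}
{"id": 11, "pid": 400, "target": "C:\\Program Files\\Vendor\\app.exe"}
{"id": 1, "pid": 401, "ppid": 400, "image": "C:\\Program Files\\Vendor\\app.exe", "cmd": "app.exe"}
{"id": 1, "pid": 500, "ppid": 1, "image": "C:\\Program Files\\Vendor\\updater.exe", "cmd": "updater.exe /check"}
{"id": 11, "pid": 500, "target": "C:\\ProgramData\\Cache\\helper.exe"}
{"id": 1, "pid": 501, "ppid": 500, "image": "C:\\ProgramData\\Cache\\helper.exe", "cmd": "helper.exe -s"}
{"id": 1, "pid": 502, "ppid": 501, "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd /c whoami"}
"""

# Known-good profile of the updater (hypothetical; in practice built from a
# baseline of clean update runs). Paths are compared case-insensitively.
PROFILE = {
    "updater": "c:\\program files\\vendor\\updater.exe",
    "allowed_children": {"c:\\program files\\vendor\\app.exe"},
    "install_dirs": ("c:\\program files\\vendor\\",),
}
INTERPRETERS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe"}
EXECUTABLE_EXT = (".exe", ".dll")


def parse_log(text):
    """One JSON event per line."""
    return [json.loads(line) for line in text.strip().splitlines()]


def detect(events, profile=PROFILE):
    """Return (rule, pid, detail) alerts for behaviour outside the updater's profile."""
    alerts = []
    root_of = {}                 # pid -> pid of the updater instance it descends from
    dropped = defaultdict(set)   # updater pid -> executables its tree wrote outside install dirs
    for ev in events:
        if ev["id"] == 1:
            image = ev["image"].lower()
            if image == profile["updater"]:
                root_of[ev["pid"]] = ev["pid"]      # a new updater instance
                continue
            root = root_of.get(ev["ppid"])
            if root is None:
                continue                             # not part of any update run
            root_of[ev["pid"]] = root
            if ev["ppid"] == root and image not in profile["allowed_children"]:
                alerts.append(("unexpected_child", ev["pid"], image))
            if image in dropped[root]:
                alerts.append(("drop_and_execute", ev["pid"], image))
            if ntpath.basename(image) in INTERPRETERS:
                alerts.append(("interpreter_under_updater", ev["pid"], ev["cmd"]))
        elif ev["id"] == 11:
            root = root_of.get(ev["pid"])
            target = ev["target"].lower()
            if root is None or not target.endswith(EXECUTABLE_EXT):
                continue
            if not target.startswith(profile["install_dirs"]):
                dropped[root].add(target)
                alerts.append(("executable_outside_install_dir", ev["pid"], target))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The clean run produces no alerts even though the updater overwrites and relaunches the application, because that is in its profile; the poisoned run trips all four rules. None of the rules looks at a hash or a signature, which is the point: they would fire on a signed binary from the vendor's own update channel.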

Organizations can also reduce their exposure by implementing zero-trust policies and network segmentation. These measures keep a malicious update that lands on one machine from being used to reach the rest of the network: if the compromised host's access is restricted to what its role requires, and its segment cannot talk freely to others, the attacker has to work much harder to move laterally, and the blast radius of a single poisoned update stays small.

In addition to organizational measures, software developers and providers must take responsibility for securing their own part of the supply chain. They need robust mechanisms to detect unauthorized changes to build outputs, to the update server and to their website, since a customer's update client will install whatever that channel serves. By continuously verifying that what is published matches what was built, and by giving clients a way to verify it too, developers and providers contribute to the security of everyone downstream.
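As an added example (not code from the article, from Symantec or from EsafeNet), the block below shows both halves of that responsibility for a hypothetical product: the vendor side audits what the update server serves against the manifest produced at build time, and the client side refuses an update whose manifest is not authentic or whose file does not match it. File names, contents and the key are constructed. HMAC is used here only because the Python standard library has no asymmetric primitive; a real pipeline would sign the manifest with an offline asymmetric key (Ed25519, Authenticode or similar), and the structure of the checks is the same.

```python
"""Update-channel integrity check, as an added illustration (not code from the
article, Symantec or EsafeNet). File names, contents and the key are constructed."""
import hashlib
import hmac
import json

# Constructed: a key held offline by the release pipeline. HMAC stands in for the
# asymmetric signature (Ed25519, Authenticode) a real pipeline would use; the
# manifest structure and the checks are the same.
RELEASE_KEY = b"example-release-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def encode_body(body: dict) -> bytes:
    # Canonical encoding so signer and verifier authenticate identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(version: str, artifacts: dict, key: bytes = RELEASE_KEY) -> dict:
    """Build time: record a digest for every artefact and authenticate the manifest."""
    body = {"version": version,
            "files": {name: sha256_hex(data) for name, data in artifacts.items()}}
    return {"body": body, "tag": hmac.new(key, encode_body(body), "sha256").hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes = RELEASE_KEY) -> bool:
    expected = hmac.new(key, encode_body(manifest["body"]), "sha256").hexdigest()
    return hmac.compare_digest(manifest["tag"], expected)


def audit_published(manifest: dict, served: dict) -> list:
    """Vendor side: compare what the update server actually serves with what was
    built. Any finding means the channel changed after release."""
    expected = manifest["body"]["files"]
    findings = []
    for name, digest in expected.items():
        if name not in served:
            findings.append(("missing", name))
        elif sha256_hex(served[name]) != digest:
            findings.append(("modified", name))
    findings += [("unexpected", name) for name in served if name not in expected]
    return findings


def client_accepts(manifest: dict, name: str, data: bytes, key: bytes = RELEASE_KEY) -> bool:
    """Client side: install only if the manifest is authentic and the file matches it.
    Checking the file hash alone is not enough: an attacker who can replace the
    file on the update server can usually replace an unauthenticated manifest too."""
    if not manifest_is_authentic(manifest, key):
        return False
    digest = manifest["body"]["files"].get(name)
    return digest is not None and hmac.compare_digest(digest, sha256_hex(data))


# Constructed release, and a constructed tampered copy of the update channel.
BUILT = {"app.exe": b"MZ...clean application build 4.2.1",
         "updater.exe": b"MZ...clean updater 4.2.1"}
MANIFEST = build_manifest("4.2.1", BUILT)
SERVED = {
    "app.exe": b"MZ...application build 4.2.1 with added loader",   # replaced in place
    "updater.exe": BUILT["updater.exe"],
    "helper.dll": b"MZ...file that was never part of the release",  # added
}

if __name__ == "__main__":
    print(audit_published(MANIFEST, SERVED))
    print(client_accepts(MANIFEST, "app.exe", SERVED["app.exe"]))
```

The audit reports app.exe as modified and helper.dll as an unexpected addition, and the client rejects the served app.exe. It also rejects a manifest whose digest for app.exe has been rewritten to match the tampered file, because the tag no longer verifies; that case is the reason the manifest must be authenticated with a key the update server itself does not hold.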

Conclusion

The Carderbee attack highlights the growing threat of supply chain attacks and the challenges they pose to organizations. Delivering malware through legitimate, signed software makes it harder for defenders to detect and prevent such attacks. The methods and infrastructure used show similarities with other China-backed APT groups, though definitive attribution is difficult because tactics and infrastructure are shared among these groups.

Organizations must be vigilant and implement robust security measures to protect against supply chain attacks. Monitoring and detecting unusual behavior, implementing zero-trust policies and network segmentation, and securing the software update process are all crucial steps in fortifying the supply chain against potential attacks. As threats continue to evolve, organizations must remain proactive in their defense and adapt their security strategies accordingly.
