State-Sponsored Actor Targets Cert Authority, Government Agencies In Multiple Asian Countries

By   ISBuzz Team
Writer , Information Security Buzz | Nov 16, 2022 11:27 am PST

State-Sponsored Actor Targets Cert Authority, Government Agencies In Multiple Asian Countries

A new state-sponsored actor has targeted multiple Cert Authorities (CAs) and government agencies in multiple Asian countries, FireEye researchers warn. The actor, dubbed TEMP. Periscope by the security firm.  Uses phishing emails as an attack vector to deliver malware to organizations based in Nepal and Indonesia that have ties with the Indian government and military. The espionage campaign started in August 2017 and it’s still ongoing; FireEye discovered it after detecting two phishing emails sent to two different entities in the region. Which at first glance were unrelated to each other.


What is a state-sponsored actor?

A state-sponsored actor is a person or organization that is sponsored by a government agency. State-sponsored actors are usually tasked with espionage and information-gathering missions as well as cyber-attacks. The main goal of these actors is to destabilize the country’s enemies in an attempt to protect the interest of their sponsoring country. There are many different types of state-sponsored actors. Who use different methods for the completion of their mission.

1) A hacker can create malware or a computer virus that can infiltrate any system. And allow them to steal confidential data from within that system. Hackers will often use phishing emails where they pretend to be someone trustworthy. So that you’ll open an attachment and give them access to your computer.


What are the state-sponsored actor targets?

This particular attack used a vulnerability in the software development framework Apache Struts. The vulnerability was originally found and patched back in March 2017 by the US National Security Agency. The NSA shared the vulnerability with other countries as well. This meant that many governments around. The world were aware of this vulnerability and yet it still wasn’t addressed or patched. This is not something you’d typically see from a state-sponsored actor. Because they usually go for more sophisticated methods like zero-day exploits to infiltrate their targets. That being said, it’s unclear if this was intentional or accidental. Because of how easy it would have been to patch this issue. But what is clear is that they wanted to use this exploit as soon as possible. After they found out about it and that they wanted to do so without getting caught.


How did they do it?

According to a blog post by Trend Micro, the actor was successful in compromising the target systems by exploiting vulnerabilities. The attackers were able to steal certificates and use them for man-in-the-middle attacks. They also used these stolen certificates to spoof HTTPS traffic in order to execute their attack. This is one of the first incidents where a state-sponsored actor has been found using this method of obtaining certificates.


What can we do to prevent this?

The best way to prevent these types of attacks is by keeping your systems and software patched and up to date. This will ensure that you are always running the latest version of the software that includes critical security fixes. You should also limit the number of privileges for regular users and create separate accounts with limited privileges for those who only need to perform a few tasks. Keeping your data in a safe location is another important step toward ensuring it cannot be accessed by unauthorized individuals. If you have sensitive information on your computer then you should use encryption software like BitLocker or VeraCrypt to encrypt the data before sending it over an unsecured network such as email or FTP. Lastly, make sure all of your devices are properly configured with strong passwords to avoid being vulnerable to brute-force attacks.

Notify of
2 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Sitaram Iyer
Sitaram Iyer , Global Security Architect
November 16, 2022 7:29 pm

This compromise of a certificate authority (CA) highlights the importance of managing all machine identities in an enterprise. If the compromised were to be the root CA, then the attacker can potentially gain full control over the entire PKI infrastructure and compromise the trust in the system. Revocation of all the certificates issued by this CA must be revoked and replaced. This certainly comes at a high-cost effort – and in most cases, credibility of the organization.  

This can be even more catastrophic as organizations create subordinate CAs that are used for signing workloads in cloud native environments for managing pod or mesh identities. The sheer volume of these identities and the need to revoke all subordinates, recreate them and issue identities for workloads is a huge effort.

Protecting and managing all the machine identities, irrespective of where and how it’s used, is critical for creating an enterprise security posture. Manual processes need to be eliminated, and all machine identity management should be 100% automated with security teams having the right kind of observability.

Last edited 1 year ago by Sitaram Iyer
Kevin Bocek
Kevin Bocek , VP Security Strategy & Threat Intelligence
November 16, 2022 7:28 pm

The compromise of a digital certificate authority (CA) is bad news. CAs are a vital centerpiece in the system of identity that keeps our online world running securely. A CA issues companies with TLS certificates – a type of machine identity that enables secure machine-to-machine communication. This identity tells other machines that it can be trusted. It is this system that enables the green padlock we are all so familiar with now. If a CA is compromised, all the identities associated with it come into question. 

In this particular case, the attack on the CAs has all the tell-tale signs of a sophisticated nation state attack. However, this doesn’t just impact the CAs – every business, consumer and government that relies on these CAs to know whether a digital service is real or fake, and whether communications are private or tapped, is impacted. An attacker could use this position of power to conduct man-in-the-middle attacks, to intercept encrypted traffic, or to issue identities for malicious or fraudulent services to enable them to be trusted by major browsers and operating systems. We’ve seen this play out with attacks such as DigiNotar in the Netherlands.  

To remediate the problem, just as you change your passwords if they are breached, CISOs, CIOs and CEOs must do the same for machine identities. In today’s age of businesses running in the cloud, organizations must quickly identify and remove all certificates associated with unknown and untrusted CAs, and replace them with new certificates from trusted sources. Yet an organization could have hundreds, if not thousands of identities to replace. This is why organizations need to invest in a control plane that can automate the management of machine identities.

Last edited 1 year ago by Kevin Bocek

Recent Posts

Would love your thoughts, please comment.x