State-Sponsored Actor Targets Cert Authority, Government Agencies In Multiple Asian Countries
A new state-sponsored actor has targeted multiple Cert Authorities (CAs) and government agencies in multiple Asian countries, FireEye researchers warn. The actor, dubbed TEMP. Periscope by the security firm. Uses phishing emails as an attack vector to deliver malware to organizations based in Nepal and Indonesia that have ties with the Indian government and military. The espionage campaign started in August 2017 and it’s still ongoing; FireEye discovered it after detecting two phishing emails sent to two different entities in the region. Which at first glance were unrelated to each other.
What is a state-sponsored actor?
A state-sponsored actor is a person or organization that is sponsored by a government agency. State-sponsored actors are usually tasked with espionage and information-gathering missions as well as cyber-attacks. The main goal of these actors is to destabilize the country’s enemies in an attempt to protect the interest of their sponsoring country. There are many different types of state-sponsored actors. Who use different methods for the completion of their mission.
1) A hacker can create malware or a computer virus that can infiltrate any system. And allow them to steal confidential data from within that system. Hackers will often use phishing emails where they pretend to be someone trustworthy. So that you’ll open an attachment and give them access to your computer.
What are the state-sponsored actor targets?
This particular attack used a vulnerability in the software development framework Apache Struts. The vulnerability was originally found and patched back in March 2017 by the US National Security Agency. The NSA shared the vulnerability with other countries as well. This meant that many governments around. The world were aware of this vulnerability and yet it still wasn’t addressed or patched. This is not something you’d typically see from a state-sponsored actor. Because they usually go for more sophisticated methods like zero-day exploits to infiltrate their targets. That being said, it’s unclear if this was intentional or accidental. Because of how easy it would have been to patch this issue. But what is clear is that they wanted to use this exploit as soon as possible. After they found out about it and that they wanted to do so without getting caught.
How did they do it?
According to a blog post by Trend Micro, the actor was successful in compromising the target systems by exploiting vulnerabilities. The attackers were able to steal certificates and use them for man-in-the-middle attacks. They also used these stolen certificates to spoof HTTPS traffic in order to execute their attack. This is one of the first incidents where a state-sponsored actor has been found using this method of obtaining certificates.
What can we do to prevent this?
The best way to prevent these types of attacks is by keeping your systems and software patched and up to date. This will ensure that you are always running the latest version of the software that includes critical security fixes. You should also limit the number of privileges for regular users and create separate accounts with limited privileges for those who only need to perform a few tasks. Keeping your data in a safe location is another important step toward ensuring it cannot be accessed by unauthorized individuals. If you have sensitive information on your computer then you should use encryption software like BitLocker or VeraCrypt to encrypt the data before sending it over an unsecured network such as email or FTP. Lastly, make sure all of your devices are properly configured with strong passwords to avoid being vulnerable to brute-force attacks.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.