Mongolian CA Hit by Supply Chain Attack: The Latest in a Growing Trend [Encryption Digest 62]

July 9, 2021 | Alexa Cardenas

Earlier this week HackerNews reported that MonPass, one of Mongolia’s most trusted certificate authorities, was the victim of a software supply chain attack. Unidentified malicious actors infiltrated its network and made a backdoored installer available for download, where it remained for nearly a month before being uncovered. Additionally, one of MonPass’s public web servers was hacked eight separate times, as indicated by the eight web shells and backdoors present on the compromised server.

Attacks of this nature are, unfortunately, on the rise. SolarWinds and Mimecast were among the other recent targets, and the Linux Foundation has launched a service to prevent supply chain attacks. It is more important than ever for organizations to stay vigilant about the current encryption threat landscape and maintain a secure machine identity management strategy.

This week we discuss how exactly the MonPass supply chain attack happened, what it means for the larger encryption attack surface, and how you can fend off similar cyber security threats!

How did MonPass fall prey to a supply chain attack?

This incident was first investigated by cybersecurity company Avast after they found one of the backdoored installers on a customer’s systems. They said, "The malicious installer is an unsigned [Portable Executable] file. It starts by downloading the legitimate version of the installer from the MonPass official website. This legitimate version is dropped to the 'C:\Users\Public\' folder and executed under a new process. This guarantees that the installer behaves as expected, meaning that a regular user is unlikely to notice anything suspicious."
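As an added illustration (not code from the post, Avast or MonPass), here is a Python pre-flight gate a download tool could apply before launching a fetched installer: it parses the PE headers and refuses any image that carries no Authenticode certificate table, which is the check the unsigned backdoored installer would have failed. The stub PE builder and the function names are constructed for this example; presence of a certificate table only proves a signature is attached, and validating the chain is a separate step.

```python
import struct

# PE data-directory slot that points at the Authenticode (Certificate Table) blob.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def authenticode_entry(data: bytes):
    """Return (file_offset, size) of the Certificate Table, or None if the bytes are
    not a PE image or no Authenticode blob is attached at all."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    opt = coff + 20                                              # COFF header is 20 bytes
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + 96 if magic == 0x10B else opt + 112 if magic == 0x20B else None  # PE32 / PE32+
    if dirs is None:
        return None
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]          # NumberOfRvaAndSizes
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + opt_size:
        return None
    off, size = struct.unpack_from("<II", data, entry)           # raw file offset, not an RVA
    if off == 0 or size == 0 or off + size > len(data):
        return None
    return off, size


def allow_install(data: bytes) -> bool:
    """Gate applied before executing a downloaded installer: unsigned PE -> refuse."""
    return authenticode_entry(data) is not None


def build_stub_pe(signed: bool, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (not a real installer) used to exercise the gate."""
    magic, ndirs_off = (0x20B, 108) if pe32plus else (0x10B, 92)
    dirs_off = ndirs_off + 4
    opt_size = dirs_off + 16 * 8                                 # 16 data directories
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, ndirs_off, 16)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    image = dos + b"PE\0\0" + coff + opt
    if signed:
        blob = b"\x30\x82" + b"\0" * 14                           # placeholder DER bytes, constructed
        entry = 0x40 + 4 + 20 + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", image, entry, len(image), len(blob))
        image += blob
    return bytes(image)
```

On Windows the attached blob should then be verified with WinVerifyTrust or `signtool verify /pa`, since this parser only establishes that a signature is present.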

When MonPass was notified of this on April 22, the certificate authority took immediate steps to address the compromised server and reached out to all customers who had downloaded the backdoored client.

This is at least the second time that software carrying a malicious backdoor has been distributed by a certificate authority. Internet security company ESET reported the “SignSight” attack in December 2020. In that instance it was the Vietnam Government Certificate Authority (VGCA) whose digital signature toolkit was tampered with to include spyware capable of stealing system data and installing even more malware. Part of why supply chain attacks are on the rise is that they allow cyber criminals to covertly deploy malware on many computers at the same time.

It’s no coincidence that earlier this week Proofpoint reported that abuse of the Cobalt Strike penetration testing tool by cyber criminals skyrocketed by 161% from 2019 to 2020. Proofpoint’s researchers stated, “Cobalt Strike is becoming increasingly popular among threat actors as an initial access payload, not just a second-stage tool threat actors use once access is achieved, with criminal threat actors making up the bulk of attributed Cobalt Strike campaigns in 2020”.

What are security experts saying about this incident?

Pratik Savla, Lead Security Engineer at Venafi, noted that “delivery of malicious Portable Executable (PE files) has long been part of an attacker’s playbook because, once compromised, they are very versatile. These files can be delivered using a worm, ransomware and many other mechanisms including APT campaigns. One reason they are so attractive to attackers is that the PE format was not designed to resist code injection.”

But what was it that made the MonPass supply chain attack possible?

According to Pratik, these attackers “went a step further and designed a C2 profile to mimic a jQuery request. This helped them evade detection because these requests are so common they are unlikely to arouse any suspicion when traffic is being analyzed. This attack clearly illustrates that machine identities are a high value target for attackers. All it takes is one successful exploitation to break the trust chain and compromise machine identities."

Cobalt Strike is growing in popularity with attackers and shows no signs of slowing down. Why? Pratik Savla explains that attackers prefer this method because “anyone can utilize it regardless of their capabilities or skill sets, and they can be leveraged to deliver an initial payload. The reality is that Cobalt Strike lowers the bar to become an APT actor, which is a major concern as it’s bound to increase the number of viable APT players.”

What can you do to boost your cyber security?

Unfortunately for the rest of us, attackers have discovered that Cobalt Strike is a great tool for defense evasion, buying critical time while the attack escalates and spreads. Threat actors are also using the default Cobalt Strike Beacon TLS/SSL certificate in the hopes of evading attack attribution.

It’s no secret that cyber attacks involving machine identities are on the rise. Several factors are expanding the encryption and machine identity attack surface, and it is absolutely essential that organizations have full visibility of their machine identities, where they are, who owns them and who’s using them.

If your security strategy is lacking in this area, the time to act is now. Venafi’s Trust Protection Platform covers your TLS keys and certificates, SSH keys, code signing keys, and more across your entire enterprise!