Earlier this week HackerNews reported that one of Mongolia’s most trusted certificate authorities, MonPass, was the victim of a software supply chain attack. Unidentified malicious actors infiltrated its network and made an infected installer available for download, and it remained in place for nearly a month before being uncovered. Additionally, one of MonPass’s public web servers was hacked eight separate times, as indicated by the eight web shells and backdoors found on the compromised server.
Attacks of this nature are, unfortunately, on the rise. SolarWinds and Mimecast were other recent targets, and the Linux Foundation has launched a service to prevent supply chain attacks. It is more important than ever for organizations to remain vigilant about the current encryption threat landscape and to maintain a secure machine identity management strategy.
This week we discuss how exactly the MonPass supply chain attack happened, what it means for the larger encryption attack surface, and how you can fend off similar cyber security threats!
This incident was first investigated by cybersecurity company Avast after they found one of the backdoored installers on a customer’s systems. They said, "The malicious installer is an unsigned [Portable Executable] file. It starts by downloading the legitimate version of the installer from the MonPass official website. This legitimate version is dropped to the 'C:\Users\Public\' folder and executed under a new process. This guarantees that the installer behaves as expected, meaning that a regular user is unlikely to notice anything suspicious."
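The Avast description above turns on one fact: the malicious installer was an unsigned PE file. As an added defender-side example (not code from the original post, Avast or MonPass), the stdlib-only Python below locates the PE Certificate Table, the data directory that holds an embedded Authenticode signature, and flags files where it is empty. The sample headers are constructed in the script; a present signature still has to be validated against a trusted chain, which this check does not do.

```python
import struct

# Index of the Certificate Table (Authenticode) entry in the PE data directories.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4

def authenticode_table(data: bytes):
    """Return (file_offset, size) of the Certificate Table, or None if the
    bytes are not a valid PE image. A size of 0 means no embedded signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                # PE32
        dirs, count_off = opt + 96, opt + 92
    elif magic == 0x20B:                              # PE32+
        dirs, count_off = opt + 112, opt + 108
    else:
        return None
    count = struct.unpack_from("<I", data, count_off)[0]
    if count <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)                                 # directory absent: nothing signed
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + opt_size or entry + 8 > len(data):
        return None
    # Unlike the other directories, this entry stores a raw file offset, not an RVA.
    return struct.unpack_from("<II", data, entry)

def is_unsigned_pe(data: bytes) -> bool:
    """True only for a parseable PE image that carries no Authenticode blob."""
    table = authenticode_table(data)
    return table is not None and table[1] == 0

def build_sample_pe(cert_size: int) -> bytes:
    """Constructed minimal PE32+ header for demonstration, not a real binary.
    cert_size=0 models an unsigned installer like the one Avast described."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)           # e_lfanew -> PE signature
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x84 + 16, 240)       # SizeOfOptionalHeader (PE32+)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x20B)           # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)        # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 144, 0x200 if cert_size else 0, cert_size)
    return bytes(img)

if __name__ == "__main__":
    for label, size in (("unsigned installer", 0), ("signed installer", 0x1000)):
        print(label, "-> unsigned" if is_unsigned_pe(build_sample_pe(size)) else "-> has signature")
```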
When MonPass was notified of this on April 22, the certificate authority took immediate steps to address the compromised server and reached out to all the customers that had downloaded the backdoored client.
This is at least the second time that backdoored software has been distributed by a certificate authority. Internet security company ESET reported the “SignSight” attack in December 2020. In that instance it was the Vietnam Government Certificate Authority (VGCA) whose digital signature toolkit was tampered with to include spyware capable of stealing system data and installing further malware. Part of why supply chain attacks are on the rise is that they allow cyber criminals to covertly deploy malware on many computers at the same time.
It’s no coincidence that earlier this week, Proofpoint reported that abuse of the Cobalt Strike penetration-testing tool by cyber criminals skyrocketed by 161% from 2019 to 2020. The Proofpoint researchers stated, “Cobalt Strike is becoming increasingly popular among threat actors as an initial access payload, not just a second-stage tool threat actors use once access is achieved, with criminal threat actors making up the bulk of attributed Cobalt Strike campaigns in 2020”.
Pratik Savla, Lead Security Engineer at Venafi, noted that “delivery of malicious Portable Executable (PE) files has long been part of an attacker’s playbook because, once compromised, they are very versatile. These files can be delivered using a worm, ransomware and many other mechanisms including APT campaigns. One reason they are so attractive to attackers is that the PE format was not designed to resist code injection.”
But what was it that made the MonPass supply chain attack possible?
According to Pratik, these attackers “went a step further and designed a C2 profile to mimic a jQuery request. This helped them evade detection because these requests are so common they are unlikely to arouse any suspicion when traffic is being analyzed. This attack clearly illustrates that machine identities are a high value target for attackers. All it takes is one successful exploitation to break the trust chain and compromise machine identities."
Cobalt Strike is growing in popularity with attackers and showing no signs of slowing down. Why? Pratik Savla explains that attackers prefer this method because “anyone can utilize it regardless of their capabilities or skill sets, and it can be leveraged to deliver an initial payload. The reality is that Cobalt Strike lowers the bar to become an APT actor, which is a major concern as it’s bound to increase the number of viable APT players.”
Unfortunately for the rest of us, attackers have discovered that Cobalt Strike is a great tool for defense evasion, buying critical time while the attack escalates and spreads. Threat actors are also using the default Cobalt Strike Beacon TLS/SSL certificate in the hopes of evading attack attribution.
It’s no secret that cyber attacks involving machine identities are on the rise. Several factors are expanding the encryption and machine identity attack surface, and it is absolutely essential that organizations have full visibility of their machine identities: where they are, who owns them and who is using them.
If your security strategy is lacking in this area, the time to act is now. Venafi’s Trust Protection Platform covers your TLS keys and certificates, SSH keys, code signing keys, and more across your entire enterprise!