
Operation SignSight Set Against the Vietnam Government Certification Authority

Operation SignSight is a newly documented supply-chain attack aimed at Vietnamese private companies. Rather than targeting the victims directly, the SignSight attackers embedded malware inside an official government software toolkit that those companies are expected to install.

SignSight attacks aimed against the Vietnam Government Certification Authority

The attack, discovered and named by ESET researchers, was set against the Vietnam Government Certification Authority (VGCA), the body responsible for issuing and signing digital certificates. “The Vietnam Government Certification Authority confirmed that they were aware of the attack before our notification and that they notified the users who downloaded the trojanized software,” the researchers said.

What is the VGCA organization?

The VGCA issues digital certificates to citizens, companies, and government entities looking to submit files to the government. Not only does the agency issue such certificates, but it also provides ready-made client applications that said parties could install on their computers to automate the process of document signing.

According to the researchers, the threat actors behind the SignSight attack compromised the VGCA’s website and added two malicious Windows files to two of the agency’s client apps. Those files carried a backdoor known as PhantomNet (also tracked as Smanager). Even though the backdoor itself is not sophisticated, it opens the door to more dangerous malware plugins that can be loaded later.

In terms of its capabilities, the PhantomNet backdoor “can retrieve the victim’s proxy configuration and use it to reach out to the command and control (C&C) server. This shows that the targets are likely to be working in a corporate network.”

In addition, “PhantomNet uses the HTTPS protocol to communicate with its hardcoded C&C servers: vgca.homeunix[.]org and office365.blogdns[.]com. In order to prevent a man-in-the-middle attack, PhantomNet implements certificate pinning, using functions from the SSPI library. The certificate is downloaded during the first connection with the C&C server and then stored in the Windows certificate store,” the report said.
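Two details in the quoted description matter for defenders: PhantomNet reads the victim’s proxy settings and then talks HTTPS to two hardcoded dynamic-DNS hostnames. Because the traffic goes through the corporate proxy, the proxy log is a natural place to look for the C&C contact. The script below is an added example, not ESET’s or the article’s own code: it refangs the two indicators exactly as the article prints them, parses a constructed, simplified proxy log format (`timestamp client method host:port status`, which is an assumption, not any real product’s format), and reports every client that contacted the C&C domains or any subdomain of them.

```python
import re
from dataclasses import dataclass

# The two hardcoded PhantomNet C&C hostnames as the article prints them (defanged).
PHANTOMNET_C2 = ["vgca.homeunix[.]org", "office365.blogdns[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp://') back into a matchable hostname."""
    host = indicator.strip().lower()
    for prefix in ("hxxps://", "hxxp://"):
        if host.startswith(prefix):
            host = host[len(prefix):]
    return host.replace("[.]", ".")


@dataclass
class ProxyEvent:
    timestamp: str
    client: str
    method: str
    host: str


# Constructed sample log lines (not real data). Assumed format:
#   "<timestamp> <client ip> <method> <host>[:port] <status>"
SAMPLE_LOG = """\
2020-12-17T09:12:03Z 10.20.1.15 CONNECT vgca.homeunix.org:443 200
2020-12-17T09:12:05Z 10.20.1.15 CONNECT login.microsoftonline.com:443 200
2020-12-17T09:13:41Z 10.20.1.22 CONNECT office365.blogdns.com:443 200
2020-12-17T09:14:00Z 10.20.1.22 GET   www.example.com:80 200
2020-12-17T09:15:10Z 10.20.1.30 CONNECT update.office365.blogdns.com:443 200
"""

# Host is captured without its optional ":port" suffix.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([^\s:]+)(?::\d+)?\s+\d+$")


def parse_proxy_log(text: str) -> list:
    """Parse the assumed proxy log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, host = m.groups()
        events.append(ProxyEvent(ts, client, method, host.lower()))
    return events


def matches_indicator(host: str, indicator: str) -> bool:
    """Exact match or any subdomain of the indicator (update.<c2> counts)."""
    return host == indicator or host.endswith("." + indicator)


def find_c2_contacts(text: str, indicators=PHANTOMNET_C2) -> list:
    """Return (timestamp, client, host, matched indicator) for every hit."""
    iocs = [refang(i) for i in indicators]
    hits = []
    for ev in parse_proxy_log(text):
        for ioc in iocs:
            if matches_indicator(ev.host, ioc):
                hits.append((ev.timestamp, ev.client, ev.host, ioc))
    return hits


if __name__ == "__main__":
    for ts, client, host, ioc in find_c2_contacts(SAMPLE_LOG):
        print(f"{ts} {client} -> {host} (matches {ioc})")
```

Matching on the parent domain rather than the exact string catches subdomains the backdoor might rotate through, while the refang step lets the indicator list be copied straight from a report. Both hostnames are dynamic-DNS names, so a hit is a reason to pull the host for the trojanized VGCA installer rather than proof on its own; dynamic-DNS names can change hands over time.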

In most cases, it is challenging for researchers to detect supply-chain attacks, as the malicious code is concealed among legitimate code.

Milena Dimitrova
