
posted by hubie on Thursday November 17, @11:56PM

Active in dozens of advanced hacks since 2009, Billbug is still going strong:

Nation-state hackers based in China recently infected a certificate authority and several government and defense agencies with a potent malware cocktail for burrowing inside a network and stealing sensitive information, researchers said on Tuesday.

The successful compromise of the unnamed certificate authority is potentially serious, because these entities are trusted by browsers and operating systems to certify the identities responsible for a particular server or app. In the event the hackers obtained control of the organization's infrastructure, they could use it to digitally sign their malware so that it slips more easily past endpoint protections. They might also be able to cryptographically impersonate trusted websites or intercept encrypted data.

While the researchers who discovered the breach found no evidence the certificate infrastructure had been compromised, they said that this campaign was only the latest by a group they call Billbug, which has a documented history of noteworthy hacks dating back to at least 2009.

"The ability of this actor to compromise multiple victims at once indicates that this threat group remains a skilled and well-resourced operator that is capable of carrying out sustained and wide-ranging campaigns," Symantec researchers wrote. "Billbug also appears to be undeterred by the possibility of having this activity attributed to it, with it reusing tools that have been linked to the group in the past."

[...] Tuesday's post includes a host of technical details people can use to determine if they've been targeted by Billbug. Symantec is the security arm of Broadcom Software.

Remember that you can always edit/manage the list of trusted Certificate Authorities on your own machines.



This discussion was created by hubie (1068) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 3, Insightful) by MostCynical on Friday November 18, @12:36AM (5 children)

    by MostCynical (2589) on Friday November 18, @12:36AM (#1280275) Journal

    Remember that you can always edit/manage the list of trusted Certificate Authorities on your own machines.

    CA is based on trust.
    Trust requires verification, which requires certainty.

    Once you can interrupt the trust chain (where the certainty comes from) you break the trust.

    So.. all well and good to manage your own trusted CA list - but... how do you validate the ones you allow?

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 4, Insightful) by Sjolfr on Friday November 18, @02:27AM (1 child)

      by Sjolfr (17977) on Friday November 18, @02:27AM (#1280284)

      Is trust about perfection or is it about how problems are handled?

      I believe it's about how things are handled; transparency of practices, standards, technology, and development. Nothing is perfect and the way that the CAs were compromised should be made public so that the vast majority of developers, and technical minds, can plug that hole.

      In the end, when a CA is compromised, remove it from your list. Put it back when things are fixed, or not, your choice. An OS can provide a security patch that does it for you as well.

      • (Score: 0, Flamebait) by Sjolfr on Friday November 18, @02:36AM

        by Sjolfr (17977) on Friday November 18, @02:36AM (#1280286)

        Also, if you read the original article, all the tools really seem to be Windoze based. Why the hell would anyone want to control a satellite with an OS designed to infect everything it touches? Symantec tracked it down, presumably, through the anti-virus software ... fer winderz.

        "PsExec, PowerShell, Mimikatz, WinSCP, and LogMeIn allowed the hacking activities to blend in with normal operations in the compromised environments. The hackers also used the custom-built Catchamas info stealer and backdoors dubbed Hannotog and Sagerunex.

        In the more recent campaign targeting the certificate authority and the other organizations, Billbug was back with Hannotog and Sagerunex, but it also used a host of new, legitimate software, including AdFind, Winmail, WinRAR, Ping, Tracert, Route, NBTscan, Certutil, and Port Scanner."

        Stop using Windows FCOL.
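The Symantec tool list quoted above is the part of this subthread a defender can act on. As an added example, not from the Symantec post and not from the comment author: every one of those binaries is legitimate on its own, so a detection that fires on any single execution is noise; what stands out in the described campaign is several of them running on one host within a short span. The script below parses process-creation records and reports hosts where at least four distinct watchlisted tools ran inside a 30-minute window. The log lines, host names and paths are constructed for the example (Sysmon event ID 1 and most EDR telemetry carry the same four fields), and the executable names assumed for the quoted tool names are the ones in WATCHLIST.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Executable names assumed for the tools named in the quoted Symantec list.
# "Winmail", "Port Scanner" and LogMeIn ship under several binary names and are
# left out rather than guessed.
WATCHLIST = {
    "psexec.exe", "psexesvc.exe", "powershell.exe", "mimikatz.exe", "winscp.exe",
    "adfind.exe", "winrar.exe", "rar.exe", "ping.exe", "tracert.exe", "route.exe",
    "nbtscan.exe", "certutil.exe",
}

# Constructed process-creation records in a simplified one-line form.
# SRV-DC-01 shows the burst pattern; the two workstations show scattered,
# ordinary use of the same binaries.
SAMPLE_LOG = """\
2022-11-15T08:55:10Z host=WS-FIN-07 user=CORP\\alice image=C:\\Windows\\System32\\ping.exe
2022-11-15T09:02:41Z host=SRV-DC-01 user=CORP\\svc_backup image=C:\\Users\\Public\\adfind.exe
2022-11-15T09:05:03Z host=SRV-DC-01 user=CORP\\svc_backup image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2022-11-15T09:09:17Z host=WS-OPS-02 user=CORP\\bob image=C:\\Program Files\\WinRAR\\WinRAR.exe
2022-11-15T09:11:55Z host=SRV-DC-01 user=CORP\\svc_backup image=C:\\Users\\Public\\nbtscan.exe
2022-11-15T09:14:20Z host=SRV-DC-01 user=CORP\\svc_backup image=C:\\Windows\\System32\\certutil.exe
2022-11-15T09:20:48Z host=SRV-DC-01 user=CORP\\svc_backup image=C:\\Users\\Public\\PsExec.exe
2022-11-15T10:40:00Z host=WS-OPS-02 user=CORP\\bob image=C:\\Windows\\System32\\ping.exe
2022-11-15T12:01:30Z host=WS-OPS-02 user=CORP\\bob image=C:\\Windows\\System32\\tracert.exe
2022-11-15T12:03:00Z host=WS-FIN-07 user=CORP\\alice image=C:\\Windows\\System32\\ping.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$")


def parse_line(line: str) -> dict | None:
    """Split one record into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "user": m["user"],
        # Match on the basename only: the campaign dropped tools in odd paths.
        "image": m["image"].rsplit("\\", 1)[-1].lower(),
    }


def tool_clusters(lines, window=timedelta(minutes=30), threshold=4) -> dict[str, list[str]]:
    """Per host, find the largest set of distinct watchlisted tools executed inside
    any `window`; hosts that reach `threshold` distinct tools are returned."""
    by_host: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["image"] in WATCHLIST:
            by_host[ev["host"]].append((ev["ts"], ev["image"]))

    alerts: dict[str, list[str]] = {}
    for host, events in by_host.items():
        events.sort()
        best: set[str] = set()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            seen = {tool for _, tool in events[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            alerts[host] = sorted(best)
    return alerts


if __name__ == "__main__":
    for host, tools in tool_clusters(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {len(tools)} distinct watchlisted tools within 30 min: {', '.join(tools)}")
```

The window and threshold are the tuning knobs: a domain admin's jump box will legitimately run AdFind and PsExec, so such hosts belong on an allowlist rather than in a lower threshold, and a burst on a server that normally runs none of these is the case worth paging on.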

    • (Score: 2) by driverless on Friday November 18, @07:24AM (1 child)

      by driverless (4770) on Friday November 18, @07:24AM (#1280308)

      CA is based on trust.

      No it's not. Do you trust Telia Finland Oyj? IZENPE S.A.? Gyrmoyko EST? Disig a.s.? iTurk NET? Chunghwa Telecom Co., Ltd.? Do you even know who they are? Are they actually CAs or just names I've invented? On what basis do you "trust" them? How far can you "trust" them when you've never even heard of them?

      CA's are based on the fact that if you remove them from your browser or OS, you won't be able to connect to lots of web sites any more. Nothing more, nothing less.

      Oh, and the whole house of cards is only as secure as the least secure CA in the lot, since they all have equal status as far as your browser is concerned.

      • (Score: 3, Informative) by Anonymous Coward on Friday November 18, @10:40AM

        by Anonymous Coward on Friday November 18, @10:40AM (#1280325)

        Oh, and the whole house of cards is only as secure as the least secure CA in the lot, since they all have equal status as far as your browser is concerned.

        Speak for yourself. Some of the CAs in my browser are not trusted and won't be trusted.

        By the way for the browsers on Windows that use Microsoft/Windows' cert system (e.g. Edge, Chrome), you should not delete the CA certs if you don't trust them. You should instead "disable all purposes for this certificate". This is because the way Windows does stuff, the certificates you delete can get auto-added if they are signed by CAs that you do trust:
        https://archive.is/aqyen [archive.is]

        In the default configuration for Windows XP with Service Pack 2 (SP2), if a user removes one of the trusted root certificates, and the certifier who issued that root certificate is trusted by Microsoft, Windows will silently add the root certificate back into the user's store and use the original trust settings.

        So you should edit the certs you don't trust and "disable all purposes for this certificate". HOWEVER the problem remains that new certs that you are not aware of can still be added in a similar manner.

        Therefore the real solution on Windows is to use something like Firefox instead of Chrome or Edge. Firefox has its own list of CAs.
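hubie's note at the top (you can manage the trusted CA list yourself) and the comment above (Windows can quietly put a deleted root back, and can add roots you have never heard of) come down to one operational check: know what your trust store contains today, and notice when it changes. The following is an added example, not code from the comment author or from the Ars/Symantec material. It uses only the Python standard library: the first run writes a baseline of SHA-256 fingerprints for every root the default TLS context trusts, later runs diff the live store against it. On Windows it additionally reads the ROOT system store through ssl.enum_certificates, which reports per-certificate purposes, so a root you disabled for all purposes is recorded with its (empty) purpose set and a silent re-enable shows up as a change. The baseline file name and the assumption that a fully disabled root is reported with an empty purpose set are mine.

```python
from __future__ import annotations

import hashlib
import json
import ssl
import sys
from pathlib import Path


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER encoding, lowercase hex without colons."""
    return hashlib.sha256(der).hexdigest()


def snapshot_trust_store() -> dict[str, object]:
    """Map fingerprint -> purposes for every root this process currently trusts.

    create_default_context() loads the OpenSSL bundle on Linux/macOS and the
    Windows ROOT and CA stores on Windows, keeping only roots still enabled for
    server authentication; that is the set a TLS client here would accept.
    """
    ctx = ssl.create_default_context()
    roots: dict[str, object] = {
        fingerprint(der): "all" for der in ctx.get_ca_certs(binary_form=True)
    }
    if hasattr(ssl, "enum_certificates"):  # Windows only
        # Read the ROOT store directly so that roots with disabled purposes are
        # also recorded. trust is True for "all purposes", otherwise the set of
        # EKU OIDs still enabled; a fully disabled root is assumed to show an
        # empty set.
        for der, encoding, trust in ssl.enum_certificates("ROOT"):
            if encoding == "x509_asn":
                roots[fingerprint(der)] = "all" if trust is True else sorted(trust or [])
    return roots


def diff_snapshots(baseline: dict, current: dict) -> tuple[list[str], list[str], list[str]]:
    """Return (added, removed, purposes-changed) fingerprints between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(fp for fp in set(baseline) & set(current) if baseline[fp] != current[fp])
    return added, removed, changed


def main(argv: list[str]) -> int:
    baseline_file = Path(argv[1] if len(argv) > 1 else "trust-baseline.json")  # assumed name
    now = snapshot_trust_store()
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(now, indent=1, sort_keys=True))
        print(f"baseline written to {baseline_file}: {len(now)} roots")
        return 0
    added, removed, changed = diff_snapshots(json.loads(baseline_file.read_text()), now)
    for label, fps in (("ADDED", added), ("REMOVED", removed), ("PURPOSES CHANGED", changed)):
        for fp in fps:
            print(f"{label:17} {fp}")
    return 1 if (added or removed or changed) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Write the baseline only after you have gone through the store once and disabled what you do not want, then schedule the diff. A fingerprint reported as ADDED can be matched to a certificate with `openssl x509 -in root.pem -noout -fingerprint -sha256` (openssl prints the same digest in colon-separated upper case) or in certmgr.msc on Windows. Note that Firefox keeps its own root list, as the comment says, so this snapshot covers the system store that Edge and Chrome use, not Firefox.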

    • (Score: 5, Informative) by rigrig on Friday November 18, @02:11PM

      by rigrig (5129) Subscriber Badge <soylentnews@tubul.net> on Friday November 18, @02:11PM (#1280343) Homepage

      That's where Certificate Transparency [transparency.dev] comes in:
      * CAs are required to publish all certificates in public logs
      * Browsers can check certificates are present in the log (Chrome and Safari do, Firefox doesn't yet :-( )
      * Site owners can follow the log for their domain, and presumably take some action if an unexpected certificate shows up

      --
      No one remembers the singer.
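rigrig's second point, as an added example that is not from the comment or from the transparency.dev project: what it takes to check that a certificate is "present in the log". A CT log (RFC 6962, revised by RFC 9162) is an append-only Merkle tree; the log signs the tree hash in its Signed Tree Head and returns an inclusion proof (the audit path of sibling hashes) for any entry. Whoever holds the signed root recomputes it from the leaf and the path; an entry that is not in the tree cannot produce a path that verifies. During a TLS handshake browsers check the SCT, the log's signed promise to include the certificate; auditors and monitors use the proof below to confirm the log kept that promise. The entries here are constructed byte strings standing in for real MerkleTreeLeaf structures, which wrap the (pre)certificate and its timestamp; the hashing and the verification algorithm are the ones in the RFCs.

```python
from __future__ import annotations

import hashlib


def _sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962 leaf hash: SHA-256(0x00 || entry). The 0x00/0x01 prefixes keep a
    leaf from ever being interpreted as an interior node (second-preimage defence)."""
    return _sha256(b"\x00", entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node: SHA-256(0x01 || left || right)."""
    return _sha256(b"\x01", left, right)


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_hash(entries: list[bytes]) -> bytes:
    """Merkle Tree Hash of an ordered entry list: the value the log signs in its STH."""
    n = len(entries)
    if n == 0:
        return _sha256()
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))


def inclusion_proof(index: int, entries: list[bytes]) -> list[bytes]:
    """Audit path for entries[index], leaf-side first: the sibling hashes a
    verifier needs to rebuild the root (what get-proof-by-hash returns)."""
    n = len(entries)
    if n <= 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(index, entries[:k]) + [tree_hash(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [tree_hash(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: list[bytes], root: bytes) -> bool:
    """RFC 9162 section 2.1.3.2: rebuild the root from the leaf and the path using
    only the leaf index and the tree size, then compare with the signed root."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False  # path is longer than a tree of this size allows
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # sibling sits to the left
            if not fn & 1:
                while fn != 0 and not fn & 1:  # skip levels with no right sibling
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)  # sibling sits to the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


# Constructed stand-ins for log entries; any ordered byte strings exercise the tree.
SAMPLE_ENTRIES = [f"cert-{i}:CN=example-{i}.test".encode() for i in range(5)]


def demo() -> dict:
    """Prove entry 3 of a five-entry tree, then show two proofs that must fail."""
    size = len(SAMPLE_ENTRIES)
    root = tree_hash(SAMPLE_ENTRIES)
    proof = inclusion_proof(3, SAMPLE_ENTRIES)
    return {
        "root": root.hex(),
        "proof_len": len(proof),
        "genuine": verify_inclusion(SAMPLE_ENTRIES[3], 3, size, proof, root),
        # A certificate the log never saw, presented with a real entry's path.
        "forged": verify_inclusion(b"cert-3:CN=evil.test", 3, size, proof, root),
        # Right leaf, wrong position: the path is consumed in the wrong order.
        "wrong_index": verify_inclusion(SAMPLE_ENTRIES[3], 2, size, proof, root),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The piece this does not cover is the signature over the root: a real verifier first checks the STH signature against the log's published key, otherwise anyone could hand you a root that matches a forged path. A monitor watching for "an unexpected certificate for my domain" works the other way round, fetching entries from the log and comparing subject names against the certificates it actually issued.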
  • (Score: -1, Offtopic) by Frosty Piss on Friday November 18, @05:54AM

    by Frosty Piss (4971) on Friday November 18, @05:54AM (#1280303)

    Yeah? Well 'MERICA does this too!

    And so what? But in any case where are all the stories about the NSA hacking hospitals, banks, industry, what have you? Where are these stories? Oh, that's right, there aren't any. The "usual suspects" China, Russia, and a few others are the "usual suspects" for a reason.

  • (Score: 2, Offtopic) by drussell on Friday November 18, @01:30PM

    by drussell (2678) Subscriber Badge on Friday November 18, @01:30PM (#1280339) Journal

    The original Symantec post on which the article is based is here:

    https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments-cert-authority [security.com]
