SoylentNews

State-Sponsored Hackers in China Compromise Certificate Authority

posted by hubie on Thursday November 17 2022, @11:56PM   

Fnord666 writes:

Active in dozens of advanced hacks since 2009, Billbug is still going strong:

Nation-state hackers based in China recently infected a certificate authority and several government and defense agencies with a potent malware cocktail for burrowing inside a network and stealing sensitive information, researchers said on Tuesday.

The successful compromise of the unnamed certificate authority is potentially serious, because these entities are trusted by browsers and operating systems to certify the identities responsible for a particular server or app. In the event the hackers obtained control of the organization's infrastructure, they could use it to digitally sign their malware to make it more easily slip past endpoint protections. They might also be able to cryptographically impersonate trusted websites or intercept encrypted data.

While the researchers who discovered the breach found no evidence the certificate infrastructure had been compromised, they said that this campaign was only the latest by a group they call Billbug, which has a documented history of noteworthy hacks dating back to at least 2009.

"The ability of this actor to compromise multiple victims at once indicates that this threat group remains a skilled and well-resourced operator that is capable of carrying out sustained and wide-ranging campaigns," Symantec researchers wrote. "Billbug also appears to be undeterred by the possibility of having this activity attributed to it, with it reusing tools that have been linked to the group in the past."

[...] Tuesday's post includes a host of technical details people can use to determine if they've been targeted by Billbug. Symantec is the security arm of Broadcom Software.

Remember that you can always edit/manage the list of trusted Certificate Authorities on your own machines.

---

Original Submission

• Re:trust no one? (Score: 3, Informative) by Anonymous Coward on Friday November 18 2022, @10:40AM

  by Anonymous Coward on Friday November 18 2022, @10:40AM (#1280325)

  Oh, and the whole house of cards is only as secure as the least secure CA in the lot, since they all have equal status as far as your browser is concerned.

  Speak for yourself. Some of the CAs in my browser are not trusted and won't be trusted.

  By the way for the browsers on Windows that use Microsoft/Window's Cert system (e.g. Edge, Chrome), you should not delete the CA certs if you don't trust them. You should instead "disable all purposes for this certificate". This is because the way Windows does stuff, the certificates you delete can get auto-added if they are signed by CAs that you do trust:
  https://archive.is/aqyen [archive.is]

  In the default configuration for Windows XP with Service Pack 2 (SP2), if a user removes one of the trusted root certificates, and the certifier who issued that root certificate is trusted by Microsoft, Windows will silently add the root certificate back into the user's store and use the original trust settings.

  So you should edit the certs you don't trust and "disable all purposes for this certificates". HOWEVER the problem remains that new certs that you are not aware of, can still be added in a similar manner.

  Therefore the real solution on Windows is to use something like Firefox instead of Chrome or Edge. Firefox has its own list of CAs.

  Parent

  Starting Score:	0		points
  Moderation		+3
  Interesting=1, Informative=2, Total=3
  Extra 'Informative' Modifier		0
  Total Score:		3