Subj : This VPN is being abused to spread malware
To   : All
From : TechnologyDaily
Date : Mon Aug 21 2023 12:45:04

This VPN is being abused to spread malware

Date:
Mon, 21 Aug 2023 11:33:17 +0000

Description:
A known Chinese threat actor is abusing Ivacy VPN's certificate to target 
gambling firms in Southeast Asia

FULL STORY
======================================================================

Cybersecurity researchers from SentinelLabs have recently spotted a hacking 
campaign in which legitimate certificates used by a VPN service were abused 
to hide malware in plain sight. 

The researchers pinned the campaign to Bronze Starlight, a Chinese 
state-sponsored APT, which was after companies in the gambling industry, 
located in the Southeast Asia region. 

As per their report, the group was distributing two .NET executables - 
agentupdate_plugins.exe and AdventureQuest.exe, most likely through 
trojanized chat apps. The goal of the campaign, according to the researchers, 
is to deliver a Cobalt Strike beacon. Hiding in plain sight 

Cobalt Strike is a commercial penetration testing tool, used by both security 
professionals and cybercriminals. Legitimate use cases include testing the 
security of networks and systems. 

The code-signing certificate for the .NET executables was the same one thats 
used by the installer for Ivacy VPN , a popular virtual private network 
solution. Read more 

> Are VPNs really safe? How to check your service's security 


 > More malware is being hidden in PNG images, so watch out 


 > Check out the best malware removal right now 

By using a legitimate certificate, the attackers can bypass cybersecurity 
solutions installed on the target endpoint, and also make sure that any 
inbound and outbound traffic generated by the malware remains hidden. 

The researchers also discovered that the two .NET executables were designed 
not to work in certain countries, including the United States, Germany, 
France, Russia, India, Canada, or the UK, most likely to further evade 
detection. But the geofencing feature wasnt implemented properly, they added. 

"It is likely that at some point the PMG PTE LTD signing key has been stolen  
a familiar technique of known Chinese threat actors to enable malware 
signing," SentinelLabs said. "VPN providers are critical targets since they 
enable threat actors to potentially gain access to sensitive user data and 
communications." 

Ivacy VPN is currently silent on the matter, so its difficult to determine 
exactly how the hackers obtained the certificates. They have, since then, 
been invalidated for breaching baseline requirements set up by DigiCert. 
Check out the best endpoint protection tools around 

 Via: BleepingComputer



======================================================================
Link to news story:
https://www.techradar.com/pro/security/this-vpn-is-being-abused-to-spread-malw
are


--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)

.