
Mongolian Certificate Authority Hacked to Distribute Backdoored CA Software
2021-07-02 05:54

In yet another instance of a software supply chain attack, unidentified hackers breached the website of MonPass, one of Mongolia's major certificate authorities, to backdoor its installer software with Cobalt Strike binaries.

Avast's investigation into the incident began after it discovered the backdoored installer and the implant on one of its customers' systems.

The modus operandi is also notable for the use of steganography to transfer shellcode to the victim machine: the installer downloads a bitmap image file from a remote server, then extracts and deploys an encrypted Cobalt Strike beacon payload from it. MonPass was notified of the incident on April 22, after which the certificate authority took steps to address its compromised server and notify those who had downloaded the backdoored client.
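The article says only that the installer fetched a bitmap and recovered an encrypted payload from it, not how the payload was embedded. Two cheap checks a defender can run on such a file, regardless of the exact scheme, are whether data has been glued on after the declared pixel array and whether the least-significant-bit plane looks like random (encrypted) data rather than image content. The following is an added example written for this page; it is not code from Avast, MonPass or the article, all three bitmaps it inspects are constructed in memory, and the 7.0 bits-per-byte threshold is an assumed starting point rather than a published figure.

```python
import math
import random
import struct
from collections import Counter

# Added example (not from the article). Two indicators for a downloaded bitmap:
#   1. bytes appended past the declared pixel array (a clean BMP has none);
#   2. Shannon entropy of the LSB plane, which approaches 8 bits/byte when
#      random-looking data (e.g. an encrypted blob) has been written into it.
# All sample images below are constructed here, not real MonPass artifacts.


def build_bmp(width, height, pixel_at):
    """Build a minimal uncompressed 24-bit BMP; pixel_at(x, y) -> (r, g, b)."""
    stride = (width * 3 + 3) & ~3            # BMP rows are padded to 4 bytes
    body = bytearray()
    for y in range(height):
        for x in range(width):
            r, g, b = pixel_at(x, y)
            body += bytes((b, g, r))         # BMP stores channels as B, G, R
        body += b"\x00" * (stride - width * 3)
    offset = 14 + 40
    file_hdr = struct.pack("<2sIHHI", b"BM", offset + len(body), 0, 0, offset)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(body), 2835, 2835, 0, 0)
    return bytes(file_hdr + info_hdr + body)


def parse_bmp(data):
    """Return (width, height, pixel_offset, declared_size) of a 24-bit BI_RGB BMP."""
    if data[:2] != b"BM" or len(data) < 54:
        raise ValueError("not a BMP")
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    width, height = struct.unpack_from("<ii", data, 18)
    bpp = struct.unpack_from("<H", data, 28)[0]
    compression, declared = struct.unpack_from("<II", data, 30)
    if bpp != 24 or compression != 0:
        raise ValueError("only uncompressed 24-bit BMPs are handled")
    if declared == 0:                        # biSizeImage may be 0 for BI_RGB
        declared = ((width * 3 + 3) & ~3) * abs(height)
    return width, abs(height), pixel_offset, declared


def appended_bytes(data):
    """Number of bytes after the declared pixel array."""
    _, _, pixel_offset, declared = parse_bmp(data)
    return max(0, len(data) - (pixel_offset + declared))


def lsb_plane_bytes(data):
    """Pack the LSB of every colour channel (row padding skipped) into bytes."""
    width, height, pixel_offset, _ = parse_bmp(data)
    stride = (width * 3 + 3) & ~3
    bits = []
    for y in range(height):
        start = pixel_offset + y * stride
        bits.extend(b & 1 for b in data[start:start + width * 3])
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def shannon_entropy(buf):
    """Empirical entropy in bits per byte (0..8)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def lsb_entropy(data):
    return shannon_entropy(lsb_plane_bytes(data))


def assess(data, entropy_threshold=7.0):
    """Dict of indicators; 'suspicious' is True if either check fires."""
    extra = appended_bytes(data)
    ent = lsb_entropy(data)
    return {"appended_bytes": extra, "lsb_entropy": round(ent, 3),
            "suspicious": extra > 0 or ent >= entropy_threshold}


# Constructed samples: a smooth gradient (structured LSBs), the same gradient
# with its LSB plane overwritten by seeded random bits (simulating the
# statistical footprint of an encrypted blob), and the clean image with a
# zero-filled blob appended after the pixel array.
def gradient(x, y):
    return (x * 255 // 63, y * 255 // 63, 128)


_rng = random.Random(1234)


def gradient_with_random_lsbs(x, y):
    return tuple((c & ~1) | _rng.getrandbits(1) for c in gradient(x, y))


CLEAN_BMP = build_bmp(64, 64, gradient)
NOISY_BMP = build_bmp(64, 64, gradient_with_random_lsbs)
APPENDED_BMP = CLEAN_BMP + b"\x00" * 512

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_BMP), ("random-lsb", NOISY_BMP),
                       ("appended", APPENDED_BMP)):
        print(name, assess(blob))
```

The entropy check is a heuristic: photographic images with heavy sensor noise can score high on their own, and a carrier that hides data in higher bit planes, in a palette, or in a compressed format (PNG, JPEG) needs a different analysis. Its value here is as a triage signal on a file that an installer should have had no reason to fetch in the first place; the stronger control is to treat a signed installer that downloads and decodes images at install time as anomalous behaviour worth blocking.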

The incident marks the second time software provided by a certificate authority has been compromised to infect targets with malicious backdoors.

In December 2020, ESET disclosed a campaign called "Operation SignSight," wherein a digital signature toolkit from the Vietnam Government Certification Authority was tampered with to include spyware capable of amassing system information and installing additional malware.

"Cobalt Strike is becoming increasingly popular among threat actors as an initial access payload, not just a second-stage tool threat actors use once access is achieved, with criminal threat actors making up the bulk of attributed Cobalt Strike campaigns in 2020," Proofpoint researchers said.
News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/9udDUcm4jv0/mongolian-certificate-authority-hacked.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
CA 99 4 46 33 38 121