2 July 2021

This article has been indexed from E Hacking News – Latest Hacker News and IT Security News

Threat actors have breached a server belonging to MonPass, a major certification authority (CA) in Mongolia in East Asia, and backdoored the company’s official website with Cobalt Strike binaries. The security incident came to light in late March when researchers at Avast identified an installer downloaded from the official website of MonPass.

On 22 April 2021, Avast informed MonPass regarding the security breach and advised them to patch the compromised server and notify those who downloaded the backdoored client. “Our analysis beginning in April 2021 indicates that a public webserver hosted by MonPass was breached potentially eight separate times: we found eight different webshells and backdoors on this server. We also found that the MonPass client available for download from 8 February 2021 until 3 March 2021 was backdoored,” Avast stated.

However, researchers were unable to attribute the intrusion “with an appropriate level of confidence” to any specific threat actor. “But it’s clear that the attackers clearly intended to spread malware to users in Mongolia by compromising a trustworthy source, which in this case is a CA in Mongolia,” researchers added.

The malicious installer is an unsigned PE file. It starts by downloading the legitimate version of the installer from the MonPass official website. This le

[…]

Content was cut in order to protect the source. Please visit the source for the rest of the article.

Read the original article: Threat Actors Target Mongolian Certificate Authority with Cobalt Strike Binaries