Carderbee, a previously undocumented advanced persistent threat (APT) group that researchers assess is likely China-linked, has targeted organizations in Hong Kong in a software supply chain attack. The group used a trojanized version of Cobra DocGuard, software developed by the Chinese firm EsafeNet, as the vehicle for gaining access to victims' networks. The attack deployed the PlugX/Korplug backdoor, whose loader was signed with a legitimate Microsoft certificate obtained by abusing the Windows Hardware Developer Program.
The genuine Microsoft signature poses a significant challenge for defenders: security tooling that extends trust to Microsoft-signed code (allowlists, reputation scoring, signature-based trust checks) is far less likely to flag the malware, because the certificate itself is valid and the signature verifies. Roughly 100 computers in affected organizations showed malicious activity, while the compromised Cobra DocGuard software was installed on around 2,000 computers. That gap suggests the group pushed the payload only to chosen victims, a common pattern in supply chain attacks, where broad distribution of the compromised component is paired with selective exploitation.
The researchers named the group Carderbee but have not definitively linked the activity to any known threat actor. The attackers' motives remain unclear, although PlugX/Korplug is typically used in cyber espionage, which aligns with the usual behavior of Chinese threat actors.
The attack unfolded over several months and followed a consistent pattern. A malicious update was delivered through Cobra DocGuard to computers inside victim organizations, landing in the client's update directory, "csidl_system_drive\program files\esafenet\cobra docguard client\update". The attackers used multiple malware families, including a downloader that retrieved the PlugX/Korplug backdoor; the Korplug loader it fetched was digitally signed with a Microsoft certificate. The backdoor sample observed had a wide range of functions: executing commands, enumerating files, checking running processes, downloading files, opening firewall ports, and keylogging.
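Because the signature on the Korplug loader was genuine, "is this file signed and valid?" is the wrong question for a hunt; the useful question is "who signed the files in this vendor's update directory, and is that the signer you expect?" The script below is an added example, not code from the original article or from the researchers or EsafeNet. It walks the Cobra DocGuard update directory named above (with csidl_system_drive expanded to $env:SystemDrive), checks each binary's Authenticode signature, and flags three conditions: unsigned or invalid files, files whose signer does not match the vendor (the "EsafeNet" publisher pattern is an assumption here, to be replaced with the subject string from a known-good vendor release), and application binaries signed by "Microsoft Windows Hardware Compatibility Publisher", the subject on certificates issued through the Windows Hardware Developer Program, which has no business signing a third-party document-security product's user-mode update. It also records SHA256 and write time so hits can be compared against the vendor's published release.

```powershell
# Added example (not from the article, Symantec, or EsafeNet): hunt for unexpected
# signers in the Cobra DocGuard update directory.
# Assumptions: the path is the one reported in the article with csidl_system_drive
# expanded to $env:SystemDrive; 'EsafeNet' as the expected publisher pattern is a
# placeholder to be replaced with the vendor's real certificate subject.
param(
    [string]$UpdateDir = (Join-Path $env:SystemDrive 'Program Files\EsafeNet\Cobra DocGuard Client\update'),
    [string]$ExpectedPublisherPattern = 'EsafeNet'
)

# Subject used on certificates issued through the Windows Hardware Developer Program.
$WhcpSubjectPattern = 'Microsoft Windows Hardware Compatibility Publisher'

function Get-UpdateSignerFindings {
    param([string]$Path, [string]$ExpectedPattern)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Update directory not found: $Path"
        return @()
    }

    Get-ChildItem -LiteralPath $Path -Recurse -File -Include *.exe, *.dll, *.sys |
        ForEach-Object {
            $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $hash    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash

            if ($sig.Status -ne 'Valid') {
                $verdict = 'UNSIGNED_OR_INVALID'
            } elseif ($subject -match $WhcpSubjectPattern -and $_.Extension -ne '.sys') {
                # A hardware-program certificate on an .exe/.dll in an application
                # update directory is the anomaly this hunt exists to catch.
                # A .sys driver with this signer is expected, so it is not flagged here.
                $verdict = 'WHCP_SIGNED_APP_BINARY'
            } elseif ($subject -notmatch $ExpectedPattern) {
                $verdict = 'UNEXPECTED_PUBLISHER'
            } else {
                $verdict = 'EXPECTED'
            }

            [pscustomobject]@{
                File    = $_.FullName
                SHA256  = $hash
                Status  = $sig.Status
                Signer  = $subject
                Verdict = $verdict
                Written = $_.LastWriteTimeUtc
            }
        }
}

# Report only what deviates from the expected vendor signer.
Get-UpdateSignerFindings -Path $UpdateDir -ExpectedPattern $ExpectedPublisherPattern |
    Where-Object Verdict -ne 'EXPECTED' |
    Format-Table -AutoSize
```

Run it across the fleet through your endpoint management tooling and treat any WHCP_SIGNED_APP_BINARY or UNEXPECTED_PUBLISHER hit in that directory as a triage item: pull the hash, compare it with the vendor's release manifest, and look at what the file spawned or connected to around its write time. The same signer-allowlist idea generalizes to any vendor's update directory; the path and the expected subject are the only inputs that change.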
Software supply chain attacks like the one carried out by Carderbee remain a significant concern for organizations across all sectors. In the past year alone there have been numerous high-profile incidents, including the Cl0p ransomware campaign that exploited a flaw in Progress Software's MOVEit Transfer application. Such attacks highlight the exposure organizations face when software they trust from a vendor is compromised upstream.
To defend against supply chain attacks, organizations should monitor endpoint and network activity for anomalies such as new binaries appearing in vendor update directories, signers that do not match the vendor, and unexpected outbound connections, and should block unauthorized applications before they can do damage. Zero-trust policies and network segmentation also reduce the attack surface and limit how far a malicious update can spread once it lands. Software developers and providers, for their part, must take responsibility for securing their distribution channels by detecting unwanted changes in update packages and on their download sites.
The researchers emphasize vigilance and proactive measures against supply chain attacks. As threat actors grow more sophisticated and more adept at exploiting trusted software, organizations must keep their defenses agile. Robust controls combined with continuous monitoring for anomalies give organizations the best chance of protecting their networks and sensitive data from this growing threat.
