IPany VPN Breach Analysis and Supply-Chain Attack
A recent and significant cybersecurity incident is a supply-chain attack on IPany, a South Korean VPN service provider, by a China-aligned Advanced Persistent Threat (APT) group known as PlushDaemon.
Key Details of the Attack
- Discovery and Timeline: The attack was discovered in May 2024 by ESET researchers; however, PlushDaemon's malicious activity has been traced back to at least 2019.
- Method of Attack: PlushDaemon compromised the legitimate installer of IPany's VPN software by replacing it with a malicious version. This malicious installer, distributed inside a ZIP archive, was available for download from IPany's official website. The installer deployed both the legitimate IPany VPN software and a custom backdoor called SlowStepper.
SlowStepper Backdoor
- Capabilities: SlowStepper is a feature-rich backdoor with a toolkit of over 30 components, written in C++, Python, and Go, which reflects the advanced capabilities and resources of the PlushDaemon group.
- Components and Functionality: The backdoor includes modules that enable extensive control and data exfiltration. The components include initial loaders, loader DLLs, installer DLLs, process monitors, and decrypted backdoor components.
Indicators of Compromise (IoCs)
ESET has provided detailed IoCs to help identify and mitigate the PlushDaemon threat. These include the following file names and SHA-1 hashes:
- AutoMsg.dll (SHA-1: A8AE42884A8EDFA17E9D67AE5BEBE7D196C3A7BF)
- lregdll.dll (SHA-1: 2DB60F0ADEF14F4AB3573F8309E6FB135F67ED7D)
- OldLJM.dll (SHA-1: 846C025F696DA1F6808B9101757C005109F3CF3D)
- svcghost.exe (SHA-1: AD4F0428FC9290791D550EEDDF171AFF046C4C2C)
- main.dll (SHA-1: 401571851A7CF71783A4CB902DB81084F0A97F85)
- IPanyVPNsetup.exe (SHA-1: 068FD2D209C0BBB0C6FC14E88D63F92441163233)
Targets and Impact
- Geographical Scope: PlushDaemon has targeted individuals and organizations in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand.
- Victims: ESET telemetry revealed that several users attempted to install the trojanized software within the networks of a semiconductor company and an unidentified software development firm in South Korea. The oldest recorded cases date back to November 2023 for a victim in Japan and December 2023 for a victim in China.
Mitigation and Response
- Notification and Removal: Upon discovery, ESET notified the VPN software developer, who subsequently removed the malicious installer from their website.
- Recommendations: Users of IPany VPN and similar services are advised to verify the integrity of their software installations and remain vigilant for any signs of compromise. Security teams should use the provided IoCs to scan their systems and networks for potential compromises.
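The two practical steps above (checking installed software against the published hashes, and sweeping systems for the IoCs) come down to the same operation: hash every file in the relevant directories and compare against ESET's SHA-1 list. The script below is an added example written for this article; it is not code from ESET, IPany, or the PlushDaemon research. It embeds the six hashes quoted above, streams files through SHA-1 so large installers need not be read into memory, and separates strong hits (digest matches an IoC) from weak ones (only the file name matches, which for names like main.dll is just a triage hint). The `demo()` function builds a constructed directory of harmless sample files and injects one sample's digest into a copy of the IoC table so both match paths can be exercised offline; `IOC_SHA1`, `Match`, `classify`, `scan_tree`, and `demo` are names chosen here, not identifiers from the article.

```python
"""Offline IoC sweep for the IPany / SlowStepper indicators.

Hash every file under a directory tree and match the SHA-1 digests against
the indicators ESET published. Added example for this article, not code from
ESET or IPany.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# SHA-1 indicators quoted in the article (published by ESET). Keys are uppercase hex.
IOC_SHA1: Dict[str, str] = {
    "A8AE42884A8EDFA17E9D67AE5BEBE7D196C3A7BF": "AutoMsg.dll",
    "2DB60F0ADEF14F4AB3573F8309E6FB135F67ED7D": "lregdll.dll",
    "846C025F696DA1F6808B9101757C005109F3CF3D": "OldLJM.dll",
    "AD4F0428FC9290791D550EEDDF171AFF046C4C2C": "svcghost.exe",
    "401571851A7CF71783A4CB902DB81084F0A97F85": "main.dll",
    "068FD2D209C0BBB0C6FC14E88D63F92441163233": "IPanyVPNsetup.exe",
}


@dataclass
class Match:
    path: str
    kind: str  # "hash" = digest matches an IoC (strong); "name" = file name only (weak)
    sha1: str
    ioc_name: Optional[str]  # IoC file name for a hash hit, None for a name-only hit


def sha1_hex(data: bytes) -> str:
    """Uppercase SHA-1 of an in-memory byte string."""
    return hashlib.sha1(data).hexdigest().upper()


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-1 so large installers do not need to fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def classify(file_name: str, digest: str, ioc_sha1: Dict[str, str] = IOC_SHA1) -> Optional[str]:
    """Return "hash" for a digest hit, "name" for a file-name-only hit, None otherwise.

    A name hit is only a triage hint: names such as main.dll are common in
    legitimate software, so only the hash match is a positive identification.
    """
    digest = digest.upper()
    if digest in ioc_sha1:
        return "hash"
    known_names = {n.lower() for n in ioc_sha1.values()}
    if file_name.lower() in known_names:
        return "name"
    return None


def scan_tree(root: Path, ioc_sha1: Dict[str, str] = IOC_SHA1) -> List[Match]:
    """Walk root recursively and collect hash and name matches."""
    matches: List[Match] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole sweep
            kind = classify(name, digest, ioc_sha1)
            if kind is not None:
                matches.append(Match(str(path), kind, digest, ioc_sha1.get(digest)))
    # Strong hits first so an analyst sees positive identifications at the top.
    matches.sort(key=lambda m: (m.kind != "hash", m.path))
    return matches


def demo() -> List[Match]:
    """Build a constructed directory (harmless sample files, no real malware) and sweep it.

    One sample's digest is injected into a copy of the IoC table to exercise the
    strong-match path; a file named main.dll exercises the weak name-only path.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        sample = b"constructed sample bytes, not a real binary"
        (root / "sub" / "dropped.bin").write_bytes(sample)
        (root / "main.dll").write_bytes(b"constructed benign content")
        (root / "readme.txt").write_bytes(b"nothing to see here")
        iocs = dict(IOC_SHA1)
        iocs[sha1_hex(sample)] = "constructed-indicator"  # constructed, not a real IoC
        return scan_tree(root, iocs)


if __name__ == "__main__":
    for m in demo():
        print(f"{m.kind:4} {m.sha1} {m.path} ({m.ioc_name or 'name match only'})")
```

To sweep a real host, call `scan_tree(Path(r"C:\Program Files"))` (or whatever directories the VPN client and its installer were written to) with the default IoC table and treat only `kind == "hash"` results as confirmed; name-only results are a prompt to pull the file for closer analysis, not evidence of compromise.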
Implications and Concerns
- Supply Chain Compromise: This attack marks a significant escalation in PlushDaemon's tactics, demonstrating the group's ability to compromise not just Chinese applications but also a South Korean software provider. The focus on VPN services is particularly concerning because of the sensitive nature of the data and communications these tools are meant to secure.
- State-Sponsored Cyber Espionage: The discovery of PlushDaemon and its activities highlights the ongoing threat posed by state-sponsored cyber espionage campaigns. It underscores the importance of robust security measures throughout the software supply chain and the need for constant vigilance against evolving cyber threats.