Compromised Code Signing Certificates Aiding Hackers Spread Malware
Compromised Code Signing certificates let hackers forge digital signatures and trick browsers.
Hackers are using compromised code signing certificates to sign malware. This, in turn, tricks antivirus programs into thinking the malware has come from a trusted source. The antivirus program doesn’t flag the software as being untrusted or malicious, a user downloads it and suddenly their computer is infected.
It’s a brilliant play – and a dangerous one, too.
What is a Code Signing certificate?
A code signing certificate is a digital certificate that lets an individual developer or an organization digitally sign a script or executable. This digital signature serves two purposes. First of all, it lets end users verify the identity of the publisher. Secondly, it allows the end user to verify that the software comes as intended – that it hasn’t been tampered with.
Web filters like Google Safe Browsing and Microsoft SmartScreen, as well as antivirus programs, require that software be signed; otherwise they flag the download as untrusted and potentially unsafe. This warning is enough to dissuade most end users.
What happens when a code signing certificate is compromised?
When a code signing certificate is compromised, it can be used to sign malicious software like malware and fool antivirus programs. Because the digital signature of a trusted publisher is present, the programs believe the software must be trustworthy as well. Thus, no warning is issued and the end user winds up downloading malware.
Security researchers at the University of Maryland found 72 compromised certificates after analysing field data collected by Symantec on 11 million hosts worldwide. “Most of these cases were not previously known, and two thirds of the malware samples signed with these 72 certificates are still valid, the signature check does not produce any errors,” Tudor Dumitras, one of the researchers, told El Reg. “Certificate compromise appears to have been common in the wild before Stuxnet, and not restricted to advanced threats developed by nation-states. We also found 27 certificates issued to malicious actors impersonating legitimate companies that do not develop software and have no need for code-signing certificates, like a Korean delivery service… This flaw affects 34 antivirus products, to varying degrees, and malware samples taking advantage of this are also common in the wild.”
In some cases, the malware creators didn’t even need to possess a code signing certificate. Simply copying a digital (Authenticode) signature from a legitimately signed file onto their own software was enough to trick the antivirus programs, even though the resulting signature is invalid.
A study by the Cyber Security Research Institute and Venafi recently found code signing certificates for sale on the dark web for around $1200.
“Our research proves that code signing certificates are lucrative targets for cyber criminals,” said Kevin Bocek, chief security strategist for Venafi. “With stolen code signing certificates, it’s nearly impossible for organizations to detect malicious software. In addition, code signing certificates can be sold many times over before their value begins to diminish, making them huge money makers for hackers and dark web merchants. All of this is fuelling the demand for stolen code signing certificates.”
What can be done to fix this?
This problem needs to be dealt with on several levels. For starters, CAs need to tighten up their validation practices to avoid issuing code signing certificates to entities that don’t develop software. A trusted CA should be able to tell very quickly whether something seems fishy about the company applying for the certificate if they’re, say, a Korean delivery service – as was the example given earlier.
Additionally, antivirus vendors need to tighten up as well. Specifically, an invalid signature should be treated as if there were no signature at all. The fact that a misapplied signature is enough to keep these programs from warning users before a download is appalling.
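To make the point of the last two sections concrete, here is an added example, not code from the original article, in Go: a minimal signer and verifier built on the standard library, with constructed sample file contents, showing that a signature copied from a legitimately signed file fails verification on any other file and is reported exactly like an unsigned download. It models the signature check alone; certificate chain and trust-store validation are assumed to happen separately.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)
// Verdicts a download filter acts on; a mismatching signature counts as no signature.
const (
	Trusted      = "signed by trusted publisher"
	Unsigned     = "unsigned: warn user"
	HashMismatch = "signature does not match file: treat as unsigned, warn user"
)
// signFile plays the publisher: RSA PKCS#1 v1.5 over SHA-256 of the file bytes.
func signFile(key *rsa.PrivateKey, file []byte) ([]byte, error) {
	digest := sha256.Sum256(file)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// checkFile plays the verifier; the digest is recomputed from the bytes on disk,
// so a signature lifted from a different file cannot pass.
func checkFile(pub *rsa.PublicKey, file, sig []byte) string {
	if len(sig) == 0 {
		return Unsigned
	}
	digest := sha256.Sum256(file)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return HashMismatch
	}
	return Trusted
}

// demo returns the verdicts for a legitimately signed file, for unsigned malware,
// and for malware carrying the signature copied from the legitimate file.
func demo() (legitVerdict, unsignedVerdict, copiedVerdict string) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	legit := []byte("constructed sample: legitimate installer bytes")
	malware := []byte("constructed sample: malicious installer bytes")
	sig, err := signFile(key, legit)
	if err != nil {
		panic(err)
	}
	pub := &key.PublicKey
	return checkFile(pub, legit, sig), checkFile(pub, malware, nil), checkFile(pub, malware, sig)
}

func main() { fmt.Println(demo()) }
```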
And finally, for the companies whose certificates are being compromised, it frankly comes down to better key management in a lot of cases. If you lose control of that private key, your certificate is worthless. One answer is to store your key on a physical hardware token, not on your network. This makes stealing the private key a lot harder because the token has to be physically taken. That’s a huge advantage in this situation. Alternatively, you could invest in an Extended Validation code signing certificate. It requires more extensive vetting on the part of the issuing CA, and its private key is also delivered on a physical hardware token.
What we Hashed Out (for Skimmers)
Here’s what we covered in today’s discussion:
- Hackers are using compromised Code Signing certificates to get their malware past antivirus software and web filters.
- Code Signing certificates add a digital signature to software that validates the publisher’s identity and ensures software integrity.
- The best way to avoid having your code signing certificate compromised is strong key management; we recommend getting an EV code signing certificate because the private key is stored on a physical hardware token.