Compromised Code Signing Certificates Aiding Hackers Spread Malware
Compromised Code Signing certificates let hackers forge digital signatures and trick browsers.
Hackers are using compromised code signing certificates to sign malware. This, in turn, tricks antivirus programs into thinking the malware has come from a trusted source. The antivirus program doesn’t flag the software as being untrusted or malicious, a user downloads it and suddenly their computer is infected.
It’s a brilliant play – and a dangerous one, too.
What is a Code Signing certificate?
A code signing certificate is a digital certificate that lets an individual developer or an organization digitally sign a script or executable. This digital signature serves two purposes. First of all, it lets end users verify the identity of the publisher. Secondly, it allows the end user to verify that the software comes as intended – that it hasn’t been tampered with.
Web filters like Google Safe Browsing and Microsoft SmartScreen, as well as antivirus programs, require software to be signed, or else they flag the download as untrusted and potentially unsafe. This warning is enough to dissuade most end users.
What happens when a code signing certificate is compromised?
When a code signing certificate is compromised, it can be used to sign malicious software like malware and fool antivirus programs. Because the digital signature of a trusted publisher is present, the programs believe the software must be trustworthy as well. Thus, no warning is issued and the end user winds up downloading malware.
Security researchers at the University of Maryland found 72 compromised certificates after analysing field data collected by Symantec on 11 million hosts worldwide. “Most of these cases were not previously known, and two thirds of the malware samples signed with these 72 certificates are still valid, the signature check does not produce any errors,” Tudor Dumitras, one of the researchers, told El Reg. “Certificate compromise appears to have been common in the wild before Stuxnet, and not restricted to advanced threats developed by nation-states. We also found 27 certificates issued to malicious actors impersonating legitimate companies that do not develop software and have no need for code-signing certificates, like a Korean delivery service… This flaw affects 34 antivirus products, to varying degrees, and malware samples taking advantage of this are also common in the wild.”
In some cases, the malware creators didn’t even need to possess a code signing certificate. Simply copying a legitimate digital signature (an Authenticode signature) onto the malicious file, which produces a signature that does not actually validate, was enough to trick the antivirus programs.
A study by the Cyber Security Research Institute and Venafi recently found code signing certificates for sale on the dark web for around $1200.
“Our research proves that code signing certificates are lucrative targets for cyber criminals,” said Kevin Bocek, chief security strategist for Venafi. “With stolen code signing certificates, it’s nearly impossible for organizations to detect malicious software. In addition, code signing certificates can be sold many times over before their value begins to diminish, making them huge money makers for hackers and dark web merchants. All of this is fuelling the demand for stolen code signing certificates.”
What can be done to fix this?
This problem needs to be dealt with on several levels. For starters, CAs need to tighten up their validation practices to avoid issuing code signing certificates to entities that don’t develop software. A trusted CA should be able to tell very quickly whether something seems fishy about the company applying for the certificate if they’re, say, a Korean delivery service – as was the example given earlier.
Antivirus companies need to tighten up as well. Specifically, an invalid signature should be treated as if there were no signature at all. The fact that a misapplied signature is enough to trick these programs into not warning users before a download is appalling.
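To make the point above concrete, here is an added Go example (not code from the article or from any antivirus vendor) that contrasts a flawed checker, which accepts any signature blob attached to a file, with a hardened one that verifies an ECDSA signature over the file's actual contents and treats a failed verification exactly like a missing signature. The publisher key and file bytes are constructed for the demonstration; real Authenticode uses X.509 certificates and PE-specific hashing, which this simplified model leaves out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Verdict is what a download filter acts on.
type Verdict string
const (
	Trusted  Verdict = "trusted"  // signature verifies over these exact bytes
	Unsigned Verdict = "unsigned" // no signature, or one that fails to verify
)
// Sign hashes the binary and signs the digest with the publisher's key.
func Sign(priv *ecdsa.PrivateKey, binary []byte) ([]byte, error) {
	digest := sha256.Sum256(binary)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// EvaluateWeak models the flawed check the article describes: any signature
// blob attached to the file counts as proof, so a copied signature passes.
func EvaluateWeak(binary, sig []byte) Verdict {
	if len(sig) > 0 {
		return Trusted
	}
	return Unsigned
}

// Evaluate is the hardened form: Trusted only when the signature verifies
// against the publisher's public key over the current contents; a missing
// signature and an invalid one get the same verdict.
func Evaluate(pub *ecdsa.PublicKey, binary, sig []byte) Verdict {
	digest := sha256.Sum256(binary)
	if len(sig) == 0 || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return Unsigned
	}
	return Trusted
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed publisher key
	installer := []byte("constructed sample: genuine installer bytes")
	malware := []byte("constructed sample: malicious payload bytes")
	sig, _ := Sign(priv, installer) // signature later "pasted" onto the malware
	fmt.Println("weak check, pasted signature:    ", EvaluateWeak(malware, sig))
	fmt.Println("hardened check, pasted signature:", Evaluate(&priv.PublicKey, malware, sig))
}
```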
And finally, for the companies whose certificates were compromised, it frankly comes down to better key management in a lot of cases. If you lose that private key, your certificate is worthless. One answer is to store your key on a physical hardware token – not on your network. This makes stealing the private key a lot harder because the token has to be physically taken. That’s a huge advantage in this situation. Alternatively, you could invest in an Extended Validation code signing certificate. It requires more extensive vetting by the issuing CA, and its private key is also delivered on a physical hardware token.
What we Hashed Out (for Skimmers)
Here’s what we covered in today’s discussion:
- Hackers are using compromised Code Signing certificates to get their malware past antivirus software and web filters.
- Code Signing certificates add a digital signature to software that validates the publisher’s identity and ensures software integrity.
- The best way to avoid having your code signing certificate compromised is strong key management; we recommend getting an EV code signing certificate because the private key is stored on a physical hardware token.