New research from Masaryk University in the Czech Republic and the Maryland Cybersecurity Center (MCC) in the US has identified and monitored four organizations that sold Microsoft Authenticode certificates to anonymous buyers. The same research team also collected a corpus of Windows-targeted malware carrying valid digital signatures: http://legacydirs.umiacs.umd.edu/~tdumitra/papers/WEIS-2018.pdf
Cybersecurity experts from STEALTHbits Technologies and Venafi commented on this story. According to Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies, “Gaining unauthorized access to desktops has traditionally been relatively easier for attackers using attack vectors such as drive-by downloads and phishing. And while endpoint security achieved some increases in efficacy over the last 5 years with the evolution of endpoint protection platforms, we only ever treated the symptom and not the cause – over-permissive access. If an attacker can use a trusted signed certificate to install malware then the malware will use the access rights granted to that user or the access rights left behind in the form of NTLM hashes to further penetrate the network. While this development is a worrying one, applying a least access privilege model would reduce the threat greatly.”
Jonathan Sander, chief technology officer at STEALTHbits Technologies observed, “Malware purveyors seem focused on deep technical things until you see their real focus is actually a core business concept: ROI. Bad guys are more than happy to pay a price for certificates to fool protective measures and hide in plain sight as ‘authorized’ software because the value of any stolen data will more than cover the small cost of a stolen cert. Criminals are in it for the revenue, and they understand you have to spend money to make money.”
“The Stuxnet blueprint continues, we’re seeing a growing cyber criminal underground that has clearly expanded on the original attack’s accomplishments. Everyone, from cyber criminals to nation state actors, is hungry for trusted code signing certificates,” commented Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. He added, “New research shows that demand for code signing certificates is accelerating; cyber criminals know that these assets make it possible to evade detection, even with targets that are using next generation AV tools. Intel correctly identified this new threat in 2015, predicting it would be the next hot commodity on subversive marketplaces.
This underground economy is growing because many organizations are rapidly expanding their use of code signing certificates. They are foundational components in many applications and DevOps environments. Unfortunately, in many cases, code signing certificates are secured by unsuspecting teams that are focused on delivering code quickly, which allows attackers to intercept them.
Organizations must have full control over every code signing certificate they use, especially during the software development pipeline and signing process.”
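The practical consequence of the research above is that a valid Authenticode signature only proves that some certificate chaining to a trusted root was used; it says nothing about whether the purchaser of that certificate is a publisher you trust. The following PowerShell script is an added example (not code from the article, the cited paper, or either vendor) showing the check a defender would add: it rejects anything whose signature status is not Valid, and then also rejects binaries whose signer thumbprint is not on an explicit allowlist. The thumbprint in `$TrustedSignerThumbprints` and the `C:\staging` path are placeholder assumptions; replace them with your own publishers and directory.

```powershell
# Added example: "signed" is not the same as "trusted".
# Get-AuthenticodeSignature tells you whether the signature and chain are valid;
# the allowlist below tells you whether the signer is one you actually expect.

# ASSUMPTION: placeholder value. Replace with the SHA-1 thumbprints of the
# code-signing certificates your organization has vetted.
$TrustedSignerThumbprints = @(
    '0000000000000000000000000000000000000000'
)

function Test-TrustedSignature {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status covers hash mismatch, broken chain, untrusted root, and unsigned files.
    # Anything other than Valid is a hard fail before we even look at the signer.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path    = $Path
            Trusted = $false
            Reason  = "Signature status: $($sig.Status)"
        }
    }

    $thumb   = $sig.SignerCertificate.Thumbprint
    $subject = $sig.SignerCertificate.Subject

    # This is the step that catches malware signed with a bought or stolen
    # certificate: the chain is fine, but the publisher is not one we trust.
    if ($TrustedSignerThumbprints -notcontains $thumb) {
        return [pscustomobject]@{
            Path    = $Path
            Trusted = $false
            Reason  = "Valid signature but unknown signer: $subject ($thumb)"
        }
    }

    return [pscustomobject]@{
        Path    = $Path
        Trusted = $true
        Reason  = "Signed by allowlisted publisher: $subject"
    }
}

# Usage: triage every PE or installer file in a staging directory (assumed path)
# and list only the ones that should not be deployed.
Get-ChildItem -Path 'C:\staging' -Recurse -Include *.exe, *.dll, *.sys, *.msi |
    ForEach-Object { Test-TrustedSignature -Path $_.FullName } |
    Where-Object { -not $_.Trusted } |
    Format-Table -AutoSize
```

Keying the allowlist on certificate thumbprints rather than on the subject name matters here: the research describes sellers issuing certificates to anonymous buyers, so a subject string that merely resembles a legitimate company name is exactly what an attacker can obtain. Thumbprints pin the specific certificate, at the cost of having to update the list when a trusted publisher rotates its key.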