Venafi recently sponsored an academic study of the availability of SSL/TLS certificates on the dark web, and their role in the cybercrime economy. The research, undertaken by researchers at the Evidence-based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University and the University of Surrey, uncovered thriving marketplaces for TLS certificates sold both individually and packaged with a wide range of crimeware.
Together these services deliver “machine-identities-as-a-service” to cyber criminals who wish to spoof websites, eavesdrop on encrypted traffic, perform man-in-the-middle attacks and steal sensitive data “in order to give attackers immediate access to high levels of online credibility and trust” as David Maimon, associate professor and director of the Evidence-based Cybersecurity Research Group said during the announcement of the study.
As organizations focus on the digital transformation of their businesses, the importance of encryption as the cornerstone of security and privacy is increasingly vital. TLS certificates are essential to encryption because they authorize all encrypted communication between machines. TLS certificates are instrumental in protecting privacy and improving security, providing each machine with a unique machine identity.
Despite the pivotal role encryption plays in our digital economy and across the internet, the processes needed to protect digital certificates are not well understood or widely followed. As a result, TLS certificates are often poorly protected, making them attractive targets for attackers. If these certificates are fraudulent, compromised, forged or tampered with, they can be powerful tools for attackers to launch high profile attacks.
This is deeply related to the mechanics behind the trust model of a TLS certificate. To cut a long story short, when a browser receives a trusted TLS certificate, it follows the digital signature back to the certificate it is associated with until it eventually reaches one of the trusted roots in its trust store. As long as the certificate’s signature can be chained back to a root, the certificate is trusted. A fraudulent certificate is a trusted certificate that is associated with a site that the certificate’s owner doesn’t actually control.
More specifically, fraudulent certificates could be sold in the online underground market on the dark web to malicious parties if a trusted certificate authority is breached and private keys are stolen from it. In turn, these malicious actors could use them to move silently between trusted machines, “listen” to encrypted traffic, and escalate privileges to access sensitive data. Moreover, if the verification processes used by trusted certificate authorities to verify the identity of the requesting party can be circumvented or spoofed, malicious actors can be issued a TLS certificate that delivers the highest levels of trust, such as an EV certificate. This allows attackers to create “trustworthy” spoofed or malicious websites and encrypt the traffic between malicious servers to targeted users, making it more difficult to identify problematic behavior. It is a systemic failure of the trust model of authentication.
The sale of TLS certificates on the dark web is deeply concerning, because consumers are advised by security professionals to visit credible sites using TLS certificates to complete their online purchases. Breaking the trust model proves the ingenuity of cyber criminals to make money in the competitive, yet illegal underground marketplace.
TLS certificates have actually become a weapon of choice for cyber criminals. Kevin Bocek, vice president of security and threat intelligence for Venafi, discussing this threat stated that “TLS certificates that act as trusted machine identities are clearly a key part of cybercriminal toolkits – just like bots, ransomware and spyware. Every organization should be concerned that the certificates used to establish and maintain trust and privacy on the internet are being weaponized and sold as commodities to cyber criminals.”
That’s very true indeed. No matter what kind of networked entity the certificate is associated with, if an external cyber attacker has unauthorized access, the consequences will be devastating. Whether the machine associated with the machine identity contains financial data or just a way into an organization’s internal communications, tremendous damage can be done to a wide variety of organizations, both private and state owned, that may go unnoticed until it is too late. Hence, TLS certificates are a precious commodity in the cybercrime ecosystem. It shouldn’t be a surprise that the rise in demand of TLS certificates comes at a period when the sale of zero-day exploits are on the decline.
During the announcement of the study, Kevin Bocek said that these dark web services essentially deliver "machine identities as a service" to cyber criminals. TLS certificates provide each machine with a unique machine identity and are used to convey trust to website visitors and search engines. "The identities of machines are a lot more valuable, a lot more interesting and a lot more important to hackers these days. Having a machine identity as part of your attack is actually a must-have today, because the browsers have now enforced a policy that if you don't have the TLS digital certificate, then your web service, website and your attack are going to be marked as not trusted at all. No hacker wants that." added Bocek.
Authentic TLS certificates allow cyber criminals to create sites for phishing campaigns and other malicious activity that evade several web browser security measures, like HTTPS checks and safe browsing modes. Stolen certificates can be used for malware diffusion. Installation of certain types of software requires its code to be digitally signed with a trusted certificate. By stealing a digital certificate associated with a trusted vendor and signing malicious code with it, reduces the possibility that a malware will be detected as quickly. In addition, if a digital certificate is stolen, victims may suffer an identity theft and related economic implications. Finally, digital certificates are used by attackers to conduct “man-in-the-middle” attacks over the secure connections, tricking users into thinking they were on a legitimate site when in fact their TLS traffic was being secretly tampered with and intercepted.
The above examples of illicit activity explain why the researchers found the vendors on online underground markets were offering the most trusted type of machine identity, the Extended Validation (EV) certificates for U.S. and U.K. companies, for as much as $2,000, promising “to supply EV certificates from reputable and trusted certificate authorities, along with documentation for the forged companies.” EV certificates allow the attackers to create trustworthy spoofed or malicious websites and encrypt the traffic between malicious servers to targeted users, making it difficult to spot problematic behavior.
All of the above makes the finding of the study more alarming because of “how easy and inexpensive it is to acquire extended validation certificates, along with all the documentation needed to create very credible shell companies without any verification information” as David Maimon has said.
To be honest, the sale of TLS certificates should be expected as the internet becomes more and more encrypted. It is only natural that the attackers evolve their strategies and migrate to techniques that attempt to circumvent this control. As a consequence, internet users should not trust a site only because the TLS certificate is valid, even if it is an EV certificate. As the report shows, these can also be spoofed. It is our shared responsibility to mitigate this attack vector, even if it proves difficult.
There are ways for organizations to safeguard their legitimate certificates and the best one is to ensure successful management of certificates and keys. Organizations must have visibility into each of their TLS key and certificates, and they should recourse to automation for effective management of digital certificates.