Your TLS certificates, like all of your machine identities, are very precious and very sensitive keys. I live in a large city, so if I lose the physical key to my apartment’s front door, there’s no clue on my key as to which street address’ door it unlocks. I’d have to make an embarrassing phone call to my landlord, but at least the odds of a burglar breaking into my home with it are exceedingly slim. The same cannot be said for TLS certificates. A TLS certificate names the hosts it identifies, and together with its private key it can be used to impersonate those machines. It doesn’t matter what kind of networked entity the certificate is associated with: if an attacker gets hold of it, the consequences can be devastating. Whether the machine behind that identity holds financial data or is just a way into your workplace’s internal communications, tremendous damage can be done that you may not notice until it’s too late.
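The paragraph above makes the point that, unlike an apartment key, a certificate carries the "street address" of the doors it opens. The following script is an added example (not part of the original post or of the Venafi-sponsored research) showing the checks a defender runs when a certificate and key turn up somewhere they should not be: which hostnames the certificate identifies, how long it remains valid, and whether the private key found beside it is really the one behind it. It assumes the `openssl` command-line tool (1.1.1 or later, for `-addext`) is installed; the hostnames and file names are constructed for illustration, and the self-signed certificate is generated locally so nothing here touches a real identity.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI
# (1.1.1+). Every hostname and path below is constructed for illustration.
set -eu

# Generate a throwaway self-signed certificate and key so the example runs
# offline. The two DNS names are made up; they stand in for the hosts a
# real certificate would be trusted to speak for.
make_test_identity() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/CN=payments.example.test" \
        -addext "subjectAltName=DNS:payments.example.test,DNS:api.example.test" \
        >/dev/null 2>&1
}

# Print the DNS names a certificate identifies, one per line. This is the
# information a leaked certificate carries that a physical key does not:
# it says exactly which hosts it can be used to impersonate.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p'
}

# Print the validity window, so an inventory can flag certificates that
# are still valid (and therefore still usable) after a suspected leak.
cert_validity() {
    openssl x509 -in "$1" -noout -dates
}

# Return 0 when the private key is the one behind the certificate, 1
# otherwise. Comparing the two public keys confirms whether a key file
# found next to a certificate actually unlocks that identity; a
# certificate without its key is public information, not a usable identity.
key_matches_cert() {
    key="$1"; cert="$2"
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    [ "$key_pub" = "$cert_pub" ]
}

# Demonstration run on the constructed identity. Point the functions at
# real certificate and key files to use them in an inventory.
work=$(mktemp -d)
make_test_identity "$work"
echo "hosts this certificate identifies:"
cert_dns_names "$work/server.crt"
cert_validity "$work/server.crt"
if key_matches_cert "$work/server.key" "$work/server.crt"; then
    echo "private key matches certificate: a leak of both is a usable identity"
else
    echo "private key does not belong to this certificate"
fi
rm -rf "$work"
```

The key-matching check is the one worth keeping close at hand: a certificate alone is public (it is sent to every client in the TLS handshake), so the finding that matters in an incident is whether the matching private key was exposed alongside it.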
Cyber attackers know this all too well and they see an opportunity. Some will acquire TLS certificates and see that other cyber attackers on the Dark Web are willing to pay top dollar, or rather top Bitcoin for them. Other cyber attackers think paying the equivalent of a few hundred dollars for a bunch of certificates is a worthwhile investment, because the cybercrime they can commit with them could make them at least thousands.
Venafi has sponsored some extensive research into this worrisome and growing cybersecurity problem. The research was conducted by the Evidence-based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University and the University of Surrey, featuring the work of David Maimon, Yubao Wu, Michael McGuire, Nicholas Stubler, and Zijie Qiu. The objective of the study was to find out how extensive TLS certificate trafficking is on the Dark Web, and how those sensitive machine identities are packaged and sold to cyber attackers. Their findings are very concerning, and every organization which uses certificates must know about them.
Here are some of the findings which really grabbed my attention.
TLS certificates aren’t always sold on their own. Often they are packaged in bundles with other crimeware, such as ransomware and kits for making phishing websites. Don’t tell me you’d buy that TV infomercial’s food processor if they didn’t throw in a set of Japanese kitchen knives and an avocado cutting gadget if you call right now! On a more serious note, the bundling that Dark Web market vendors do makes life much easier for cyber attackers. Now more than ever, they don’t have to work very hard to engage in cyber attacks, nor do they require l33t hacker skills these days. That spells bad news for the legitimate users of machine identities and encrypted networking.
The researchers examined Dark Web markets and forums hosted both on the Tor and on the I2P proxy networks. Some of the illicit entities that they’ve researched include Dream Market, Wall Street Market, Empire Market, Silk Road 3.1, Rapture, Tochka/Point Cannazon, CGMC, Berlusconi Market, AltBay, The Majestic Garden, Olympus, Midland City, Black Market, Cave Tor, Visibility, Dumpteam, Hidden Answers, Chan, Anongw, Anonsfw and Difracker.
Dream Market, Wall Street Market, BlockBooth, Nightmare Market, and Galaxy3 specifically sell more TLS certificates than the other Dark Web sites the researchers looked at. All of them have easy-to-use search functionality. Searches on those five sites conducted by the researchers uncovered 2,943 mentions for “SSL” and 75 for “TLS.” For some perspective, there were only 531 mentions for “ransomware” and 161 for “zero day.” As you of course know, a zero day exploit is one that targets a vulnerability assumed to be unknown to the vendor and the cybersecurity industry, so no patch yet exists for it. Interestingly enough, Dream Market seems to specialize in selling TLS certificates now.
Some of the targeted extras which have been bundled with maliciously acquired TLS certificates include after-sale support, integration with a range of legitimate payment processors such as PayPal, and “aged” domains. That could make profitable cybercrime easier than ever.
One vendor on BlockBooth has been found to claim that it can obtain certificates issued by legitimate certificate authorities. If the claim is true, that’s absolutely fascinating. But it also suggests that perhaps some certificate authorities are being specifically exploited for the purposes of cybercrime.
Illicitly acquired and sold TLS certificates aren’t as expensive as you may think. Researchers have found that they tend to be sold for the equivalent of around $260 to $1600 USD. Although pretty much everything that can be purchased from the Dark Web must be bought with cryptocurrency, my own personal research of Dark Web markets has indicated that the sites can be configured to show what the Bitcoin, Monero, or Ethereum prices are worth in US dollars, Euros, British pounds, Canadian dollars, or other major fiat currencies. Also, those prices must be irresistible to prospective cyber attackers. I occasionally spend several hundred dollars impulsively, and I’m not a wealthy woman. Crimeware and your sensitive machine identities can be relatively affordable in the grand scheme of things.
The research report concludes:
“This project provides evidence of the existence of an online underground market for TLS certificates, specifically the presence of vendors on online underground markets that are promising to issue EV certificates for US and UK companies for less than $2,000. At this point, we are not sure how large this market is, whether the quality of goods offered matches vendor listings, or which parties are interested in purchasing these commodities. However, we plan to continue our research and keep investigating this issue.”
That continued research is very necessary and I’m eager to learn what further Venafi-sponsored research will uncover in due time.