Security loopholes aren't a hacker's only gateway to infecting a system. Sometimes legitimate certificates spread malware, remaining a threat for years. This type of threat is not going away anytime soon.
So, what is a certificate? Why are certificates important? Who is abusing them, and for what reason? Read on to find out.
Certificates are used to cryptographically sign executable code, documents and even websites. They attest that the person, organization, code or website they are attached to can be trusted, because the identity behind it has been verified.
In short, they give your everyday, non-technical user some assurance that the website or application they are using is legitimate.
Applications that use a certificate are seen as more trustworthy by users. Trusted applications will not be stopped by antivirus or anti-malware technologies. Trusted websites are more likely to be used for sensitive actions, such as online banking.
Certificates are considered secure because they rely on Public Key Infrastructure (PKI). PKI is an asymmetric system: it uses two mathematically linked keys, a public key and a private key. The public key is used to encrypt data, whether that is in the user's browser or part of a message to be sent, and the private key is used to decrypt that data once it arrives at the website or server. The system is considered secure because only the holder of the private key can decrypt what was encrypted with the public key. The same key pair also works in the other direction for signing: the private key produces a signature, and anyone holding the public key can verify it, which is how a certificate vouches for code or a document.
An SSL (Secure Sockets Layer) certificate contains the public key of a website, which allows the user's information to be encrypted and sent to the website, making the session secure. The website then decrypts the session data using its private key.
If an organization wants a secure website that uses encryption, then a certificate needs to be obtained.
Obtaining this gives the website the green lock that most non-technical users are familiar with.
In general, SSL Certificates are used to prevent malicious websites from pretending to be legitimate websites. Attackers can create fake websites to steal credentials and/or deliver malware.
Digital Certificates are primarily used to ensure that software is legitimate and not malware, helping non-technical users to easily identify malicious internet properties.
Sticking with the SSL certificate example, Certificate Authorities (CAs) are entities that issue SSL certificates and act as a trusted (approved) third party. CAs are trusted because they require payment and proof of identity to tie the code, document, or application to the legitimate organization. They verify that the certificate actually belongs to the person, organization, or entity named in it.
Software companies do the same for their own software; they sign and certify their code to prove that it belongs to them. The aim is to prevent malicious attackers from masquerading malware as legitimate software.
Getting malware signed by a legitimate company, or getting a website signed by a trusted CA, is a top priority for malicious attackers. If they can create their own 'legitimate' certificates that others trust, they can run malicious code or malicious websites that are seen as 'trusted'. This allows attackers to run code that would otherwise be blocked without the certificate.
It is much easier for an attacker to steal a certificate than to attempt to bypass antivirus, application whitelisting, intrusion prevention and all the other tools defenders have. With a certificate, the malware is allowed to run in a trusted state. Bypassing these technologies this way can save a cybercriminal organization considerable development time and money.
All the benefits above mean attackers are well-practiced at targeting certificate authorities and software companies. An example of this is the NotPetya Ransomware Worm, where attackers used fraudulent Microsoft certificates in an attempt to bypass antivirus scanners.
The benefit of having legitimate certificates for their malware is so great that there are criminal organizations dedicated solely to stealing certificates and selling them to other cybercriminals. These criminal organizations have now even created malware designed just to steal digital certificates.
Many breaches are found to have used legitimate certificates that were stolen. The nation-state malware that infiltrated the security firm Kaspersky in 2016 is a good example: the stolen certificates came from Foxconn.
Antivirus software can require high processing power, due to the in-depth nature of scanning. To save processing power, antivirus software may decide not to scan digitally signed software, or to de-prioritize it. Attackers are well aware of this and sign their own malware with certificates that resemble those of known, trusted software companies in order to avoid examination by antivirus software.
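The pieces above fit together in a small, runnable example: a key pair where the private key signs and the public key verifies, a CA that issues a code-signing certificate to a publisher, and the check a defender's tooling should run before trusting a signed binary. This is an added example using Go's standard library (crypto/x509, crypto/ed25519); it is not code from the original post or from any product the post mentions, and the CA name, publisher name, serial number and "binary" are all constructed. It also goes slightly beyond the text in one respect: it shows that a signature made with a stolen key is indistinguishable from a legitimate one until the certificate is revoked, which is why a verifier needs a revocation check and why signed code still deserves scanning.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Signer pairs a private key with the certificate that carries the matching public key.
type Signer struct{ Key ed25519.PrivateKey; Cert *x509.Certificate }

// Reasons a verifier can reject a signed binary.
var ErrUntrustedChain = errors.New("certificate does not chain to a trusted CA")
var ErrRevoked = errors.New("signing certificate is revoked")
var ErrBadSignature = errors.New("signature does not match binary")

// makeCert generates a key pair and has issuer certify its public key; issuer == nil means self-signed.
// Setup failures (key generation, certificate encoding) abort the demo with a panic.
func makeCert(issuer *Signer, tmpl *x509.Certificate) *Signer {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	parent, parentKey := tmpl, key // self-signed: the certificate vouches for itself
	if issuer != nil {
		parent, parentKey = issuer.Cert, issuer.Key // the CA's private key signs the new certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return &Signer{Key: key, Cert: cert}
}

// newCA builds a self-signed root standing in for a Certificate Authority (constructed, not a real CA).
func newCA(name string) *Signer {
	return makeCert(nil, &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	})
}

// issueCodeSigningCert has the CA vouch for a software publisher's public key.
func issueCodeSigningCert(ca *Signer, publisher string, serial int64) *Signer {
	return makeCert(ca, &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: publisher},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
}

// signCode signs a binary with the publisher's private key (Ed25519 hashes the input internally).
func signCode(s *Signer, binary []byte) []byte {
	return ed25519.Sign(s.Key, binary)
}

// verifySignedCode is the check a defender's tooling should run before treating a binary as trusted: chain to a
// trusted root with the code-signing usage, consult the revocation list (keyed by serial here), then check the signature.
func verifySignedCode(binary, sig []byte, cert *x509.Certificate, roots *x509.CertPool, revoked map[string]bool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("%w: %v", ErrUntrustedChain, err)
	}
	if revoked[cert.SerialNumber.String()] {
		return ErrRevoked
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, binary, sig) {
		return ErrBadSignature
	}
	return nil
}

// scenarios walks through the cases the article describes and returns each verdict by name.
func scenarios() map[string]error {
	ca := newCA("Example Trusted CA")
	publisher := issueCodeSigningCert(ca, "Example Software Co", 1001)
	rogue := issueCodeSigningCert(newCA("Attacker CA"), "Example Software Co", 1001) // same name, CA nobody trusts
	roots := x509.NewCertPool() // the trust store: only the legitimate CA is in it
	roots.AddCert(ca.Cert)
	binary := []byte("constructed sample binary: MZ...") // stands in for a real executable
	sig := signCode(publisher, binary)
	tampered := append([]byte("malicious patch "), binary...)         // bytes changed after signing
	crl := map[string]bool{publisher.Cert.SerialNumber.String(): true} // published once the key theft is reported
	return map[string]error{
		"legitimate":       verifySignedCode(binary, sig, publisher.Cert, roots, nil),
		"tampered binary":  verifySignedCode(tampered, sig, publisher.Cert, roots, nil),
		"untrusted issuer": verifySignedCode(binary, signCode(rogue, binary), rogue.Cert, roots, nil),
		// Malware signed with a stolen key verifies exactly like "legitimate" until the certificate is revoked.
		"stolen key, revoked": verifySignedCode(binary, sig, publisher.Cert, roots, crl),
	}
}

func main() { fmt.Println(scenarios()) }
```

Two design choices are worth noting. First, `verifySignedCode` checks the chain and the revocation list before the signature, because a valid signature under an untrusted or revoked certificate is exactly the case the article warns about. Second, the "stolen key, revoked" scenario reuses the legitimate signature unchanged: nothing in the bytes distinguishes a publisher's build from malware signed with the publisher's stolen key, so revocation data and continued scanning of signed code are the only defences that separate the two.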
Digital certificates are extremely valuable to attackers, allowing them to bypass ever-expanding defensive technology. Unsurprisingly, these attacks are expected to remain extremely popular for the foreseeable future.
(This post has been updated. It was originally published on July 16, 2019.)