Code Signing Abuse On the Upswing From Criminal Gangs [APT41]

Building a secure IT infrastructure involves having strong security controls in place. These controls include implementing a Public Key Infrastructure (PKI) that uses code signing to authenticate executable software. However, threat actors have several ways to abuse the code signing process and inject malware into supply chains and legitimate devices. Their tactics are advancing over time and as the case of criminal group APT41 demonstrates, they are aiming at “low value” targets to disrupt high-profile enterprises.

What is code signing?

Code signing is the practice of cryptographically signing software with the intent of giving the operating system an efficient and accurate way to discriminate between a legitimate application and malicious software. All modern operating systems and browsers automatically verify signatures by means of the concept of a certificate chain.

The certificate chain of trust is straight-forward: certificates are signed by trusted certificate authorities which have been authorized by publicly trusted root certificate authorities. While code signing provides security to code, if it is not implemented properly, it can pose issues and can be vulnerable to attacks or abuse.

How can attackers abuse code signing?

Malware authors can take advantage of the inherited trust model by gaining access to otherwise valid code signing certificates to release malicious code under a trusted author’s certificate and bypass malware protections. As research and incident investigations have discovered, code signing abuse can happen thorough several different ways.
 

• Key compromise: Poor storage and management of digital certificates or keys opens the door to threat actors to steal the associated private keys of trusted entities. Using these keys, they can sign code with a legitimate identity, or they can issue rogue certificates impersonating trusted identities.
  
  An analysis by TrendMicro in 2018 indicated that “a large number of malicious software… have been signed by trusted authorities—bypassing any client-side validation mechanisms built in recent OSs and browsers.” This shows that cybercriminals commonly provide software that are signed correctly, therefore running and bypassing code signing validations.
  
  The use of Hardware Security Modules (HSMs) can help secure private keys from attackers, as they would need to physically access the HSM with the proper credentials to steal the keys stored inside.
   
• Use of revoked or expired certificates: When a certificate is compromised or expired, certificate revocation is the only available process for CAs to notify their customers that the certificate is no longer trustworthy. However, this process introduces a delay during which malware with a revoked certificate may be considered as “trusted”. Researchers at Chronicle found out in 2019 that “CAs who signed certificates of 100 or more malware samples account for nearly 78% of signed samples uploaded to VirusTotal.”
   
• Coding errors: Code signing can be abused if the signed software contains vulnerabilities. If bugs and security flaws are present in the developed software, threat actors can discover them before being patched, rendering code signing useless. Even though the code is signed, these previously inserted vulnerabilities can still be leveraged by attackers to deploy malware onto victim’s systems. Code should be thoroughly tested before deployment, to ensure that no vulnerabilities are present.
   
• Systems compromise: If a system is compromised, and software is being signed on that system, the code can be changed before the actual signing. This allows malware payloads to be hidden in code that is legitimately signed, without the developer’s knowledge. That was the case with the SolarWinds attack.

Notable code signing abuses

Several notable code signing abuses have occurred in the past, and we can learn a lot from these incidents to protect our data in the future.

• SolarWinds: In 2020, SolarWinds found that its core systems had been compromised. Utilizing a supply chain attack, attackers managed to gain access to a Microsoft365 account owned by SolarWinds in September 2019. This allowed the threat actors to gain access to SolarWinds code, giving them the ability to abuse the code signing procedure and editing code before it was actually signed.
   
• D-Link: D-Link accidentally published their private code signing keys when publishing their source code for a firmware update. In this case, attackers could utilize these keys to sign code of their own making, but have recipients believe that they are receiving trusted code from D-Link. With the D-Link attack, only one of the four signing keys leaked was valid, but all it takes is one valid certificate for it to be misused.
   
• ASUS: Computer manufacturer ASUS had their code signing process compromised. Using ASUS’ software’s live update utility, the threat actors released malware to create backdoors into thousands of users’ computer systems. Because the malware was signed by ASUS, the live update tool updated the systems, allowing the attackers to steal sensitive data from the victims.
   

The APT41 case and code signing abuse

According to a recent Venafi whitepaper, cybercriminal group APT41 is increasingly leveraging compromised code signing certificates in launching supply chain attacks. Analysis shows that the group spent the last decade advancing attack methods to compromise code signing keys and certificates in “low value” targets like gaming and adware organizations. These certificates are then used in a wide variety of targeted cyberespionage attacks in the software, hardware, media, healthcare, high-tech and telecommunications sectors.

To understand how professional and advanced APT41 group is, BlackBerry security researchers note that although the group has shifted from stealing code signing certificates from gaming companies to signing malware with certificates stolen from adware vendors. To bypass security controls APT41 hides malware within the high volume of adware alerts that organizations receive every day.

Criminals discovered that this practice results in low detection rates and high success rates. This is because incident response and security teams are overwhelmed with other security signals and alerts and due to alert fatigue, they tend to disregard adware alerts.

How to prevent code signing abuse

The above use cases, and especially the tactics deployed from APT41 to move from low-value targets to high-profile organizations, demonstrate that every organization must improve the security of their software development processes. Unless every organization increases the security controls governing code signing keys and certificates, they will be at great risk. And this risk will move across the whole supply chain of the victim organization.

Venafi and Veracode have joined forces with Sophos and Cloudbees to develop a blueprint for building modern, secure software development pipelines, which consists of 15 controls and best practices to help organizations reduce risk and align with agile, high performance software development pipelines.

If you want to learn more about the APT41 tactics and how you can protect your code signing certificates, download the Venafi whitepaper “APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks”

Related posts

• Code Signing Risks and Containers: What You Need to Know
• Code Signing Risks: Hackers Are Getting Better at Stealing Code Signing Machine Identities
• New Study on Code Signing Certificates as Supply Chain Attack Targets