According to research from both Venafi and Recorded Future, code signing certificates are lucrative assets for cyber criminals to buy and sell on the Dark Web. However, these certificates are rather expensive, selling for higher prices than counterfeit U.S. passports, stolen credit cards and even handguns.
Code signing certificates are used to verify the authenticity and integrity of computer applications and software, thus contributing a vital element to internet and enterprise security. Unfortunately, these assets can cause substantial damage if they fall into the wrong hands.
Earlier this month, researchers from Microsoft uncovered an intense malware campaign that impacted over 400,000 computers within 12 hours. Cyber attackers attempted to install a resource-draining currency miner through Mediget, a BitTorrent application. Distressingly, the perpetrators used compromised machine identities to kick off their campaign.
“To avoid detection, the malware used a valid digital certificate that Microsoft suspects was stolen from an unnamed company,” wrote Dan Goodin, security reporter for ArsTechnica. “It's not clear how the attackers managed to obtain the digital certificate. One possibility is from a thriving underground economy that sells counterfeit malware signing credentials that are unique to each buyer.”
This event, sadly, is just the tip of the iceberg. Compromised certificates have consistently been used in major attacks and campaigns.
“This cyber crime spree uses the same blueprint as Stuxnet: stolen code signing certificates,” said Kevin Bocek, chief security strategist for Venafi. “You can take down Iranian centrifuges and create a powerful network of crypto mining zombies through the same attack vectors.”
Unfortunately, we should expect to see similar campaigns with more frequency in the near future. “Success with this attack will only drive the misuse of code signing certificates higher. Organizations need a new approach to protect themselves. The reputation of each and every code signing certificate must be continuously scored and evaluated,” concluded Bocek.
Are cyber criminals misusing your certificates?