Skip to main content
banner image
venafi logo

Pokémon’s Newest Villain? Pipemon!

Pokémon’s Newest Villain? Pipemon!

code signing vulnerability
May 28, 2020 | Eddie Glenn

During the past 3-day weekend, homebound and unable to get away due to the pandemic, my family played lots of video games. I noticed that updates to these video games were automatically downloaded to our computers and devices. Yesterday morning, I had several macOS apps that I regularly use update as well.

Were we asked if we wanted to update? Nope. Our devices checked the code signing signature on these updates, found them valid, and immediately trusted to download and install them. What exactly did they find trustworthy? A valid code signing signature and associated certificate said that the software hasn’t been modified since the publisher signed it, and that the publisher’s identity has been verified. It’s a great mechanism to protect our software supply chain, isn’t it?

Well, if you happen to be a recent user of Avast CCleaner (anti-malware utility), ASUS (Taiwanese personal computer manufacturer), or a player of several very popular massively multiplayer online (MMO) games, then you might have reason to believe otherwise.


Software Supply Chain Attack

What do these companies have in common? They all have been victims of a software supply chain attack. This attack usually works like this:

  • Cybercriminals hacks into a company’s build or update system, finds unprotected code signing keys, adds malware to a legitimate software executable, and then signs it with the valid code signing key. The unsuspecting business then pushes out the infected software to all of their unsuspecting customers.
  • Or cybercriminals steal a code signing private key (from a legitimate & trusted business) and then uses that to sign malware that they distribute in various ways to ensure their targets get infected. Often times, the legitimate business does not even know that their code signing credentials have been compromised until, well, it’s too late.

Avast CCleaner pushed out malicious updates to millions of unsuspecting users. ASUS pushed out a backdoor-infected driver update to over 500,000 customer PCs. Massively Multiplayer Online (MMO) games had malware installed in them that targeted users and was able to steal in-game currencies. 

As Ars Technica recently reported, it is suspected that a single cybercriminal group known as Winnti is responsible for all of these attacks.

Winnti, MMO games and PipeMon

There are several troubling characteristics of the latest attack on MMO games. First, in this attack, Winnti used a new and innovative backdoor that has been dubbed PipeMon that can survive reboots by infecting Windows print processors. This backdoor evades built-in security defenses by using a legitimate, but stolen, code signing certificate that was issued to computer games company Nfinity Games. Second, the theft of the code signing private key occurred 2 years ago. Apparently Nfinity didn’t even realize it. Third, this code signing certificate was not revoked until just recently when Nfinity was notified that it was being used to spread malware. Two years is a lot of time for a lot of malware to be signed. Furthermore, depending on if a timestamp was configured during the signing operation, the malware could appear legitimate for a VERY long time even though the certificate has been revoked.

But this isn’t unusual. According to a research paper, companies often do know if their company’s code signing credentials have been stolen or compromised the way they can with other web PKI info (e.g. TLS certificates). This is largely the result that stolen TLS certificates are easily discoverable on the Internet, but stolen code signing keys are not. They are usually discovered AFTER they have been used and damage has been done.

So, here we have a risk (code signing keys stolen or compromised) that is often not detectable until long after the damage has been done. What can businesses do to protect their software supply chain?

How to Protect Your Supply Chain?

First, it is imperative that all code signing keys are stored securely, either in an encrypted software store or better yet, a hardware security module. These keys should never leave this location. For any reason. Period.

Second, the keys should be protected by a secure process that ensures only authorized persons, for authorized situations, using authorized tools are able to use the key to sign code. Third, a record of every code signing certificate and key in use by a business should be maintained. In addition, knowing exactly when they were used, for what software, and by whom is important to keep track of.

Fourth, make it easy & simple for your developers. If they have to follow a laborious manual process or are unable to automatically sign code as part of their CI/CD build pipelines, they will find ways to bypass your security measures and store keys in convenient, but unsecure, locations.

PipeMon is scary. Now that Winnti’s use of Nfinity Games code signing credentials has been exposed, will they use one from your company next?  

Even the Pokémons may not be able to fend off this threat!





Like this blog? We think you will love this.
Featured Blog

Study Shows Widespread Abuse of Code Signing Certificates

A study by Vi

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Eddie Glenn
Eddie Glenn

Eddie is the Product Marketing Manager over Code Signing at Venafi. A product marketing professional in SaaS, Enterprise, and Embedded Software, he has a strong technical background and experience with inbound and outbound marketing, business and marketing strategy, and marketing operations.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more