During the past 3-day weekend, homebound and unable to get away due to the pandemic, my family played lots of video games. I noticed that updates to these video games were automatically downloaded to our computers and devices. Yesterday morning, I had several macOS apps that I regularly use update as well.
Were we asked if we wanted to update? Nope. Our devices checked the code signing signature on these updates, found them valid, and immediately trusted to download and install them. What exactly did they find trustworthy? A valid code signing signature and associated certificate said that the software hasn’t been modified since the publisher signed it, and that the publisher’s identity has been verified. It’s a great mechanism to protect our software supply chain, isn’t it?
Well, if you happen to be a recent user of Avast CCleaner (anti-malware utility), ASUS (Taiwanese personal computer manufacturer), or a player of several very popular massively multiplayer online (MMO) games, then you might have reason to believe otherwise.
What do these companies have in common? They all have been victims of a software supply chain attack. This attack usually works like this:
Avast CCleaner pushed out malicious updates to millions of unsuspecting users. ASUS pushed out a backdoor-infected driver update to over 500,000 customer PCs. Massively Multiplayer Online (MMO) games had malware installed in them that targeted users and was able to steal in-game currencies.
As Ars Technica recently reported, it is suspected that a single cybercriminal group known as Winnti is responsible for all of these attacks.
There are several troubling characteristics of the latest attack on MMO games. First, in this attack, Winnti used a new and innovative backdoor that has been dubbed PipeMon that can survive reboots by infecting Windows print processors. This backdoor evades built-in security defenses by using a legitimate, but stolen, code signing certificate that was issued to computer games company Nfinity Games. Second, the theft of the code signing private key occurred 2 years ago. Apparently Nfinity didn’t even realize it. Third, this code signing certificate was not revoked until just recently when Nfinity was notified that it was being used to spread malware. Two years is a lot of time for a lot of malware to be signed. Furthermore, depending on if a timestamp was configured during the signing operation, the malware could appear legitimate for a VERY long time even though the certificate has been revoked.
But this isn’t unusual. According to a research paper, companies often do know if their company’s code signing credentials have been stolen or compromised the way they can with other web PKI info (e.g. TLS certificates). This is largely the result that stolen TLS certificates are easily discoverable on the Internet, but stolen code signing keys are not. They are usually discovered AFTER they have been used and damage has been done.
So, here we have a risk (code signing keys stolen or compromised) that is often not detectable until long after the damage has been done. What can businesses do to protect their software supply chain?
First, it is imperative that all code signing keys are stored securely, either in an encrypted software store or better yet, a hardware security module. These keys should never leave this location. For any reason. Period.
Second, the keys should be protected by a secure process that ensures only authorized persons, for authorized situations, using authorized tools are able to use the key to sign code. Third, a record of every code signing certificate and key in use by a business should be maintained. In addition, knowing exactly when they were used, for what software, and by whom is important to keep track of.
Fourth, make it easy & simple for your developers. If they have to follow a laborious manual process or are unable to automatically sign code as part of their CI/CD build pipelines, they will find ways to bypass your security measures and store keys in convenient, but unsecure, locations.
PipeMon is scary. Now that Winnti’s use of Nfinity Games code signing credentials has been exposed, will they use one from your company next?
Even the Pokémons may not be able to fend off this threat!