IBM recently identified two code signing certificates that were being used to sign malware. IBM acted immediately to revoke these certificates and notify customers. But according to an IBM blog, those revoked certificates may now cause some products to “fail to run or warn the user that the certificates used to sign the products are no longer valid.”
We are accustomed to business disruptions caused by expired certificates. The IBM incident is a reminder that remediating a compromised code-signing certificate can disrupt operations just as badly: revoking the certificate invalidates not only the malware but can also invalidate the legitimate products that were signed with it. The bottom line is that maintaining constant vigilance and control over your entire inventory of keys and certificates protects both reliability and availability.
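The failure IBM describes above follows directly from how revocation is checked. The Go program below is an added example, written for this post with the Go standard library; it is not code from IBM or from Venafi. It builds a throwaway code-signing CA, signs a "product" two hours ago and a "malware" payload now with the same leaf key, then publishes two CRLs: one dated an hour ago (when the misuse was reported) and one backdated to the certificate's first day of validity, which is what a CA does when it cannot establish when the key was taken. The verifier follows the rule Authenticode-style verifiers apply: an artifact whose trusted timestamp precedes the revocation date stays valid, anything later is rejected. With the dated CRL the product still verifies and the malware fails; with the backdated CRL the product fails too, which is the "fail to run or warn" outcome. All names, serial numbers and times are constructed for the example, the timestamp is simply recorded rather than obtained from a TSA, and the code assumes Go 1.20 or later.

```go
package main

// Added example (not IBM's or Venafi's code): a throwaway code-signing CA, one leaf, two
// signed artifacts and two CRLs show why revocation can break software signed before the misuse was noticed.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Artifact: payload, detached ECDSA-P256/SHA-256 signature, signer cert, timestamp-authority time.
type Artifact struct {
	Payload, Sig []byte
	Cert         *x509.Certificate
	SignedAt     time.Time
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a P-256 key and issues tmpl for it; a nil parent means self-signed.
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

func sign(payload []byte, cert *x509.Certificate, key *ecdsa.PrivateKey, at time.Time) Artifact {
	digest := sha256.Sum256(payload)
	return Artifact{payload, must(ecdsa.SignASN1(rand.Reader, key, digest[:])), cert, at}
}

// revoke issues CRL number n listing serial with the given revocation date.
func revoke(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial *big.Int, revokedAt time.Time, n int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(n), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		// RevokedCertificates is the pre-Go-1.21 field name; current Go still honours it.
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: revokedAt}}}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// Verify applies the rule Authenticode-style verifiers use: validate the chain for codeSigning as of
// the timestamp, check the signature and the CRL's own signature, and if the certificate is listed,
// accept the artifact only when its timestamp precedes the revocation date.
func Verify(a Artifact, root *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, chainErr := a.Cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: a.SignedAt,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	if err := errors.Join(chainErr, a.Cert.CheckSignature(x509.ECDSAWithSHA256, a.Payload, a.Sig),
		crl.CheckSignatureFrom(root)); err != nil {
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(a.Cert.SerialNumber) == 0 && !a.SignedAt.Before(rc.RevocationTime) {
			return fmt.Errorf("certificate %s revoked %s, artifact timestamped %s", a.Cert.SerialNumber,
				rc.RevocationTime.UTC().Format(time.RFC3339), a.SignedAt.Format(time.RFC3339))
		}
	}
	return nil // not revoked, or countersigned before the revocation date
}

// RunScenario: a product is signed, the key is misused, the CA revokes the certificate, then
// backdates the revocation because it cannot tell when the key was taken. Names, serials and
// times are constructed for the example. Returns the verdicts for product (CRL dated at report
// time), malware (same CRL) and product again (backdated CRL).
func RunScenario() (productBefore, malwareAfter, productBackdated error) {
	now := time.Now().UTC().Truncate(time.Second) // X.509 times carry whole seconds
	ca, caKey := newCert(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Example Code Signing CA"}, NotBefore: now.Add(-4 * time.Hour),
		NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil, nil)
	leaf, leafKey := newCert(&x509.Certificate{SerialNumber: big.NewInt(4242), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject: pkix.Name{CommonName: "Example Software Publisher"}, NotBefore: now.Add(-3 * time.Hour),
		NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}, ca, caKey)
	product := sign([]byte("legitimate product build"), leaf, leafKey, now.Add(-2*time.Hour))
	malware := sign([]byte("malicious payload"), leaf, leafKey, now) // stolen key, used after the fact
	crlDated := revoke(ca, caKey, leaf.SerialNumber, now.Add(-time.Hour), 1) // dated when misuse was reported
	crlBackdated := revoke(ca, caKey, leaf.SerialNumber, leaf.NotBefore, 2)  // dated from first validity
	return Verify(product, ca, crlDated), Verify(malware, ca, crlDated), Verify(product, ca, crlBackdated)
}

func main() {
	a, b, c := RunScenario()
	fmt.Printf("product, CRL dated after its timestamp: %v\nmalware, signed after revocation: %v\nproduct, CRL backdated: %v\n", a, b, c)
}
```

Running it prints `<nil>` for the first verdict and a revocation error for the other two. Two practical consequences follow. A verifier that ignores timestamps, or a binary that was never countersigned by a timestamp authority, fails as soon as its certificate appears on the CRL regardless of the revocation date; and once a CA backdates the revocation, every artifact signed with that serial needs re-signing. So the first thing to pull from your certificate inventory after a compromise is the list of shipped artifacts signed under the revoked serial numbers.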
But let’s step back a bit and think about how code-signing certificates can be compromised in the first place. According to Walter Goulet, product manager at Venafi, there are two possible scenarios that would explain the compromise at IBM. Both point to the need to control privileged access.
Goulet posits, “Malware signing could mean that the private key associated with the code signing certificates was exfiltrated from IBM's environment by a malicious attacker and used elsewhere. Or it could mean that an internal system in IBM that is responsible for code signing was compromised in such a fashion that an attacker was able to use it to sign the malware.”
Either way, these types of incidents highlight the need to ensure that private key material is properly tracked and controlled. Code-signing certificates are among the most powerful certificates because of the high level of trust they imply. Goulet explains, “Applications and operating systems usually assume a certain level of vetting and due diligence has been performed by application authors prior to signing applications.”
The compromise and misuse of code-signing certificates is a powerful tool for adversaries, letting them get malware and other malicious code to execute in otherwise well-protected environments. IBM hopes that this is not the case in the recent PSIRT scare: “To IBM’s knowledge, this malware has not been distributed with any IBM software.”
But in the future, organizations may not be as lucky. We should all take these lessons to heart. Do you know where your private keys are, who can access them, and how they are being used?