APT41 is a state-backed Chinese hacking group, also known as the Winnti Group, set apart from similar threat groups in how they leverage malware generally used for espionage for financial gain. How do they do it? APT41 targets vulnerable code signing keys and certificates to steal money, data, and more. New Venafi research dives deep into what industries are being targeted, how they perform these heinous attacks, and more.
APT41’s most frequent method of attack is to compromise the supply chain via compromised code signing certificates. As Venafi Threat Intelligence Specialist Yana Blachman explains, this duplicity “allow malicious code to appear authentic and evade security controls. The success of attacks using this model over the last decade has created a blueprint for sophisticated attacks that have been highly successful because they are very difficult to detect.”
One tactic APT41 continues to employ is compromising the supply chain of a major commercial vendor, as this essentially grants them an entire pool of companies they can choose to attack at their leisure. After infecting their chosen targets with secondary malware, APT41 uses stolen credentials to move laterally across their networks, stealing intellectual property, sensitive customer data, and more.
Kevin Bocek, Venafi Vice President of Security Strategy and Threat Intelligence, notes that today’s attackers are “disciplined, highly skilled software developers, using the same tools and techniques as the good guys”. “They recognize that vulnerabilities in the software build environment are easy to exploit, and they’ve spent years developing, testing and refining the tools needed to steal code signing machine identities. This research should set off alarms with every executive and board because every business today is a software developer. We need to get a lot more serious about protecting code signing machine identities.”
At the heart of this scheme are stolen code signing machine identities, without which gaining unauthorized network access would be impossible. APT41 is managing a library of stolen or purchased code signing keys and certificates, and selling them for up to $1,200 each on the dark web.
One consequence of these attacks that must be considered is the potential for copycats. The success APT41 has had targeting code signing certificates means that other threat groups will inevitably seek financial gain using that same method. What does this mean for you?
Your security team needs to do a complete overhaul of all machine identity protection strategies to identify and correct any vulnerabilities, particularly around code signing certificates. Yana Blachman urges all software providers to “be aware of this threat and take steps to protect their software development environments.”
Venafi CodeSign Protect is an all-in-one machine identity management solution for your code signing keys and certificates. Insecure private keys, rogue software teams, and lack of policy enforcement will soon be a thing of the past as you kickstart your digital transformation. Information is power, and an in-depth understanding of the latest code signing compromise techniques could be what saves your network from a financially devastating cyber-attack.
Download the free whitepaper to learn more about protecting your code signing machine identities from supply chain attacks!