Skip to main content
banner image
venafi logo

Sony Breach—The Gift That Keeps on Giving (Sony Certificate Used for Destover Malware)

Sony Breach—The Gift That Keeps on Giving (Sony Certificate Used for Destover Malware)

December 16, 2014 | Gavin Hill

In the season of giving, the Sony breach has given hackers around the world the gift that keeps on giving—keys and certificates that can be used as part of malicious campaigns for as long as Sony keeps them active. In the last week, the media has been abuzz about the malware Destover that’s digitally signed with a valid Sony certificate—part of the treasure trove successfully exfiltrated during the Sony breach last month.

Even though the signing of a variant of Destover was apparently a joke between Kaspersky researchers, the biggest concern should be that Sony has still not yet revoked any of the certificates compromised last month. The main motivation for cybercriminals to sign malware with valid digital certificates is to deliver seemingly valid content and avoid detection by critical security controls like antivirus, sandboxing solutions, or operating system security policies. By not revoking its certificates, Sony is providing cybercriminals with the ability to bypass these security controls.

The misuse of keys and certificates as part of malicious campaigns is at an all-time high. For many years, cybercriminals have been signing malicious code to avoid detection. McAfee’s 2014 Q3 threat report shows a dramatic increase in maliciously signed code with no indications of slowing down. In fact, McAfee describes the misuse of certificates to sign malware as “unabated since we began tracking it in 2007.”

Wake-Up Call

If anything, the Sony breach should be a wake-up call to every organization, showing the power keys and certificates provides to attackers. There are thousands of examples in which cybercriminals continue to misuse keys and certificates—Mask, Crouching Yeti, and APT18 are but a few commonly known examples.

Although 2014 was dubbed the “Year of Encryption,” it has turned out to be the “Year of Encryption Vulnerability.” Organizations have a blind spot when it comes to securing keys and certificates that enables cybercriminals to bypass critical security controls while syphoning data without being detected. Gartner estimates, by 2017, 50% of network-based attacks will  be using SSL to disguise activity.

3 Steps You Can Take to Avoid a Sony-like Breach
  • First, rotate keys and certificates.
  • Second, establish a baseline.
  • Third, remediate quickly.

First, we know that cybercriminals go after keys and certificates to gain trusted status, elevate privileges and avoid detection. So, like password, keys and certificates should be protected and rotated on a frequent basis to avoid their successful use by cybercriminals.

Second, one cannot distinguish a good key or certificate from a bad one—there is no such thing. Unlike malware, keys and certificates are not malicious. However, they can, and are, used in malicious campaigns. Therefore, it is imperative that you establish a baseline of normal behavior of your keys and certificates in your IT environment. By establishing a baseline of normal usage, anomalous key and certificate usage can be identified.

Third, when you have been breached—and you are going to be—the time it takes to respond and how you respond will make all the difference. In the case of the Sony breach, the certificate used to sign Destover should have been revoked the day Sony discovered that it had been stolen. In the case of all the SSH keys that were stolen, they too should also be rotated to avoid providing future backdoor access to cybercriminals.

Find out how Venafi helps organizations mitigate attacks on trust that misuse keys and certificates.

Like this blog? We think you will love this.
Featured Blog

How to Remediate Keys and Certificates After a Data Breach

The Solution

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more