Digital certificates are essential to secure online communications, including email and web browsing, but these machine identities are also a vehicle for cybercriminals to wreak havoc.
Digital certificates help establishing trust and authenticity for users all around the world, from authenticating software and websites to securing email. These electronic documents associate the identify of an individual to a public encryption key, with the ultimate ambition being that it helps to verify who this user is. In some respects, you could think of these machine identities as something like a credit card or password—credentials that authenticate you are who you say you are, by sharing the machine-to-machine exchange of data securely over the Internet using public key infrastructure.
These certificates can be issued to a person, private company or web server, with this issuance done by a Certification Authority (CA).
These certificates will differ depending on application; for example, in email encryption, code signing and e-signature systems, a certificate’s subject would typically be a person or organization, but for Transport Layer Security (TLS) or Secure Sockets Layer (SSL) certificates—both of which are key components for enabling HTTPS secure websites—the certificate would be issued to a computer or another device.
Though the press often focuses on high-profile compromises, such as nation-state attacks and APTs, attackers are most often after the so-called ‘low-hanging fruit’ as they look for the easiest (and most cost-effective) way to get a foothold on targeted computers. Such attacks may include phishing emails, social engineering campaigns, vishing calls or directing users to malicious links on social media or compromised websites.
Digital certificates are attractive to attackers for a variety of reasons, but mainly because they are trusted; they require payment and proof of identity to tie the code, document, or application to the legitimate organization or person. In essence, they verify that the person or organization is real, and that the certificate belongs to them. As such, this usually makes end users believe that the session protected by the digital certificate is a trusted environment where they can part with personal details, including financial information.
“Cybercriminals can now steal money by taking advantage of the one security measure every Internet user has been trained to trust: the green padlock in web browsers,” said Kevin Bocek, VP of security strategy at Venafi, recently.
These attacks are carried out for numerous reasons. For example, they may leverage stolen or intercepted certificates to improve malware diffusion and increase the likelihood that their attacks will not be detected by traditional security tools, such as antivirus and anti-malware solutions. Many phishing campaigns even leverage genuine SSL certificates for authenticity.
As such, this tactic is often used for cyberwarfare (see: Stuxnet), economic fraud, and MiTM attacks to deliver malware onto a victim’s machine. It is a silent attack that few organizations are prepared for. More recent attacks, particularly on X509 certificates, have been used for data exfiltration.
In a recent paper titled “Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI, highlighted just how digital certificates are perfect for obfuscation—even up to nation state level.
“Digitally signed malware can bypass system protection mechanisms that install or launch only programs with valid signatures,” reads the paper.
“It can also evade anti-virus programs, which often forego scanning signed binaries. Known from advanced threats such as Stuxnet and Flame, this type of abuse has not been measured systematically in the broader malware landscape”.