SSL/TLS Attacks, Part 1: Why Do Cybercriminals Abuse Digital Certificates?

January 31, 2019 | Guest Blogger: Jack Walker

Digital certificates are essential to secure online communications, including email and web browsing, but these machine identities are also a vehicle for cybercriminals to wreak havoc.

Digital certificates help to establish trust and authenticity for users all around the world, from authenticating software and websites to securing email. A certificate is an electronic document that binds an identity (a person, an organization, or a host name) to a public key, with a signature from the issuer vouching for that binding. In that sense these machine identities are credentials, much as a password or a credit card is: they let one party authenticate the other before data is exchanged over the Internet, and the public key infrastructure (PKI) is what makes the issuer's vouching checkable by anyone who trusts that issuer.

These certificates can be issued to a person, a private company, or a web server, by a Certification Authority (CA) that is expected to verify the subject's identity, or its control of the name, before it signs.

The certificate will differ depending on the application. In email encryption, code signing and e-signature systems, a certificate's subject is typically a person or an organization, whereas a Transport Layer Security (TLS) certificate, still widely called an SSL certificate after the deprecated Secure Sockets Layer protocol it replaced, is the key component for HTTPS and is issued for a host name, so it identifies a server or device rather than a person. The intended use is recorded in the certificate itself, in the Key Usage and Extended Key Usage extensions, and a correct verifier checks them: a certificate issued for TLS server authentication should not be accepted as a code-signing certificate, and vice versa.

Though the press often focuses on high-profile compromises, such as nation-state attacks and APTs, attackers are most often after the so-called ‘low-hanging fruit’ as they look for the easiest (and most cost-effective) way to get a foothold on targeted computers. Such attacks may include phishing emails, social engineering campaigns, vishing calls or directing users to malicious links on social media or compromised websites.

Digital certificates are attractive to attackers for a variety of reasons, but mainly because they are trusted. Obtaining one normally means proving something to a CA: an organization-validated (OV) or extended-validation (EV) certificate requires proof that the organization exists and controls the name, and a code-signing certificate ties a signed binary to a legitimate publisher. A domain-validated (DV) certificate, the most common kind on the web and often free, proves only control of the domain at the time of issuance, not who the operator is. End users rarely see the difference: a valid certificate makes them believe the session is a trusted environment in which they can part with personal details, including financial information.

“Cybercriminals can now steal money by taking advantage of the one security measure every Internet user has been trained to trust: the green padlock in web browsers,” said Kevin Bocek, VP of security strategy at Venafi, recently.

The abuse takes several forms. Attackers use stolen signing keys, together with the certificates issued for them, to sign malware so that it spreads more easily and is less likely to be flagged by traditional security tools such as antivirus and anti-malware products, which tend to trust signed code. Many phishing campaigns also serve their pages over HTTPS with genuine, validly issued TLS certificates, so the browser shows the same padlock as the legitimate site.

The same tactic has been used in cyber warfare (Stuxnet was signed with certificates stolen from legitimate hardware vendors), in economic fraud, and in man-in-the-middle (MitM) attacks that deliver malware onto a victim's machine. It is a silent attack that few organizations are prepared for. More recent research has also shown X.509 certificates themselves being abused as a channel for data exfiltration.

A recent paper titled "Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI" (Kim, Kwon and Dumitraș, ACM CCS 2017) highlights how effectively signed malware evades defences, even up to the nation-state level.

“Digitally signed malware can bypass system protection mechanisms that install or launch only programs with valid signatures,” reads the paper.

“It can also evade anti-virus programs, which often forego scanning signed binaries. Known from advanced threats such as Stuxnet and Flame, this type of abuse has not been measured systematically in the broader malware landscape.”
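Two of the points above, that a certificate's subject and intended use differ by application (a TLS server certificate versus a code-signing certificate) and that a mathematically valid signature from a trusted key says nothing about whether that key was ever issued for signing code, can be shown with nothing more than the openssl command line. The script below is an added example, not code from the original post or from Venafi. It assumes openssl 1.1.1 or later is installed; the CA name, host name, publisher name and the "payload.bin" file are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway private CA,
# issue one TLS server certificate and one code-signing certificate from it,
# then show why a verifier must check the chain AND the signer's Extended Key
# Usage, not merely that "the signature verifies". All names are invented.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. A private root CA. A public CA would vet the applicant; this one does not,
#    which is exactly why it lives in a temp directory and dies with the script.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Lab CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
  -config ca.cnf -keyout ca.key -out ca.crt 2>/dev/null

# 2. Issue a leaf certificate: issue <name> <subject> <extendedKeyUsage> [SAN]
issue() {
  name=$1 subj=$2 eku=$3 san=${4:-}
  cat > "$name.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=$eku
${san:+subjectAltName=$san}
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
    -subj "$subj" -keyout "$name.key" -out "$name.csr" 2>/dev/null
  openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -sha256 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}
# A TLS server certificate: subject is a host name, EKU is serverAuth.
issue server "/CN=www.example.test" serverAuth "DNS:www.example.test"
# A code-signing certificate: subject is a publisher, EKU is codeSigning.
issue signer "/O=Example Lab/CN=Example Lab Builds" codeSigning

# 3. Chain validation for a stated purpose: verify_for <cert> <purpose> -> ok|fail
verify_for() {
  if openssl verify -CAfile ca.crt -purpose "$2" "$1" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}
# Does the certificate list a given Extended Key Usage? has_eku <cert> <text> -> yes|no
has_eku() {
  if openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$2"
  then echo yes; else echo no; fi
}

# 4. Signing: a private key signs whatever it is given, regardless of what its
#    certificate was issued for. Stand-in for an executable, constructed here:
printf 'pretend this is an executable\n' > payload.bin
sign_file() { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }  # <key> <file> <sig>
sign_file signer.key payload.bin signer.sig   # the legitimate publisher
sign_file server.key payload.bin server.sig   # an attacker holding a stolen TLS key

# Naive check, which is what "trusting signed binaries" amounts to: is the
# signature valid for the public key in the certificate?  -> ok|fail
naive_check() {  # naive_check <file> <sig> <cert>
  openssl x509 -in "$3" -pubkey -noout > "$3.pub"
  if openssl dgst -sha256 -verify "$3.pub" -signature "$2" "$1" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}
# Hardened check: signature valid AND certificate chains to a trusted root AND
# the certificate was issued for code signing.  -> accept|reject
strict_check() {  # strict_check <file> <sig> <cert>
  [ "$(naive_check "$1" "$2" "$3")" = ok ]   || { echo reject; return; }
  [ "$(verify_for "$3" any)" = ok ]          || { echo reject; return; }
  [ "$(has_eku "$3" 'Code Signing')" = yes ] || { echo reject; return; }
  echo accept
}

# 5. What a reader sees when running this stand-alone.
echo "TLS cert accepted as a TLS server cert:        $(verify_for server.crt sslserver)"
echo "code-signing cert accepted as a TLS server:    $(verify_for signer.crt sslserver)"
echo "naive check, signed with stolen TLS key:       $(naive_check payload.bin server.sig server.crt)"
echo "strict check, signed with stolen TLS key:      $(strict_check payload.bin server.sig server.crt)"
echo "strict check, signed by the real publisher:    $(strict_check payload.bin signer.sig signer.crt)"
```

The stolen-key case is the one that matters: the naive check reports "ok" for the payload signed with the TLS server key, because the signature really is valid, while the strict check rejects it because that certificate carries only the serverAuth purpose. The same shape of check applies to any signature verifier; trusting a valid signature without checking what the signer was issued for is what lets signed malware through.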

Digital certificate attacks are on the rise, so it is important to improve your machine identity protection: know which certificates and private keys you have, where they are used, and who can use them.
