In my last post, I discussed why attackers go after digital certificates. The simple answer is that criminals want machine identities. The ways they go about getting them, however, have historically taken many different forms.
Some attackers have looked to compromise the CA itself, in order to issue their own certificates across various web domains, while others have looked to simply buy stolen certificates online. A recent study from the Cyber Security Research Institute (CSRI) revealed that certificates could be available to buy on the dark web for just over a thousand dollars ($1,200). In some cases, criminals have even been able to abuse free certificates issued by Let’s Encrypt.
Once they have these machine identities, criminals are largely in the clear. Because the digital certificates used to cryptographically sign executable code and documents are issued by a CA that you or your computer already trusts, anything signed with them is more likely to be accepted and executed without warning messages. That makes a stolen certificate a good vehicle for delivering malicious software and other nefarious items.
As a result, many experts have said that digital certificates—and the PKI environments in which they sit—are at risk and should be a worry for organizations big and small, in both the public and private sector.
Others have called CAs themselves a ‘weak link’ in Internet security, a notion so widespread that last year Google decided to acquire several root certificates so it could issue its own digital (TLS/SSL) certificates rather than rely on third-party firms. As a result, any firm now wishing to connect to a Google service will need two root certificates specified by Google. In short, the search giant and the world's most popular website is now also its own root certificate authority.
“CAs have the power to issue digital certificates for domains even if the digital certificate for a particular domain already exists,” said the European cyber-security agency ENISA in a recent report.
“As previous incidents suggest, CAs can be abused either internally by the mismanagement of their service or by a third-party due to a security breach, with severe consequences for Internet security.”
Furthermore, the problem for organizations is not solely the loss of such certificates, but also how they react afterwards. Once a legitimate code-signing certificate has been stolen, it can be difficult to revoke even after the theft has been discovered. As CSO Online explains, that’s because revoking it “means all the legitimate software signed by the certificate will no longer be accepted as legitimate, either.”
You can trace the major attacks on CAs back to 2011, when an attack on Comodo ultimately resulted in the fraudulent issuance of nine digital certificates for seven different domains belonging to Yahoo, Google, Skype, Mozilla and others. All of these certificates were revoked immediately upon discovery.
All of these attack vectors illustrate the need for organizations to manage and protect their machine identities against theft or compromise.