Machine identity protection has evolved considerably since the days of Stuxnet and Flame. But so have attackers. As we continue to see an explosion of keys and certificates that fuel digital transformation, we are also seeing more attacks and vulnerabilities that impact machine identities. Cybercriminals realize how valuable machine identities are, especially when used to create a false sense of trust. It's a crafty way to disguise a variety of nefarious acts, as evidenced by the value of certificate toolkits on the dark web.
It’s great to know your enemy. But it’s even better to proactively prepare to prevent attacks. Let’s take a look back at the top 10 TLS threats, attacks and vulnerabilities we covered in 2019 [listed in chronological order].
List of the top ten TLS threats of last year:
- New Poodles Can Bypass Your TLS
Many organizations keep older cipher suites enabled to maintain backwards compatibility. Servers that still negotiate CBC-mode TLS cipher suites are exposed to padding-oracle attacks such as the recently discovered Zombie POODLE and GOLDENDOODLE, which let an attacker recover parts of an encrypted session without ever touching the private key.
- ASUS Code Signing Attack Impacts 1M Users
Bad actors used stolen code signing keys to modify the ASUS Live Update Utility to deliver malicious files packaged in legitimate-looking automatic updates, delivering an unauthorized backdoor to approximately one million people. Because the tampered updates carried valid ASUS signatures, clients that relied on signature verification alone had no way to tell them apart from genuine updates.
- Sea Turtle Uses Weak DNS Security for Nation-State Attacks
By illicitly modifying the name records on DNS servers, the Sea Turtle actor redirects traffic for targeted domains to infrastructure it controls, with primary targets in Eastern Europe, North Africa and the Middle East. Control of a domain's DNS is also enough to pass domain validation and obtain a certificate for it, so the redirected TLS connections need not trigger browser warnings.
- New ‘Cipher Stunting’ Helps Attackers Evade Detection
A new technique called "cipher stunting" randomizes the cipher suites, and therefore the TLS fingerprint, that a client presents in its ClientHello. Bot traffic aimed at airlines, banking institutions and dating websites no longer matches the fixed TLS fingerprints that detection systems key on, which improves its chances of evading detection.
- Reductor Compromises TLS Connections to Mark and Monitor Victims
Reductor, malware that Kaspersky linked to the COMpfun remote administration tool (RAT), installs attacker-controlled certificates in the victim's trusted certificate store and patches the browser's pseudo-random number generator so that each outbound TLS ClientHello carries a per-victim marker in its client random field. The marked connections can then be picked out on the wire for monitoring, espionage and delivery of a second-stage infection, while the injected root certificates let the operators intercept TLS traffic without triggering certificate warnings.
- ZenDesk Breach Compromises TLS Certificates
Zendesk's initial investigation determined that information belonging to a small percentage of customers was accessed prior to November 2016. The compromised data included TLS encryption keys that customers had provided to Zendesk.
- Imperva API Key Compromise
In a nutshell, the Imperva breach appears to have been enabled by an API key that was left on a forgotten server, then stolen and used in the attack. Imperva released a detailed and fairly transparent statement on the breach, its causes and its remediation.
- NordVPN Breach Compromised TLS Certificates
Three private keys were leaked, among them the private key for NordVPN's TLS certificate. It's possible that another leaked key could have been used to access a private certificate authority that NordVPN used to issue digital certificates.
- Xhelper Uses Pinned Certificate to Thwart Removal
This Android threat uses a pinned certificate: a hardcoded copy of the "machine identity" of its remote C&C server, which the malware checks before it will talk to the server. Because an analyst's or proxy's interception certificate does not match the pin, the encrypted, malicious traffic is especially difficult to examine.
- Trojan Targets Facebook Ads Manager with Code-Signed Malware
An information-stealing Trojan disguised as a PDF reader steals Facebook and Amazon session cookies, as well as sensitive data from Facebook Ads Manager. Its executables were signed with certificates issued by a legitimate Certificate Authority (CA), so the code passed signature checks.
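For the Zombie POODLE and GOLDENDOODLE item above, the check a practitioner wants is whether a server's configured cipher list still contains CBC suites. The following is an added example, not code from the original post: a small audit of cipher-suite names in either IANA or OpenSSL notation. The two suite lists are constructed to resemble a legacy-compatible and a hardened configuration and are not taken from any real deployment.

```python
"""Audit a TLS cipher-suite list for the CBC suites that padding-oracle
attacks such as Zombie POODLE and GOLDENDOODLE target. This is an added
example, not code from the original post; the two suite lists are
constructed to resemble a legacy-compatible and a hardened server
configuration and are not taken from any real deployment."""

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20", "POLY1305")
LEGACY_MARKERS = ("3DES", "DES-CBC3", "RC4", "NULL", "EXPORT")

# Constructed: what a server keeping "backwards compatibility" still offers
LEGACY_SUITES = [
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
# Constructed: AEAD-only list with ephemeral key exchange
HARDENED_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",
]


def is_tls13_suite(name):
    # TLS 1.3 suites have no key-exchange prefix, e.g. TLS_AES_128_GCM_SHA256
    return name.startswith("TLS_") and "_WITH_" not in name


def classify_suite(name):
    """Findings for one suite in IANA (TLS_..._WITH_...) or OpenSSL
    (ECDHE-RSA-AES128-SHA) notation. An empty list means the suite is fine."""
    if is_tls13_suite(name):
        return []  # TLS 1.3 is AEAD-only with ephemeral key exchange
    upper = name.upper()
    findings = []
    if "_WITH_" in upper:
        cbc = "_CBC_" in upper  # IANA names state the mode explicitly
    else:
        # OpenSSL names omit "CBC"; no AEAD marker means MAC-then-encrypt CBC
        cbc = not any(m in upper for m in AEAD_MARKERS)
    if cbc:
        findings.append("cbc-mac-then-encrypt")  # the padding-oracle class
    if any(m in upper for m in LEGACY_MARKERS):
        findings.append("legacy-cipher")
    if "DHE" not in upper:  # matches both DHE- and ECDHE- key exchange
        findings.append("no-forward-secrecy")
    return findings


def weak_suites(suites):
    """Suites with at least one finding, in their original order."""
    return [s for s in suites if classify_suite(s)]


def audit(suites):
    return {s: classify_suite(s) for s in suites}


if __name__ == "__main__":
    for label, suites in (("legacy", LEGACY_SUITES), ("hardened", HARDENED_SUITES)):
        print(f"{label}: {len(weak_suites(suites))} weak of {len(suites)}")
        for suite, findings in audit(suites).items():
            if findings:
                print(f"  {suite}: {', '.join(findings)}")
```

To audit a real server, feed `weak_suites` the names printed by `openssl ciphers -v '<the server's cipher string>'`. Removing every suite flagged `cbc-mac-then-encrypt` removes the attack surface these POODLE variants need; the forward-secrecy finding is a separate weakness that the same legacy lists usually carry.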
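For the cipher stunting item above, this added example (not code from the original post or from Akamai) builds a JA3-style fingerprint from ClientHello parameters, shows how re-ordering the cipher list changes the hash on every connection while the client stays the same, and flags sources whose fingerprint varies far more than a browser's. The ClientHello parameter sets and the connection log are constructed; the variance threshold is an assumed tuning value, not a published one.

```python
"""JA3-style fingerprinting of a TLS ClientHello, and why cipher stunting
breaks detections that key on a fixed fingerprint. Added example, not from
the original post or from Akamai; the ClientHello parameter sets and the
connection log are constructed, and the variance threshold is an assumed
value, not a published one."""
import hashlib
import random

# GREASE code points (RFC 8701); JA3 drops them, as real implementations do
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}


def ja3_string(hello):
    """version,ciphers,extensions,curves,point_formats: decimal values,
    '-' within a field, ',' between fields, GREASE removed."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(hello["version"]), field(hello["ciphers"]),
                     field(hello["extensions"]), field(hello["curves"]),
                     field(hello["point_formats"])])


def ja3_hash(hello):
    return hashlib.md5(ja3_string(hello).encode()).hexdigest()


# Constructed browser-like ClientHello; the code points are real IANA values
BASE_HELLO = {
    "version": 0x0303,
    "ciphers": [0x0a0a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030],
    "extensions": [0x0a0a, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43],
    "curves": [0x0a0a, 29, 23, 24],
    "point_formats": [0],
}


def stunted_hello(base, rng):
    """Cipher stunting: the same client re-orders its cipher list (and picks
    a fresh GREASE value) for every connection, so the JA3 hash keeps
    changing although the set of suites it supports does not."""
    ciphers = [c for c in base["ciphers"] if c not in GREASE]
    rng.shuffle(ciphers)
    grease = rng.choice(sorted(GREASE))
    return dict(base, ciphers=[grease] + ciphers)


def fingerprints_per_source(connections):
    """Distinct JA3 hashes seen per source address."""
    seen = {}
    for src, hello in connections:
        seen.setdefault(src, set()).add(ja3_hash(hello))
    return {src: len(hashes) for src, hashes in seen.items()}


def flag_stunting(connections, threshold=5):
    """A real browser presents one or a handful of fingerprints; a source
    cycling through many is stunting. The threshold is an assumed value."""
    return sorted(src for src, n in fingerprints_per_source(connections).items()
                  if n >= threshold)


def build_sample_log(seed=1, n=20):
    """Constructed log: one honest client, one stunting client (TEST-NET IPs)."""
    rng = random.Random(seed)
    log = [("198.51.100.7", BASE_HELLO) for _ in range(n)]
    log += [("203.0.113.5", stunted_hello(BASE_HELLO, rng)) for _ in range(n)]
    return log


if __name__ == "__main__":
    print("base JA3:", ja3_hash(BASE_HELLO), ja3_string(BASE_HELLO))
    print("fingerprints per source:", fingerprints_per_source(build_sample_log()))
    print("stunting sources:", flag_stunting(build_sample_log()))
```

The design point is that a fingerprint deny-list or allow-list is only as stable as the client's ClientHello; once the attacker shuffles it per connection, the useful signal moves from the hash itself to its churn per source.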
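For the Reductor item above, a network-side check is to look for client random values that are not random. This added example (not code from the original post or from Kaspersky) flags hosts whose TLS client_random fields repeat the same bytes at the same offset across handshakes, which a genuine 32-byte random never does. The handshake records are constructed, and the 4-byte marker layout is an assumption for illustration, not Reductor's actual format.

```python
"""Detect TLS client_random values that carry a hidden marker, the kind of
traffic tagging described for Reductor. Added example, not the original
post's or Kaspersky's code; the handshake records are constructed and the
4-byte marker at offset 4 is an assumed layout, not Reductor's real one."""
import random
from collections import Counter, defaultdict

RANDOM_LEN = 32
# Bytes 0..3 may legitimately hold gmt_unix_time in older TLS stacks, so a
# repeated value there is not evidence of tagging; windows start at offset 4.
LEGACY_TIME_BYTES = 4
WINDOW = 4


def random_window_repeats(randoms, window=WINDOW, start=LEGACY_TIME_BYTES):
    """For one host's client_random values, return {offset: max_repeats} for
    every window offset where the same bytes appear more than once. Genuine
    randoms do not repeat a 4-byte window at any realistic volume."""
    repeats = {}
    for off in range(start, RANDOM_LEN - window + 1):
        counts = Counter(r[off:off + window] for r in randoms)
        top = max(counts.values())
        if top > 1:
            repeats[off] = top
    return repeats


def flag_marked_hosts(handshakes, min_repeats=3):
    """handshakes: iterable of (host, client_random bytes).
    Returns {host: (offset, repeats)} for hosts with a recurring window."""
    by_host = defaultdict(list)
    for host, cr in handshakes:
        if len(cr) != RANDOM_LEN:
            raise ValueError(f"{host}: client_random must be {RANDOM_LEN} bytes")
        by_host[host].append(cr)
    flagged = {}
    for host, randoms in by_host.items():
        for off, n in random_window_repeats(randoms).items():
            if n >= min_repeats:
                flagged[host] = (off, n)
                break  # lowest offset with a repeat is enough to report
    return flagged


def _rand_bytes(rng, n):
    return rng.getrandbits(8 * n).to_bytes(n, "big")


def build_sample_handshakes(seed=7, per_host=12):
    """Constructed traffic: a clean host and an infected host whose patched
    browser writes an assumed 4-byte victim id at offset 4 of every random."""
    rng = random.Random(seed)
    victim_id = b"\xde\xad\xbe\xef"  # hypothetical marker value
    records = []
    for _ in range(per_host):
        records.append(("clean-host", _rand_bytes(rng, RANDOM_LEN)))
        tail = _rand_bytes(rng, RANDOM_LEN - LEGACY_TIME_BYTES - len(victim_id))
        marked = _rand_bytes(rng, LEGACY_TIME_BYTES) + victim_id + tail
        records.append(("infected-host", marked))
    return records


if __name__ == "__main__":
    for host, (off, n) in flag_marked_hosts(build_sample_handshakes()).items():
        print(f"{host}: same {WINDOW} bytes at offset {off} in {n} handshakes")
```

The detector does not need to know the marker's value or its exact position; it only relies on the protocol's own guarantee that client_random is fresh per handshake. Skipping the first four bytes avoids false positives from clients that still stamp a timestamp there.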
Does your organization have the visibility, intelligence and automation to fight TLS threats like those we saw in 2019? What about 2020 and beyond?