Attackers understand that targeting an organization directly is complex and typically yields slower and fewer results, so they increasingly prefer supply chain attacks. In these attacks, trusted software or services become the real target: the attacker compromises the code signing process and delivers malware through a 'legitimate' channel. Maliciously signed software raises far less suspicion and is the perfect enabler for a successful attack.
In a supply chain attack of this kind, cybercriminals break into a company's build or update system, find unprotected code signing keys, add malware to a legitimate software executable, and then sign it with the valid code signing key. The business then pushes the infected software out to its customers, who have no reason to distrust it.
Here are some examples of supply chain attacks that leveraged unprotected code signing machine identities or a trusted update channel:
In December 2020 it was reported that software provided by SolarWinds contained malware intended to gather sensitive information wherever it was installed. Customers had implicit confidence in the signed software they received; they believed it was free of malicious code because the valid signature showed it had not been modified since SolarWinds built, signed, and delivered it to them.
However, intruders had planted malware, dubbed Sunspot, in the SolarWinds build environment. Sunspot inserted a backdoor (known as Sunburst) into the source of the Orion IT monitoring and management platform during builds, so the resulting executable was digitally signed by SolarWinds with its own legitimate certificate. The trojanized update was downloaded by up to 18,000 government and private commercial customers; on networks the attackers cared about, the backdoor gathered information and sent it to attacker-controlled servers.
APT29 (also known as Cozy Bear), connected to the Russian Foreign Intelligence Service (SVR), was reported to be behind the attack.
In early 2019, Kaspersky disclosed that ASUS, the Taiwanese computer manufacturer, had fallen victim to attackers who gained access to its update server and its code signing keys. The attackers added malware to legitimate ASUS Live Update binaries, signed them with ASUS's own code signing certificates, and distributed them to an estimated one million ASUS computers. The so-called ShadowHammer attacks ran over roughly a six-month period in 2018 and affected ASUS notebook customers who had enabled Live Update, a utility that automatically searches for and installs new software and firmware updates from ASUS. The tainted updates carried a backdoor that, as Kaspersky noted, was highly targeted.
“Each backdoor code contained a table of hardcoded MAC addresses—the unique identifier of network adapters used to connect a computer to a network. Once running on a victim’s device, the backdoor verified its MAC address against this table,” according to Kaspersky, adding that “if the MAC address matched one of the entries, the malware downloaded the next stage of malicious code.”
In July 2021, the REvil ransomware group exploited a vulnerability in Kaseya's VSA remote monitoring and management software, which MSPs (Managed Service Providers) use to administer their customers' systems, resulting in downtime for roughly 1,000 downstream companies.
Here the vector was not a stolen signing key but an authentication bypass vulnerability in the VSA web interface, analyzed by Huntress, which allowed attackers to compromise on-premises VSA servers and distribute a malicious payload to the hosts those servers managed.
“We have high confidence that the threat actor used an authentication bypass in the web interface of Kaseya VSA to gain an authenticated session, upload the original payload, and then execute commands via SQL injection,” according to Huntress.
REvil demanded a $70 million ransom payment to release a “universal decryptor” to unlock all affected systems.
Kaseya later said that it did not pay the ransom and received a universal decryptor from a “trusted third party” to help victims restore files.
On 8 November 2021, the United States Department of Justice announced indictments against Ukrainian and Russian nationals, charging them with conducting ransomware attacks against multiple victims including Kaseya.
Arguably the most famous code signing attack came to light in 2010, when state actors (reportedly the U.S. and Israel) used valid code signing certificates and private keys stolen from two Taiwanese hardware manufacturers to sabotage Iran's nuclear program with the Stuxnet malware. Stuxnet is widely considered a game changer because it was the first targeted, weaponized cyber-attack against an industrial control system. Once Stuxnet infected a Windows computer, it installed its own kernel drivers. Because Windows requires kernel-mode drivers to be signed (on 64-bit systems), Stuxnet's drivers were signed with the two stolen certificates.
In 2020, ESET reported that massively multiplayer online (MMO) gaming companies had been hit by a Winnti Group attack using a new backdoor dubbed PipeMon. (“The backdoor gets its name for the multiple pipes used for one module to communicate with another and the project name of the Microsoft Visual Studio used by the developers,” according to Ars Technica.)
The backdoor evaded built-in security defenses by using a legitimate, but stolen, code signing certificate issued to the games company Nfinity Games. The private key had been stolen two years earlier, apparently without Nfinity noticing at the time. As a result, the certificate was not revoked until much later, after Nfinity was notified that it was being used to spread malware.
Depending on how the signature was timestamped, signed malware can continue to appear legitimate long after the certificate has been revoked: a signature carrying a trusted timestamp that predates the revocation date remains valid, unless the issuer backdates the revocation to a point before the timestamp, and backdating also breaks every legitimate signature made after that point. This makes it almost impossible to fully undo the damage of a stolen, misused, or compromised code signing private key.
In 2017, the global shipping conglomerate A.P. Møller-Maersk was hit by the NotPetya malware, which brought its entire operations to a standstill. Phones did not work. Gates to terminals stopped operating. Approximately 4,000 servers and 45,000 personal computers were down, and for nearly two weeks the company was not operational. Researchers later found that NotPetya entered through a backdoor planted in at least three update versions of a third-party Ukrainian accounting package (M.E.Doc) that Maersk used, delivered through the vendor's own update mechanism. The same attack also hit Merck and other well-known brands.
Other organizations hit by NotPetya included Ukraine's Chernobyl Nuclear Power Plant, several Ukrainian ministries, and banks. A White House assessment put the total damages at about $10 billion, according to a report in Wired.
When companies have hundreds or thousands of developers and just as many applications that require signing, it becomes difficult to maintain visibility into all code signing activity. Code signing private keys are often left unprotected, stored on a developer workstation or build server. Companies without a well-defined code signing process, enforced by automation, cannot secure their signing pipeline and are vulnerable to private key theft. If an attacker gains access to the private key, they can sign their own software as if they were the developer, and verification with the public key will succeed: a valid signature proves only that someone held the key, not who.
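The two points above, that a stolen key yields signatures indistinguishable from the publisher's own and that a timestamped signature survives a later revocation (the PipeMon situation), can be shown in a few lines. The following is an added example written for this page, not code from any of the vendors or incidents described. It assumes a bare Ed25519 key in place of an X.509 code signing certificate, a simple Authenticode-style acceptance rule for revocation versus timestamp, and constructed dates and payloads.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Artifact is a signed build as a verifier sees it: the signed bytes, the
// signature, and an optional trusted timestamp attesting when it was signed.
// (Illustrative model: real code signing uses X.509 certificates and a
// timestamping authority rather than a bare Ed25519 key.)
type Artifact struct {
	Name      string
	Payload   []byte
	Signature []byte
	Timestamp *time.Time // nil when the signer did not obtain a timestamp
}

// Sign signs payload with the publisher's private key. Whoever holds priv,
// publisher or intruder, produces equally valid signatures.
func Sign(priv ed25519.PrivateKey, name string, payload []byte, ts *time.Time) Artifact {
	return Artifact{Name: name, Payload: payload,
		Signature: ed25519.Sign(priv, payload), Timestamp: ts}
}

// Trusted applies the Authenticode-style acceptance rule (assumed here).
// revokedAt is the revocation date on the signing certificate (nil = not
// revoked). A signature with a trusted timestamp earlier than the revocation
// date stays valid; a signature without a timestamp is rejected once the
// certificate is revoked.
func Trusted(pub ed25519.PublicKey, a Artifact, revokedAt *time.Time) bool {
	if !ed25519.Verify(pub, a.Payload, a.Signature) {
		return false // modified after signing, or signed with another key
	}
	if revokedAt == nil {
		return true
	}
	if a.Timestamp == nil {
		return false
	}
	return a.Timestamp.Before(*revokedAt)
}

// Outcome records what the verifier decides for each build in the scenario.
type Outcome struct {
	LegitBuild           bool // publisher's own build, certificate not revoked
	BackdoorBeforeRevoke bool // intruder-signed build, timestamped before the revocation date
	BackdoorBackdated    bool // same build after the issuer backdates revocation to the breach
	BackdoorNoTimestamp  bool // intruder-signed build without a timestamp, certificate revoked
	Tampered             bool // build altered after signing, so the signature no longer matches
}

// Scenario replays the timeline with a key copied from a build server. The
// dates and payloads are constructed for this example.
func Scenario() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	breach := time.Date(2018, 1, 15, 0, 0, 0, 0, time.UTC) // key copied from the build server
	signed := time.Date(2018, 3, 1, 0, 0, 0, 0, time.UTC)  // intruder signs the backdoor
	revoked := time.Date(2020, 5, 1, 0, 0, 0, 0, time.UTC) // publisher is notified and revokes

	legit := Sign(priv, "installer.exe", []byte("legitimate build"), &signed)
	backdoor := Sign(priv, "installer.exe", []byte("legitimate build + backdoor"), &signed)
	backdoorNoTS := Sign(priv, "installer.exe", []byte("legitimate build + backdoor"), nil)

	tampered := legit
	tampered.Payload = []byte("legitimate build + backdoor") // patched after signing

	return Outcome{
		LegitBuild:           Trusted(pub, legit, nil),
		BackdoorBeforeRevoke: Trusted(pub, backdoor, &revoked),
		BackdoorBackdated:    Trusted(pub, backdoor, &breach),
		BackdoorNoTimestamp:  Trusted(pub, backdoorNoTS, &revoked),
		Tampered:             Trusted(pub, tampered, nil),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The only case the verifier can catch on its own is the build modified after signing. The intruder's timestamped backdoor passes exactly like the publisher's build, and it keeps passing after revocation unless the issuer backdates the revocation to the breach, which in turn invalidates every legitimate signature the publisher made after that date. That is why key custody (HSM-backed keys, no keys on build hosts, logged signing operations) matters more than revocation as a control.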