Earlier this month, Wikileaks revealed a new collection of documents reportedly stolen from the CIA. Dubbed Vault 8, this batch of information reveals how the federal agency may have used certificates to impersonate Kaspersky Labs in order to mask malicious and covert actions.
To find out more about this latest example of certificate compromise, we used Venafi TrustNet, the industry’s first enterprise certificate reputation service, to perform forensic analysis on the fraudulent Kaspersky certificates. Using the TrustNet data available to us, we were able to quickly identify a range of issues that would be cause for concern:
While these warning flags seem obvious in hindsight, most applications would not know to check for these indicators. It's far more likely for applications to limit their due diligence to basic checks like issuance and expiration. This is exactly the sort of situation where a certificate reputation service is useful. Not only would it detect PKI-specific anomalies, like the ones outlined above, it would also be capable of detecting additional cryptographic vulnerabilities, like:
A certificate reputation service would analyze all of these factors and generate a score that reflects the trustworthiness of each instance of a credential, while adapting to a continually evolving threatscape. This valuable data would be available for applications/organizations to consume, much like a URL or a file reputation service. This could allow organizations like Kaspersky to spot suspicious certificates and take action quickly.
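As an added illustration (not Venafi's code and not TrustNet's scoring model), the Python sketch below contrasts the issuance/expiration check most applications stop at with a reputation-style score over further certificate attributes; the known-CA set, the weights and the two sample certificates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed list of issuers the scorer treats as known public CAs (hypothetical).
KNOWN_PUBLIC_CAS = {"Example Public CA G2"}

@dataclass
class CertFacts:
    subject_org: str
    issuer_cn: str
    not_before: datetime
    not_after: datetime
    key_bits: int        # RSA modulus size
    sig_alg: str         # e.g. "sha256WithRSAEncryption"
    self_signed: bool
    seen_before: int     # how often the reputation service has observed this cert

def basic_valid(c: CertFacts, now: datetime) -> bool:
    """The 'issuance and expiration' check most applications limit themselves to."""
    return c.not_before <= now <= c.not_after

def reputation_findings(c: CertFacts) -> list[str]:
    """PKI and cryptographic anomalies a reputation service would flag (constructed rules)."""
    findings = []
    if c.self_signed:
        findings.append("self-signed")
    elif c.issuer_cn not in KNOWN_PUBLIC_CAS:
        findings.append("issuer is not a known public CA")
    if c.key_bits < 2048:
        findings.append(f"weak RSA key ({c.key_bits} bits)")
    if c.sig_alg.lower().startswith("sha1"):
        findings.append("SHA-1 signature algorithm")
    if c.not_after - c.not_before > timedelta(days=825):
        findings.append("unusually long validity period")
    if c.seen_before == 0:
        findings.append("never observed before")
    return findings

def reputation_score(c: CertFacts, now: datetime) -> int:
    """0-100: a date-valid cert starts at 100 and loses 20 points per finding."""
    if not basic_valid(c, now):
        return 0
    return max(0, 100 - 20 * len(reputation_findings(c)))

NOW = datetime(2017, 11, 15)
# Constructed: a cert as a well-run organization would actually obtain it.
GENUINE = CertFacts("Kaspersky Lab", "Example Public CA G2", NOW - timedelta(days=30),
                    NOW + timedelta(days=335), 2048, "sha256WithRSAEncryption", False, 412)
# Constructed: a cert naming the same organization but carrying the anomalies above.
IMPERSONATOR = CertFacts("Kaspersky Lab", "Unknown Issuer", NOW - timedelta(days=1),
                         NOW + timedelta(days=1500), 1024, "sha1WithRSAEncryption", False, 0)
```

Both sample certificates pass `basic_valid`, which is the point of the passage: only the extra findings separate them.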
Venafi TrustNet includes information on more than 550M certificate instances, built up through continuous reconnaissance of the internet and third-party integrations. If you’re interested in finding out about any suspicious certificates that are impersonating your organization.
How well are you managing your machine identities?