Vault 8 Exposure: What Do the Impersonated Certificates Actually Tell Us?

Earlier this month, Wikileaks revealed a new collection of documents reportedly stolen from the CIA. Dubbed Vault 8, this batch of information reveals how the federal agency may have used certificates to impersonate Kaspersky Labs in order to mask malicious and covert actions.

To find out more about this latest example of certificate compromise, we used Venafi TrustNet, the industry’s first enterprise certificate reputation service, to perform forensic analysis on the fraudulent Kaspersky certificates. Using the TrustNet data available to us, we were able to quickly identify a range of issues that would be cause for concern:

• The certificate was issued by an untrusted entity masquerading as a trusted issuer ("Thawte Premium Server CA").
   
• The certificate issued to "www.kaspersky.com" was valid for 25 years. (Certificate validity is now capped at two years).
   
• The certificate was issued by an entity that was only valid for 10 years. Essentially, the CA issued a certificate that was valid for 15 years longer than the issuer itself!
   
• The end entity certificate chained up directly to a self-signed "Root" CA. While this is not specifically against the standard, it is exceedingly uncommon, and is considered bad practice.
   
• The CA certificate was issued a mere 2 seconds before the fake Kaspersky certificate.
   

While these warning flags seem obvious in hindsight, most applications would not know to check for these indicators. It's far more likely for applications to limit their due diligence to basic checks like issuance and expiration. This is exactly the sort of situation where a certificate reputation service is useful. Not only would it detect PKI-specific anomalies, like the ones outlined above, it would also be capable of detecting additional cryptographic vulnerabilities, like:

1. The association of a certificate to a specific location/device where it was found in the context of a network scan.
    
2. Whether the CA in question was authorized to issue a certificate to that domain. (This can be verified through CAA record).
    
3. Whether the public/private key pair associated with a suspicious certificate was re-used, as opposed to being regenerated.
    
4. Presense of other attributes like Basic Constraints, Key Usage, CRLdp/AIA extensions and Subject Alternative Names (SANs). These properties indicate factors such as untrusted CAs, key validity, revocation status, and the presense of additional host names.
    
5. Certificates issued with a weak hashing or signing algorithms.
   |
6. Check to see if the key pair was generated with weak entropy, and therefore susceptible to vulnerabilities like key factorization as with the recently discovered ROCA issue, which affected billions of devices.
    
7. Whether the certificate was deployed on multiple locations; if this is the case then it is susceptible to a higher level of risk since there were multiple locations on which the credentials was stored, increasing potential threat vectors.
    

A certificate reputation service would analyze all of these factors and generate a score that reflects the trustworthiness of each instance of a credential, while adapting to a continually evolving threatscape. This valuable data would be available for applications/organizations to consume, much like a URL or a file reputation service. This could allow organizations like Kaspersky to spot suspicious certificates and take action quickly.
 

Venafi TrustNet includes information on more than 550M certificate instances, built up through continuous reconnaissance of the internet and third-party integrations. If you’re interested in finding out about any suspicious certificates that are impersonating your organization.
 

How well are you managing your machine identities?