Vault 8 Exposure: What Do the Impersonated Certificates Actually Tell Us?

November 22, 2017 | Hari Nair

Earlier this month, Wikileaks revealed a new collection of documents reportedly stolen from the CIA. Dubbed Vault 8, this batch of information reveals how the federal agency may have used certificates to impersonate Kaspersky Labs in order to mask malicious and covert actions.

To find out more about this latest example of certificate compromise, we used Venafi TrustNet, the industry’s first enterprise certificate reputation service, to perform forensic analysis on the fraudulent Kaspersky certificates. Using the TrustNet data available to us, we were able to quickly identify a range of issues that would be cause for concern:

  • The certificate was issued by an untrusted entity masquerading as a trusted issuer ("Thawte Premium Server CA").
  • The certificate issued to "" was valid for 25 years. (Certificate validity is now capped at two years).
  • The certificate was issued by an entity that was only valid for 10 years. Essentially, the CA issued a certificate that was valid for 15 years longer than the issuer itself!
  • The end entity certificate chained up directly to a self-signed "Root" CA. While this is not specifically against the standard, it is exceedingly uncommon, and is considered bad practice.
  • The CA certificate was issued a mere 2 seconds before the fake Kaspersky certificate.
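As an added example (not Venafi's or TrustNet's code), the five warning signs above expressed as rule checks over already-parsed certificate fields, which in practice would come from a parser such as the `cryptography` package. The two-year cap, the one-hour "CA created just before the leaf" threshold, the trust-store contents and the certificates themselves are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    fingerprint: str  # constructed placeholder, not a real hash

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer

# Constructed trust store: subject name -> fingerprint of the genuine root.
TRUSTED_ROOTS = {"Thawte Premium Server CA": "fp-genuine-thawte-placeholder"}

def check_chain(leaf, issuer, trusted=TRUSTED_ROOTS,
                max_validity=timedelta(days=2 * 365),   # assumed two-year cap
                min_ca_age=timedelta(hours=1)):         # assumed threshold
    """Return the names of every anomaly found in the pair (leaf, issuer)."""
    findings = []
    # 1. Issuer carries a well-known CA name but is not that CA's certificate.
    if issuer.subject in trusted and trusted[issuer.subject] != issuer.fingerprint:
        findings.append("issuer_masquerades_as_trusted_ca")
    # 2. Leaf validity period longer than the current maximum.
    if leaf.not_after - leaf.not_before > max_validity:
        findings.append("validity_exceeds_limit")
    # 3. Leaf stays valid after the CA that signed it has expired.
    if leaf.not_after > issuer.not_after:
        findings.append("leaf_outlives_issuer")
    # 4. Leaf signed directly by a self-signed root, with no intermediate.
    if issuer.self_signed:
        findings.append("leaf_signed_by_root")
    # 5. Issuer minted moments before the leaf, i.e. in the same run.
    if timedelta(0) <= leaf.not_before - issuer.not_before < min_ca_age:
        findings.append("issuer_created_just_before_leaf")
    return findings

# Constructed chain mirroring the numbers in the post (10-year root, 25-year
# leaf issued 2 seconds later); names and dates are placeholders.
ROOT_START = datetime(2014, 1, 1, 12, 0, 0)
fake_root = Cert("Thawte Premium Server CA", "Thawte Premium Server CA",
                 ROOT_START, ROOT_START + timedelta(days=10 * 365), "fp-fake-root")
fake_leaf = Cert("kaspersky-placeholder", "Thawte Premium Server CA",
                 ROOT_START + timedelta(seconds=2),
                 ROOT_START + timedelta(seconds=2, days=25 * 365), "fp-fake-leaf")
```

`check_chain(fake_leaf, fake_root)` reports all five findings, while a leaf issued by a genuine intermediate with a normal validity period reports none.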

While these warning flags seem obvious in hindsight, most applications would not know to check for these indicators. It's far more likely for applications to limit their due diligence to basic checks like issuance and expiration. This is exactly the sort of situation where a certificate reputation service is useful. Not only would it detect PKI-specific anomalies, like the ones outlined above, it would also be capable of detecting additional cryptographic vulnerabilities, like:

  1. The association of a certificate to a specific location/device where it was found in the context of a network scan.
  2. Whether the CA in question was authorized to issue a certificate to that domain. (This can be verified through CAA record).
  3. Whether the public/private key pair associated with a suspicious certificate was re-used, as opposed to being regenerated.
  4. Presence of other attributes like Basic Constraints, Key Usage, CRLdp/AIA extensions and Subject Alternative Names (SANs). These properties indicate factors such as untrusted CAs, key validity, revocation status, and the presence of additional host names.
  5. Certificates issued with weak hashing or signing algorithms.
  6. Whether the key pair was generated with weak entropy and is therefore susceptible to attacks like key factorization, as with the recently discovered ROCA issue, which affected billions of devices.
  7. Whether the certificate was deployed in multiple locations; if so, it carries a higher level of risk, since the credentials were stored in multiple places, increasing the potential threat vectors.

A certificate reputation service would analyze all of these factors and generate a score that reflects the trustworthiness of each instance of a credential, while adapting to a continually evolving threatscape. This valuable data would be available for applications/organizations to consume, much like a URL or a file reputation service. This could allow organizations like Kaspersky to spot suspicious certificates and take action quickly.

Venafi TrustNet includes information on more than 550M certificate instances, built up through continuous reconnaissance of the internet and third-party integrations. If you’re interested in finding out about any suspicious certificates that are impersonating your organization.

Learn more about the TrustNet service here. 

About the author

Hari Nair

Hari is Director of Product Management at Venafi. He is responsible for vision and execution of #NextGenerationTrustProtection to secure the Global 5000.
