Skip to main content
banner image
venafi logo

Are Attackers Targeting Your Code Signing Certificates? [Recent Hacks]

Are Attackers Targeting Your Code Signing Certificates? [Recent Hacks]

October 1, 2020 | Eddie Glenn

Folks, if you work in industry where software is your company’s primary product—be it a web service, enterprise software, or embedded software—you better listen up and pay attention. Earlier this month, the US Department of Justice indicted five Chinese hackers and two Malaysian businessmen on intrusions that hit more than 100 companies.

Who were the hackers after?

According to the indictment as reported by Bloomberg, the hackers targeted computer hardware manufacturers, software development companies, telecommunications providers, video game companies, and social media companies. 

What were they after?

According to the DOJ, the attacks facilitated the theft of source code, software code signing certificates, customer account data and valuable business information. 

The first set of indictments came in August of 2019 with the rest coming last month. It’s still unclear if the hackers were working directly for the Chinese government, though there is evidence that they may have been proxies for the Chinese government. 

How exposed are you? Get your free Venafi Code Signing Risk Awareness Checklist.

Wasted Locker 

In July 2020, Garmin, a world leading manufacturer of GPS devices, experienced a broad outage in their website and with their mobile app effecting their customers worldwide. During this outage, Garmin couldn’t receive calls, emails or online chats and their users experienced outages of software services that they had purchased. 

 According to Malwarebytes, one of the most common ways that companies get infected with WastedLocker is through the usage of fake software update alerts such as this one: 


Evil Corp gang, assumed to be run by Russians, has primarily been targeting US companies with this malware which encrypts critical software files that they hold at ransom, sometimes as high as $10M in Bitcoin.

 Even though the US DOJ offered a $5M bounty for leading to arrest of these individuals in December 2019, they were still at it 6 months later. 

This is what really concerns me 

These attacks are just the latest prominent examples of incidents. Earlier this year, we discussed the dangers of Pipemon to video game manufactures. Security company Ecylpsium reported about not protecting firmware (read our blog about it). Landry’s had a breach of firmware in its retail POS terminals. And before that A.P. Møller-Maersk was crippled for weeks. And before that, computer manufacturer, ASUS, accidentally infected millions of customer computers as well. 

I get the sense that the industry may not be taking this threat seriously enough, nor doing enough to prevent it. 

According to Yana Blachman, a principle threat intelligence analyst at Venafi, “Attackers see the opportunity in targeting the source of software since they try to increase the infection rate and the number of targets. This is what is called shifting ‘upstream’ in the software supply chain.

Attackers understand that targeting an organization directly is complex and will typically yield slower and fewer results and therefore prefer the approach of a supply chain attack. In a supply chain attack, the trusted software or service become the new targets for the attackers who will try to contaminate the software code signing process and deliver their malware through a ‘legitimate’ tunnel. A malicious signed software will typically raise less attention and becomes the perfect enabler for a successful attack.”  

Who protects the protector? 

In many of these cases, companies could have simply used code signing to protect the software they use internally or deliver to their customers. It’s an encryption technology that has been around for 30 years and is effective. 

However, what is alarming is that hackers are now targeting the theft of these vital code signing keys and certificates, inserting their malware into legitimate software, signing it with the stolen keys, and then distributing it. To the rest of the world, the malware-infected software update looks legit because it has a valid signature.  

This is exactly why several years ago, Venafi began researching how to help companies protect their code signing keys and certificates. Here are just a few tidbits that we learned from our customers (names withheld to protect the innocent) during the early days of our market research:

  • How many code signing certificates are in use at your company? “I dunno.” 
  • What group is responsible for safeguarding the use of those keys? “It depends. 
  • How do you enforce any policies that you have around code signing? “We don’t. 
  • Are you aware of your code signing certs being misused, either internally or externally? “We would rather not answer that.” 
  • Where do you store your code signing keys? “It depends. Sometimes on our developers laptops, build servers, or web servers depending on the application.” 

It’s no wonder that businesses have a tough time safeguarding its code signing keys and certificates. 

If you’re not familiar with “Security Considerations for Code Signing” written by NIST, I encourage you to download it. This paper explains why securing code signing keys in a hardware security module isn’t adequate anymore. The use of a code signing key needs to be protected by a process that is easily enforced.

Check out these recommendations! Some of them are obvious, but others not as much:

  • Identify specific users which can use code signing keys 
  • Establish policies and procedures for reviewing, vetting and approving code before it is signed 
  • Use separate code signing keys for development/test signing than those used for production signing 
  • Conduct periodic audits to determine who has been signing code, with which certificates, and with which tools 

Hackers know how to steal code signing keys and credentials, and they have become effective at doing that. The NIST guidance is designed to prevent that from happening. 

And, that’s why Venafi developed Venafi CodeSign Protect. CodeSign Protect provides visibility, intelligence, automation, and protection for code signing keys and enforces policies and processes used to protect them. 

I really don’t want the next blog I write about code signing security threats to include your company as the latest example. Please take the time to look at how you can improve the security of your code signing process.

Related posts

Like this blog? We think you will love this.
Featured Blog

Study Shows Widespread Abuse of Code Signing Certificates

A study by Vi

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Eddie Glenn
Eddie Glenn

Eddie is the Product Marketing Manager over Code Signing at Venafi. A product marketing professional in SaaS, Enterprise, and Embedded Software, he has a strong technical background and experience with inbound and outbound marketing, business and marketing strategy, and marketing operations.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more