In the season of giving, the Sony breach has given hackers around the world the gift that keeps on giving—keys and certificates that can be used as part of malicious campaigns for as long as Sony keeps them active. In the last week, the media has been abuzz about the malware Destover that’s digitally signed with a valid Sony certificate—part of the treasure trove successfully exfiltrated during the Sony breach last month.
Even though the signing of a variant of Destover was apparently a joke between Kaspersky researchers, the biggest concern should be that Sony has still not revoked any of the certificates compromised last month. The main motivation for cybercriminals to sign malware with valid digital certificates is to deliver seemingly legitimate content and avoid detection by critical security controls like antivirus, sandboxing solutions, or operating system security policies. By not revoking its certificates, Sony is providing cybercriminals with the ability to bypass these security controls.
The misuse of keys and certificates as part of malicious campaigns is at an all-time high. For many years, cybercriminals have been signing malicious code to avoid detection. McAfee’s 2014 Q3 threat report shows a dramatic increase in maliciously signed code with no indications of slowing down. In fact, McAfee describes the misuse of certificates to sign malware as “unabated since we began tracking it in 2007.”
If anything, the Sony breach should be a wake-up call to every organization, showing the power that keys and certificates provide to attackers. There are thousands of examples in which cybercriminals continue to misuse keys and certificates—Mask, Crouching Yeti, and APT18 are but a few commonly known examples.
First, we know that cybercriminals go after keys and certificates to gain trusted status, elevate privileges, and avoid detection. So, like passwords, keys and certificates should be protected and rotated on a frequent basis to avoid their successful use by cybercriminals.
Second, one cannot distinguish a good key or certificate from a bad one—there is no such thing. Unlike malware, keys and certificates are not malicious in themselves. However, they can be, and are, used in malicious campaigns. Therefore, it is imperative that you establish a baseline of normal behavior for the keys and certificates in your IT environment. Once that baseline of normal usage exists, anomalous key and certificate usage can be identified.
Third, when you have been breached—and you are going to be—the time it takes to respond and how you respond will make all the difference. In the case of the Sony breach, the certificate used to sign Destover should have been revoked the day Sony discovered that it had been stolen. In the case of all the SSH keys that were stolen, they too should have been rotated to avoid providing future backdoor access to cybercriminals.
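The three points above (rotate on a schedule, baseline normal usage, revoke promptly after a compromise) can be turned into a routine check over a certificate inventory and a signing log. The following is an added example, not code from the original post or from any vendor; the inventory, hostnames, serial numbers and signing events are constructed for illustration and are not Sony identifiers. It builds a baseline of which hosts normally sign with which certificate, flags recent signing events that fall outside that baseline (including use of an already revoked certificate or a serial nobody has inventoried), and lists certificates that are either known-compromised but still unrevoked or past their rotation age.

```python
"""Baseline-and-revocation check for code-signing certificate usage.

Added example (not from the original post). The inventory, hosts and
signing events are constructed; a real deployment would pull them from a
certificate management system and the build/signing servers' logs.
"""
from collections import defaultdict
from datetime import date

# Constructed inventory of code-signing certificates, keyed by serial.
INVENTORY = {
    "1A2B": {"owner": "build-team",  "issued": date(2012, 1, 15), "revoked": False, "compromised": False},
    "3C4D": {"owner": "release-eng", "issued": date(2014, 6, 1),  "revoked": False, "compromised": True},
    "5E6F": {"owner": "release-eng", "issued": date(2013, 3, 10), "revoked": True,  "compromised": True},
}

# Constructed signing events: (date, certificate serial, signing host, signed file).
# The baseline window is the period before the incident; RECENT_EVENTS is what
# the signing infrastructure reported afterwards.
BASELINE_EVENTS = [
    (date(2014, 9, 2),  "1A2B", "build01", "updater.exe"),
    (date(2014, 9, 9),  "1A2B", "build02", "launcher.exe"),
    (date(2014, 10, 3), "3C4D", "rel01",   "installer.msi"),
]

RECENT_EVENTS = [
    (date(2014, 12, 1), "1A2B", "build01",     "updater.exe"),   # matches baseline
    (date(2014, 12, 3), "3C4D", "ext-unknown", "svc.exe"),       # host never seen with this cert
    (date(2014, 12, 4), "5E6F", "rel01",       "driver.sys"),    # certificate already revoked
    (date(2014, 12, 5), "9999", "rel01",       "tool.exe"),      # serial not in inventory
]

# Constructed reporting date, fixed so the example is deterministic.
REPORT_DATE = date(2014, 12, 10)


def build_baseline(events):
    """Map each certificate serial to the set of hosts observed signing with it."""
    baseline = defaultdict(set)
    for _, serial, host, _ in events:
        baseline[serial].add(host)
    return dict(baseline)


def find_anomalous_signings(inventory, baseline, events):
    """Return (event, reason) pairs for signing events that deviate from normal.

    Checks are ordered so the most serious explanation wins: an unknown
    serial, then a revoked certificate, then a host outside the baseline.
    """
    anomalies = []
    for event in events:
        _, serial, host, _ = event
        cert = inventory.get(serial)
        if cert is None:
            anomalies.append((event, "serial not in inventory"))
        elif cert["revoked"]:
            anomalies.append((event, "signed with revoked certificate"))
        elif host not in baseline.get(serial, set()):
            anomalies.append((event, "host outside baseline for this certificate"))
    return anomalies


def find_certificates_needing_action(inventory, today, max_age_days=365):
    """Return serial -> reason for certificates that should be revoked or rotated.

    Already revoked certificates need no further action; a known-compromised
    one must be revoked regardless of age; otherwise enforce the rotation age.
    """
    actions = {}
    for serial, cert in inventory.items():
        if cert["revoked"]:
            continue
        if cert["compromised"]:
            actions[serial] = "compromised but not revoked"
        elif (today - cert["issued"]).days > max_age_days:
            actions[serial] = "exceeds rotation age"
    return actions


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for event, reason in find_anomalous_signings(INVENTORY, baseline, RECENT_EVENTS):
        print("ANOMALY", event, "->", reason)
    for serial, reason in find_certificates_needing_action(INVENTORY, REPORT_DATE).items():
        print("ACTION ", serial, "->", reason)
```

Run as a script it prints three anomalous signing events and two certificates needing action; the "compromised but not revoked" entry is the situation the post criticizes, and the ordering of checks in `find_anomalous_signings` is deliberate so that a revoked certificate is always reported as such rather than as a mere baseline deviation.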