Security certificates are intended to elicit trust in users for the deployment of software, but as with so many other safeguards, threat actors can find a way to abuse the mechanism for their own ends.
Traditional antivirus software usually relies on signature-based databases to detect whether or not software downloaded or executed on a machine contains a malicious secret. However, if signed off by a legitimate authority, malicious software may be able to circumvent detection.
The same process applies to websites, too. Security certificates present a website's credentials, including its ability to secure and encrypt data going between a client and browser, and these certificates and are issued by a Certificate Authority (CA).
Certificates also come with an expiry date and have to be renewed relatively frequently.
For cyberattackers, security certificates can be valuable in spreading malware and hoodwinking potential victims into visiting malicious domains that, for all intents and purposes, appear trustworthy.
Code-signing certificates perform basic identity checks, whereas extended validation code signing certificates are more rigorously tested. The second certificate option, as it requires extensive vetting, is usually more expensive for developers to adopt.
Certificates can give threat actors the ability to masquerade as trusted parties. There have been past cases of certificates becoming compromised and stolen, or CAs being banned outright for reasons including the sale of surveillance tools or direct user spying, and now, researchers have found cyberattackers pretending to be legitimate business executives to purchase certificates online.
According to Tomislav Pericin, co-founder of ReversingLabs, the theft of certificates and identities can sometimes become "intertwined" in the trade of illicit security certificates.
In a case recently tracked by the cybersecurity firm, a threat actor, or group, is currently impersonating business executives in order to purchase and then later sell certificates in underground forums for malware deployment.
The cyberattacker first performs reconnaissance to select suitable, viable targets. In one example, the fraudster scraped information from a UK business executive's LinkedIn page and then registered a domain name related to their company.
Once this infrastructure was in place, the attacker ordered a code-signing certificate, which requires less vetting -- and, therefore, all of the information required to see the purchase through has already been generated.
In order to validate their stolen identity, the firm's legal existence is checked under government or trusted third-party databases, the website domain is checked via email, and then for business validation, a simple, automated callback process is usually in play.
The attacker has now successfully impersonated a business and has a code-signing certificate in their possession and available for sale. This particular certificate, based on fraud, has now been used to sign off on OpenSUpdater adware and has been used to sign 22 executables in total, many of which are malicious.
ReversingLabs believes the cyberattacker, or threat group, has used the same tactic on at least a dozen companies. To make matters worse, fraudulent extended validation certificates have also been connected to the same entity, which may suggest that the profit margins are worth the reconnaissance and infrastructure setup required to pass hefty ID checks.
"Certificate authority hopping is another tactic employed by this threat actor," Pericin says. "Using the same impersonated identity, the actor tries to buy as many certificates from as many certificate authorities as possible. These typically get issued in quick succession, as the attackers want to get the best return on their infrastructure investment."
Previous and related coverage
- Israeli police arrest execs from vendor of mobile surveillance tech
- US government demands data on thousands of gun scope app users
- Pen test goes pear-shaped: cybersecurity firm staff arrested over courthouse burglary
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0