Researchers from Masaryk University in the Czech Republic and Maryland Cybersecurity Center (MCC) monitored suspicious organizations and identified four that sold Microsoft Authenticode certificates to anonymous buyers. The same research team also collected a trove of Windows-targeted malware carrying valid digital signatures.
“Recent measurements of the Windows code signing certificate ecosystem have highlighted various forms of abuse that allow malware authors to produce malicious code carrying valid digital signatures,” researchers wrote. In their work, the researchers also discovered several cases of potentially unwanted programs (PUPs), revealing that along with their ability to sign malicious code, bad actors are also able to control a range of Authenticode certificates.
Gaining this type of unauthorized access has traditionally been easy for attackers using drive-by downloads and phishing, according to Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies. “And while endpoint security achieved some increases in efficacy over the last five years with the evolution of end point protection platforms, we only ever treated the symptom – and the not cause – of permissive access,” Gumbs said.
“If an attacker can use a trusted signed certificate to install malware, then the malware will use the access rights granted to that user or the access rights left behind in the form of NTLM hashes to further penetrate the network,” he continued. “While this development is a worrying one, applying a least access privilege model would reduce the threat greatly.”
Because the value of stolen data will more than make up for the cost of a stolen certificate, malicious actors are inclined to pay for certificates in order to fly under the radar of most protection tools so that they can hide in plain sight as authorized software. “Malware purveyors seem focused on deep technical things until you see their real focus is actually a core business concept: ROI. Criminals are in it for the revenue, and they understand you have to spend money to make money,” added Jonathan Sander, chief technology officer at STEALTHbits Technologies.
The underground economy is growing because many organizations are rapidly expanding their use of code signing certificates. “They are foundational components in many applications and DevOps environments. Unfortunately, in many cases code signing certificates are secured by unsuspecting teams that are focused on delivering code quickly, which allows attackers to intercept them,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
“Organizations must have full control over every code signing certificate they use, especially during the software development pipeline and signing process,” Bocek said.