Let's Encrypt's Free Certificates Abused by Cybercriminals

Security certificates from the free certificate authority (CA) Let’s Encrypt are being abused by cybercriminals in a malvertising campaign, Trend Micro has discovered.

The Let’s Encrypt initiative was proposed by the Electronic Frontier Foundation (EFF) and is backed by many web companies, including Mozilla, Cisco, Facebook, Akamai, Automattic, IdenTrust, the Linux Foundation, the University of Michigan, and others. The goal of the CA is to eliminate the fees associated with certificate issuance, thereby encouraging site owners to secure their domains.

The CA also helps site owners set up and manage the certificates, and has announced that it will renew them automatically when they expire. Additionally, Let’s Encrypt issues only domain-validated certificates; it does not offer extended validation (EV) certificates, which usually require additional checks of the site owner’s identity.

Let’s Encrypt issued its first digital certificate in mid-September 2015, and entered an invitation-based private beta testing phase around the same time. On Dec. 3, 2015, it announced the public beta phase, which eliminated the need for an invitation to join the testing process and receive free certificates.

As Trend Micro’s Joseph Chen notes in a blog post, while the potential for Let’s Encrypt to be abused has always been present, the first site actually doing so was uncovered on Dec. 21. The security firm observed a campaign that redirected users to the Angler Exploit Kit, which in turn downloaded a banking Trojan; the traffic to the malvertising server came from users in Japan.

The attack is believed to be the continuation of a malvertising campaign that was identified in September of last year, which was also targeting Japanese users. The cybercriminals behind the campaign used domain shadowing to carry out attacks, a technique that involves creating subdomains under a legitimate domain, with the subdomains leading to a server under the control of the attackers.

In this particular case, the attackers created ad.{legitimate domain}.com under the legitimate site, with traffic to the subdomain protected by HTTPS and a Let’s Encrypt certificate. On that subdomain the researchers found an ad that appeared to be related to the legitimate domain, but which was instead used to disguise the malicious traffic.

Trend Micro also discovered that parts of the redirection script had been moved from a JavaScript file into a .GIF file, making the payload more difficult to identify. However, the company also found anti-antivirus code similar to that identified in the September campaign, and discovered that the attack abused an open redirect on DoubleClick.

As Chen notes, any technology meant for good can be abused by cybercriminals, and Let’s Encrypt is no exception. The problem is that when an attacker creates subdomains under a legitimate domain name, a CA that automatically issues certificates for those subdomains ends up assisting the cybercriminals in their nefarious activities.

He also explains that Let’s Encrypt checks domains only against the Google Safe Browsing API, and that the project has already stated that it does not believe CAs should act as content filters. However, he also states that website owners should be able to secure their own website control panels so that no new subdomains outside their control can be created without their knowledge.
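Both the domain shadowing technique described above and Chen’s advice that site owners keep control of which subdomains exist point to the same defensive check: periodically compare the authoritative zone against what the owner knows should be there. The following is an added example, not code from Trend Micro or the article; it parses a small constructed BIND-style zone for a hypothetical domain (example.com, with addresses from the documentation ranges) and flags any record whose name is not on the owner’s allowlist or whose address lies outside the owner’s known networks. A shadowed `ad` subdomain pointing at an attacker-controlled host would be reported on both counts.

```python
import ipaddress

# Constructed sample zone for a hypothetical domain (not from the article).
# The "ad" record models a shadowed subdomain pointing at a foreign host.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@        3600 IN A     198.51.100.10
www      3600 IN A     198.51.100.10
mail     3600 IN A     198.51.100.20
ad       300  IN A     203.0.113.77   ; not created by the owner
cdn      3600 IN CNAME www.example.com.
"""

# What the owner believes the zone should contain (assumed allowlist).
KNOWN_HOSTS = {"example.com", "www.example.com", "mail.example.com", "cdn.example.com"}
OWNED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_zone(text):
    """Parse a minimal zone file: '$ORIGIN' plus 'name ttl class type value' lines.

    Returns a list of (fqdn, record_type, value) tuples with lowercase FQDNs.
    Comments after ';' are ignored; multi-line or TTL-less records are not handled.
    """
    origin = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if origin is None:
            raise ValueError("zone data must start with an $ORIGIN line")
        parts = line.split()
        if len(parts) < 5:
            continue  # skip anything this minimal parser does not understand
        name, _ttl, _cls, rtype, value = parts[:5]
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name.rstrip(".")
        else:
            fqdn = f"{name}.{origin}"
        records.append((fqdn.lower(), rtype.upper(), value))
    return records


def audit_zone(text, known_hosts, owned_networks):
    """Return (fqdn, finding, detail) tuples for records the owner did not expect.

    'unexpected-name': the name is not on the allowlist (possible domain shadowing).
    'foreign-address': an A/AAAA record points outside the owner's networks.
    """
    findings = []
    for fqdn, rtype, value in parse_zone(text):
        if fqdn not in known_hosts:
            findings.append((fqdn, "unexpected-name", f"{rtype} {value}"))
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(value)
            if not any(addr in net for net in owned_networks):
                findings.append((fqdn, "foreign-address", value))
    return findings


if __name__ == "__main__":
    for fqdn, finding, detail in audit_zone(SAMPLE_ZONE, KNOWN_HOSTS, OWNED_NETWORKS):
        print(f"{finding:17} {fqdn:20} {detail}")
```

In practice the zone text would come from the registrar or DNS provider’s API (or a zone transfer from the owner’s own servers) on a schedule, and any `unexpected-name` finding is the signal to check the control panel for a compromised account before a certificate for that name is ever requested.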

To keep users secure, browser makers, CAs, and anti-virus companies should actively engage in blocking bad actors, Chen adds. While CAs should be willing to revoke inadvertently issued certificates, users should also be aware that secure sites are not necessarily safe, and that they need to keep their software up to date at all times to minimize the attack surface for exploit kits.