According to a recent report from McAfee, the number of digitally signed malware samples tripled in 2013, driven largely by the abuse of automated Content Distribution Networks (CDNs) that wrap malicious binaries within digitally signed, otherwise legitimate installers.
Code signing is the method of validating the identity of a developer who produced the code in an effort to ensure the code has not been tampered with or modified after a digital certificate has been issued.
In its McAfee Labs Threats Report: Fourth Quarter 2013, McAfee said this accelerating trend could pose a significant threat to the long-established certificate authority (CA) model for authenticating “safe” software.
By the end of 2013, McAfee said the number of malicious signed binaries in its database tripled to more than 8 million suspicious binaries. In the fourth quarter alone, McAfee identified more than 2.3 million new malicious signed applications, a 52 percent jump from the previous quarter.
“Cybercriminals have an all-out assault on digital certificates,” Kevin Bocek, VP Security Strategy & Threat Intelligence at Venafi, told SecurityWeek.
McAfee Labs has cautioned that the rising number of maliciously signed files could create confusion among users and administrators, and even call into question the continued viability of the CA model for code signing.
“Although the expansion of the CA and CDN industries has dramatically lowered the cost of developing and issuing software for developers, the standards for qualifying the identity of the publisher have also decreased dramatically,” said Vincent Weafer, senior vice president for McAfee Labs. “We will need to learn to place more trust in the reputation of the vendor that signed the file, and less trust in the simple presence of a certificate.”
“McAfee’s Q4 Threat Report is just one indicator in a long list that shows cybercriminals are attacking the trust established by digital certificates and cryptographic keys,” Bocek said.
Digitally signed malware can often circumvent the security protections organizations have in place and let attackers hold “trusted status” undetected for as long as they wish. According to a recent Ponemon Institute report, enterprises lack the visibility, policies, and security controls needed to protect these trust-based technologies.
“There’s little to no visibility into what keys and certificates are trusted throughout enterprises and no ability to take action, either to enforce policy or respond to attacks,” Bocek said. “The escalation in these types of attacks underscores the problem of unsecured certificates loud and clear. With over 17,000 keys and certificates in typical Global 2000 organizations, there’s a huge attack surface.”
Bocek believes the rise in these attacks should not be a surprise, however.
“From SSL, to code signing, to SSH for administrators and servers, to iOS and Android architectures, we’ve built security systems of the future on keys and certificates,” he said. “They are foundational to our modern world, yet trusting these technologies blindly puts us all in grave peril. Cybercriminals know unprotected keys and certificates are a weak spot in our defenses and will continue to attack there.”
Analysis of “The Mask” APT operation, a sophisticated cyber-espionage campaign uncovered by Kaspersky Lab earlier this year, revealed that hundreds of organizations had SSH keys, as well as SSL keys and certificates, stolen.
“The attacks on keys and certificates are unlike other common attacks seen today. With a compromised or stolen key you can impersonate, surveil, and monitor your targets as well as decrypting traffic or impersonating trusted websites, code, or administrators,” Bocek explained. “Discovering a compromised key and certificate doesn’t kick an attacker out nor solve the problem; until a key and certificate are revoked and replaced the threat doesn’t go away.”
Mandiant also noted in its APT1 Report that nation-state hackers based in China used self-signed digital certificates to implant malware into hundreds of U.S. companies over a period of several years.
Certificate-based malware attacks come in many shapes and sizes, according to Jeff Hudson, CEO of Venafi.
“One of the most notable attacks comes in the form of a compromised certificate authority, such as what happened to the Dutch CA DigiNotar in 2011,” Hudson wrote in an Oct. 2013 SecurityWeek column.
“That compromise allowed hackers to issue malicious certificates that appeared to be signed and legitimized by DigiNotar,” Hudson continued. “A number of additional public CA compromises followed. The net result was that hackers used falsified certificates to execute man-in-the-middle attacks, fooling people into believing that a false website was in fact real. Not only were user credentials siphoned off, but users were also diverted to malicious sites. This is still a common practice today; malicious actors even go as far as to use SSL to disguise their activities over the network.”
Additionally, it was discovered that SSH keys provided Edward Snowden with undetected access that allowed him to steal a significant number of classified documents from the NSA.
“Cybercriminals know unprotected keys and certificates are a weak spot in our defenses and will continue to attack there,” Bocek said.
“Although the total number of signed malware samples includes stolen, purchased, or abused certificates, the vast majority of growth is due to dubious CDNs,” McAfee said in its threat report. “These are websites and companies that allow developers to upload their programs, or a URL that links to an external application, and wrap it in a signed installer.”
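Weafer's advice above, and the CDN wrapper mechanism McAfee describes, both come down to the same defensive check: a valid signature is necessary but not sufficient, and the signer's identity must be compared against publishers the organization has actually vetted. The following PowerShell is an added illustration written for this article, not code from McAfee, Venafi or SecurityWeek; the allowlist thumbprints are placeholders and the Downloads folder is just an assumed scan target.

```powershell
# Added example: classify executables by signature state AND signer identity.
# A wrapper installer from a "dubious CDN" carries a cryptographically valid
# signature, but the signer is the CDN, not a vetted software publisher, so it
# lands in the review bucket instead of being auto-trusted.
# Replace the placeholder thumbprints with certificates your organization has vetted.
$TrustedPublisherThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-VENDOR-A',
    'PLACEHOLDER-THUMBPRINT-VENDOR-B'
)

function Get-SignerVerdict {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    if ($sig.Status -eq 'NotSigned') {
        $verdict = 'Unsigned'
    } elseif ($sig.Status -ne 'Valid') {
        # HashMismatch (file modified after signing), NotTrusted (chain does not
        # reach a trusted root), UnknownError, etc. Never treat these as safe.
        $verdict = "Invalid ($($sig.Status))"
    } elseif ($TrustedPublisherThumbprints -contains $cert.Thumbprint) {
        $verdict = 'TrustedPublisher'
    } else {
        # Signature verifies, but the signer is not a vetted publisher. This is
        # where CDN-wrapped installers and purchased or stolen certificates land;
        # queue for review rather than allowing on the strength of the signature.
        $verdict = 'SignedUnknownPublisher'
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = if ($cert) { $cert.Subject } else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Verdict    = $verdict
    }
}

# Scan a download folder (assumed location) and surface everything that is not
# from a vetted publisher, whether unsigned, tampered, or signed by an unknown party.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Include *.exe,*.msi,*.dll -Recurse -File |
    ForEach-Object { Get-SignerVerdict -Path $_.FullName } |
    Where-Object { $_.Verdict -ne 'TrustedPublisher' } |
    Format-Table -AutoSize
```

The Signer column makes the distinction visible at a glance: a CDN wrapper shows the CDN's subject name, not the name of the developer whose program it carries.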