Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Content Distribution Networks Fuel Rising Threat of Digitally Signed Malware

According to a recent report from McAfee, the number of digitally signed malware samples tripled in 2013, driven largely by the abuse of automated Content Distribution Networks (CDNs) that wrap malicious binaries within digitally signed, otherwise legitimate installers.

According to a recent report from McAfee, the number of digitally signed malware samples tripled in 2013, driven largely by the abuse of automated Content Distribution Networks (CDNs) that wrap malicious binaries within digitally signed, otherwise legitimate installers.

Code signing is the method of validating the identity of a developer who produced the code in an effort to ensure the code has not been tampered with or modified after a digital certificate has been issued.

In its McAfee Labs Threats Report: Fourth Quarter 2013, McAfee said this accelerating trend could pose a significant threat to the long-established certificate authority (CA) model for authenticating “safe” software.

Code Signing Malware

By the end of 2013, McAfee said the number of malicious signed binaries in its database tripled to more than 8 million suspicious binaries. In the fourth quarter alone, McAfee identified more than 2.3 million new malicious signed applications, a 52 percent jump from the previous quarter.

“Cybercriminals have an all-out assault on digital certificates,” Kevin Bocek, VP Security Strategy & Threat Intelligence at Venafi, told SecurityWeek.

McAfee Labs has cautioned that the rising number of maliciously signed files could create confusion among users and administrators, and even call into question the continued viability of the CA model for code signing.

“Although the expansion of the CA and CDN industries has dramatically lowered the cost of developing and issuing software for developers, the standards for qualifying the identity of the publisher have also decreased dramatically,” said Vincent Weafer, senior vice president for McAfee Labs. “We will need to learn to place more trust in the reputation of the vendor that signed the file, and less trust in the simple presence of a certificate.”

“McAfee’s Q4 Threat Report is just one indicator in a long list that shows cybercriminals are attacking the trust established by digital certificates and cryptographic keys,” Bocek said.

Advertisement. Scroll to continue reading.

Digitally signed malware can often circumvent existing security protection organizations have in place and enable attackers to obtain “trusted status” undetected for as long as they desire. According to a recent Ponemon Institute report, enterprises lack the visibility, policies, and security in to protect these trust-based technologies.

ResourceIs Your Enterprise Managing Certificates? Three Reasons It Should Be.

“There’s little to no visibility in to what keys and certificates are trusted throughout enterprises and no ability to take action, either to enforce policy or respond to attacks,” Bocek said. “The escalation in these types of attacks underscore the problem of unsecured certificates loud and clear. With over 17,000 keys and certificates in typical Global 2000 organizations, there’s a huge attack surface.”

Bocek believes the rise in these attacks should not be a surprise, however.

“From SSL, to code signing, to SSH for administrators and servers, to iOS and Android architectures, we’ve built security systems of the future on keys and certificates,” he said. “They are foundational to our modern world, yet trusting these technologies blindly puts us all in grave peril. Cybercriminals know unprotected keys and certificates are a weak spot in our defenses and will continue to attack there.”

Analysis of “The Mask” APT operation, a sophisticated cyber-espionage campaign uncovered by Kaspersky Lab earlier this year, revealed that hundreds of organizations had SSH keys and SSL keys and certificates stolen. 

“The attacks on keys and certificates are unlike other common attacks seen today. With a compromised or stolen key you can impersonate, surveil, and monitor your targets as well as decrypting traffic or impersonating trusted website, code, or administrators,” Bocek explained. “Discovering a compromised key and certificate doesn’t kick an attacker out nor solve the problem; until a key and certificate is revoked and replaced the threat doesn’t go away.”

Mandiant also noted in its APT1 Report that nation-state hackers based in China used self-signed digital certificates to implant malware into hundreds of U.S. companies over a period of several years. 

Certificate-based malware attacks come in many shapes and sizes, according to Jeff Hudson, CEO of Venafi.

One of the most notable attacks comes in the form of a compromised certificate authority, such as what happened to the Dutch CA DigiNotar in 2011,” Hudson wrote in an Oct. 2013 SecurityWeek column. 

“That compromise allowed hackers to issue malicious certificates that appeared to be signed and legitimized by DigiNotar,” Hudson continued. “A number of additional public CA compromises followed. The net result was that hackers used falsified certificates to execute a man-in-the-middle attacks, fooling people into believing that a false website was in fact real. Not only were user credentials siphoned off but also diverted users to malicious sites. This is still a common practice used today, malicious actors even go as far as to use SSL to disguise their activities over the network.”

Additionally, it was discovered that SSH keys provided Edward Snowden with undetected access that allowed him to steal a significant number of classified documents from the NSA.

“Cybercriminals know unprotected keys are certificates is a weak spot in our defenses and will continue to attack there,” Bocek said.

“Although the total number of signed malware samples includes stolen, purchased, or abused certificates, the vast majority of growth is due to dubious CDNs,” McAfee said in its threat report. “These are websites and companies that allow developers to upload their programs, or a URL that links to an external application, and wrap it in a signed installer.”

Related ResourceBroken Trust: Exposing the Malicious Use of Digital Certificates and Cryptographic Key

Related Resource: Forrester Attacks On Trust Report

Related Insight: Is Your Enterprise Managing Certificates? Three Reasons It Should Be.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...