Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

‘Destover’ Malware Signed by Stolen Sony Certificate

A digital certificate stolen from Sony Pictures under the recent high-profile cyber attack has been used to sign malware, according to a report from Kaspersky Lab.

A digital certificate stolen from Sony Pictures under the recent high-profile cyber attack has been used to sign malware, according to a report from Kaspersky Lab.

Ironically, the malware sample found digitally signed by the legitimate certificate from Sony was a sample of “Destover”, the destructive malware family that was reportedly used against Sony in the recent attack that resulted in troves of stolen corporate and personal data being leaked, along with the destruction data on corporate PCs.

Sony’s digital certificates, which were leaked by the attackers could be used to sign other malware samples and used in other attacks, but in this case it may not have been actually used by someone with malicious intent.

However, CSO’s Steve Regan has pointed out that the malware sample, which was uploaded to Malwr, was a joke between researchers.

The distrubting part, as Ragan reminded, is that after knowing its digital certificates had been obtained by attackers, Sony had not yet successfully revoked the known stolen certificates.

So while this incident may be a joke, the risk of Sony’s certificates being used in malware for real attacks is a reality.

Stolen Certificates from Sony“Because the Sony digital certificates are trusted by security solutions, this makes attacks more effective,” Kaspersky Labs’ Global Research & Analysis Team wrote in a blog post. “We’ve seen attackers leverage trusted certificates in the past, as a means of bypassing whitelisting software and default-deny policies.” 

According to Kaspersky Lab, it appears as though the new sample was signed on December 5, 2014 and it virtually the same as a previously observed non-signed file.

Kaspersky said that stolen digital certificate was reported to COMODO and Digicert, which should be blacklisted shortly.

Advertisement. Scroll to continue reading.

“As more news on the Sony Pictures Entertainment breach trickles out, it’s not surprising to learn that the new version of the Destover malware used by the attackers was signed by a legitimate certificate from Sony,” Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, told SecurityWeek. “Time and again, we’re seeing breached organizations like Sony leave open doors for attackers by failing to protect the trust provided by digital certificates and cryptographic keys.”

“Bad actors have learned that the easiest, fastest and most effective way to inject malware that resides undetected on corporate networks is by signing the malware with compromised or stolen digital certificates,” Bocek continued. “Attackers know that most organizations cannot detect or respond to anomalous certificates that authenticate systems and users on their networks, devices and applications, so they exploit them, just as they did in the Sony hack.”

“Global companies typically have tens of thousands of keys and certificates and the majority do not take an accurate inventory of them, do not know where they are deployed, who is using them and do not have the right systems in place to secure them.”

“As noted by Kaspersky, these stolen Sony certificates are the exact opening attackers need and can lead to further, more detrimental attacks,” Bocek said. “SSL and SSH cloaks an attacker’s communication channel and makes it nearly invisible – this is exactly what they’re looking for to carry out their cyber crimes.”

*Updated with additional information on sample thought to be a joke between researchers.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.