Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

‘Destover’ Malware Signed by Stolen Sony Certificate

A digital certificate stolen from Sony Pictures under the recent high-profile cyber attack has been used to sign malware, according to a report from Kaspersky Lab.

A digital certificate stolen from Sony Pictures under the recent high-profile cyber attack has been used to sign malware, according to a report from Kaspersky Lab.

Ironically, the malware sample found digitally signed by the legitimate certificate from Sony was a sample of “Destover”, the destructive malware family that was reportedly used against Sony in the recent attack that resulted in troves of stolen corporate and personal data being leaked, along with the destruction data on corporate PCs.

Sony’s digital certificates, which were leaked by the attackers could be used to sign other malware samples and used in other attacks, but in this case it may not have been actually used by someone with malicious intent.

However, CSO’s Steve Regan has pointed out that the malware sample, which was uploaded to Malwr, was a joke between researchers.

The distrubting part, as Ragan reminded, is that after knowing its digital certificates had been obtained by attackers, Sony had not yet successfully revoked the known stolen certificates.

So while this incident may be a joke, the risk of Sony’s certificates being used in malware for real attacks is a reality.

Stolen Certificates from Sony“Because the Sony digital certificates are trusted by security solutions, this makes attacks more effective,” Kaspersky Labs’ Global Research & Analysis Team wrote in a blog post. “We’ve seen attackers leverage trusted certificates in the past, as a means of bypassing whitelisting software and default-deny policies.” 

According to Kaspersky Lab, it appears as though the new sample was signed on December 5, 2014 and it virtually the same as a previously observed non-signed file.

Kaspersky said that stolen digital certificate was reported to COMODO and Digicert, which should be blacklisted shortly.

Advertisement. Scroll to continue reading.

“As more news on the Sony Pictures Entertainment breach trickles out, it’s not surprising to learn that the new version of the Destover malware used by the attackers was signed by a legitimate certificate from Sony,” Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, told SecurityWeek. “Time and again, we’re seeing breached organizations like Sony leave open doors for attackers by failing to protect the trust provided by digital certificates and cryptographic keys.”

“Bad actors have learned that the easiest, fastest and most effective way to inject malware that resides undetected on corporate networks is by signing the malware with compromised or stolen digital certificates,” Bocek continued. “Attackers know that most organizations cannot detect or respond to anomalous certificates that authenticate systems and users on their networks, devices and applications, so they exploit them, just as they did in the Sony hack.”

“Global companies typically have tens of thousands of keys and certificates and the majority do not take an accurate inventory of them, do not know where they are deployed, who is using them and do not have the right systems in place to secure them.”

“As noted by Kaspersky, these stolen Sony certificates are the exact opening attackers need and can lead to further, more detrimental attacks,” Bocek said. “SSL and SSH cloaks an attacker’s communication channel and makes it nearly invisible – this is exactly what they’re looking for to carry out their cyber crimes.”

*Updated with additional information on sample thought to be a joke between researchers.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.