DigiCert last week announced that certificates fraudulently obtained from its internal support portal after a cyberattack were revoked.
The attack, the company said in a detailed report, occurred on April 2, when a threat actor targeted DigiCert’s support team with a malicious payload delivered via a customer chat channel, disguised as a screenshot.
The malware infected two endpoints, one of which was identified on April 3, and another on April 14. DigiCert blames the late discovery of the second infection on the malfunctioning security solutions running on the endpoint.
According to the company, the hackers pivoted from the infected system to its internal support portal, using a limited access function to obtain EV Code Signing certificates.
This was possible because DigiCert’s authenticated support analysts can proxy into customer accounts, which provides them with access to specific functions, including initialization codes for pending Code Signing certificate orders.
“Possession of an initialization code, combined with an approved order, is sufficient to obtain the resulting certificate. Since the threat actor was able to obtain these two pieces of information for a finite set of approved orders, they were able to obtain EV Code Signing certificates across a set of customer accounts and CAs,” DigiCert says.
By April 17, the company identified and revoked 60 certificates associated with the incident, including 27 explicitly linked to the threat actor. Of these, 11 were reported by the community and were used to sign the Zhong Stealer malware family, DigiCert says.
“In our investigation, we did not find evidence that the threat actor misused other internal systems other than the Code Signing initialization codes within specific accounts,” the company says.
DigiCert says that all certificates potentially linked to this activity were revoked by April 17, and pending orders were canceled to close the attackers’ access.
Additionally, the company improved its security and access controls to enforce multi-factor authentication for administrative workflows, prevent access to initialization codes from proxied support users, restrict the file types that can be sent using support chat and Salesforce case attachments, and improve logging.
Related: Edtech Firm Instructure Discloses Data Breach Amid Hacker Leak Threats
Related: Over 40,000 Servers Compromised in Ongoing cPanel Exploitation
Related: FBI Warns of Surge in Hacker-Enabled Cargo Theft
Related: Two US Security Experts Sentenced to Prison for Helping Ransomware Gang
