
Secplicity - Security Simplified

Powered by WatchGuard Technologies

With Certificates, Who Do We Actually Trust?

February 27, 2018 By Trevor Collins

A cryptographic certificate tells us if a website or program is trusted and from a valid company. This trust model only works if we trust that the issuers of certificates have taken appropriate steps to verify ownership before issuing a certificate for a company. This verification allows us to believe that a certificate for any given company name was legitimately created for that company to either cryptographically sign their program or authenticate their website. Unfortunately, the belief that a certificate accurately reflects the company who made the program or website may not always be true.

Certificate validation has never been 100% accurate. The Stuxnet worm, for example, used a validly signed certificate to bypass driver installation warnings back in 2011. A new report by Recorded Future indicates this was just the start. In 2015 a hacker by the name [email protected] started selling certificates with valid trust chains. [email protected] gathered enough information about different companies that he could submit certificate requests to major Certificate Authorities (CAs) while impersonating those companies. In 2016 and 2017 three more sellers started selling compromised certificates as well. Over the following year, researchers found more malicious software signed with compromised certificates than before. At a price of $299 to $1,599, malware authors could purchase these certificates and have them delivered in 2 to 4 days. Software signed with these certificates was not caught by most antivirus software. For example, the report's researchers tested a Remote Access Trojan (RAT) signed with a fraudulently issued certificate and found that only 2 antivirus products identified the file as malicious; both relied on heuristics. Of the four sellers originally found selling these certificates, two are no longer selling and the other two sell only to Russian speakers.

Users must be aware of this new threat when running both trusted and unknown software. Even if the software is signed with a valid certificate, that does not mean the software can be fully trusted. The best defense is good antivirus software on your network and firewall. Users must also ensure that the certificate's subject matches the actual manufacturer of the software, not merely that the signature validates.
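One way to act on that last piece of advice, as an added PowerShell example that is not part of the original post: a fraudulently issued certificate passes the "Valid" status check, so the script also compares the signer's common name against the publisher you expect. The file path, expected publisher and optional thumbprint allow-list are placeholders supplied by the caller.

```powershell
# Added example (not from the Secplicity post): check that a Windows binary's
# Authenticode signature is valid AND issued to the publisher we expect.
# $Path, $ExpectedPublisher and $PinnedThumbprints are hypothetical caller inputs.
function Test-ExpectedSigner {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string]   $ExpectedPublisher,   # e.g. 'Contoso Ltd' (placeholder)
        [string[]] $PinnedThumbprints = @()                     # optional: thumbprints you already trust
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $result = [ordered]@{
        Path             = $Path
        ChainValid       = ($sig.Status -eq 'Valid')   # what a fraudulently issued cert still passes
        StatusMessage    = $sig.StatusMessage
        SignerSubject    = if ($cert) { $cert.Subject } else { $null }
        Issuer           = if ($cert) { $cert.Issuer }  else { $null }
        Timestamped      = [bool] $sig.TimeStamperCertificate
        PublisherMatches = $false
        Pinned           = $false
    }

    if ($cert) {
        # Compare the CN (the name shown to the user) against the publisher we expect.
        $cn = $cert.GetNameInfo('SimpleName', $false)
        $result.PublisherMatches = ($cn -eq $ExpectedPublisher)
        # Stronger check: the exact certificate you vetted earlier, not just a matching name.
        $result.Pinned = ($PinnedThumbprints -contains $cert.Thumbprint)
    }

    # Trust requires both a valid chain and the expected identity; pinning is reported separately.
    $result.Trusted = $result.ChainValid -and $result.PublisherMatches
    [pscustomobject] $result
}

# Usage with placeholder values:
# Test-ExpectedSigner -Path 'C:\Downloads\installer.exe' -ExpectedPublisher 'Contoso Ltd'
```

A result with ChainValid true but PublisherMatches false is exactly the case the report describes: a legitimate chain ending in the wrong company's name.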

The companies that the certificate sellers impersonated were likely targeted without their knowledge, meaning they had no idea that malicious hackers were obtaining certificates in their name. Beyond simple impersonation, trojans like Trojan.Zbot can steal private keys directly and send them to a command and control server as one of their attack methods. This risk can be mitigated by separating the computer that holds the private key from the rest of the network and never using it for day-to-day work. —Trevor Collins

Filed Under: Editorial Articles Tagged With: Hacking, Infosec news
