A cryptographic certificate tells us if a website or program is trusted and from a valid company. This trust model only works if we trust that the issuers of certificates have taken appropriate steps to verify ownership before issuing a certificate for a company. This verification allows us to believe that a certificate for any given company name was legitimately created for that company to either cryptographically sign their program or authenticate their website. Unfortunately, the belief that a certificate accurately reflects the company who made the program or website may not always be true.
Certificate validation has never been 100% accurate. The Stuxnet worm, for example, used a valid signed certificate to bypass driver installation warnings back in 2011. A new report by Recorded Future indicates this was just the start. In 2015 a hacker by the name C@T started selling certificates with valid trust chains. C@T found enough information from different companies that he could make certificate requests to major Certificate Authorities (CAs) by impersonating these companies. In 2016 and 2017 three more sellers started selling comprised certificates as well. Through the next year, researchers found more malicious software signed by compromised certificates than before. At a price of $299 to $1,599, malware authors could purchase these certificates and have them be made available in 2 to 4 days. Software signed by these certificates was not caught by most antivirus software. For example, the report researchers tested a Remote Access Trojan (RAT) signed by a false certificate and found only 2 antiviruses could identify the file as malicious. Both were based on heuristics. Of the four sellers who were originally found selling false certificates, two are no longer selling and the other two are only selling to Russian speakers.
Users must be aware of this new threat when running both trusted and unknown software. Even if the software is signed with a valid certificate, that doesn’t mean the software can be trusted fully. The best defense is good antivirus software on your network and firewall. Users must also ensure the certificate matches the manufacture of the software.
The companies that the certificate sellers compromised were likely attacked without their knowledge, meaning they have no idea that malicious hackers were generating these certificates. Past simple impersonation, trojans like Trojan.Zbot can steal private keys directly and send them to a command and control server as one of their attack methods. This risk can be mitigated by separating your computer, with the private key, from the rest of the network and never using it for day-to-day work. —Trevor Collins