Fake code-signing certificates: Why organisations should be worried

Fake code-signing certificates, which are now available on the Dark Web for up to $1,200 apiece, now pose a significant cyber threat to organisations and individuals alike.

Fake code-signing certificates allow malicious actors to inject malware into systems by bypassing malware detection technologies in operating systems.

For years, the likes of Microsoft, Google and Apple have urged users to check for website security certificates, download apps only from official app stores, and check for code-signing certificates whenever visiting websites or downloading executables from the Web to be sure that such sites and programmes are authentic, are being shared by original developers and have not been compromised.

Code-signing certificates, for instance, go a long way in assuring users that the sites they visit and the files they download to their systems are devoid of malware. Before launching new applications or software for public use, developers use such digital signatures to establish the credibility of their products and that they are safe to access or download.

YOU MAY ALSO LIKE:

A code-signing certificate ensures that an application is compatible with all major platforms, is free from tampering, creates a trusted distribution outlet, and authenticates software developers. If any malicious actor attempts to tamper with any certified software or application, the digital signature breaks, thereby alerting users that such products have been compromised.

However, despite their watertight security mechanisms, code-signing certificates are now being compromised with increasing regularity, thereby not only destroying the authenticity of software products but also exposing end users to all kinds of malware and computer viruses.

In a recent paper, the UK's National Cyber Security Centre has warned of the dangers posed by code-signing certificates in the hands of malicious actors. The centre revealed that code-signing certificates are available to purchase on the Dark Web for up to $1,200 apiece. Their pricing makes them even more expensive than fake driver’s licences, stolen credit cards, commissioning a targeted cyber attack, or even buying a handgun.

'Since at least 2011, they [researchers] have noted a trend for both cyber criminals and APT cyber actors to sign their malware using stolen or fraudulently obtained certificates to bypass security measures. Signed code tends to be treated as trusted and some operating systems will flag up, or refuse to run, code that is not signed,' the centre warned.

It added that cyber criminals are able to obtain code-signing certificates either by breaching servers of well-known technology companies and stealing their signing facilities, or by applying for such certificates in the names of fake companies. These certificates are then used by such actors to promote their malware-infested apps, software and websites on the Web.

Recently, popular system performance-optimising software CCleaner was compromised by hackers and infected with a multi-stage malware payload that could help hackers spy on millions of PC users who used CCleaner.

According to research firm Cisco Talos, the CCleaner hack was another example of a supply chain attack where a malware used legitimate software to infect computers and helped hackers steal sensitive data and user credentials from affected systems. The infected CCleaner software was reportedly downloaded by over 4 million users between 15th August and 15th September.

According to Piriform, the developer of CCleaner, 'the compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA.'

The National Cyber Security Centre has revealed that the CCleaner hack was an instance of hackers fraudulently obtaining a code-signing certificate by breaching the company's systems. After obtaining the certificate, the hackers released the compromised software by masquerading it as a security update on 15th August.

The fact that malicious actors can now freely obtain code-signing certificates from the Dark Web and spread malicious apps and software on the Web poses a huge risk not only to individual users, but also to banks as well as companies that hold customer data.

'With stolen code signing certificates, it’s nearly impossible for organizations to detect malicious software. Any cyber criminal can use them to make malware, ransomware, and even kinetic attacks trusted and effective. In addition, code signing certificates can be sold many times over before their value begins to diminish, making them huge money makers for hackers and dark web merchants.

'All of this is fueling the demand for stolen code signing certificates,' says Kevin Bocek, chief security strategist for Venafi, whose research on the subject was cited by the National Cyber Security Centre.

'Although our research uncovered a thriving trade in code signing certificates, we were only able to scratch the surface of this market. In an ironic twist, our researchers were often limited from delving further as dark web traders didn’t trust them. We suspect that TLS, VPN, and SSH key and certificate trading is also rife, alongside the trade in code signing certificates we uncovered,' he added.