Code-signing certificates have become a high-value target for cybercriminals. Here’s how to keep your certificates safe
There’s a lot of buzz right now about a report, recently released by BlackBerry that reveals how five related APT groups have conducted attacks on a global scale for nearly a decade—all without detection.
The report, titled “Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android,” digs into a series of backdoors, malicious toolsets and remote access trojans (RATs), but one tactic shared by all groups is the use of stolen code-signing certificates.
According to Blackberry, “All five groups examined in this report have been observed attacking video game companies to steal code-signing certificates which they used to sign their malware, as well as attacking the gaming companies for criminal purposes to produce revenue.”
How Hackers Hide Their Malware
Code-signing is used to prove the identity of the source vendor of software and verify that the code hasn’t been tampered with since it was published. That starts right from the build process (signing binaries) and goes all the way through the packaged release.
However, because digital signatures from code-signing certificates are inherently trusted, they’ve become a high-value target for cybercriminals. If hackers get their hands on code-signing certificates from legitimate companies, they can sign virtually any code, including malware they’ve developed.
It goes without saying that code-signing certificates and keys can inflict some serious damage in the wrong hands. Most security professionals understand the security risks involved, but many aren’t taking the proper steps to protect these assets against misuse or theft. That’s why we’ve seen successful attacks such as Stuxnet, ShadowHamer and so many others.
Why is the gaming industry such a popular target?
Attackers always find the path of least resistance. The videogame industry moves fast, signs code frequently and often lacks the security investment required to properly protect code-signing certificates from misuse. These companies also typically have a large user base, which allows attackers to easily sign and spread their malware to millions of devices.
That said, it appears these APT groups are changing the game, literally.
No More Playing Games
The report found that these five APT groups and likely others “have shifted from signing malware with certificates stolen from video game companies to signing malware with certificates stolen from adware vendors, resulting in very low detection rates.”
Network and security teams are inundated with alerts on any given day. Most adware is signed with legitimate code-signing certificates, so identifying which of the thousands of adware alerts are legitimate threats versus a common nuisance is just not feasible for most teams. If detected, malware disguised as adware stands a much better chance of being overlooked, rather than investigated.
There are two players in any cybersecurity program: humans and machines. In this case, APT groups are preying on the human psyche. Instead of avoiding network defenses, attackers are moving straight through them, leveraging security teams’ assumptions about adware against them.
How do hackers get their hands on your code-signing certificates in the first place? There are multiple methods to their madness, but here are three key weaknesses they seek to exploit:
- Key theft: To enable developers to move fast, code-signing certificates (and their associated private keys) are often placed in unprotected locations such as signing servers or developer workstations. If attackers breach these systems, it’s game over.
- Internal misuse: Sometimes developers just make it too easy for attackers to find them. For instance, developers at D-Link accidentally published four code-signing keys in open source firmware back in 2015. Netgear suffered a similar incident just this year.
- Signing compromise: Attackers don’t need your code-signing keys to sign malware. By gaining access to your signing infrastructure, they can sign malware and pass it off as legitimate, often without detection. In 2019, ASUS unknowingly pushed malware to thousands of its own users after hackers compromised their ASUS Live Update Utility.
Today’s development teams work across disparate locations, push more frequent releases and DevOps workflows require signing at multiple stages throughout the life cycle. All these trends expose sensitive code-signing certificates to increased risk.
How to Protect Your Certificates
The reality is that every organization is in software development. Whether you’re writing code or deploying infrastructure, you need to think about the security of your code-signing processes.
Here are some recommendations to avoid code-signing breaches:
- Protect your keys: Code signing private keys should be kept in a central, hardware-protected location. HSMs are the most effective way to ensure that these keys are locked down and all actions are audited.
- Define roles and policies: Establish roles for those authorized to sign code and those authorized to approve signing requests. Ensure that even authorized developers are only granted access to sign code for a defined timeslot, number of signatures and other parameters to prevent misuse.
- Audit everything: Ensure that all code-signing transactions are audited. Keep a comprehensive log of who used which code signing keys, when and who authorized the action to identify irregularities and mitigate potential risks.