Recent investigations have revealed that valid software code signing certificates are in high demand on the Dark Web, fetching higher prices than stolen credit card data, fake passports, and even guns. Threat actors can abuse these valid but stolen certificates, which chain to roots the operating system already trusts, to install malware on victims' PCs without triggering any alarms.
With bids as high as $1,200 for a single certificate, researchers believe this trend could undermine the entire authentication system the internet is based on. Besides using these certificates to plant malware, attackers could use stolen certificates to perform man-in-the-middle attacks, impersonate legitimate websites and, ultimately, exfiltrate sensitive data. One caveat on scope: a certificate issued for code signing carries an Extended Key Usage that does not cover TLS server authentication, so impersonating a website requires a stolen or fraudulently issued TLS certificate rather than a code-signing one; the underlying problem is the same, namely that any certificate a client trusts is only as safe as the private key behind it.
“We’ve known for a number of years that cybercriminals actively seek code signing certificates to distribute malware through computers,” said Peter Warren, chairman of the CSRI. “The proof that there is now a significant criminal market for certificates throws our whole authentication system for the internet into doubt and points to an urgent need for the deployment of technology systems to counter the misuse of digital certificates.”
Malware developers have long signed their payloads with valid code signing certificates to get onto victims' systems, typically disguising the payload as a security product or a PC optimization tool. Because a stolen certificate is hard to identify and flag as malicious unless the party from whom it was stolen reports the incident, companies can be caught off guard and exposed to risk.
Consequently, any organization whose certificate may have been compromised must report it to the issuing certification authority (CA) and request revocation, so that the certificate appears in the CA's certificate revocation list (CRL) and OCSP responses. When reporting, tell the CA the earliest date the private key could have been exposed: for timestamped Authenticode signatures, a revocation only invalidates signatures timestamped on or after the recorded revocation date, so a revocation dated at the time of the report leaves anything the thief signed earlier still trusted, while a revocation backdated to the compromise voids those signatures without breaking the organization's own earlier releases.
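The revocation timing point, as an added example that is not part of the original article: a toy PKI built with Python's `cryptography` package (an assumed dependency) issues a code-signing certificate, publishes a CRL for it, and checks a signature against the CRL the way an Authenticode-style verifier compares the signature's trusted timestamp with the revocation date. The CA, the vendor name and the day-by-day timeline are all constructed for illustration.

```python
# Added example, not code from the original article. Assumes the `cryptography`
# package; the CA, the vendor certificate and the timeline are all constructed.
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UTC = dt.timezone.utc
DAY = dt.timedelta(days=1)
T0 = dt.datetime(2024, 1, 1, tzinfo=UTC)  # constructed reference date (day 0)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _issue(subject, issuer, pub, signer_key, extension, days):
    """Build one certificate; `extension` marks it as a CA or as code-signing only."""
    return (
        x509.CertificateBuilder()
        .subject_name(subject).issuer_name(issuer).public_key(pub)
        .serial_number(x509.random_serial_number())
        .not_valid_before(T0).not_valid_after(T0 + days * DAY)
        .add_extension(extension, critical=True)
        .sign(signer_key, hashes.SHA256())
    )

def make_ca():
    """Self-signed CA standing in for the commercial CA that sold the certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = _name("Example Code Signing CA")
    return key, _issue(name, name, key.public_key(), key,
                       x509.BasicConstraints(ca=True, path_length=None), 3650)

def issue_code_signing_cert(ca_key, ca_cert, common_name):
    """Leaf certificate whose EKU is code signing only (it cannot serve TLS)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return key, _issue(_name(common_name), ca_cert.subject, key.public_key(), ca_key,
                       x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]), 365)

def build_crl(ca_key, ca_cert, revoked, issued_at):
    """CA-signed CRL from (certificate, effective revocation date) pairs."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(issued_at).next_update(issued_at + DAY))
    for cert, when in revoked:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(cert.serial_number)
            .revocation_date(when)
            .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
            .build())
    return builder.sign(ca_key, hashes.SHA256())

def check_signature(cert, ca_cert, crl, signed_at):
    """Authenticode-style verdict for a signature made with `cert` that carries a trusted
    timestamp `signed_at`: revocation only voids signatures timestamped on/after its date."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "untrusted: CRL not signed by CA"
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return "untrusted: certificate not issued by CA"
    eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    if ExtendedKeyUsageOID.CODE_SIGNING not in eku:
        return "untrusted: not a code-signing certificate"
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return "trusted"
    revoked_at = getattr(entry, "revocation_date_utc", None)
    if revoked_at is None:  # older cryptography releases return a naive UTC datetime
        revoked_at = entry.revocation_date.replace(tzinfo=UTC)
    return "revoked" if signed_at >= revoked_at else "trusted (timestamped before revocation date)"

def scenario():
    """Constructed timeline: legitimate release day 5, key stolen day 10,
    malware signed day 15, theft noticed and reported to the CA day 20."""
    ca_key, ca_cert = make_ca()
    _, vendor_cert = issue_code_signing_cert(ca_key, ca_cert, "Example Software Ltd")
    legit_signed, compromise = T0 + 5 * DAY, T0 + 10 * DAY
    malware_signed, reported = T0 + 15 * DAY, T0 + 20 * DAY
    crl_late = build_crl(ca_key, ca_cert, [(vendor_cert, reported)], reported)        # dated at report
    crl_backdated = build_crl(ca_key, ca_cert, [(vendor_cert, compromise)], reported)  # dated at theft
    return {
        "late_legit": check_signature(vendor_cert, ca_cert, crl_late, legit_signed),
        "late_malware": check_signature(vendor_cert, ca_cert, crl_late, malware_signed),
        "backdated_legit": check_signature(vendor_cert, ca_cert, crl_backdated, legit_signed),
        "backdated_malware": check_signature(vendor_cert, ca_cert, crl_backdated, malware_signed),
    }

if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{case:18} {verdict}")
```

Run it and compare the two CRLs: with the revocation dated at the time of the report, the malware signed on day 15 still verifies; with the date backdated to the compromise, it is rejected while the vendor's day-5 release stays trusted. A real verifier also checks OCSP and the timestamp authority's own chain; the toy models only the date comparison that decides the outcome.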