BlackTech APT Steals D-Link Cert for Cyber-Espionage Campaign

Discussion in 'Security and Anti-Virus Software' started by hmscott, Jul 20, 2018.

  1. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    4,800
    Messages:
    16,646
    Likes Received:
    20,487
    Trophy Points:
    931
    BlackTech APT Steals D-Link Cert for Cyber-Espionage Campaign
    By Catalin Cimpanu , July 10, 2018 12:05 AM
    https://www.bleepingcomputer.com/ne...als-d-link-cert-for-cyber-espionage-campaign/

    "A lesser-known cyber-espionage group known as BlackTech has been caught earlier this month using a stolen D-Link certificate to sign malware deployed in a recent campaign.

    "The exact same certificate had been used to sign [official] D-Link software; therefore, the certificate was likely stolen," says Anton Cherepanov, a security researcher for Slovak antivirus company ESET, and the one who discovered the stolen cert.

    D-Link cert used to sign PLEAD malware samples
    Cherepanov says BlackTech operators used the stolen cert to sign two malware payloads — the first is the PLEAD backdoor, while the second is a nondescript password stealer.

    According to a 2017 Trend Micro report, the BlackTech group has used the PLEAD malware in the past. Just like in previous attacks, the group's targets for these most recent attacks were again located in East Asia, particularly in Taiwan.

    The password stealer isn't anything special, being capable of extracting passwords from only four apps — Internet Explorer, Google Chrome, Mozilla Firefox, and Microsoft Outlook.

    Following Cherepanov's report about BlackTech using one of its certificates, D-Link revoked it last Tuesday, July 3. Before the revocation, the certificate was being used to secure the web panel of mydlink IP cameras.

    APT used another certificate, but that one was older
    In addition to the malware samples signed with the D-Link cert, Cherepanov also discovered some BlackTech malware samples signed with a certificate belonging to Taiwanese tech firm Changing Information Technology, Inc..

    But unlike the D-Link certificate, this one had been revoked last year, on July 4, 2017, meaning it wasn't really that useful.

    By signing the malicious files, BlackTech made their malware appear as a legitimate app from a trusted source to the underlying OS.

    It's no surprise seeing a supposed nation-state attacker with nearly unlimited resources abusing stolen certificates. A Recorded Future investigation published at the start of the year revealed that most common crooks couldn't afford to buy digital certificates off the black market due to their prohibitive costs. Most stolen certificates remain only within arm's reach of APTs and highly advanced financial crime groups."
     
  2. hmscott

    Hackers Using Stolen D-Link Certificates for Malware Signing
    By Ionut Arghire on July 09, 2018
    https://www.securityweek.com/hackers-using-stolen-d-link-certificates-malware-signing

    "A cyber-espionage group is abusing code-signing certificates stolen from Taiwan-based companies for the distribution of their backdoor, ESET reports.

    The group, referred to as BlackTech, appears highly skilled and focused on the East Asia region, particularly Taiwan. The certificates, stolen from D-Link and security company Changing Information Technology Inc., have been used to sign the Plead backdoor, ESET's security researchers say.

    The Plead campaign is believed to have been active since at least 2012, often focused on confidential documents and mainly targeting Taiwanese government agencies and private organizations.

    Evidence of the fact that the D-Link certificate was stolen comes from the fact that it was used to sign non-malicious D-Link software, not only the Plead malware, ESET explains.

    After being informed on the misuse of its certificate, D-Link revoked it, along with a second certificate, on July 3. In an advisory, the company said that most of its customers should not be affected by the revocation.

    “D-Link was victimized by a highly active cyber espionage group which has been using PLEAD Malware to steal confidential information from companies and organizations based in East Asia, particularly in Taiwan, Japan, and Hong Kong,” the company said.

    Changing Information Technology Inc., also based in Taiwan, revoked the misused certificate on July 4, but the threat actor continued to use it for malicious purposes even after that date, ESET reveals.

    The signed malware samples also contain junk code for obfuscation purposes, but all perform the same action: they either fetch from a remote server or open from the local disk encrypted shellcode designed to download the final Plead backdoor module.

    The malware can steal passwords from major web browsers, such as Chrome, Firefox, and Internet Explorer, and from Microsoft Outlook.

    According to Trend Micro, the Plead backdoor can also list drives, processes, open windows and files on the compromised machine, can open a remote shell, upload files, execute applications via the ShellExecute API, and delete files.

    “Misusing digital certificates is one of the many ways cybercriminals try to mask their malicious intentions – as the stolen certificates let malware appear like legitimate applications, the malware has a greater chance of sneaking past security measures without raising suspicion,” ESET notes.

    The use of code-signing certificates for malware delivery isn’t a novel practice, and the Stuxnet worm, which was discovered in 2010, is a great example of how long threat actors have been engaging in such practices. The first to target critical infrastructure, Stuxnet used digital certificates stolen from RealTek and JMicron, well-known Taiwanese tech companies."
     
  3. hmscott

    Valid D-Link Certificate Used by Plead Malware Campaigns
    July 10, 2018 by Milena Dimitrova
    A new malware campaign leveraging stolen digital certificates has been discovered by security researchers at cybersecurity firm ESET. The researchers spotted the malware campaign when some of their systems marked several files as suspicious.
    https://sensorstechforum.com/valid-d-link-certificate-plead-malware/

    "Plead Malware Using the Stolen Certificates
    It turned out that the flagged files were digitally signed via a valid D-Link Corporation code-signing certificate. The exact same certificate had been used to sign non-malicious D-Link software meaning that the certificate was most likely stolen, the researchers said in their report.

    Having confirmed the file’s malicious nature, we notified D-Link, who launched their own investigation into the matter. As a result, the compromised digital certificate was revoked by D-Link on July 3, 2018.

    The analysis showed that there are two different malware families abusing the certificate – Plead malware which is a remotely controlled backdoor, and a related password stealing component. According to researchers from TrendMicro, the Plead backdoor is used by a cyber-espionage group known as BlackTech.

    Along with the Plead malware samples signed with the stolen D-Link certificate, samples signed via a certificate by a Taiwanese security company, Changing Information Technology Inc, have also been discovered. It appears that the BlackTech hackers are still using the certificate even though it was revoked on July 4, 2017, a year ago.

    The ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region, the researchers noted.

    It should be noted that “the signed Plead malware samples are highly obfuscated with junk code, but the purpose of the malware is similar in all samples: it downloads from a remote server or opens from the local disk a small encrypted binary blob“. The binary blob contains encrypted shellcode, which serves to download the final Plead backdoor module.

    As for the password stealer component, it is used specifically to harvest saved passwords from the following list of popular applications:
    • Google Chrome
    • Microsoft Internet Explorer
    • Microsoft Outlook
    • Mozilla Firefox
    Stolen Certificates in Malware Distribution Still a Trend
    Last year researchers at Venafi discovered that the illegal trade of digital code signing certificates was blooming. The certificates are mostly used to verify software products, proving their status as legitimate. If compromised, these certificates can be deployed to install malware on devices and networks without being detected.

    The proof that there is now a significant criminal market for certificates throws our whole authentication system for the internet into doubt and points to an urgent need for the deployment of technology systems to counter the misuse of digital certificates, researchers said."
     
  4. hmscott

    Stolen Code Signing Certificates Are the Hottest Dark Web Trend
    Dark Web news flash – digital code signing certificates cost way more than guns in underground markets. Apparently, a single certificate may cost up to $1,200, whereas a handgun is sold for about $600.
    October 31, 2017 by Milena Dimitrova
    https://sensorstechforum.com/code-signing-certificates-dark-web/

    "According to researchers at Venafi, the trade of digital code signing certificates is currently blooming. The certificates are mostly used to verify software products, proving their status as legitimate. If compromised, these certificates can be deployed to install malware on devices and networks without being detected.

    Stolen Certificates Make Detection Nearly Impossible
    “With stolen code signing certificates, it’s nearly impossible for organizations to detect malicious software. Any cybercriminal can use them to make malware, ransomware, and even kinetic attacks trusted and effective,” Kevin Bocek, chief security strategist at Venafi, recently said.

    Researchers have known for quite some time that cybercriminals actively seek code signing certificates to distribute malware through computers, Peter Warren, chairman of the Cyber Security Research Institute, explained. The CSRI, in partnership with the Cyber Security Centre at the University of Hertfordshire, carried out a six-month investigation reaching the following conclusion:

    The proof that there is now a significant criminal market for certificates throws our whole authentication system for the internet into doubt and points to an urgent need for the deployment of technology systems to counter the misuse of digital certificates.

    The worst thing is that code signing certificates can be re-sold over and over before their value decreases. This way cybercriminals and Dark Web dealers can make huge money. This fact alone is enough to keep on driving the demand for stolen certificates.

    This is not the only troublesome trend discovered in the Dark Web. Flashpoint researchers recently revealed that access to Windows XP desktop computers is being offered for only $3, whereas access to Windows 10 systems costs $9.

    These two Dark Web trends combined can lead to various malicious outcomes compromising both consumers and enterprises."
     
  5. hmscott

    How Cybercrime Exploits Digital Certificates
    POSTED IN GENERAL SECURITY ON JULY 28, 2014
    https://resources.infosecinstitute.com/cybercrime-exploits-digital-certificates/
    "What is a digital certificate?
    The digital certificate is a critical component of a public key infrastructure. It is an electronic document that associates the individual identity of a person to the public key associated with it.

    A certificate can then be associated with a natural person, a private company or a web service as a portal. The certificate is issued by an organization, dubbed Certification Authority (or CA), recognized as “trusted” by the parties involved, and is used ordinarily for the operations of public key cryptography.

    The Certification Authority issues a digital certificate in response to a request only after it verifies the identity of the certificate applicant.

    The process of telematics verification of certificates can be done by anyone, since the CA maintains a public register of the digital certificates issued and a register of the revoked ones (Certificate Revocation List or CRL).

    Each digital certificate is associated with a time period of validity, so certificates may be revoked if expired.

    Other conditions that could cause the revocation of a digital certificate are the exposure of its private key, and any change of the relationship between the subject and its public key, for example the change of the mail address of the applicant.

    In the process of asymmetric cryptography, each subject is associated with a pair of keys, one public and one private. Any person may sign a document with its private key. Everyone with intent to verify the authenticity of the document can verify the document using the public key of the signer, which is exposed by the CA.

    Another interesting use linked to the availability of the public key of an entity is the sending of encrypted documents. Assuming you want to send an encrypted document to Pierluigi, it is sufficient that you sign them with his public key exposed by the CA. At this point, only Pierluigi with his private key, associated with the public key used for the encryption, can decrypt the document.

    The public key of each subject is contained in a digital certificate signed by a trusted third party. In this way, those who recognize the third party as trustworthy just have to verify its signature to accept as valid the public key it exposes.

    The most popular standard for digital certificates is the ITU-T X.509, according to which a CA issues a digital certificate that binds the public key of the subject to a Name Badge (Distinguished Name), or to an Alternative Name (Alternative Name) such as an email address or a DNS record.

    The structure of an X.509 digital certificate includes the following information:
    • version
    • serial number
    • ID algorithm
    • body emitter
    • validity
    • subject
    • information on the public key of the subject
    • signature algorithm of the certificate
    • signature of certificate
    It is likely you’ll come across the extensions used for files containing X.509 certificates, the most common are:
    • CER – Certified with DER encoded, sometimes sequences of certificates.
    • DER – DER encoded certificate.
    • PEM – Base64-encoded certificate to a file. PEM may contain certificates or private keys.
    • P12 – PKCS #12 certificates and may contain public and private keys (password protected).
    Another classification of digital certificates is the intended use. It is useful to distinguish authentication certificates and subscription certificates.

    A subscription Digital Certificate is used to define the correspondence between an individual applying for the certificate and its public key. These certificates are the ones used for the affixing of digital signatures that are legally valid.

    A Certificate of Authentication is mainly used for accessing web sites that implement authentication via certificate, or sign up for e-mail messages in order to ensure the identity of the sender. An authentication certificate is usually associated with an email address in a unique way.

    A digital certificate in the wrong hands
    Security experts recognize 2011 as the worst year for certification authorities. The number of successful attacks against major companies reported during the year has no precedent, many of them had serious consequences.

    Comodo was the first organization to suffer a cyber attack. High managers at Comodo revealed that the registration authority had been compromised in a March 15th, 2011 attack and that the username and password of a Comodo Trusted Partner in Southern Europe were stolen. As a consequence, a Registration Authority suffered an attack that resulted in a breach of one user account of that specific RA. Its account was then fraudulently used to issue nine digital certificates across seven different domains, including: login.yahoo.com (NSDQ:YHOO), mail.google.com (NSDQ:GOOG), login.skype.com, and addons.mozilla.org. All of these certificates were revoked immediately upon discovery.

    In August of the same year, another giant fell victim to a cyber attack: the Dutch Certification Authority DigiNotar, owned by VASCO Data Security International. On September 3rd, 2011, after it had become clear that a security breach had resulted in the fraudulent issuing of certificates, the Dutch government took over the operational management of DigiNotar’s systems. A few weeks later, the company was declared bankrupt.

    But the list of victims is long. KPN stopped issuing digital certificates after finding a collection of attack tools on its server likely used to compromise it. The company informed the media that there wasn’t evidence that its CA infrastructure was compromised, and that all the actions to respond to the incident had been started as a precaution.

    Experts at KPN discovered the tools during a security audit: they found a server hosting a DDoS tool. The application may have been there for as long as four years.

    Unfortunately, the defeat is not finished, because in the same period, GemNET, a subsidiary of KPN (a leading telecommunications and ICT service provider in The Netherlands), suffered a data breach, and according to Webwereld, the hack was related to CA certificates.

    The list of victims is reported in the following table published by the expert Paolo Passeri on his blog hackmageddon.com. It includes also other giants like GlobalSign and DigiCert Malaysia.

    Figure – CA incidents occurred in 2011 (Hackmageddon.com)

    Why attack a Certification Authority?
    Cybercriminals and state-sponsored hackers are showing a great interest in the PKI environment, and in particular they are interested in abusing digital certificates to conduct illicit activities like cyber espionage, sabotage or malware diffusion.

    The principal malicious uses related to the digital certificates are:

    Improve malware diffusion
    Installation of certain types of software (e.g. application updates) requires its code to be digitally signed with a trusted certificate. For this reason, cyber criminals and other bad actors have started to target entities managing digital certificates. By stealing a digital certificate associated with a trusted vendor and signing malicious code with it, it reduces the possibility that a malware will be detected as quickly.

    Security experts have estimated that more than 200,000 unique malware binaries were discovered in the last couple of years signed with valid digital signatures.

    The most famous example is represented by the cyber weapon Stuxnet used to infect nuclear plants for the enrichment of uranium in Iran. The source code of the malware was signed using digital certificates associated to Realtek Semiconductor and JMicron Technology Corp, giving the appearance of legitimate software to the targeted systems.

    Stuxnet drivers were signed with certificates from JMicron Technology Corp and Realtek Semiconductor Corp, two companies that have offices in the Hsinchu Science and Industrial Park. Security experts at Kaspersky Lab hypothesized an insider job. It is also possible that the certificates were stolen using a dedicated Trojan such as Zeus, meaning there could be more.

    Figure – Digital certificate used to sign Stuxnet

    In September 2013, cyber criminals stole digital certificates associated with Adobe. According to security chief Brad Arkin, a group of hackers signed a malware using an Adobe digital certificate, compromising a vulnerable build server of the company. The hacked server was used to get code validation from the company’s code-signing system.

    “We have identified a compromised build server with access to the Adobe code signing infrastructure. We are proceeding with plans to revoke the certificate and publish updates for existing Adobe software signed using the impacted certificate … This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications* that run on both Windows and Macintosh. The revocation does not impact any other Adobe software for Macintosh or other platforms … Our forensic investigation is ongoing. To date we have identified malware on the build server and the likely mechanism used to first gain access to the build server. We also have forensic evidence linking the build server to the signing of the malicious utilities. We can confirm that the private key required for generating valid digital signatures was not extracted from the HSM,” reported the company advisory (written by Arkin).
    Figure – Adobe Breach Advisory

    The hackers signed with a valid and legitimate Adobe certificate at least a couple of malicious codes, a password dumper, and a malicious ISAPI filter. The two malicious programs were signed on July 26, 2012.

    In April 2014, security researchers at Comodo AV Labs detected a new variant of the popular Zeus Trojan, enhanced with a digital signature of its source code to avoid detection. This instance is digitally signed with a stolen digital certificate, which belongs to Microsoft Developer.
    Figure – Adobe Digital Certificate abused by cyber criminals

    Economic Frauds
    A digital signature gives a warranty on who signed a document and you can decide if you trust the person or company who signed the file and the organization who issued the certificate. If a digital certificate is stolen, victims will suffer an identity theft and related implications.

    Malware authors could design a specific malicious agent that could be spread to steal digital certificates. In the case of certificates associated with a web browser, it is possible to trick victims into thinking that a phishing site is legitimate.

    Cyber warfare
    Cyber espionage conducted by cyber criminals or state-sponsored hackers is the activity most frequently carried out with stolen certificates. Digital certificates are used by attackers to conduct “man-in-the-middle” attacks over secure connections, tricking users into thinking they were on a legitimate site when in fact their SSL/TLS traffic was being secretly tampered with and intercepted.

    One of the most blatant cases was the DigiNotar one, when different companies like Facebook, Twitter, Skype, Google and also intelligence agencies like CIA, Mossad, and MI6 were targeted in the Dutch government certificate hack.

    In 2011, Fox-IT security firm discovered that the extent and duration of the breach were much more severe than had previously been disclosed. The attackers could have used the stolen certificates to spy on users of popular websites for weeks, without their being able to detect it.

    “It’s at least as bad as many of us thought … DigiNotar appears to have been totally owned for over a month without taking action, and they waited another month to take necessary steps to notify the public,” said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

    Fox-IT was commissioned by Diginotar to conduct an audit, dubbed “Operation Black Tulip,” and discovered that the servers of the company were compromised.

    Another clamorous case was discovered in December 2013 by Google, which noticed the use of digital certificates issued by an intermediate certificate authority linked to ANSSI for several Google domains.

    ANSSI is the French Cyber Security agency that operates with French intelligence agencies. The organization declares that an intermediate CA is generating fake certificates to conduct MITM attacks and inspect SSL traffic. Be aware that an intermediate CA certificate carries the full authority of the CA, and attackers can use it to create a certificate for any website they wish to hack.

    “ANSSI has found that the intermediate CA certificate was used in a commercial device, on a private network, to inspect encrypted traffic with the knowledge of the users on that network.”

    Google discovered the ongoing MITM attack and blocked it. Google also declared that ANSSI has requested to block an intermediate CA certificate.
    Figure – Digital certificate warning

    “As a result of a human error which was made during a process aimed at strengthening the overall IT security of the French Ministry of Finance, digital certificates related to third-party domains which do not belong to the French administration have been signed by a certification authority of the DGTrésor (Treasury) which is attached to the IGC/A.

    “The mistake has had no consequences on the overall network security, either for the French administration or the general public. The aforementioned branch of the IGC/A has been revoked preventively. The reinforcement of the whole IGC/A process is currently under supervision to make sure no incident of this kind will ever happen again,” stated the ANSSI advisory.

    The ANSSI attributed the incident to “Human Error” made by someone at the Finance Ministry, sustaining that the intermediate CA certificate was used in a commercial device, on a private network, to inspect encrypted traffic with the knowledge of the users on that network.

    Misusing Digital Certificates
    Digital certificates have been misused many times during recent years. Bad actors abused them to conduct cyber attacks against private entities, individuals and government organizations. The principal abuses of digital certificates observed by security experts:

    Man-in-the-middle (MITM) attacks
    Bad actors use digital certificates to eavesdrop on SSL/TLS traffic. Usually these attacks exploit the lack of strict controls by client applications when a server presents them with an SSL/TLS certificate signed by a trusted but unexpected Certification Authority.

    SSL certificates are the privileged mechanism for ensuring that secure web sites really are who they say they are. Typically, when we access a secure website, a padlock is displayed in the address bar. Before the icon appears, the site first presents a digital certificate, signed by a trusted “root” authority, that attests to its identity and encryption keys.

    Unfortunately web browsers, due to improper design and lack of efficient verification processes, accept the certificates issued by the trusted CA, even if it is an unexpected one.

    An attacker that is able to obtain a fake certificate from any certification authority and present it to the client during the connection phase can impersonate every encrypted web site the victim visits.

    “Most browsers will happily (and silently) accept new certificates from any valid authority, even for web sites for which certificates had already been obtained. An eavesdropper with fake certificates and access to a target’s internet connection can thus quietly interpose itself as a ‘man-in-the-middle’, observing and recording all encrypted web traffic, with the user none the wiser.”

    Figure – MITM handshake

    Cyber attacks based on signed malware
    Another common cyber attack is based on malware signed with stolen code-signing certificates. The techniques allow attackers to improve avoidance techniques for their malicious codes. Once the private key associated with a trusted entity is compromised, it could be used to sign the malicious code of the malware. This trick allows an attacker to also install those software components (e.g. drivers, software updates) that require signed code for their installation/execution. One of the most popular cases was related to the data breach suffered by security firm Bit9. Attackers stole one of the company’s certs and used it to sign malware and serve it. The certificate was used to sign a malicious Java Applet that exploited a flaw in the targeted browser.

    Malware installed illegitimate certificates
    Attackers could also use malware to install illegitimate certificates to trust them, avoiding security warnings. Malicious code could for example operate as a local proxy for SSL/TLS traffic, and the installed illegitimate digital certificates could allow attackers to eavesdrop on traffic without triggering any warning. The installation of a fake root CA certificate on the compromised system could allow attackers to arrange a phishing campaign. The bad actor just needs to set up a fake domain that uses SSL/TLS and passes certificate validation steps. Recently, Trend Micro has published a report on a hacking campaign dubbed “Operation Emmental”, which targeted Swiss bank accounts with a multi-faceted attack that is able to bypass two factor authentication implemented by the organization to secure its customers. The attackers, in order to improve the efficiency of their phishing schema, used a malware that installs a new root Secure Sockets Layer (SSL) certificate, which prevents the browser from warning victims when they land on these websites.
    Figure – Certificate installed by malware in MS store

    CAs issued improper certificates
    Improper certificates are issued by the CAs and hackers use them for cyber attacks. In one of the most blatant cases, DigiCert mistakenly sold a certificate to a non-existent company. The digital certificate was then used to sign malware used in cyber attacks.

    How to steal a digital certificate
    Malware is the privileged instrument for stealing a digital certificate and the private key associated with the victims. Experts at Symantec tracked different strains of malware which have the capability to steal both private keys and digital certificates from Windows certificate stores. This malicious code exploits the operating system’s functionality. Windows OS archives digital certificates in a certificate store.

    “Program code often uses the PFXExportCertStoreEx function to export certificate store information and save the information with a .pfx file extension (the actual file format it uses is PKCS#12). The PFXExportCertStoreEx function with the EXPORT_PRIVATE_KEYS option stores both digital certificates and the associated private keys, so the .pfx file is useful to the attacker,” states a blog post from Symantec.

    The CertOpenSystemStoreA function could be used to open certificate stores, while the PFXExportCertStoreEx function exports the content of the following certificate stores:
    • MY: A certificate store that holds certificates with the associated private keys
    • CA: Certificate authority certificates
    • ROOT: Root certificates
    • SPC: Software Publisher Certificates
    Invoking the PFXExportCertStoreEx function with the EXPORT_PRIVATE_KEYS option, it is possible to export both digital certificates and the associated private key.

    The code in the following image performs the following actions:
    • Opens the MY certificate store
    • Allocates 3C245h bytes of memory
    • Calculates the actual data size
    • Frees the allocated memory
    • Allocates memory for the actual data size
    • The PFXExportCertStoreEx function writes data to the CRYPT_DATA_BLOB area that pPFX points to
    • Writes the content of the certificate store.
    Figure – Malware code to access certificates info

    The experts noticed that a similar process is implemented by almost every malware used to steal digital certificates. Malicious code is used to steal certificate store information when the computer starts running.

    Once an attacker has obtained the victim’s private key from a stolen certificate, they could use a tool like the Microsoft signing tool bundled with the Windows DDK, Platform SDK, and Visual Studio. Running Sign Tool (signtool.exe), it is possible to digitally sign any code, including malware source code.

    Abuse prevention
    I would like to close this post by introducing a couple of initiatives started to prevent the abuse of digital certificates. The first was started by a security researcher at Abuse.ch, who launched the SSL Black List, a project to create an archive of all the digital certificates used for illicit activities. Abuse.ch is a Swiss organization that has been involved in recent years in many investigations into the major banking Trojan families and botnets.

    “The goal of SSLBL is to provide a list of bad SHA1 fingerprints of SSL certificates that are associated with malware and botnet activities. Currently, SSLBL provides an IP based and a SHA1 fingerprint based blacklist in CSV and Suricata rule format. SSLBL helps you in detecting potential botnet C&C traffic that relies on SSL, such as KINS (aka VMZeuS) and Shylock,” wrote the researcher in a blog post which introduces the initiative.

    The need to track abuse of certificates has emerged in recent years, after security experts discovered many cases in which bad actors abused digital certificates for illicit activities, ranging from malware distribution to Internet surveillance.

    Authors of malware are exploiting new methods to avoid detection by defense systems and security experts. For example, many attackers are using SSL to protect malicious traffic between C&C and infected machines.

    Each item in the list associates a certificate to the malicious operations in which attackers used it. The abuses include botnets, malware campaigns, and banking malware.

    The archive behind the SSL Black List, which currently includes more than 125 digital certificates, comprises the SHA-1 fingerprint of each certificate with a description of the abuse. Many entries are associated with popular botnets and malware-based attacks, including Zeus, Shylock and Kins.
    The SSL Black List is another project that could help the security community to prevent cyber attacks. When the database matures, it will represent a precious resource for security experts dealing with malware and botnet operators that are using certificates in their operations.

    Abuse.ch isn’t the only entity active in the prevention of the illicit use of certificates. Google is very active in the prevention of any abuse of stolen or unauthorized digital certificates. Earlier this year, the company launched its Certificate Transparency Project, a sort of public register of the digital certificates that have been issued.

    “Specifically, Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates,” states the official page of the project.

    Unfortunately, many certificate authorities still aren’t providing logs to the public.

    References
    http://www.firmadigitalefacile.it/cosa-e-un-certificato-digitale/
    http://securityaffairs.co/wordpress...are-under-attack-why-steal-a-certificate.html
    http://hackmageddon.com/2011/12/10/another-certification-authority-breached-the-12th/
    http://securityaffairs.co/wordpress...n-use-of-fraudulent-digital-certificates.html
    http://securityaffairs.co/wordpress...control-lets-digitally-sign-malware-code.html
    http://www.symantec.com/connect/blogs/diginotar-ssl-breach-update
    http://www.cybersquared.com/2011/01/the-rise-of-digitally-signed-malware/
    http://securityaffairs.co/wordpress...ficate-used-to-sign-malware-who-to-blame.html
    http://securityaffairs.co/wordpress...lacklist-new-weapon-fight-malware-botnet.html
    http://www.darkreading.com/attacks-...icates-compromised-cia-mi6-tor/d/d-id/1099964?
    http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates
    http://blog.zeltser.com/post/56162725038/how-digital-certificates-are-used-and-misused
    http://securityaffairs.co/wordpress...ficate-used-to-sign-malware-who-to-blame.html
    http://securityaffairs.co/wordpress...len-digital-certificates-to-sign-malware.html
    http://files.cloudprivacy.net/ssl-mitm.pdf
    http://securityaffairs.co/wordpress/4544/hacking/stuxnet-duqu-update-on-cyber-weapons-usage.html
    http://www.globalsign.com/company/press/090611-security-response.html
    http://www.wired.com/threatlevel/2011/10/son-of-stuxnet-in-the-wild/
    http://securelist.com/blog/incidents/29725/stuxnet-signed-certificates-frequently-asked-questions/
    http://nakedsecurity.sophos.com/201...icate-authority-issues-dangerous-certficates/
    http://www.f-secure.com/weblog/archives/00002269.html
    http://nakedsecurity.sophos.com/201...y-firm-hacked-unsecured-phpmyadmin-implicated
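The post above describes the SSL Black List as a feed of SHA-1 certificate fingerprints delivered as CSV and as Suricata rules. The following is an added example, not code from the post, from abuse.ch or from any of the quoted vendors, showing how a defender would consume such a feed: compute the SHA-1 fingerprint of a certificate observed in TLS traffic (the SHA-1 of its DER encoding), match it against the list, and turn a hit into a Suricata rule using the `tls.fingerprint` keyword. The CSV column order (`Listingdate,SHA1,Listingreason`), the certificate bytes, the fingerprints and the rule text are all constructed for the demo and are assumptions, not values from the real feed.

```python
"""Match observed TLS certificates against an SSLBL-style fingerprint feed.

Added example, not part of the quoted article or of the abuse.ch project.
All certificate bytes, fingerprints and CSV rows below are constructed.
"""
import csv
import hashlib
from typing import Dict


def sha1_fingerprint(der: bytes) -> str:
    """A certificate's SHA-1 fingerprint is the SHA-1 of its DER encoding.

    Returned as 40 lowercase hex characters, the form a CSV feed would list.
    """
    return hashlib.sha1(der).hexdigest()


def colon_fingerprint(fp: str) -> str:
    """Render a 40-hex fingerprint as aa:bb:cc:... (59 chars), the form
    Suricata's tls.fingerprint keyword expects."""
    return ":".join(fp[i:i + 2] for i in range(0, 40, 2))


def parse_sslbl_csv(text: str) -> Dict[str, dict]:
    """Parse a feed whose comment lines start with '#' and whose data rows
    are Listingdate,SHA1,Listingreason (assumed layout). Keyed by SHA-1."""
    rows = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    entries = {}
    for listing_date, sha1, reason in csv.reader(rows):
        entries[sha1.strip().lower()] = {"date": listing_date, "reason": reason}
    return entries


def scan_certificates(observed: Dict[str, bytes], blacklist: Dict[str, dict]) -> Dict[str, dict]:
    """Return the observed sessions whose server certificate is on the list."""
    hits = {}
    for label, der in observed.items():
        fp = sha1_fingerprint(der)
        if fp in blacklist:
            hits[label] = dict(blacklist[fp], sha1=fp)
    return hits


def suricata_rule(fp: str, reason: str, sid: int) -> str:
    """Build a rule in the style of the SSLBL Suricata feed (constructed text).

    The server certificate travels server -> client, hence EXTERNAL -> HOME.
    """
    return (
        'alert tls $EXTERNAL_NET any -> $HOME_NET any '
        f'(msg:"SSLBL: Malicious SSL certificate detected ({reason})"; '
        f'tls.fingerprint:"{colon_fingerprint(fp)}"; sid:{sid}; rev:1;)'
    )


# Constructed stand-ins for DER-encoded certificates captured from TLS sessions.
OBSERVED_CERTS = {
    "update-check": b"\x30\x82\x01\x00constructed-benign-cert",
    "c2-session": b"\x30\x82\x01\x00constructed-c2-cert",
}

# Constructed feed: one row matches the "c2-session" certificate, the other is
# a fabricated fingerprint that matches nothing we observed.
BLACKLIST_CSV = (
    "# Constructed SSLBL-style feed for the example\n"
    "# Listingdate,SHA1,Listingreason\n"
    f"2014-07-21 10:15:37,{sha1_fingerprint(OBSERVED_CERTS['c2-session'])},Shylock C&C\n"
    "2014-07-20 09:01:12,0123456789abcdef0123456789abcdef01234567,KINS C&C\n"
)


def demo() -> Dict[str, str]:
    """Run the scan and return one Suricata rule per hit, keyed by session."""
    blacklist = parse_sslbl_csv(BLACKLIST_CSV)
    hits = scan_certificates(OBSERVED_CERTS, blacklist)
    return {
        label: suricata_rule(h["sha1"], h["reason"], 902000001 + n)
        for n, (label, h) in enumerate(hits.items())
    }


if __name__ == "__main__":
    for session, rule in demo().items():
        print(f"{session}: {rule}")
```

Matching on the fingerprint rather than on subject names is what makes the list robust against the reuse of stolen or fraudulent certificates across domains: the DER bytes, and therefore the SHA-1, are identical wherever the certificate is presented.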