Digital security certificates assure regular users that the websites they visit can be trusted and are free of malicious code. But if security certificates are themselves compromised, how can regular users be protected from malicious hackers?
Modern digital security certificates ensure that interactions between website visitors and website owners are encrypted and can be decrypted only with private keys held by the website owners. As such, hackers and data miners find it hard to gain access to confidential information that users submit to websites protected by such certificates.
At the same time, modern antivirus services immediately block websites or software that are not secured by such certificates, thereby making it difficult for hackers to inject malicious code into devices via compromised websites.
According to Haydn Johnson, senior consultant at KPMG, security certificates are trusted because 'they require payment and proof of identity to tie the code, document, or application to the legitimate organisation. They verify that the Certificate actually belongs to the person, organisation, or entity that is noted in the certificate'. This approach prevents cyber-criminals from disguising malware as legitimate software or websites.
To infect millions of users or to steal their data, several hackers have now made stealing security certificates or getting their own certificates signed by a trusted CA their top priority. Once their own certificates are signed by a CA, they can then use such certificates to evade antivirus safeguards and to infect millions of website visitors and software users with malware.
This is because once antivirus services see a trusted certificate on a website or a piece of software, they do not scan it and do not apply controls such as application whitelisting or intrusion prevention, thereby giving the hackers a free run.
'With a certificate, the malware is allowed to run in a trusted state. Bypassing these technologies can save a cyber-criminal organisation considerable development time and money,' Johnson adds.
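The trust gap described above, as an added example that is not part of the article: a toy allowlisting policy in which a valid signature exempts a file from scanning, beside a hardened policy that treats the signature as one input among several. Thumbprints, digests and dates are constructed placeholders; cryptographic verification of the signature is assumed to have happened elsewhere.

```python
# Added example (not from the article): why "valid signature => skip scanning"
# lets stolen-certificate malware through, and what a hardened policy checks.
from dataclasses import dataclass
from datetime import date

@dataclass
class SignedFile:
    name: str
    sha256: str               # constructed placeholder digest
    signature_valid: bool     # assumed: cryptographic verification done elsewhere
    signer_thumbprint: str    # constructed placeholder certificate thumbprint
    signed_on: date           # from the signature's trusted timestamp

# Constructed samples: a vendor build, plus two droppers signed with the vendor's stolen key.
FILES = [
    SignedFile("vendor-update.exe", "sha256-aaaa", True, "TP-VENDOR-01", date(2017, 11, 1)),
    SignedFile("dropper-early.exe", "sha256-bbbb", True, "TP-VENDOR-01", date(2017, 12, 20)),
    SignedFile("dropper-late.exe",  "sha256-cccc", True, "TP-VENDOR-01", date(2018, 2, 1)),
    SignedFile("unsigned-tool.exe", "sha256-dddd", False, "", date(2018, 2, 1)),
]
APPROVED_THUMBPRINTS = {"TP-VENDOR-01"}
REVOKED_ON = {"TP-VENDOR-01": date(2018, 1, 15)}   # revoked once the theft was reported
KNOWN_BAD_HASHES = {"sha256-bbbb"}                 # dropper-early already known to threat intel

def weak_policy(f: SignedFile) -> str:
    # The behaviour the article describes: any valid signature exempts the file from scanning.
    return "skip_scan" if f.signature_valid else "scan"

def hardened_policy(f: SignedFile) -> str:
    # A signature narrows trust but never exempts a file from scanning.
    if f.sha256 in KNOWN_BAD_HASHES:
        return "block"
    if f.signature_valid:
        revoked = REVOKED_ON.get(f.signer_thumbprint)
        if revoked is not None and f.signed_on >= revoked:
            return "block"                      # signed after the certificate was revoked
        if f.signer_thumbprint in APPROVED_THUMBPRINTS:
            return "scan_low_priority"          # approved signer: still scanned
    return "scan"                               # unsigned or unknown signer

def evaluate(policy) -> dict:
    return {f.name: policy(f) for f in FILES}

if __name__ == "__main__":
    weak, hard = evaluate(weak_policy), evaluate(hardened_policy)
    for name in weak:
        print(f"{name:20} weak={weak[name]:10} hardened={hard[name]}")
```

Note that `dropper-early.exe` is caught only because its digest is already known; had it not been, the hardened policy would still scan it (as `scan_low_priority`) rather than exempt it, which is the whole point of not treating a signature as a scan bypass.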
Such are the benefits of legitimate certificates for malware authors that, Johnson says, a number of hackers now dedicate themselves solely to stealing certificates and selling them to other cyber-criminals. Several breaches in the recent past have been pulled off using legitimate certificates, including the Nationstate malware attack in 2016 and the NotPetya ransomware attack last year.
'The use of legitimate certificates remains one of the most successful ways to bypass protections and keep malware running in the system under the radar,' says Marta Janus, senior threat researcher at Cylance.
'A malicious file that presents a valid digital signature can often be overlooked by security solutions, some of which tend to whitelist certain certificates, effectively excluding software signed with these certificates from scanning; but even in the case of an anti-virus alert, the user might decide to allow such a file to run - or add it to the anti-virus exclusions list - thinking that the file is trusted and merely a false positive.
'Stealing certificates is not a trivial task, so initially this technique used to be found mainly in sophisticated targeted attacks. It's not a surprise that cyber-criminals realised the potential value that legitimate certificates can have on the black market, and came up with specialised malware for that purpose. It's fair to say that in the coming years we will probably be seeing more and more commodity malware presenting a valid digital signature,' Janus adds.