Malware distributed disguised as security certificate updates

News by Chandu Gopalakrishnan

New campaign uses fake digital certificate updates to infect systems of visitors to websites that have been compromised

A new campaign has started using fake digital certificate updates to infect systems of visitors to websites that have been compromised, reported Kaspersky researchers.

The report comes hard on the heels of a disclosure by the Let's Encrypt project that it had to revoke over three million digital certificates after discovering a flaw in its certificate authority code.

“We detected the infection on variously themed websites — from a zoo to a store selling auto parts. The earliest infections found date back to 16 January, 2020,” said the Kaspersky Securelist report.

Visitors to these compromised websites typically see a warning that the website's security certificate has expired and that an “update” must be downloaded; the file offered is malware disguised as that update.

“As incidents involving certificate issuance and deployment become more well-known and mainstream, this is bound to give attackers one more avenue to devise attacks as part of their social engineering efforts. Unfortunately, and also unsurprisingly, we are bound to see an uptick of this kind of campaign during times of post-incident chaos as attackers thrive on that,” commented Pratik Savla, EngSec at Venafi.

“Such attackers have also become much bolder as is apparent from a shift that is observed in the case of malicious iframes where in the past, it was common for a threat actor to inject their iframes towards the bottom of a webpage. But now one can encounter it anywhere in the webpage. Additionally, today a large percentage of malicious websites are actually legitimate websites that are infected with malicious code.”

Aggravating the issue is the existence of legacy devices in the market. Over a billion Android devices running version 6.0 or earlier remain vulnerable to hackers and malware because they no longer receive security updates, reported consumer magazine Which?.

In light of more and more companies offering the opportunity to work remotely during the Covid-19 scare, the chances of people using unsecured personal devices to access organisational networks have increased.

“Businesses should communicate clearly with workers to ensure they are aware of the risks, and do everything they can to secure remote access for those self-isolating or working from home. Otherwise, cyber-criminals could cash in whilst businesses are on the back foot,” commented David Emm, principal security researcher, Kaspersky.

Websites are compromised easily and remain so for long periods because most site owners or hosting providers do not regularly check the content they serve, noted Savla. Reliance on AV products often gives a false sense of security, as they frequently fail to detect such malicious behaviour because of the obfuscation techniques used, he explained.

“One course of action to minimise the risk of such incidents is for site owners to regularly patch any third-party web applications they use to remediate known vulnerabilities, as well as to regularly inspect their pages for any kind of unauthorised change or modification,” said Savla.

“They also need to be on the look-out for any kind of obfuscated JavaScript within webpages. For users, they need to patch all client applications. Some of them should also be able to inspect the source of a site page and report any instances of compromise to the site owner. Otherwise, even with widespread awareness of a campaign/attack, users are still at risk of being compromised.”
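The advice above (inspect served pages for unauthorised changes, watch for injected iframes placed anywhere in the page, and look out for obfuscated JavaScript) can be turned into a small integrity check a site owner runs against their own pages. The following is an added example, not code from the article or from Kaspersky or Venafi. It uses only the Python standard library, compares a page against a known-good SHA-256 baseline, and applies a few heuristics (off-site or hidden iframes, inline scripts using `eval`/`unescape`/`String.fromCharCode`/`document.write`) that are assumptions of this example, not a published detection signature; the sample HTML, the trusted host list and the `.invalid` hostname are all constructed here for illustration.

```python
"""Baseline-and-heuristic scan of served HTML for unauthorised modifications.

Added example (not from the article). The obfuscation markers are a heuristic
chosen for this example; real campaigns vary and legitimate sites may also use
some of these calls, so findings are leads for a human review, not verdicts.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Names and patterns are this example's own choices (assumption, not a standard).
OBFUSCATION_MARKERS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode\s*\("),
    "document.write": re.compile(r"document\.write\s*\("),
    "hex-escape-run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),  # long \xNN runs
}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class PageScanner(HTMLParser):
    """Collects suspicious iframes and scripts while parsing a page."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = set(trusted_hosts)
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def _untrusted_host(self, url):
        host = urlparse(url or "").hostname or ""
        return host if host and host not in self.trusted_hosts else None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            host = self._untrusted_host(attrs.get("src"))
            if host:
                self.findings.append(f"iframe to untrusted host: {host}")
            # Zero-size or CSS-hidden frames are a classic injection marker.
            if HIDDEN_STYLE.search(attrs.get("style", "")) or "0" in (
                attrs.get("width"), attrs.get("height")
            ):
                self.findings.append("hidden iframe")
        elif tag == "script":
            if attrs.get("src"):
                host = self._untrusted_host(attrs["src"])
                if host:
                    self.findings.append(f"external script from untrusted host: {host}")
            else:
                # HTMLParser delivers the script body via handle_data (CDATA mode).
                self._in_script = True
                self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            hits = [name for name, pat in OBFUSCATION_MARKERS.items() if pat.search(body)]
            if hits:
                self.findings.append(
                    "inline script with obfuscation markers: " + ", ".join(hits)
                )


def scan_page(html, trusted_hosts):
    """Return a list of human-readable findings for one HTML document."""
    scanner = PageScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def content_hash(html):
    """SHA-256 of the page body, recorded once from a known-good copy."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def check_against_baseline(html, baseline_hash, trusted_hosts):
    """Return (changed_since_baseline, findings)."""
    return content_hash(html) != baseline_hash, scan_page(html, trusted_hosts)


# Constructed sample data: a known-good page and the same page with an injection.
TRUSTED_HOSTS = {"www.example.com", "cdn.example.com"}
BASELINE_HTML = """<html><head><title>City Zoo</title>
<script src="https://cdn.example.com/app.js"></script></head>
<body><h1>Welcome</h1><p>Opening hours: 9 to 5</p></body></html>"""
INJECTED_HTML = BASELINE_HTML.replace(
    "<h1>Welcome</h1>",
    '<h1>Welcome</h1>\n'
    '<iframe src="http://bad.example.invalid/update" style="display:none" '
    'width="0" height="0"></iframe>\n'
    '<script>eval(unescape("%74%72%75%65"));</script>',  # decodes only to "true"
)

if __name__ == "__main__":
    baseline = content_hash(BASELINE_HTML)
    for label, page in (("baseline", BASELINE_HTML), ("injected", INJECTED_HTML)):
        changed, findings = check_against_baseline(page, baseline, TRUSTED_HOSTS)
        print(f"{label}: changed={changed}, findings={findings}")
```

In practice the baseline hash is taken from a copy of the page fetched right after deployment (or from the deployed source), and pages with dynamic content need their volatile parts normalised away before hashing; the heuristic scan still works on its own where no stable baseline exists.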
