Digital certificates act as identity and access management for machines, just as usernames and passwords protect the identities of humans. Because certificates allow machines to communicate securely, they play an essential role in every organization’s digital ecosystem and in the global economy. But these high stakes also make certificates a lucrative target for cyber criminals.
We have seen organized cyber crime invest in more and more attacks built around stolen or forged certificates. And now with CertLock, we are seeing a new wave of attacks that specifically target, and take advantage of, the importance of certificates.
In late May, members of a security forum received reports that users could not run or install security programs on their computers. Instead, they saw an alert stating that the program’s publisher had been blocked. The cause was CertLock, a new Trojan that impedes security programs by blocking their code-signing certificates. As a result, CertLock prevented signed installers from running, and prevented programs signed with the blocked certificates from executing.
While cyber criminals have targeted certificates in the past, CertLock represents a new, and troubling, stage in certificate focused security incidents.
“The use of malicious certificates is nothing new: Stuxnet used stolen digital certificates to make sure it was seen as trusted software,” says Kevin Bocek, chief security strategist for Venafi. “Other malware variants, like SuperFish, have allowed cyber criminals to get access to digital certificates so they can look inside of encrypted communications. However, CertLock ups the ante by telling Windows to refuse the digital certificates for security software.”
Researchers are already issuing tools to intercept the CertLock attack, but experts believe certificate attacks will only continue to evolve.
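A defender's check for the behaviour described above, added here as an example rather than taken from the article or from any researcher's tool: it audits the Windows machine-wide Disallowed (“Untrusted Certificates”) store, which Windows consults before trusting a signature, and flags any entry whose subject matches a publisher you rely on. It assumes the refusal is implemented by placing a publisher's certificate in that store, and the publisher names are constructed placeholders.

```powershell
# Added example (not from the article): audit the Disallowed certificate store
# for certificates belonging to security publishers you actually run.
# Assumption: the Trojan's "refusal" works by adding the publisher's certificate
# to this store. Publisher names below are constructed placeholders.
$WatchedPublishers = @('ExampleAV', 'ExampleEndpointSecurity')

function Get-DisallowedPublisherCerts {
    param([string[]]$Publishers = $WatchedPublishers)

    # Cert:\LocalMachine\Disallowed is the built-in "Untrusted Certificates" store.
    $store = Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' -ErrorAction Stop

    foreach ($cert in $store) {
        $hit = $Publishers | Where-Object { $cert.Subject -like "*$_*" }
        [PSCustomObject]@{
            Thumbprint       = $cert.Thumbprint
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            WatchedPublisher = [bool]$hit
        }
    }
}

function Get-DisallowedRegistryThumbprints {
    # The same store is backed by this registry key; malware that tampers with
    # the store often writes here directly, so compare both views.
    $key = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates'
    if (-not (Test-Path $key)) { return @() }
    # Each subkey name is the SHA-1 thumbprint of one disallowed certificate.
    (Get-ChildItem -Path $key).PSChildName
}

$report = Get-DisallowedPublisherCerts
$report | Sort-Object WatchedPublisher -Descending | Format-Table -AutoSize

$flagged = @($report | Where-Object WatchedPublisher)
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} certificate(s) for watched publishers are in the Disallowed store" -f $flagged.Count)
}

# Thumbprints present in the registry but not visible via the Cert: drive
# deserve a closer look, since the two views should normally agree.
$registryOnly = Get-DisallowedRegistryThumbprints | Where-Object { $_ -notin $report.Thumbprint }
if ($registryOnly) { Write-Warning ("Registry-only entries: {0}" -f ($registryOnly -join ', ')) }
```

Run it from an elevated PowerShell session; once a flagged entry is confirmed to be an unwanted block, it can be removed with Remove-Item on its Cert:\LocalMachine\Disallowed\<thumbprint> path.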
“This Trojan should serve as a reminder that every application, code and cloud service is a machine that is identified with a digital certificate,” concludes Bocek. “It’s imperative every organization know all the machine identities in use, and be able to change them on demand, just like we do with usernames and passwords.”