The PKI environment within which machine identities are created, maintained and used has shown its weaknesses in recent years, with the certificates themselves coming to be misused for attacks on individuals, enterprises and governments.
As discussed in the first post of this blog series, a rogue digital certificate can allow an attacker to intercept or spy on encrypted communication between a user’s device and a secure HTTPS website. But compromised machine identities can be used for more than just surveillance. In the second post of the series, I discussed how rogue or compromised digital certificates can also aid malware delivery: by misusing a machine identity, attackers can bypass code-signing checks and inspection and protection systems, and get onto target computers without being detected.
So, who is most at risk from such attacks? Certificate attacks threaten a range of organizations, from the certificate authorities (CAs) themselves to governments and large enterprises.
Cybercriminals will often target certificate authorities (CAs) themselves, for a rather obvious reason: an attacker who can obtain officially signed certificates from a CA can join (and disrupt) that circle of trust with users, who will unknowingly share their personal and confidential information over a supposedly ‘secure’ connection.
These attacks are hardly a new phenomenon. Just look at the 2011 case of Comodo. At the time, a single Iranian claimed credit for hacking into the digital certificate provider and obtaining fraudulent certificates for websites operated by Google, Yahoo, Microsoft, Skype and Mozilla. The attack was said to be the first of its kind, although the claim that it was a one-man act was later disputed, with experts suggesting that it may have been orchestrated by Iran's government to track and shut down dissidents.
A couple of months later, intruders broke into the network of Dutch certificate authority DigiNotar and were able to issue themselves more than 200 fraudulent certificates, including one for Google. Some experts suggested this figure rose to over 500, with stolen certificates supposedly including ones for intelligence services like the CIA, the U.K.'s MI6 and Israel's Mossad.
Indeed, the situation has become so bad that it has begun to reshape the machine identity industry in many ways, from the launch of Let’s Encrypt (offering free digital certificates) to Google and Mozilla distrusting SSL certificates issued by Symantec.
As noted above, governments and government agencies are a huge target for all forms of cybercrime, and that includes attacks on digital certificates, where a forged certificate lets an attacker fake an authenticated connection.
For example, reports have previously suggested that a number of cyberespionage groups are using stolen code-signing certificates to make their hacking tools and malware look like legitimate applications, with one China-based hacker group using this technique to launch targeted attacks against government and commercial organizations around the world for a number of years.
And back in 2011, researchers discovered malware circulating in the wild that used a private signing certificate belonging to the Malaysian government to bypass the warnings that operating systems and security software serve up when end users try to run untrusted applications. In this case, the compromised certificate enabled cybercriminals to spread malware via malicious PDF files.
It must be said that governments themselves have been accused of misusing certificates for surveillance. A few years ago, a French government agency was caught signing SSL certificates impersonating Google, and a Turkish government agency was later accused of issuing a fake digital certificate that would allow fake Google.com services to be used in man-in-the-middle (MITM) attacks.
Machine identity attacks can be carried out for numerous reasons, from email fraud to phishing, but nation-state attacks should not be understated. Perhaps the most notorious example here is the Stuxnet worm, which targeted Iran’s nuclear program. The worm was said to be the work of Mossad and the NSA, although this has never been confirmed.
A key component of the attack was its use of legitimate digital certificates, which cryptographically vouched for the trustworthiness of the software’s publisher. Researchers found 189 malware samples bearing valid digital signatures, created using compromised certificates that had been issued by recognized certificate authorities and were otherwise used to sign legitimate software.
The Duqu malware, which some researchers have said has significant similarities to Stuxnet, also used private certificates.
Banks and other financial services firms are commonly under threat simply because that’s where the money is.
For instance, Kaspersky Labs issued a report which revealed a massive cyber attack on a major Brazilian bank. The attack was incredibly pervasive, and for five hours late last year criminals were able to intercept all of the bank’s online banking, mobile, ATM and investment transactions with the help of digital certificates.
Russian cyber criminals, meanwhile, recently stole digital certificates from one of the top five global banks, enabling them to compromise 80 million records.
Technology and security companies
As an extension of CAs, many security companies and technology vendors are at risk, not only because their own software is widely run and executed, but also because their signed applications can help nefarious programs spread. Furthermore, as some IoT hacks have shown, security is usually bolted on at the end of the development process.
A breach at the security firm Bit9 allowed attackers to steal one of the company’s certificates and use it to distribute malware. Elsewhere, an apparently stolen certificate was used to sign a malicious Java applet, while an attack on the browser company Opera allowed the intruder to access a code-signing certificate and use it to sign malware. Code-signing certificates stolen from Adobe were likewise used to sign malicious software.
Then there’s the infamous case of Lenovo and Superfish: Lenovo found that an adware program it had been pre-installing on laptops installed its own root certificate, making itself an unrestricted certificate authority on the machine and enabling MITM attacks against standard consumer PCs.
Meanwhile, a security flaw found in Samsung’s IoT smart refrigerators allowed hackers to compromise Gmail credentials using MITM attacks because the fridge was not set up to validate SSL certificates.
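The two client-side failures above, a trust store containing a rogue root (Superfish) and a client that never validates the server certificate (the fridge), are both checkable. The following is an added example, not code from the original post: a small audit of a Python TLS client context and of the roots it trusts. The allowed root organization and the sample certificate dictionaries are constructed placeholders; the dictionaries mimic the format returned by `SSLContext.get_ca_certs()`.

```python
from __future__ import annotations
import ssl

# Root CA organizations this (hypothetical) deployment expects to trust.
# Constructed placeholder; in practice this comes from your CA inventory.
ALLOWED_ROOT_ORGS = {"Example Trust Services"}

def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings for settings that would let a MITM succeed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required/verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor is below TLS 1.2")
    return findings

def subject_org(cert: dict) -> str | None:
    """organizationName from a cert dict in get_ca_certs() format."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == "organizationName":
                return value
    return None

def unexpected_roots(ca_certs, allowed_orgs=ALLOWED_ROOT_ORGS) -> list[str]:
    """Organizations of trusted roots that are not on the allow list."""
    return [subject_org(c) or "<no organizationName>"
            for c in ca_certs if subject_org(c) not in allowed_orgs]

def strict_client_context() -> ssl.SSLContext:
    """Validates chain and hostname, TLS 1.2 or newer (the fridge fix)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def weak_client_context() -> ssl.SSLContext:
    """The fridge's mistake: accept any certificate from anyone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

# Constructed sample trust store: one expected root, one Superfish-style root.
SAMPLE_ROOTS = [
    {"subject": ((("organizationName", "Example Trust Services"),),)},
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Constructed Adware Inc"),),
                 (("commonName", "Constructed Adware Root"),))},
]
```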
How well are your organization’s machine identities protected against today’s attackers?