Folks, if you work in industry where software is your company’s primary product—be it a web service, enterprise software, or embedded software—you better listen up and pay attention. Earlier this month, the US Department of Justice indicted five Chinese hackers and two Malaysian businessmen on intrusions that hit more than 100 companies.
Who were the hackers after?
According to the indictment as reported by Bloomberg, the hackers targeted computer hardware manufacturers, software development companies, telecommunications providers, video game companies, and social media companies.
What were they after?
According to the DOJ, the attacks facilitated the theft of source code, software code signing certificates, customer account data and valuable business information.
The first set of indictments came in August of 2019 with the rest coming last month. It’s still unclear if the hackers were working directly for the Chinese government, though there is evidence that they may have been proxies for the Chinese government.
In July 2020, Garmin, a world-leading manufacturer of GPS devices, experienced a broad outage of its website and mobile app, affecting its customers worldwide. During this outage, Garmin couldn’t receive calls, emails or online chats, and its users experienced outages of software services that they had purchased.
According to Malwarebytes, one of the most common ways that companies get infected with WastedLocker is through the usage of fake software update alerts such as this one:
The Evil Corp gang, assumed to be run by Russians, has primarily been targeting US companies with this malware, which encrypts critical files and holds them for ransom, sometimes as high as $10M in Bitcoin.
Even though the US DOJ offered a $5M bounty in December 2019 for information leading to the arrest of these individuals, they were still at it six months later.
This is what really concerns me
These attacks are just the latest prominent examples of incidents. Earlier this year, we discussed the dangers of Pipemon to video game manufacturers. Security company Eclypsium reported on the risks of not protecting firmware (read our blog about it). Landry’s had a breach of firmware in its retail POS terminals. And before that, A.P. Møller-Maersk was crippled for weeks. And before that, computer manufacturer ASUS accidentally infected millions of customer computers as well.
I get the sense that the industry may not be taking this threat seriously enough, nor doing enough to prevent it.
According to Yana Blachman, a principal threat intelligence analyst at Venafi, “Attackers see the opportunity in targeting the source of software since they try to increase the infection rate and the number of targets. This is what is called shifting ‘upstream’ in the software supply chain.
Attackers understand that targeting an organization directly is complex and will typically yield slower and fewer results, and therefore prefer the approach of a supply chain attack. In a supply chain attack, the trusted software or service becomes the new target for the attackers, who will try to contaminate the software code signing process and deliver their malware through a ‘legitimate’ tunnel. Malicious signed software will typically raise less attention and becomes the perfect enabler for a successful attack.”
Who protects the protector?
In many of these cases, companies could have simply used code signing to protect the software they use internally or deliver to their customers. It is a cryptographic technology that has been around for 30 years and is effective.
However, what is alarming is that hackers are now targeting the theft of these vital code signing keys and certificates, inserting their malware into legitimate software, signing it with the stolen keys, and then distributing it. To the rest of the world, the malware-infected software update looks legit because it has a valid signature.
This is exactly why several years ago, Venafi began researching how to help companies protect their code signing keys and certificates. Here are just a few tidbits that we learned from our customers (names withheld to protect the innocent) during the early days of our market research:
- How many code signing certificates are in use at your company? “I dunno.”
- What group is responsible for safeguarding the use of those keys? “It depends.”
- How do you enforce any policies that you have around code signing? “We don’t.”
- Are you aware of your code signing certs being misused, either internally or externally? “We would rather not answer that.”
- Where do you store your code signing keys? “It depends. Sometimes on our developers’ laptops, build servers, or web servers, depending on the application.”
It’s no wonder that businesses have a tough time safeguarding their code signing keys and certificates.
If you’re not familiar with “Security Considerations for Code Signing” written by NIST, I encourage you to download it. This paper explains why securing code signing keys in a hardware security module isn’t adequate anymore. The use of a code signing key needs to be protected by a process that is easily enforced.
Check out these recommendations! Some of them are obvious, but others not as much:
- Identify the specific users who can use code signing keys
- Establish policies and procedures for reviewing, vetting and approving code before it is signed
- Use separate code signing keys for development/test signing than those used for production signing
- Conduct periodic audits to determine who has been signing code, with which certificates, and with which tools
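The four recommendations above can be turned into a policy gate in front of the signing operation plus a replay of the signing audit log against that policy. The following is an added illustration, not code from Venafi or NIST; the policy table, certificate names, host names and log lines are all constructed for the example.

```python
"""Policy gate and audit replay for a code signing service (constructed example)."""
from dataclasses import dataclass

# Constructed policy: named signers per key, approved build hosts per key,
# and separate keys for development versus production signing.
POLICY = {
    "prod-signing-2020": {"signers": {"release-eng"},
                          "hosts": {"build-prod-01"}, "tier": "production"},
    "dev-signing-2020":  {"signers": {"release-eng", "dev-team"},
                          "hosts": {"build-dev-01", "build-dev-02"}, "tier": "development"},
}

@dataclass
class SignRequest:
    user: str            # identity asking for a signature
    host: str            # machine the request comes from
    cert: str            # code signing certificate/key requested
    artifact_sha256: str # digest of the code to be signed
    review_approved: bool  # code review/vetting completed before signing

def authorize(req):
    """Return (allowed, reason). Only an allowed request reaches the key."""
    rule = POLICY.get(req.cert)
    if rule is None:
        return False, f"unknown certificate {req.cert}"
    if req.user not in rule["signers"]:
        return False, f"{req.user} is not an approved signer for {req.cert}"
    if req.host not in rule["hosts"]:
        return False, f"{req.host} is not an approved build host for {req.cert}"
    if rule["tier"] == "production" and not req.review_approved:
        return False, "production signing requires approved code review"
    return True, "ok"

# Constructed audit log: timestamp user host cert tool artifact-digest (digests are placeholders)
AUDIT_LOG = """\
2020-09-01T10:02:11Z release-eng build-prod-01 prod-signing-2020 signtool 3a1f9c02
2020-09-01T11:30:45Z dev-team build-dev-01 dev-signing-2020 signtool 77c0e51a
2020-09-02T02:14:09Z dev-team build-dev-02 prod-signing-2020 signtool e9b24d88
2020-09-02T03:01:22Z release-eng laptop-jdoe prod-signing-2020 osslsigncode 41dd0f37
"""

def audit(log_text):
    """Periodic audit: replay who signed, with which cert and tool, against POLICY.
    Review approval is not recorded in this log, so it is assumed True here."""
    findings = []
    for line in log_text.splitlines():
        ts, user, host, cert, tool, digest = line.split()
        ok, reason = authorize(SignRequest(user, host, cert, digest, review_approved=True))
        if not ok:
            findings.append((ts, cert, tool, reason))
    return findings
```

Run against the sample log, the audit flags a development team signing with the production key and a production-key use from a laptop rather than an approved build host.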
Hackers know how to steal code signing keys and credentials, and they have become effective at doing that. The NIST guidance is designed to prevent that from happening.
And, that’s why Venafi developed Venafi CodeSign Protect. CodeSign Protect provides visibility, intelligence, automation, and protection for code signing keys and enforces policies and processes used to protect them.
I really don’t want the next blog I write about code signing security threats to include your company as the latest example. Please take the time to look at how you can improve the security of your code signing process.