Stealing Certificates to Sign Malware will be the Next Big Market for Hackers

Hackers are always on the lookout for new ways to monetize their activities.  We know cyber attackers have the first-move advantage and are currently outpacing security capabilities and implementations.  Even now, they run undetected and unabated through the networks of many large and respected companies and government sites.  When they are detected or choose to show their position, what makes news is the breach, data loss, and potential financial liabilities.  What is rarely spoken of is how such incidents on trusted organizations can be used to greatly amplify broader cyber-attacks across the systems of other entities and their respective customer base.

Danger 2.jpg

As attackers are rummaging and shopping around compromised networks, one of the highly valued targets are the certificates of the host.  These are used when communication, updates, and applications are sent to customers and partners to validate content is coming from a legitimate and trustworthy source.  Certainly not as sexy as credit card numbers, but in the wrong hands it can be a much more powerful tool to professional attackers.  These stolen credentials are being used to ‘sign’ malware which will get past typical defenses and then infect and compromise the computers of the host’s customer base.

Say for example you have a media or game company that requires end-users to install an application to access news, movies, songs, games, entertainment, or anything really.  The content pushes, program updates, and even security patches are electronically signed by the host, to ensure they are legitimate.  This is good security practice that is often used by app stores, anti-malware software, network filters, etc.  If this host company is compromised and their certificates are then used to ‘sign’ a malicious update, one which will compromise the target system and open it to the attackers, the entire community is at a heightened risk of these slipping past the security controls.  Chances are very good that recipients will receive and install code designed to hack their systems.  Now imagine that such users have this app on their phone, home system, and most worrisome their work computer.  All could be quickly compromised, at the speed of updates.  Most security defenses will not stop such an attack until it becomes known the certificates have been stolen.  Even then, it is not such a simple process to revoke usage across an entire community.  It can take years to close the vulnerability on all the potential targets.

Welcome to the 3rd Level of future cybersecurity attacks.  Here is my prediction: the broader community of attackers will soon realize the value of these certificates and begin to regularly harvest them as a resource for resale to discrete buyers, much like how vulnerabilities are being sold today.  Additionally, we will see more darknet services emerge where a malware writer can pay to have their software ‘signed’ with a stolen certificate for propagation to targeted communities.  This will be the next big market for hackers and will become a standard practice for cyber warfare teams worldwide.

Hold on, this is going to be a bumpy ride.

Twitter: @Matt_Rosenquist

IT Peer Network: My Previous Posts


My Blog: Information Security Strategy

Published on Categories Archive
Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.