Code Signing Certs Traded for $1000+ on Darknet

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Digital code signing certificates are being traded on the dark web for over $1000, undermining trust in the entire authentication system on which the internet is based, according to new Venafi research.

The cybersecurity vendor teamed up with the Cyber Security Research Institute in a six-month project to peel back the curtain on the shadowy underground markets used to buy and sell illegal goods and services.

It found code signing certificates available for purchase for up to $1200, making them more expensive than some counterfeit passports, handguns and stolen credit cards.

Attackers can use these certificates to hide the malware used for attacks in encrypted channels, making them highly sought-after.

Venafi chief security strategist, Kevin Bocek, explained that the certs could be sold many times over before losing their value, ensuring they are a major money-maker for cyber-criminals.

He described the research as a “rude awakening” for the system which essentially defines trust on the web.

“With no knowledge of which certificates should really be trusted, IT teams will have to either assume they can’t trust their applications and software, or risk criminals using their certificates to slip past defenses undetected to distribute malware. Neither option is acceptable,” he told Infosecurity.

“The only way organizations can effectively protect themselves is by having complete intelligence and control over every single certificate in use and trusted. But since firms have an average of more than 16,000 certificates they’re unaware of, this is no small feat. This is why it’s so important to automate the discovery, inventory and reputation scoring of every digital certificate, and for every code signing certificate in use, it’s key must be protected and every use controlled and audited.”

The researchers claim they only scratched the surface of the illegal darknet trade in code signing certificates, explaining they believe TLS, VPN and SSH key and certificate trading is also rife.
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Yikes! Looks like they want to make this one the Horror of the Week when it is really not. When reading the article one is led to believe that if a person runs into malware signed by a certificate purchased on the darkWeb- Bing Bang Boom- you will be infected.

Not Really...

The truth is that there is a BIG difference between having a legit certificate and actually being a trusted vendor. For instance, I can start a company (Meghan's Malware & More- aka MMM), code a little program and seek out an Organization from which I can buy such credentials. The price varies, from like less than 200USD/year at GoDaddy to about 700USD at Symantec. So yeah, now MMM has a certificate for software coded by us that we can make malicious. But so what? Most traditional AV's couldn't give a damn about whether something is signed but instead will make decisions based on MD5 and/or mechanism. And for those products with a Trusted Vendors List our company must first become Trusted- we will have to have some track record of legitimacy in order to make that list and not just some jive-time certificate.

So what can I do with the Symantec credentials that I just foolishly purchased (I WANT CASH!!!!). Easy- advertise on the DarkWeb! I can sell it many times over for 1000USD a pop to ignorant prepubescent wannabe Script Kiddies. What these chumps don't realize is that they have now increased the detection footprint of their malware- because once one is detected not only will that specific MD5 be blacklisted, but anything in the future signed with that certificate will also be detected and trashed just on principle. So MMM can code the baddest zero-day malware EVER and even ClamAV will stop it because the credentials were blacklisted.

So to sum- the topic covered in this article is a lot less than meets the eye.

(ps- for any interested today I am running a special on a MMM certificate signed by Symantec!!!!! Only 800USD!!! Best price on the DarkWeb!!!)
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
@cruelsister,

Considering code signing certificates, Extended Validation Code Signing Certificates and Trusted vendors (certificate),
how do the AV you know behave with these certificates if not blacklisted yet?
Do they still scan the signed files, check MD5/sha, check with the cloud, monitor them with BB or do they only do it e.g. for "code signing certificates" but not for the EV or trusted vendor ones ?
Thank you
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top