Code Signing Certs Traded for $1000+ on Darknet

Exterminator (Community Manager)
Digital code signing certificates are being traded on the dark web for over $1000, undermining trust in the entire authentication system on which the internet is based, according to new Venafi research.

The cybersecurity vendor teamed up with the Cyber Security Research Institute in a six-month project to peel back the curtain on the shadowy underground markets used to buy and sell illegal goods and services.

It found code signing certificates available for purchase for up to $1200, making them more expensive than some counterfeit passports, handguns and stolen credit cards.

Attackers can use these certificates to hide the malware used for attacks in encrypted channels, making them highly sought-after.

Venafi chief security strategist, Kevin Bocek, explained that the certs could be sold many times over before losing their value, ensuring they are a major money-maker for cyber-criminals.

He described the research as a “rude awakening” for the system which essentially defines trust on the web.

“With no knowledge of which certificates should really be trusted, IT teams will have to either assume they can’t trust their applications and software, or risk criminals using their certificates to slip past defenses undetected to distribute malware. Neither option is acceptable,” he told Infosecurity.

“The only way organizations can effectively protect themselves is by having complete intelligence and control over every single certificate in use and trusted. But since firms have an average of more than 16,000 certificates they’re unaware of, this is no small feat. This is why it’s so important to automate the discovery, inventory and reputation scoring of every digital certificate, and for every code signing certificate in use, its key must be protected and every use controlled and audited.”

The researchers claim they only scratched the surface of the illegal darknet trade in code signing certificates, explaining they believe TLS, VPN and SSH key and certificate trading is also rife.
 

cruelsister
Yikes! Looks like they want to make this one the Horror of the Week when it is really not. When reading the article one is led to believe that if a person runs into malware signed by a certificate purchased on the darkWeb- Bing Bang Boom- you will be infected.

Not Really...

The truth is that there is a BIG difference between having a legit certificate and actually being a trusted vendor. For instance, I can start a company (Meghan's Malware & More- aka MMM), code a little program and seek out an Organization from which I can buy such credentials. The price varies, from like less than 200USD/year at GoDaddy to about 700USD at Symantec. So yeah, now MMM has a certificate for software coded by us that we can make malicious. But so what? Most traditional AVs couldn't give a damn about whether something is signed but instead will make decisions based on MD5 and/or mechanism. And for those products with a Trusted Vendors List our company must first become Trusted- we will have to have some track record of legitimacy in order to make that list and not just some jive-time certificate.

So what can I do with the Symantec credentials that I just foolishly purchased (I WANT CASH!!!!). Easy- advertise on the DarkWeb! I can sell it many times over for 1000USD a pop to ignorant prepubescent wannabe Script Kiddies. What these chumps don't realize is that they have now increased the detection footprint of their malware- because once one is detected not only will that specific MD5 be blacklisted, but anything in the future signed with that certificate will also be detected and trashed just on principle. So MMM can code the baddest zero-day malware EVER and even ClamAV will stop it because the credentials were blacklisted.

So to sum- the topic covered in this article is a lot less than meets the eye.

(ps- for any interested today I am running a special on a MMM certificate signed by Symantec!!!!! Only 800USD!!! Best price on the DarkWeb!!!)
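The mechanism cruelsister describes (a per-sample hash blocklist, a separate blocklist keyed on the signing certificate so that every later file from a burned signer is caught regardless of its hash, and a trusted-vendor list that a valid signature alone does not get you onto) is easy to model end to end. The following Go program is an added example written for this page, not code from the thread or from any AV product. It uses only the Go standard library: it mints a hypothetical self-signed code signing certificate for "Meghan's Malware & More", signs two constructed payloads, and runs a toy scanner over them. The certificate, the payload bytes, the `Scanner` type and its three lists are all assumptions made for the demonstration; a real Authenticode signature wraps the certificate in a PKCS#7 blob and chains to a commercial CA, but the blocklisting logic is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Verdict is what the toy scanner returns for one file.
type Verdict string

const (
	BlockedHash   Verdict = "blocked: file hash on blocklist"
	BlockedSigner Verdict = "blocked: signing certificate on blocklist"
	BadSignature  Verdict = "suspicious: signature does not verify"
	TrustedVendor Verdict = "allowed: signer on trusted-vendor list"
	SignedUnknown Verdict = "unknown: valid signature, signer not trusted"
)

// SignedFile models a code-signed binary: payload bytes, the signer's DER
// certificate and an ECDSA signature over SHA-256(payload).
type SignedFile struct {
	Name    string
	Payload []byte
	CertDER []byte
	Sig     []byte
}

// Signer is a hypothetical code signing identity (self-signed for the example;
// a CA-issued certificate changes nothing in the scanner below).
type Signer struct {
	key     *ecdsa.PrivateKey
	CertDER []byte
}

func NewSigner(commonName string) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &Signer{key: key, CertDER: der}, nil
}

// Sign produces a SignedFile carrying this signer's certificate.
func (s *Signer) Sign(name string, payload []byte) (SignedFile, error) {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, h[:])
	if err != nil {
		return SignedFile{}, err
	}
	return SignedFile{Name: name, Payload: payload, CertDER: s.CertDER, Sig: sig}, nil
}

// Fingerprint is SHA-256 over the DER certificate, the usual blocklist key.
func Fingerprint(der []byte) string { s := sha256.Sum256(der); return hex.EncodeToString(s[:]) }

// Scanner keeps three independent lists: per-sample hashes, burned signer
// certificates, and signers that have earned trusted-vendor status.
type Scanner struct{ badHashes, badSigners, trustedSigners map[string]bool }

func NewScanner() *Scanner {
	return &Scanner{map[string]bool{}, map[string]bool{}, map[string]bool{}}
}

// Convict blocklists one detected sample AND the certificate it was signed
// with, so every later file from that signer is caught whatever its hash.
func (sc *Scanner) Convict(f SignedFile) {
	sc.badHashes[Fingerprint(f.Payload)] = true
	sc.badSigners[Fingerprint(f.CertDER)] = true
}

func (sc *Scanner) Trust(certDER []byte) { sc.trustedSigners[Fingerprint(certDER)] = true }

func (sc *Scanner) Scan(f SignedFile) Verdict {
	if sc.badHashes[Fingerprint(f.Payload)] {
		return BlockedHash
	}
	if sc.badSigners[Fingerprint(f.CertDER)] { // burned cert is fatal on sight
		return BlockedSigner
	}
	cert, err := x509.ParseCertificate(f.CertDER)
	if err != nil {
		return BadSignature
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(f.Payload)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], f.Sig) {
		return BadSignature
	}
	if sc.trustedSigners[Fingerprint(f.CertDER)] {
		return TrustedVendor
	}
	return SignedUnknown // a valid signature from an unknown signer is not trust
}

func main() {
	mmm, _ := NewSigner("Meghan's Malware & More") // hypothetical signer
	sc := NewScanner()
	v1, _ := mmm.Sign("dropper-v1.exe", []byte("constructed sample one"))
	fmt.Println(v1.Name, "->", sc.Scan(v1))
	sc.Convict(v1)
	v2, _ := mmm.Sign("dropper-v2.exe", []byte("constructed sample two, new hash"))
	fmt.Println(v2.Name, "->", sc.Scan(v2))
}
```

Running it prints the first sample as "unknown" (signed, but MMM is on nobody's trusted list, so the signature bought it nothing) and, once that sample is convicted, the second sample with a never-before-seen hash is blocked purely on the certificate fingerprint. `Fingerprint` is reused for the file hash because both are just SHA-256 of bytes; a production scanner would also match on the certificate serial and issuer so that a re-encoded copy of the same certificate is still caught.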
 

Solarquest (Moderator)
@cruelsister,

Considering code signing certificates, Extended Validation Code Signing Certificates and Trusted vendors (certificate),
how do the AVs you know behave with these certificates if not blacklisted yet?
Do they still scan the signed files, check MD5/sha, check with the cloud, monitor them with BB or do they only do it e.g. for "code signing certificates" but not for the EV or trusted vendor ones ?
Thank you
 
