- Aug 17, 2017
- 1,448
By Kacy Zurkus
Researchers from Masaryk University in the Czech Republic and Maryland Cybersecurity Center (MCC) monitored suspicious organizations and identified four that sold Microsoft Authenticode certificates to anonymous buyers. The same research team also collected a trove of Windows-targeted malware carrying valid digital signatures.“Recent measurements of the Windows code signing certificate ecosystem have highlighted various forms of abuse that allow malware authors to produce malicious code carrying valid digital signatures,” researchers wrote. In their work, the researchers also discovered several cases of potentially unwanted programs (PUPs), revealing that along with their ability to sign malicious code, bad actors are also able to control a range of Authenticode certificates.
Gaining this type of unauthorized access has traditionally been easy for attackers using drive-by downloads and phishing, according to Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies. “And while endpoint security achieved some increases in efficacy over the last five years with the evolution of end point protection platforms, we only ever treated the symptom – and the not cause – of permissive access," Gumbs said. “If an attacker can use a trusted signed certificate to install malware, then the malware will use the access rights granted to that user or the access rights left behind in the form of NTLM hashes to further penetrate the network," he continued. "While this development is a worrying one, applying a least access privilege model would reduce the threat greatly.”
Full article Windows Malware Carries Valid Digital Signatures
Researchers from Masaryk University in the Czech Republic and Maryland Cybersecurity Center (MCC) monitored suspicious organizations and identified four that sold Microsoft Authenticode certificates to anonymous buyers. The same research team also collected a trove of Windows-targeted malware carrying valid digital signatures.“Recent measurements of the Windows code signing certificate ecosystem have highlighted various forms of abuse that allow malware authors to produce malicious code carrying valid digital signatures,” researchers wrote. In their work, the researchers also discovered several cases of potentially unwanted programs (PUPs), revealing that along with their ability to sign malicious code, bad actors are also able to control a range of Authenticode certificates.
Gaining this type of unauthorized access has traditionally been easy for attackers using drive-by downloads and phishing, according to Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies. “And while endpoint security achieved some increases in efficacy over the last five years with the evolution of end point protection platforms, we only ever treated the symptom – and the not cause – of permissive access," Gumbs said. “If an attacker can use a trusted signed certificate to install malware, then the malware will use the access rights granted to that user or the access rights left behind in the form of NTLM hashes to further penetrate the network," he continued. "While this development is a worrying one, applying a least access privilege model would reduce the threat greatly.”
Full article Windows Malware Carries Valid Digital Signatures