Frances Hill 2017-11-01

No longer just a spy game

Malware that is signed with compromised certificates creates a means for hackers to bypass system protection mechanisms based on code signing.

The tactic extends far beyond high profile cyber-spying ops, such as the Stuxnet attack against Iranian nuclear processing facilities or the recent CCleaner-tainted downloads infection.

Security researchers at the University of Maryland found 72 compromised certificates after analysing field data collected by Symantec on 11 million hosts worldwide.

"Most of these cases were not previously known, and two thirds of the malware samples signed with these 72 certificates are still valid, the signature check does not produce any errors," Tudor Dumitras, one of the researchers, told El Reg.

"Certificate compromise appears to have been common in the wild before Stuxnet, and not restricted to advanced threats developed by nation-states.

Issac Pierce 2018-07-10

Security researchers have warned that someone's obtained copies of code-signing certificates from two Taiwanese companies and is using them in a malware campaign.

Abusing code-signing certificates in this way is an attempt to present malware as the legitimate product of the vendor whose key signed it.

Security vendor ESET spotted the certificates being used to sign files that its systems were marking as suspicious.

One was from D-Link and the other from Changing Information Technology (CIT).

Both certificates have since been revoked.

Whether end users will get the message and replace the certificates on their machines is, as always, an open question.

Michael Fewell 2018-07-03

But because all of this executes through a Terminal window, it bypasses macOS's Gatekeeper malware protection, despite being unsigned code.

Apple's response: "Our Gatekeeper can't repel stupidity of that magnitude!"

I mean, there's only so much you can do if users are running shady code from the internet.

Heck, I bet if the script asked for sudo access, plenty of people would have given it.

Last edited by Thunderforge8 on Tue Jul 03, 2018 3:38 pm

Milagros Lester 2017-03-14

A day after the world got confused over whether or not the Switch was truly hacked, a group of programmers released Pegaswitch, a “toolkit” that allows limited code execution, letting users run some unsigned code on the Switch.

To be clear, this is not a full jailbreak but instead a proof-of-concept that could lead to a jailbreak.

“It allows you to call individual functions, no real programming possible yet,” said a hacker calling themselves LiveOverflow.

“But it’s enough to start exploring the system.

No persistence, no arbitrary code execution.”

To try the exploit you must run the program on your machine and set the DNS server for the Switch to your machine’s IP address.

Ryan Pak 2018-07-17

Certificate misuse can fool IT systems into accepting malware

A new malware campaign that misuses a stolen digital certificate has been identified by security researchers at ESET.

They found that crooks had acquired code-signing certificates from router and camera maker D-Link.

The malware attack was discovered when they received suspicious files signed with valid D-Link Corporation code-signing certificates.

Kevin Bocek, chief cybersecurity officer at Venafi, told Computer Business Review: “If you steal trusted machine identities from global technology companies, you can execute highly effective attacks that don’t raise any alarms.”

ESET identified two different types of malware that were using the stolen certificate.

Anthony Couture 2021-06-18
Sigstore will make code signing free and easy for software developers, providing an important first line of defense.
Diane Thomason 2018-03-12

Researchers unmask trade in code-signing certs

There's a flourishing trade in illicit code-signing certificates, and even extended validation certificates can be purchased for a few thousand dollars.

That's the conclusion of a study by American and Czech researchers, with input from Symantec Labs (the company's technical director Christopher Gates is a co-author).

The research found that the success of Microsoft's Windows Defender SmartScreen has forced attackers to change tactics.

During 2017, however, the paper says “these methods have become secondary to purchasing certificates from underground vendors”.

The paper cited platform protections like SmartScreen as driving this change.

Albert Colburn 2018-07-10

Criminals recently stole code-signing certificates from router and camera maker D-Link and another Taiwanese company and used them to pass off malware that steals passwords and backdoors PCs, a researcher said Monday.

The certificates were used to cryptographically verify that legitimate software was issued by D-Link and Changing Information Technology.

Microsoft Windows, Apple’s macOS, and most other operating systems rely on the cryptographic signatures produced by such certificates to help users ensure that executable files attached to emails or downloaded on websites were developed by trusted companies rather than malicious actors masquerading as those trusted companies.

Somehow, members of an advanced persistent-threat hacking group known as BlackTech obtained the certificates belonging to D-Link and Changing Information Technology, the researcher with antivirus provider Eset said in a blog post.

The attackers then used the certificates to sign two pieces of malware, one a remotely controlled backdoor and the other a related password stealer.

Both pieces of malware are referred to as Plead and are used in espionage campaigns against targets located in East Asia.

James Finch 2017-01-26

Updated Changes that mean signing certificates for Windows can only be sold in hardware form – or from an as-yet undefined cloud-based "service" – from the start of February are likely to have a big effect on software development.

US trade body the Certificate Authority Security Council decided in December that "best practice" for code-signing certificates was to embed them in hardware devices, a policy endorsed with upcoming changes from Microsoft that kick in next week.

This could present an upheaval for software developers, according to a Reg reader who flagged up the story and asked to remain anonymous.

"ISVs who need to buy new certificates may find themselves having to revise their build processes," our anonymous tipster said.

"It's interesting that one-man-and-a-dog shops won't be especially affected by the procedural changes, but will complain about the approximate doubling of certificate prices.

Meanwhile, large ISVs with automated build-and-test systems won't especially worry about an extra few hundred pounds, but may have to revise their processes a lot."

Carol England 2017-02-03

Developers remain unconvinced by CASC's novel innovation

Changes introduced this week that mean code-signing certificates for Windows can only be sold in hardware form or run through a cloud-based "service" are continuing to be a concern for some developers.

Industry trade body the Certificate Authority Security Council (CASC) decided in December that "best practice" for code-signing certificates was to embed them in hardware devices, a policy endorsed in changes by Microsoft that kicked in on 1 February.

The CASC told El Reg that keys for new certificates could be stored on USB hardware keys or held in the cloud at Azure Key Vault.

It conceded there may be teething issues but played down suggestions that the changes might overly inconvenience developers, as previously reported.

His concerns center on how the changes sit alongside the practice of automated quality assurance (QA) in code development.

Sonja Clemmons 2018-06-12

Subtle attack thwarts macOS code-signing process

A recently discovered security vulnerability in how third-party vendors check Apple's "code-signing" process potentially made it easier to trick macOS users into running malicious third-party code.

Developers have been warned of the risk, but users still need to upgrade their software to guard against attacks exploiting the shortcomings, disclosed on Tuesday.

The flaw created a means to impersonate Apple, according to researchers at cloud identity manager Okta.

Specifically, by exploiting this vulnerability, a hacker could trick users of third-party security tools into believing their code is Apple-approved, making it easier to get them running malicious code on a macOS machine.

The trick is quite subtle and relies on a number of preconditions – so exploitation would be difficult in practice.

Jose Rhoades 2017-11-03

One of the breakthroughs of the Stuxnet worm that targeted Iran's nuclear program was its use of legitimate digital certificates, which cryptographically vouched for the trustworthiness of the software's publisher.

Following its discovery in 2010, researchers went on to find the technique was used in a handful of other malware samples both with ties to nation-sponsored hackers and, later on, with ties to for-profit criminal enterprises.

What's more, it predated Stuxnet, with the first known instance occurring in 2003.

The researchers said they found 189 malware samples bearing valid digital signatures that were created using compromised certificates issued by recognized certificate authorities and used to sign legitimate software.

The results are significant because digitally signed software is often able to bypass User Account Control and other Windows measures designed to prevent malicious code from being installed.

Forged signatures also represent a significant breach of trust because certificates provide what's supposed to be an unassailable assurance to end users that the software was developed by the company named in the certificate and hasn't been modified by anyone else.

John Burns 2021-03-09

Cryptographic software assurance backed by Google, Red Hat, Purdue U

The Linux Foundation, with the support of Google, Red Hat, and Purdue University, is launching a service called sigstore to help developers sign the code they release.…

Frances Buoy 2018-10-04

While the looming era of quantum computing promises massive increases in processing power, it has also sparked fears that it will render today’s digital security useless.

Today, BlackBerry announced what it claims is “quantum-resistant” code signing to its lineup of cryptography tools.

“Quantum computing will solve groundbreaking problems in health care, transportation, astrophysics, government, and many other fields; however, it also gives bad actors the potential to crack traditional public key cryptosystems and then attack the underlying data they protect,” said Charles Eagan, chief technology officer at BlackBerry, in a statement.

“By adding the quantum-resistant code signing server to our cybersecurity tools, we will be able to address a major security concern for industries that rely on assets that will be in use for a long time.”

Just as the world needs dramatically more computing power for things like artificial intelligence, autonomous vehicles, and 5G networks, the tech world fears it is inching closer to the end of Moore’s Law, which projected regular increases in processing power.

That has spawned a race to develop quantum computing by players such as IBM, Microsoft, NASA, a range of startups, and the Chinese government.

Angela Skipper 2019-03-20

v10.15 will bring tighter security, but the escape hatch should remain open for now

Imagine for a moment the possibility that macOS 10.15, due to arrive later this year, will run only apps signed with a valid Apple developer certificate, with no option to white-list unsigned apps via the company's Gatekeeper security mechanism.

That would mean the only application code you could run on macOS 10.15 would be software created and signed by registered third-party developers, who right now have to pay $99 a year for said status.

It's been suggested that Apple is planning to ban all unsigned programs in macOS 10.15 and onwards, and a Register reader within the industry has insisted to us he's heard this on good authority.

It's equally plausible the scenario has been fabricated or overblown to encourage Apple to tip its hand.

The last time this reporter got an immediate, unequivocal response from Apple was in 2006 when, after asking about the health of then CEO Steve Jobs (visibly frail at the time and two years after Jobs disclosed his cancer diagnosis), the company's comms chief herself sent an email insisting, "Steve’s health is robust and we have no idea where these rumors are coming from."

Brad Patterson 2019-10-28

On 11th October, four years after the launch of the grand robot hotel experiment by Japan’s Henn na Hotel chain, security engineer Lance R. Vick tweeted an unsettling image of one of the hotel’s smart home-enabled bedside eggs.

In place of the robot’s leering cartoon eyes is an admin screen displaying unsigned code, meaning: any guest with the time and the will to figure out how to crack into the settings could have hypothetically accessed the robot’s eyes, ears, and brain by uploading an app.

Vick, who helps lead the ethical hacker group “ !”, sees the obvious salacious implications of bedside robo-peepholes, but more significantly, a cavalier acceptance of recording devices in public spaces.

“I saw exposure as vital,” he said, “as this hotel chain has been reportedly trying to make deals to roll out their technology package to many more hotels leading up to the 2020 Olympics, which will greatly increase the risk this exploit might be used to spy on or blackmail people.” Given that there are nearly 8 billion people in the world, this seems like a close call.

Vick told Gizmodo that he’d informed the hotel and asked whether they had a bug bounty program or disclosure policy.

Ninety days, a few tweets, and a Tokyo Reporter story later, the Henn na Hotel Maihama Tokyo Bay put out a statement saying that it had removed the robots from the rooms, investigated them for unauthorised apps, and “took countermeasures against unauthorised access.” Tapia robot manufacturer MJI Robotics also issued a statement saying that they had inspected all robots in H.I.S.
