McAfee’s Latest Threat Report Underscores Problem of Unsecure Certificates

Origin of malicious signed binaries

On Monday, McAfee released its threat report for the fourth quarter of 2013. The report reveals that the number of malware samples signed with digital certificates has increased considerably in the last part of 2013.

McAfee has collected a total of 8 million signed malware samples. However, 2.3 million of them were collected in Q4 2013 alone, which shows that this has become a growing problem. The number of malicious programs signed with a digital certificate has increased by 52%.

Kevin Bocek, Venafi’s vice president of security strategy and threat intelligence, believes that the report shows that cybercriminals are attacking the trust established by digital certificates and cryptographic keys.

“There’s little to no visibility into what keys and certificates are trusted throughout enterprises and no ability to take action, either to enforce policy or respond to attacks. The escalation in these types of attacks underscores the problem of unsecured certificates loud and clear. With over 17,000 keys and certificates in typical Global 2000 organizations, there’s a huge attack surface,” Bocek told Softpedia.

“The rise in these attacks should not be a surprise: keys and certificates allow an attacker to gain trusted status. From SSL, to code signing, to SSH for administrators and servers, to iOS and Android architectures, we’ve built security systems of the future on keys and certificates,” he added.

“They are foundational to our modern world, yet trusting these technologies blindly puts us all in grave peril. Cybercriminals know unprotected keys and certificates are a weak spot in our defenses and will continue to attack there.”

While the rise in signed malware samples is largely attributed to rogue content delivery networks that enable cybercriminals to wrap their creations in a signed installer, stolen or compromised certificates still represent a major issue.
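The practical consequence of the point above is that a signature that verifies is not a trust decision: malware wrapped in a signed installer passes the same chain validation as a legitimate vendor's binary. The following PowerShell script is an added example, not code from the article, McAfee or Venafi; it inventories signed binaries under a directory and separates "validly signed by an approved vendor" from "validly signed by a signer nobody has vetted". The thumbprints in the allowlist are placeholders, and the scan path is an assumption.

```powershell
# Added example (not from the article or the vendors it quotes): audit signed binaries
# under a path against a signer allowlist. A "Valid" Authenticode status only means
# the certificate chain verifies; signed malware passes that test too, so the signer
# identity is checked separately against thumbprints the organisation has approved.
# The thumbprints below are placeholders; replace them with your approved signers.
$ApprovedSignerThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_VENDOR_A',
    'PLACEHOLDER_THUMBPRINT_VENDOR_B'
)

function Get-SignerAudit {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Approved = $ApprovedSignerThumbprints
    )
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.msi -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            $verdict =
                if ($sig.Status -ne 'Valid')                   { 'UNSIGNED_OR_INVALID' }
                elseif ($Approved -contains $cert.Thumbprint)  { 'APPROVED_SIGNER' }
                else                                           { 'VALID_BUT_UNKNOWN_SIGNER' }  # the case the report describes
            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status
                Signer      = if ($cert) { $cert.Subject }    else { $null }
                Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
                NotAfter    = if ($cert) { $cert.NotAfter }   else { $null }
                Timestamped = [bool]$sig.TimeStamperCertificate
                Verdict     = $verdict
            }
        }
}

# Usage (assumed scan path): list everything that verifies but was not signed by an
# approved vendor. These are the files worth reviewing, since a verifying signature
# from an unvetted signer is exactly what a stolen or rogue-CDN certificate produces.
Get-SignerAudit -Path 'C:\ProgramData' |
    Where-Object Verdict -eq 'VALID_BUT_UNKNOWN_SIGNER' |
    Sort-Object Signer |
    Format-Table File, Signer, NotAfter, Timestamped -AutoSize
```

The `Timestamped` column matters for the revocation point made later in the article: a timestamped signature stays valid after the signing certificate is revoked unless the revocation date is set before the timestamp, so a revoked-but-timestamped signer still shows up as `Valid` and is caught here only by the allowlist check, not by the status.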

The expert points to the numerous ways in which compromised or stolen certificates can be abused.

“The attacks on keys and certificates are unlike other common attacks seen today. With a compromised or stolen key you can impersonate, surveil, and monitor your targets as well as decrypting traffic or impersonating trusted websites, code, or administrators,” Bocek said.

“Discovering a compromised key and certificate doesn’t kick an attacker out nor solve the problem; until a key and certificate is revoked and replaced the threat doesn’t go away. The Mask APT operation recently showed that hundreds of organizations had SSH keys and SSL keys and certificates stolen,” he explained.

“Cybercriminals know unprotected keys and certificates are a weak spot in our defenses and will continue to attack there.”
