Malware Attack on Code Signing Certificates
Code Signing: Vulnerabilities and Malware Attacks

09/29/2022 by admin

Code signing is crucial for distinguishing legitimate software from malicious or rogue code. In more technical terms, a code signing certificate is used to produce a hash of the code and to add a signature by encrypting that hash with the publisher's private key. When the code is executed, the signature is verified, and if the recomputed hash matches, there is confidence that the code has not been altered. It also confirms that the code really comes from the author it claims to be from.
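The hash, sign and verify cycle described above, as an added Go example that is not part of the original post: the publisher signs a SHA-256 digest of a constructed sample artifact with RSA-PSS, and the verifier shows that a copy with an injected payload, or a signature checked against a different publisher's key, fails the check.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignArtifact hashes the artifact with SHA-256 and signs the digest with the publisher's private key (RSA-PSS).
func SignArtifact(priv *rsa.PrivateKey, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyArtifact recomputes the hash on the receiving side and checks it against the signature with the public key.
func VerifyArtifact(pub *rsa.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// mustKey generates a fresh 2048-bit RSA key pair for the demo.
func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Demo signs a constructed installer image and verifies three cases: the original bytes,
// a copy with an injected payload, and the original checked against a different key.
func Demo() (genuine, tampered, wrongSigner bool) {
	publisher, attacker := mustKey(), mustKey()
	installer := []byte("setup.exe v1.0 -- constructed sample artifact") // constructed, not a real binary
	sig, err := SignArtifact(publisher, installer)
	if err != nil {
		panic(err)
	}
	backdoored := append(append([]byte{}, installer...), " + injected payload"...)
	genuine = VerifyArtifact(&publisher.PublicKey, installer, sig)    // true
	tampered = VerifyArtifact(&publisher.PublicKey, backdoored, sig)  // false: hash no longer matches
	wrongSigner = VerifyArtifact(&attacker.PublicKey, installer, sig) // false: not the claimed author's key
	return
}

func main() {
	fmt.Println(Demo()) // true false false
}
```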


Code signing protects code, but if it is not used properly it can cause problems and be open to attack or misuse. One instance where the code signing procedure was exploited, and malware was installed on systems and endpoints as genuine software, is the recent SolarWinds attack. An attacker's aim is to choose the route that presents the least difficulty.

Many companies, the gaming sector included, want a far quicker release or deployment of their code. It is relatively typical for enterprises to skip steps or ignore security best practices, which leaves them vulnerable to unauthorized code signing.


Code signing: How does it work?

Code signing has several uses. The most evident is the use of the developer’s private key to sign software code. As described above, software is signed to ensure that the code has not been altered to carry harmful code, to let the recipient know that the creator is who they claim to be, and to foster confidence between developer and end user.

Users of signed code can be confident that it carries no malicious intent, since the code signer would be held accountable if it did. Enterprise applications, IoT devices, and development and IT operations (DevOps) are other contexts where code signing is employed.


Any internal code, scripts, packages, and so on used by corporate applications are all code signed. Scripts and packages are signed for the same reasons the code is, since attackers may use them to conceal dangerous payloads. IoT devices use code signing for authentication and validation: messages exchanged between users and IoT devices, as well as software and firmware updates, are signed by their developers.

Code signing certificates that make use of a Public Key Infrastructure (PKI) authenticate users inside a company’s network. A user’s identity can be verified by checking, with the signer’s public key, the signature that the signer placed on the user’s certificate with its private key. In DevOps, integration and code deployment are continuous processes. Because the code is distributed as many instances across containers and cloud platforms, these container images need to be signed at various points throughout the code’s lifespan.


Code Signing Abuse: Code signing malware

A typical goal of code signing abuse is code that appears genuine but includes malicious software that can fully compromise a user’s machine or steal important information. To distribute code under a reputable creator’s identity and spread malware to additional victims, attackers may obtain code signing certificates belonging to trustworthy developers. Abuse of code signing can happen in a variety of ways.


Key Theft: Digital certificates or keys that are not properly handled or stored give threat actors access to trusted users’ private keys. With these keys they can issue certificates in the names of trusted identities and use those certificates maliciously within the network; they can even sign code under other identities. Keys can be kept safe from attackers by using Hardware Security Modules (HSMs), since stealing the keys from an HSM would require physical access to the device and the right authorization.


Coding Errors: A second, less obvious way that code signing can be undermined is when the signed software itself has flaws. If threat actors find those flaws before they are fixed, the signing will have been for nothing: even though the code is signed, attackers can exploit the flaws to install malware on victims’ computers. Code should be carefully tested for vulnerabilities before deployment.


System Compromise: Software that is signed on a compromised machine may have had its code altered before signing. This lets malware payloads be concealed, without the developer’s awareness, in code that is authentically signed. This type of code signing abuse occurred in the recent SolarWinds attack. Keeping your systems current with all security updates helps protect the environment in which code is built and signed.


Use of Revoked/Expired Certificates: If a certificate’s validity is not checked against the Certificate Authority (CA), a compromised key or an expired certificate can be used to sign malicious software. Certificates that have been revoked should be listed on the Certificate Revocation List (CRL), and certificates that have expired should fail the validity check, so that the CA can indicate that they must not be used for anything until they are replaced or renewed.
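An added Go example (not from the original post) of the validity and revocation checks a verifier should apply before trusting a signing certificate. The CA, the publisher’s certificate, the serial numbers and the dates are all constructed for the example, and building the certificate chain is assumed to have been done separately.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckSigningCert gates trust in a signature: the certificate must be inside its validity window at `now`,
// the CRL must be CA-signed and not stale, and the certificate's serial must not be listed on it.
func CheckSigningCert(cert, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate outside its validity period")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil || now.After(crl.NextUpdate) {
		return errors.New("CRL missing, not signed by the CA, or stale: refuse to trust")
	}
	for _, rc := range crl.RevokedCertificates { // populated by ParseRevocationList
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate has been revoked")
		}
	}
	return nil
}

// BuildScenario constructs a CA, a code-signing certificate (serial 4242, valid 2021-01-01 to 2022-01-01)
// and a CRL valid until 2022-03-01 that lists revokedSerial when non-zero. Constructed fixture only.
func BuildScenario(revokedSerial int64) (ca, leaf *x509.Certificate, crlDER []byte) {
	date := func(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC) }
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048) // errors ignored: fixed fixture, not production code
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: date(2021, 1, 1), NotAfter: date(2031, 1, 1)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER) // the parsed copy carries the generated SubjectKeyId the CRL needs
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Example Publisher"},
		NotBefore: date(2021, 1, 1), NotAfter: date(2022, 1, 1), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: date(2021, 6, 1), NextUpdate: date(2022, 3, 1)}
	if revokedSerial != 0 {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: date(2021, 6, 1)}}
	}
	crlDER, _ = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return
}
```

The check runs the expiry test before consulting the CRL, so an expired certificate is rejected even when the CRL itself has gone stale.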


Well-Known Code Signing Threats

Lessons from past code signing abuses can help protect data in the future. Although there have been a number of major code signing breaches, we will concentrate on three of the most prominent, starting with SolarWinds. In 2020, SolarWinds discovered that its main systems had been infiltrated. In September 2019, hackers had gained entry to a SolarWinds Microsoft 365 account by means of a supply chain attack. As a result, threat actors were given access to SolarWinds code and other systems, giving them the opportunity to exploit code signing.

By changing code before it was signed, these attackers were able to plant a Remote Access Trojan (RAT), which gave them remote access to victims’ systems. The RAT was delivered in updates for Orion, a network monitoring program made by SolarWinds. This launched a campaign that placed victims’ devices under the attackers’ command-and-control infrastructure. The SolarWinds attack affected public figures, businesses, and several US federal government agencies.


The D-Link attack also made use of code signing fraud. When releasing the source code for a firmware update, D-Link, a company that sells networking hardware, mistakenly disclosed its private code signing keys. With these keys, attackers could trick users into thinking they were receiving trustworthy code from D-Link while actually sending them code of their own.

It is crucial to safeguard private code signing keys, since having your digital identity stolen can result in the loss of sensitive data, litigation, and other problems. Only one of the four signing keys exposed in the D-Link incident was genuine, but all it takes is one valid certificate for abuse to occur.


ASUS, a well-known computer company, had its code signing process compromised in 2019. Threat actors deployed malware that created backdoors into thousands of customers’ systems via the live update feature of ASUS software. Because the live update tool pushed the malware to computers after it had been signed by ASUS, the attackers were able to steal sensitive data from victims. Once more, keeping systems secure and software up to date helps prevent attackers from hijacking your code signing process.


Final Thoughts

It is needless to say that code signing certificates are essential for maintaining the integrity of devices and protecting sensitive information from unauthorized access. However, code signing has vulnerabilities of its own, so administrators must always ensure that malicious software cannot access the certificates and keys.
