Introducing CertiLeaks: An Intelligence-based layer of security for digital signatures

WHAT’S THIS?

CertiLeaks provides a list of certificate hashes (thumbprints) of leaked certificates, acquired from dark / deep web channels, that could potentially be used to sign malware. It is important to note that these fingerprints are not acquired through a reactive approach, such as analysing a malware stream, but through a proactive one, by collecting them from dark / deep web channels and other sources. With a reactive approach we are always destined to arrive late, since the certificate in question has inevitably already been used to sign malicious payloads; with a proactive one we can obtain a stream of fingerprints belonging to certificates that, in the best case, will only be used to sign malware in the future.

INTRODUCTION

A signed executable, often known as a digitally signed executable, is a type of computer program or application file that has been authenticated and verified by a digital signature. This digital signature is generated using a cryptographic process and is issued by a trusted entity known as a certificate authority (CA).

When software developers create an executable file, they can choose to digitally sign it with their keys. This process involves applying a unique cryptographic hash to the file and then encrypting that hash with the developer’s private key. This encrypted hash, along with the developer’s public key and other relevant information, is then bundled together to create a digital signature.

Once the digital signature is attached to the executable file, users who attempt to run or install the software can verify its authenticity. This verification is typically done by the operating system or security software, which checks the digital signature against the public key associated with the developer’s private key. If the signature is valid and the file has not been tampered with since signing, the software is considered trustworthy, and users can be confident that it comes from the identified developer and, more generally, from a trusted source.

The primary purpose of digitally signing executables is to ensure the integrity and authenticity of software. It helps prevent the distribution and execution of malicious or tampered applications, as users can trust that the signed software has not been altered by unauthorized parties.

Digital signatures play a crucial role in software distribution, especially in the context of operating systems and application marketplaces. They provide a layer of security and help users make informed decisions about the trustworthiness of the software they are installing on their devices.

RISKS RESULTING FROM LEAKED CERTIFICATES

When attackers gain access to a leaked or stolen certificate, they can exploit it to sign malware and perform malicious activities with a higher degree of success.

Generally speaking, an attack involving a stolen / leaked certificate can be similar to the following:

Acquiring the Certificate: Hackers may obtain a legitimate code signing certificate through various means. This can include hacking into a software development company’s servers, compromising the systems of individual developers or purchasing / finding stolen or leaked certificates from underground marketplaces.

Tampering with Malware: Once the hackers have a valid certificate, they can create or obtain malicious software (malware) that they intend to distribute to unsuspecting users.

Signing the Malware: The hackers use the stolen certificate to digitally sign the malware they want to distribute. By doing so, they give the malicious code a high degree of legitimacy and trustworthiness. The digital signature falsely implies that the malware comes from a reputable source, like the original software developer.

The potential benefits of code signing for attackers are:

Evading Security Measures: Digital signatures are used by various security solutions to verify the authenticity of executable files. By signing the malware with a legitimate certificate, the malicious software can potentially bypass security checks and appear harmless to some security software.

Increasing Distribution Success: By leveraging a signed executable, the hackers can increase the chances of their malware being successfully installed and executed on target systems. Many operating systems and antivirus solutions tend to trust signed files much more than unsigned ones, making it easier for the malware to propagate.

Maintaining Persistence: Some malware variants use valid certificates to maintain persistence on infected systems. The malware may use the trusted certificate to update itself or establish connections to command-and-control servers without raising suspicion from security measures.

Launching Supply Chain Attacks: In some cases, hackers may exploit the stolen certificate to compromise the software supply chain. They may insert the signed malware into software updates or distributions, potentially affecting a large number of users who trust the signed software.

and many more…

To mitigate the risks associated with stolen or leaked certificates, certificate authorities and software developers must implement robust security measures to protect their private keys and certificates.

THE ROLE OF CYBER THREAT INTELLIGENCE IN MITIGATING THE RISK OF LEAKED CERTIFICATES

Cyber Threat Intelligence (CTI) can play a crucial role in mitigating the risk of stolen / leaked certificates by providing valuable insights, early warnings, and proactive measures to organizations and security teams.

However, to the best of my knowledge, there are currently no freely available sources that can provide a proactively acquired feed of fingerprints of leaked certificates, and this is where CertiLeaks comes into play; this is how it works:

Dark Web and Underground Markets: CTI teams usually actively monitor dark web forums and underground markets where stolen certificates are traded / shared. By identifying the presence of these certificates early on, they can alert relevant parties to take appropriate action. In this case the acquired certificate is sent to an automatic processing queue.

Processing Queue: The obtained certificates are added to an automated processing queue, which includes several activities, among them attempting to sign executables with each certificate.

Thumbprint Extraction: The thumbprint is extracted for each of the certificates with which it was actually possible to sign artifacts arbitrarily.

Feed sharing: For the open feed, the list on my personal GitHub repository is updated at regular intervals via password-protected archives.

HOW TO USE CERTILEAKS

As an example, consider an executable originally signed with a valid (now revoked) certificate.

The executable in question, with SHA256 84C9CBC01241D4B52453C467A28AB9190C1B87F0B7AC31CEB21E079FA919288B, was originally signed with a leaked certificate owned by Hangil IT Co., Ltd, whose thumbprint is 28F9A8E7601F5338BF6E194151A718608C0124A8.

At the time of detection, this malware had an extremely low detection rate, probably because it presented a valid certificate:

History of detection rates. Source: VirusTotal

However, CertiLeaks provides a list of hashes of leaked certificates (called thumbprints) that are used as unique identifiers.

If a hash is listed in the CertiLeaks repo, the corresponding certificate has already been used (at least by me :]) to sign artifacts arbitrarily and therefore should not be trusted.

To verify that an executable does not carry a thumbprint included in CertiLeaks, you can use YARA with the following syntax (the pe module must be imported, and the range is inclusive, so it stops at number_of_signatures - 1):

import "pe"

rule CertiLeaks_CompromisedCert_82938_92833 {
   meta:
      author = "Emanuele De Lucia"
      description = "Detects an executable signed with a leaked certificate"
      hash1 = "84c9cbc01241d4b52453c467a28ab9190c1b87f0b7ac31ceb21e079fa919288b"
   condition:
      for any i in (0 .. pe.number_of_signatures - 1) : (
         pe.signatures[i].thumbprint == "28f9a8e7601f5338bf6e194151a718608c0124a8"
      )
}
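The page's rule covers a single thumbprint; the feed is a whole list, and thumbprints turn up in several spellings (uppercase in the text above, lowercase in YARA, colon-separated in openssl output). The following added example (not part of CertiLeaks or the original post) normalises thumbprints to the lowercase form YARA compares against, loads a constructed sample feed (the Hangil IT thumbprint from the page plus one made-up placeholder entry), and generates one YARA rule covering every entry. The feed format (one thumbprint per line, "#" comments) is an assumption.

```python
import re

# Constructed sample feed for this example. The first entry is the thumbprint
# quoted on the page; the second is a placeholder, not a real certificate.
SAMPLE_FEED = """
28F9A8E7601F5338BF6E194151A718608C0124A8
# placeholder entry, constructed for this example
00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
"""


def normalize_thumbprint(value: str) -> str:
    """Return a SHA-1 thumbprint as 40 lowercase hex chars, the form YARA's
    pe.signatures[i].thumbprint uses. Accepts uppercase, colon- or
    space-separated digits, and an 'SHA1 Fingerprint=' style prefix."""
    hex_only = re.sub(r"[^0-9a-fA-F]", "", value.split("=")[-1])
    if len(hex_only) != 40:
        raise ValueError(f"not a SHA-1 thumbprint: {value!r}")
    return hex_only.lower()


def load_feed(text: str) -> set:
    """Parse a feed with one thumbprint per line ('#' lines are comments)."""
    return {normalize_thumbprint(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def is_leaked(thumbprint: str, feed: set) -> bool:
    """True if a signer thumbprint (in any spelling) is listed in the feed."""
    return normalize_thumbprint(thumbprint) in feed


def build_yara_rule(feed: set, rule_name: str = "CertiLeaks_Feed") -> str:
    """Emit a single YARA rule flagging a PE signed by any listed certificate.
    Same pe.signatures loop as the page's rule, with the inclusive range
    ending at number_of_signatures - 1."""
    conds = " or\n         ".join(
        f'pe.signatures[i].thumbprint == "{t}"' for t in sorted(feed))
    return (
        'import "pe"\n\n'
        f"rule {rule_name} {{\n"
        "   meta:\n"
        '      description = "PE signed with a certificate listed in the feed"\n'
        "   condition:\n"
        "      for any i in (0 .. pe.number_of_signatures - 1) : (\n"
        f"         {conds}\n"
        "      )\n"
        "}\n"
    )
```

The generated rule grows one comparison per feed entry, so regenerate it whenever the feed archive is refreshed rather than editing it by hand.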


LIMITATIONS & NOTES

The service is offered as is and is based on a visibility which, by its nature, must be considered not exhaustive. Please note that CertiLeaks is a pilot service. Therefore it could be suspended, withdrawn and the information relating to it removed at any time without notice. CertiLeaks may share data and information late or not at all with respect to corresponding commercial services in which I am actively involved. The process does not check the revocation or validity status of the certificates it processes.

DATA FEED

The feed of fingerprints of leaked certificates is updated at regular intervals and can be found here

Please note that the archive is password protected to prevent the information contained in the feed from accidentally harming the reputation of potentially involved companies and institutions. The password can be shared with trusted third parties by emailing me at [email protected]
