After malware attack: Criminals used DigiCert's codesigning certificates

First, criminals infected customer service employees with malware, then they stole more than twenty certificates. The CA has reacted - has Microsoft too?

Tap warning symbol on screen

(Image: amgun/ Shutterstock.com)


In April, the certification authority DigiCert issued several Code Signing Certificates to malware authors. The attackers had previously compromised the computers of customer service employees at DigiCert using malware. Because various security measures failed, the criminals gained access to a protected customer portal – including all the necessary information to retrieve the certificates.

The attackers are likely the group responsible for “Zhong Stealer.” The group specializes in attacks against customer service representatives. They infected two DigiCert employees' PCs and thus gained access to a function that simulates customer access in the DigiCert portal. Initialization codes for certificates were stored there, which – along with a hardware token and corresponding software at the customer's site – enabled not only the retrieval of the certificates but also the associated key material.

The attackers thus hijacked a total of 27 certificates and used them to sign malware, thereby bypassing Windows' SmartScreen. In internal investigations, DigiCert found 33 additional certificates and various suspicious orders and revoked them within 24 hours of discovery.


In its root cause analysis, DigiCert identified several insufficient security measures: Apparently, no CrowdStrike sensor was installed on one of the two compromised computers – the criminals roamed there for ten days. On the second computer, there was an alarm, but the malware still ran. Conceptual gaps in the risk analysis for certificate initialization codes allowed the retrieval of the valuable certificates, and the Salesforce customer portal also did the company a disservice. It blindly forwarded the malware, a .scr file in ZIP format, to support staff, thus providing an ideal breeding ground.

Among the affected customers are PC manufacturers Shuttle, Lenovo, and Palit, as well as Tencent, the operator of the video service TikTok, and the Leipzig-based security company DigiFors. In total, DigiCert's reported list includes 61 certificates from organizations in thirteen countries, predominantly in Asia. However, EU companies are also affected: In addition to a German GmbH, one company each from Switzerland, France, Poland, and Portugal is affected.

Further trouble awaited DigiCert on Walpurgis Night from Microsoft. On April 30, the Redmond-based software company added a detection for the malware “Trojan:Win32/Cerdigent.A!dha” with a signature update to its in-house antivirus solution Defender, which, under certain conditions, promptly removed two root certificates of the CA (“DigiCert Assured ID Root CA” and “DigiCert Trusted Root G4”) from the Windows trust store. Consequently, on affected Windows PCs, TLS connections to websites with DigiCert certificates could not be established.

However, whether there is a connection between the two incidents remains doubtful: Almost two weeks passed between the last revoked malware certificate and the faulty signature update, and in the current list of root certificates accepted by Microsoft, the certificates are still included.
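For administrators who want to confirm that the two roots named above survived the Defender update on a given machine, the following PowerShell check is an added example (not part of the article and not a DigiCert or Microsoft tool); it matches the roots by subject CN only, and the host name in the TLS check is a placeholder.

```powershell
# Added example: verify the two DigiCert roots from the article are present in the
# Windows trust stores, then confirm a TLS chain can still be built on this machine.
$expectedRoots = @(
    'DigiCert Assured ID Root CA',
    'DigiCert Trusted Root G4'
)
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Test-RootPresence {
    param([string[]]$Names, [string[]]$StorePaths)
    foreach ($cn in $Names) {
        foreach ($store in $StorePaths) {
            # Roots are self-signed, so Subject must equal Issuer; match on the CN prefix.
            $match = Get-ChildItem -Path $store |
                Where-Object { $_.Subject -like "CN=$cn,*" -and $_.Subject -eq $_.Issuer }
            [pscustomobject]@{
                Root       = $cn
                Store      = $store
                Present    = [bool]$match
                Thumbprint = if ($match) { ($match | Select-Object -First 1).Thumbprint } else { $null }
                NotAfter   = if ($match) { ($match | Select-Object -First 1).NotAfter } else { $null }
            }
        }
    }
}

function Test-TlsChain {
    # Opens a TLS session; AuthenticateAsClient throws if the chain does not validate locally.
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{ Host = $HostName; ChainOk = $true;  Issuer = $leaf.Issuer; Error = $null }
    } catch [System.Security.Authentication.AuthenticationException] {
        [pscustomobject]@{ Host = $HostName; ChainOk = $false; Issuer = $null; Error = $_.Exception.Message }
    } finally {
        $client.Dispose()
    }
}

Test-RootPresence -Names $expectedRoots -StorePaths $stores | Format-Table -AutoSize
# Placeholder host: substitute a site whose certificate you know chains to a DigiCert root.
Test-TlsChain -HostName 'example.invalid' | Format-List
```

Note that Windows can fetch missing roots on demand from the Windows Update AuthRoot list, so an empty LocalMachine\Root result alone does not prove that TLS will fail; the chain test is the decisive check.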

This is not the first time DigiCert has encountered certificate-related difficulties: the year before last, the company faced the threat of legal action from a customer who refused to replace, at short notice, certificates that had been revoked due to formal errors. It is in good company: D-Trust, a subsidiary of Bundesdruckerei, caused thousands of administrators to work overtime over the Easter holidays for the same reason.

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.