Cybercriminals are constantly on the hunt for new and effective ways to launch disruptive attacks. One area currently attracting growing attention is code-signing machine identities.
Machine identities are an increasingly important part of the modern, interconnected world. Every software update released is signed with a unique machine identity, combining a time stamp with an encryption algorithm in the form of a certificate issued by a certificate authority.
This process allows other machines to know the software is authentic and can be trusted. Developers sign their code with a private key while an end-user uses the public key from that developer to validate that the code is secure.
Machine IDs hold a privileged position when it comes to overall authentication and trust. This makes them an enticing target for criminals looking to infiltrate IT infrastructures.
During the past few years, the system of machine IDs has come under growing pressure. Research conducted by Venafi shows there is growing chatter about code signing machine identities on the dark web.
Increasingly attractive targets
According to the Venafi research[1], code signing certificates are coming under increasing demand among cybercriminals. They are also dropping in price with the researchers finding some listed for sale for as little as $100.
Researchers also found a number of posted queries from people interested in learning more about how to obtain them and put them to use.
Code signing certificates are popular because they can allow a cybercriminal to cause significant damage to a targeted organisation. An attacker can use a certificate to sign malicious code, hoodwinking security tools and passing off their malware as legitimate software.
Similar avenues of attack have also become increasingly popular with nation-state cybercriminal groups. Earlier this year, there was evidence[2] that attacks were being mounted in Ukraine during nation-state groups used signed machine identities to deploy malware across various organisations.
During the high-profile Solarwinds attack, a different group of nation-state cybercriminals was able to secrete malicious code into the software build pipeline, which was later signed with a valid code signing machine identity which allowed the software to be widely distributed and trusted.
This malicious code then enabled the criminals to set up backdoors and steal sensitive private information from other organisations. It’s estimated that as many as 1800 government entities and businesses were hit.
Six steps to achieving more effective security
To reduce the likelihood of falling victim to such an attack, organisations should take six key steps to improve their overall level of digital ID security. Those steps are:
- Embrace automation:
Because of the increasing number of machine IDs in use, manual management is no longer possible. IT teams should deploy automation tools that can manage and track the IDs throughout their lifecycle. - Protect private keys:
All private keys need to be encrypted and stored in a secure, centralised location. A private key is only as secure as its means of storage. - Constantly monitor private-key usage:
While limiting access to private keys is critical, IT teams also need to track their usage. An irrefutable log of every code-signing operation should be maintained that shows which keys were accessed and by whom. - Adopt a process of multi-level approval:
When developers seek access to critical code-signing keys, they should have to receive approval from at least one other person. This will help to further strengthen security by reducing the chance of misuse. - Document and enforce official access policies:
As a means of reducing misuse even further, organisations should have a strict set of usage policies in place. These should be clearly explained to all developers and monitored to ensure compliance. - Regularly rotate private keys:
Key rotation will ensure that old keys will no longer provide access or enable a cybercriminal to ‘sign’ if a code signing certificate is compromised. This process can be cumbersome if there are a lot of keys, however, the effort is worth it.
It’s clear that code signing machine identities will remain an important part of the software development process in the future. For this reason, taking the time to put in place management guidelines and tools to ensure their security is vital for all organisations.
[1] https://www.venafi.com/news-center/press-release/dark-web-research-illicit-code-signing-certificates-more-valuable
[2] https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
