Why code signing is the talk of the dark web

Code signing certificates are an essential part of our software world. Every software update is signed with a unique machine identity, combining a time stamp with an encryption algorithm in the form of a x.509 certificate issued by a trusted certificate authority. This allows other machines to know they are authentic and can be trusted.

Developers sign their code with a private key, and an end-user uses the public key from that developer to validate that the code hasn’t changed since the developer signed it. If someone has altered the code, the signature will provide an untrusted alert, in the same way a website with an untrusted or expired certificate does with transport layer security (TLS) machine identities. Without this system of identity, it would be impossible to deliver software. Without this you couldn’t use Windows, Mac, or iPhone let alone fly on a modern Airbus or Boeing aircraft. And it’s quickly becoming the same way in the cloud-native world of Kubernetes.

While essential, these identities hold a privileged position with the highest levels of authentication and trust, making them a hot commodity for nefarious characters looking to infiltrate systems. In recent years we have seen this system of identity come under attack. Our research shows there is a growing buzz around code signing machine identities on the dark web, with a raft of recent attacks contributing to the noise -- it would seem code signing machine identities are the next big thing.

Code signing machine identities are the talk of the town on the dark web

Findings from research we recently commissioned with dark web investigators Forensic Pathways into conversations and markets on the dark web reveal that code signing certificates are a hot topic among threat actors. We saw posts advertising code signing certificates for just $100 -- a drop in price from when we first investigated this and found code signing machine identities on sale for $1200 in 2017. There were also numerous queries on how to get hold of them and discussions around how to use them. The results of this investigation are clear: cybercriminals are on the hunt for code signing certificates and know how to exploit them.

If a code signing certificate is compromised, the resulting damage can be extremely harmful to businesses. A hacker can use a certificate to sign malicious code, hoodwinking security tools and passing off their malware as legitimate software. Take the recent Nvidia Lapsus$ attack, for example. Hackers used an old stolen certificate to sign two binaries and infect Windows machines, resulting in the theft of 1TB of data. The leaked certificate had expired in 2014, but it didn’t matter as Windows allows developers to use out-of-date certificates to sign code, creating a loophole ripe for exploitation by hackers.

Similar attack methods have become the weapon of choice for state-sponsored threat groups. North Korean groups, which reportedly generate as much as $1 billion a year in cybercriminal profits, often use code signing certificates to carry out cyberattacks. Earlier this year, we also saw attacks in Ukraine in which hackers used signed machine identities to deploy malware across various organizations.

In the case of Solarwinds, nation state actors were able to sneak malicious code into the software build pipeline, which was later signed with a valid code signing machine identity which allowed the software to be widely distributed and trusted. This malicious code enabled the actors to set up backdoors which enabled them to install even more invasive malware and spyware, helping them to steal and exfiltrate private information. As many as 1800 government entities and Fortune 500 companies were impacted.

How teams can boost code signing certificate security

These large-scale breaches indicate the huge damage that can be inflicted on companies if threat actors get their hands on code signing certificates, highlighting why companies must do more to protect these vital assets and prevent misuse internally. Here are five steps that security teams can take to improve their code signing security:

1. Automate, automate, automate in your DevOps pipeline: Machines now build machines. Modern software development runs at machine speed and uses automation like GitLab, GitHub, and Jenkins to run the manufacturing process of software builds. Integrating the protection and use of code signing into these pipelines is the first and most important requirement. Not only does this protect where the hackers are targeting it gets developers involved. Otherwise, they’ll find a way to circumvent controls and see security teams as just being the “same-old slow and no.”
2. Store private keys in an encrypted, secure and centralized location: a private key is only as secure as its means of storage. Many private keys are not stored in secure locations; administrators will often save a key in a file system or even on their desktops. Private code signing keys should never leave an encrypted secure location, even when a developer accesses it for a code signing operation.
3. Monitor use of private keys: As well as controlling access to private keys, teams also need to monitor usage. It is important to maintain an irrefutable log for every code signing operation, including which code signing tool was accessed and by whom, what software they signed with it, and which machine they accessed it from.
4. Apply a multi-level approval process: When accessing the most critical code signing keys, developers should require approval from at least one additional person -- ideally more -- before they are allowed to use them.
5. Define and enforce an access policy: To further limit misuse, teams need strict code signing policies and workflows based on controlled parameters. A policy could determine who has authority to access which code signing keys or state that developers can only access keys from approved computers during a defined time of day.
6. Rotate private keys: Teams can add an extra layer of security by rotating private keys. This ensures that the old key will no longer provide access or enable a threat actor to ‘sign’ if a code signing certificate is compromised. Rotating keys can be a cumbersome process, especially for large organizations, but it doesn’t have to be with the right software.

There’s no doubt that code signing machine identities are essential tools for software developers. With stolen certificates proven to be like gold dust for cybercriminals, and poorly managed certificates creating huge areas of vulnerability for organizations, threat actors are taking note, and their presence on the dark web is growing. Without clearly defined and rigorously enforced policies and workflows from security teams, organizations remain vulnerable to attack. Having a control plane that enables the automation of code signing machine identity management is essential to ensuring that these valuable assets are protected. The industry must act now.

Photo credit: mikser45 / Shutterstock

Kevin Bocek is VP Security Strategy & Threat Intelligence, Venafi.