Are Rogue Code Signing Keys in Your Environment?

Phil Hagen


Although this specific example has been exposed as part of a joke, the threat is real – code signing keys are often targeted by advanced attackers. Keys stolen during other breach operations have been used to sign malicious software.

Perhaps this was inevitable – it appears the attackers behind the Sony breach are using stolen code signing keys to sign the latest variants of the “Destover” malware. This results in a binary that is signed and “trusted” to execute – often without further security inspection. While not a new tactic, it clearly demonstrates the critical place endpoint visibility has in today’s information security posture.

Properties of binary signed with stolen code signing keys.

Stolen code signing key, from SecureList.

Many “preventive” technologies ignore signed binaries, as they’re deemed “trustworthy”. Of course there’s no need to waste automated analysis cycles on things that we “trust”. However, with a rogue code signing key on the loose, the attacker can create whatever code they like – and deploy the malware as a signed package that evades many “modern” enterprise security technologies. The potential damage increases significantly if the attackers have acquired multiple code signing keys or choose to sell the key to other malicious actors.

While the code signing architecture is designed to handle compromised keys, similar thefts in the past have made it clear how complicated – or utterly broken – the certificate revocation process is within most environments. It could be weeks or months before a typical environment is sufficiently updated to reject code signed with the stolen keys.

However, a proper endpoint solution has your back – even before the key was leaked. By observing the hierarchy and artifacts from each and every executable event, you can quickly and easily determine if the stolen code signing keys have been used by executables in your environment. If you perform continuous real-time sweeps for the keys at execution time – at scale – you can have notice within minutes or hours of the suspect executable running. A binary archival system can provide the reverse engineering team with the malware samples they need – even if they never hit a disk. All of these functions will give the incident response team a tremendous lead on their attackers.

In fact, within hours of the revelation that Sony’s stolen code signing keys were in use, Red Canary deployed a detector that will identify any executable signed with the stolen keys at runtime. Our clients will receive timely notification of any related event so they can remediate quickly and completely. In addition, we performed a sweep of the past several weeks’ worth of endpoint collection data among all of our clients to give them immediate peace of mind that the suspect code signing keys have not been active in each of their respective enterprises.
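The retrospective sweep described above, and the execution-time check described two paragraphs earlier, both reduce to the same logic: compare the signing certificate recorded for each executed binary against a watchlist of compromised certificates. The following is an added illustration written for this page, not Red Canary’s detector or any vendor’s code. It assumes a sensor that records Authenticode signer details at execution time and emits one JSON object per execution event; the field names, the telemetry records, the watchlist thumbprint and serial, and the compromise date are all constructed placeholders (the real stolen-certificate identifiers are not on this page). It matches on certificate identifiers rather than the signer name, because a binary signed with the stolen key carries the victim’s legitimate name and a “Valid” signature status, and it uses the signature’s timestamp to separate possible pre-theft releases from signatures made after the key was known to be compromised.

```python
import json
from datetime import datetime, timezone

# Constructed watchlist of compromised code signing certificates. Placeholder values,
# not the real stolen Sony certificate; populate these from your threat-intel feed.
COMPROMISED_THUMBPRINTS = {"0000000000000000000000000000000000000001"}
COMPROMISED_SERIALS = {"0123456789abcdef"}

# Assumed earliest instant the key is known to have been in attacker hands (placeholder).
# A signature countersigned by a trusted timestamp before this instant may be a legitimate
# pre-theft release; anything later, or with no timestamp, is treated as attacker-produced.
KNOWN_COMPROMISE_TIME = datetime(2014, 11, 24, tzinfo=timezone.utc)

# Constructed endpoint telemetry: one JSON object per process-execution event, with the
# signer details the sensor is assumed to have recorded at execution time. Field names are
# assumptions, not any vendor's schema.
SAMPLE_EVENTS = r"""
{"host": "ws-017", "ts": "2014-12-09T14:02:11Z", "path": "C:\\Windows\\Temp\\svc.exe", "sig_status": "Valid", "signer_name": "Sony Pictures Entertainment Inc.", "thumbprint": "0000000000000000000000000000000000000001", "serial": "01:23:45:67:89:AB:CD:EF", "signing_time": "2014-12-05T03:14:00Z"}
{"host": "ws-042", "ts": "2014-12-09T14:05:40Z", "path": "C:\\Program Files\\Vendor\\player.exe", "sig_status": "Valid", "signer_name": "Sony Pictures Entertainment Inc.", "thumbprint": "ffffffffffffffffffffffffffffffffffffffff", "serial": "aa:bb:cc:dd", "signing_time": "2013-06-01T10:00:00Z"}
{"host": "srv-03", "ts": "2014-12-09T16:22:05Z", "path": "D:\\Apps\\legacy\\setup.exe", "sig_status": "Valid", "signer_name": "Sony Pictures Entertainment Inc.", "thumbprint": null, "serial": "01:23:45:67:89:ab:cd:ef", "signing_time": "2013-02-11T08:30:00Z"}
{"host": "ws-101", "ts": "2014-12-09T17:01:59Z", "path": "C:\\Users\\jdoe\\Downloads\\tool.exe", "sig_status": "NotSigned", "signer_name": null, "thumbprint": null, "serial": null, "signing_time": null}
{"host": "ws-017", "ts": "2014-12-10T09:12:33Z", "path": "C:\\Users\\Public\\update.exe", "sig_status": "Valid", "signer_name": "Sony Pictures Entertainment Inc.", "thumbprint": "0000000000000000000000000000000000000001", "serial": "01:23:45:67:89:AB:CD:EF", "signing_time": null}
"""


def _norm(ident):
    """Lower-case and strip separators so thumbprints and serials compare regardless of
    how a particular sensor formatted them."""
    if not ident:
        return None
    return ident.replace(":", "").replace(" ", "").lower()


_WATCH_THUMBPRINTS = {_norm(t) for t in COMPROMISED_THUMBPRINTS}
_WATCH_SERIALS = {_norm(s) for s in COMPROMISED_SERIALS}


def _parse_time(value):
    """Parse an ISO-8601 UTC timestamp; returns None when the signature carried none."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(jsonl):
    """Read newline-delimited JSON telemetry into a list of event dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def signer_on_watchlist(event):
    """True when the executed binary's signing certificate is a compromised one.

    Only the certificate identifiers are compared. The signer name and the 'Valid'
    status are deliberately ignored: a binary signed with the stolen key carries the
    legitimate company name and verifies cleanly until revocation propagates.
    Either identifier is accepted because some sensors record only one of them.
    """
    return (_norm(event.get("thumbprint")) in _WATCH_THUMBPRINTS
            or _norm(event.get("serial")) in _WATCH_SERIALS)


def classify(event):
    """Return an alert record for a watchlist hit, or None for an unrelated event."""
    if not signer_on_watchlist(event):
        return None
    signed_at = _parse_time(event.get("signing_time"))
    if signed_at is None or signed_at >= KNOWN_COMPROMISE_TIME:
        severity = "high"
        reason = "signed after known compromise, or no trusted timestamp"
    else:
        severity = "review"
        reason = "timestamped before known compromise; confirm provenance of this build"
    return {
        "host": event.get("host"),
        "ts": event.get("ts"),
        "path": event.get("path"),
        "sig_status": event.get("sig_status"),
        "severity": severity,
        "reason": reason,
    }


def sweep(jsonl):
    """Run the watchlist check over a batch of telemetry (the retrospective sweep).
    The same classify() call applied to each event as it arrives is the runtime detector."""
    return [hit for hit in (classify(e) for e in parse_events(jsonl)) if hit]


if __name__ == "__main__":
    for hit in sweep(SAMPLE_EVENTS):
        print(f"[{hit['severity']:6}] {hit['host']} {hit['ts']} {hit['path']} ({hit['reason']})")
```

On the constructed sample, the two Temp/Public executables signed after the compromise date are flagged high, the legacy installer timestamped in 2013 is flagged for review rather than ignored, and the binary from a different certificate with the same company name is not flagged at all; that last case is the point of matching on identifiers. Applying the same check as each execution event arrives, rather than to a stored batch, is what turns the sweep into the runtime detector the post describes.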

Endpoints matter – that much is clear. Leveraging the millions of artifacts created each day requires best-of-breed technology and an efficient process created and executed by skilled analysts. Red Canary provides that value today.