ZDNet reports on an increasing trend by malicious actors to leverage code-signing certificates to bypass perimeter security appliances as a way to infect their targets:
Code-signing certificates are designed to give your desktop or mobile app a level of assurance by making apps look authentic. Whenever you open a code-signed app, it tells you who the developer is and provides a high level of integrity to the app that it hasn’t been tampered with in some way. Most modern operating systems, including Macs, only run code-signed apps by default.
But not only does code-signing have an effect on users who inadvertently install malware, code-signed apps are also harder to detect by network security appliances. The research said that hardware that uses deep packet inspection to scan for network traffic “become less effective when legitimate certificate traffic is initiated by a malicious implant.”
That’s been picked up by some hackers, who are selling code-signing certificates for as little as $299. Extended validation certificates which are meant to go through a rigorous vetting process can be sold for $1,599.
The certificates, the researchers say, were obtained by reputable certificate issuing authorities, like Comodo, and Symantec and Thawte — both of which are now owned by DigiCert.
Organizations need to consider blacklisting certificates known to be leveraged by attackers. Oftentimes, because of what the certs cost, the same code-signing certificate is reused across multiple malware variants developed by a single group. That reuse makes it much easier to block multiple attacks in one fell swoop.
It is standard operating procedure for cyber defense teams to block malware based on the hash and filename, among other datapoints. By blocking the certificate during the code-signing certificate validation phase, endpoint defense systems may be able to prevent the malware from running. If the cert matches a blacklisted one, the validation fails, and the attack will be thwarted.
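The certificate-blocking step described above, as an added PowerShell example that is not from the ZDNet article or from the author of this post. It scans a directory of executables, looks up each file's Authenticode signer certificate against a blocklist of thumbprints, and can push a matching certificate into the machine's Disallowed store, which is the mechanism Windows uses to make chain validation fail for anything signed by that certificate. The thumbprint values and the scan path are constructed placeholders; the cmdlets and .NET types used are real.

```powershell
# Added example, not code from the page's author or from ZDNet.
# Assumptions: the thumbprints below are constructed placeholders (replace with values
# from your own threat-intel feeds) and C:\Quarantine is a hypothetical scan path.

# Blocklist keyed on SHA-1 thumbprint, which is what Get-AuthenticodeSignature exposes
# via SignerCertificate.Thumbprint. Constructed placeholder values.
$BlockedThumbprints = @(
    '0000000000000000000000000000000000000001',
    '0000000000000000000000000000000000000002'
)

function Test-BlockedSigner {
    # Returns one record per file: signature status, signer identity, and whether
    # the signer's thumbprint is on the blocklist. Unsigned files have no signer.
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
        Subject    = if ($cert) { $cert.Subject }    else { $null }
        Issuer     = if ($cert) { $cert.Issuer }     else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Blocked    = ($null -ne $cert) -and ($BlockedThumbprints -contains $cert.Thumbprint)
    }
}

function Block-SignerCertificate {
    # Adds the certificate to the LocalMachine Disallowed store. Windows consults this
    # store during chain building, so any binary signed with the cert fails validation
    # on this host, regardless of file hash or filename. Requires an elevated shell.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try   { $store.Add($Certificate) }
    finally { $store.Close() }
}

# Scan a hypothetical quarantine folder and report what would be blocked.
$results = Get-ChildItem -Path 'C:\Quarantine' -Include *.exe, *.dll, *.msi -Recurse -File |
    ForEach-Object { Test-BlockedSigner -Path $_.FullName }

$results | Format-Table Path, Status, Thumbprint, Blocked -AutoSize

# Push every blocklisted signer into the Disallowed store so future chain builds fail.
$results | Where-Object Blocked | ForEach-Object {
    $cert = (Get-AuthenticodeSignature -FilePath $_.Path).SignerCertificate
    Block-SignerCertificate -Certificate $cert
    Write-Host "Blocked signer $($cert.Thumbprint) ($($cert.Subject))"
}
```

Two caveats worth keeping in mind when operationalizing this: a thumbprint match tells you the file was signed with a known-bad certificate, but a `Valid` status on its own says nothing about intent, so the blocklist is the signal, not the signature status; and additions to the Disallowed store are per-host unless distributed through Group Policy or your endpoint management tooling, so a single-machine block should be treated as a test before it is rolled out fleet-wide.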
So I would argue that being able to block code-signing certificates makes it a lot easier to stop a variety of malware from a single attack group. Blacklisting hashes and filenames is an extremely important ingredient in cyber defense, but blocking certificates should be too.