If there’s one major security trend of 2015 I’d predict causing even more trouble next year it’s abuse of crypto keys and digital certificates. Cybercriminals have simply found that abusing this layer of the internet is far easier, cheaper and often more effective than more traditional forms of attack.
Digital certificates stolen from Sony Pictures were later used to sign malware in order to make attacks more effective; and the same technique was linked to the Anthem and Premera healthcare breaches in the States.
And of course it was a similar strategy which contributed to the success of the Stuxnet attack.
Kaspersky Lab even said this week that the number of new malware files it detected this year have actually dropped, as hackers instead use stolen or bought digital certs to achieve the same ends.
Kevin Bocek is chief security strategist at Venafi – a firm which helps secure cryptographic keys and digital certs. He told me these foundational layers of trust on which the internet rests are being undermined by the latest developments in the black hat community.
“We’ve all seen that movie scene where the bad guy dresses up as a painter to gain access to a building; this is now what is happening in the cyberworld,” he told me.
“Bad guys are trading keys and certificates on the dark web and using them to crack into company systems – just look at Sony, the Snowden revelations and Stuxnet. They all involved stolen or misused keys and certificates.”
It doesn’t bode well for the future, with even current systems being architected in the same way – based on digital certificates.
“My concern is that moving forward industrial control centre malware could become bioweapons,” Bocek claimed. “This is because the moment you sign the malware with a valid certificate, it is essentially like a bio weapon. In the current climate, that’s frightening.”
That’s not all. The burgeoning Internet of Things space is ripe for exploitation in the same way, with cybercriminals likely to hold firms ransom by effectively taking over their smart devices.
“By taking a code-signing certificate and changing the entity it obeys, a hacker can change the firmware on a smart device to take control of it. Now when that sensor or smart device calls back to the ‘mothership’ who does it trust? The bad guy,” he explained.
“From a single point of compromise – the digital certificate – hackers and cybercriminals can take over a whole network of hundreds, thousands or even millions of smart ‘things’. This can then be used to blackmail companies – either cease operations, take on huge disruption, or pay up.”
Now, Venafi certainly has a vested interest to talk up the potential damage that abuse of certs and keys could effect.
But this is already happening in the wild with real consequences for organizations and their customers around the world.
Unfortunately 2016 is likely to see things get a lot worse before CISOs start to give this their full attention.