Tuesday, July 10, 2018 5:25:12 PM
Stolen certificates from D-Link used to sign password-stealing malware
Wave VSC 2.0 - https://www.wavesys.com/products/wave-virtual-smart-card
Wave Endpoint Monitor - https://www.wavesys.com/malware-protection
https://arstechnica.com/information-technology/2018/07/stolen-certificates-from-d-link-used-to-sign-password-stealing-malware/
This isn't the IP camera software you think it is.
Criminals recently stole code-signing certificates from router and camera maker D-Link and another Taiwanese company and used them to pass off malware that steals passwords and backdoors PCs, a researcher said Monday.
The certificates were used to cryptographically verify that legitimate software was issued by D-Link and Changing Information Technology. Microsoft Windows, Apple’s macOS, and most other operating systems rely on the cryptographic signatures produced by such certificates to help users ensure that executable files attached to emails or downloaded on websites were developed by trusted companies rather than malicious actors masquerading as those trusted companies.
Somehow, members of an advanced persistent-threat hacking group known as BlackTech obtained the certificates belonging to D-Link and Changing Information Technology, the researcher with antivirus provider Eset said in a blog post. The attackers then used the certificates to sign two pieces of malware, one a remotely controlled backdoor and the other a related password stealer. Both pieces of malware are referred to as Plead and are used in espionage campaigns against targets located in East Asia. The Japan Computer Emergency Response Team recently documented the Plead malware here. AV provider Trend Micro recently wrote about BlackTech here.
“The ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region,” Eset researcher Anton Cherepanov wrote in Monday’s post.
Don’t try this at home
In a support announcement, D-Link officials said that two separate code-signing certificates were recently misappropriated by a “highly active cyber espionage group.” The post said most D-Link customers won’t be affected by the theft, but it also suggested some people may experience errors when viewing mydlink IP cameras within Web browsers. Company engineers are in the process of releasing updated firmware to fix the errors. People using mydlink mobile applications aren’t affected.
Both D-Link and Changing Information Technology have revoked the stolen certificates. Until the D-Link firmware is issued, the company’s support announcement is advising people who want to use browsers to view their affected D-Link cameras to temporarily ignore the certificate revocation warnings. This is bad advice that could be abused by malware operators. Users should disregard it.
The best-known example of malware that abused stolen code-signing certificates was the Stuxnet worm that targeted Iran’s nuclear enrichment program almost a decade ago. The malware used legitimate certificates belonging to RealTek and JMicron which are both, like D-Link and Changing Information Technology, known technology companies based in Taiwan.
Last year, researchers published research that showed that malware signed by OS-trusted code-signing certificates was more common than most people assumed, with the first known instance occurring in 2003. Earlier this year, researchers documented several underground services that sold counterfeit signing credentials that are unique to each buyer. The thefts reported Monday are an indication that misappropriated certificates remain a widely used technique for concealing malicious software.
Stolen Taiwanese Certs Used in Malware Campaign
https://www.infosecurity-magazine.com/news/stolen-taiwanese-certs-used/?utm_source=dlvr.it&utm_medium=twitter
Security researchers have discovered yet another cyber-attack campaign using stolen certificates to circumvent traditional security tools.
The tactic was being used to launch a remotely controlled backdoor dubbed Plead and a related password stealer, according to Eset senior malware researcher, Anton Cherepanov.
Plead was spotted last year being used by a group known as BlackTech to compromise targets in East Asia including Hong Kong, Japan and Taiwan, and as such could be a Beijing-backed venture.
Two certificates were used to sign the malware, one belonging to Taiwanese security company Changing Information Technology and another issued by D-Link.
“We spotted this malware campaign when our systems marked several files as suspicious. Interestingly, the flagged files were digitally signed using a valid D-Link Corporation code-signing certificate. The exact same certificate had been used to sign non-malicious D-Link software; therefore, the certificate was likely stolen,” explained Cherepanov.
After being notified of the discovery, D-Link revoked the certificate last week, he added.
However, BlackTech is still using the Changing Information Technology certificate, despite it also having been revoked last week.
Kevin Bocek, chief cybersecurity officer at Venafi, pointed out that the use of stolen certificates is not new and was in fact popularized by the Stuxnet authors.
“If you steal trusted machine identities from global technology companies, you can execute highly effective attacks that don’t raise any alarms. This is just one more demonstration of how machine identities, in this case code signing certificates, are being abused by malicious actors. There’s no doubt we’re going to see a lot more of these attacks in the future,” he added.
“Code-signing certificates are often a core component of DevOps and cloud infrastructure; and because organizations are using a lot more machine identities, these risks will only grow. In fact, researchers are already seeing a dramatic rise in the trade of stolen code-signing certificates on the dark web.”
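Added example (not code from either article, D-Link, Changing Information Technology or Eset): both stories turn on one detail, that the same certificate signed legitimate vendor software and the Plead malware, and that revocation is what separates the two. The script below models how a revocation should be applied to an inventory of signed files, and what D-Link's "ignore the revocation warning" advice collapses. It assumes a constructed inventory (the kind of signer subject, thumbprint and countersignature time you would collect with signtool verify /v or Get-AuthenticodeSignature on Windows), constructed thumbprints and revocation dates that match no real certificate, and the standard Authenticode rule that a signature carrying a trusted timestamp earlier than the certificate's revocation date stays valid while anything signed later, or without a trusted timestamp, does not.

```python
"""Applying a code-signing certificate revocation to a file inventory.

Added illustration, not tooling from the articles above. All thumbprints,
paths and dates are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SignedFile:
    path: str
    signer_subject: str
    thumbprint: str                # SHA-1 thumbprint of the leaf signing cert
    timestamp: Optional[datetime]  # trusted countersignature time, None if absent


# Constructed thumbprints; they do not correspond to any real certificate.
DLINK_THUMB = "a" * 40
CHANGING_THUMB = "b" * 40
OTHER_THUMB = "c" * 40

# Revocation list: thumbprint -> effective revocation date (constructed dates).
REVOKED: Dict[str, datetime] = {
    DLINK_THUMB: datetime(2018, 7, 3, tzinfo=timezone.utc),
    CHANGING_THUMB: datetime(2018, 7, 4, tzinfo=timezone.utc),
}

# Constructed inventory, as if exported from signtool verify /v or
# Get-AuthenticodeSignature across a fleet.
SAMPLE_FILES: List[SignedFile] = [
    # Genuine vendor software, timestamped months before the revocation.
    SignedFile("C:/Program Files/D-Link/mydlink/mydlink.exe", "D-Link Corporation",
               DLINK_THUMB, datetime(2017, 11, 20, tzinfo=timezone.utc)),
    # Signed with the stolen key after the revocation date.
    SignedFile("C:/Users/alice/Downloads/update.exe", "D-Link Corporation",
               DLINK_THUMB, datetime(2018, 7, 5, tzinfo=timezone.utc)),
    # Signed with the other stolen key, no trusted timestamp at all.
    SignedFile("C:/Users/alice/AppData/Local/Temp/svc.exe",
               "Changing Information Technology Inc.", CHANGING_THUMB, None),
    # Unrelated vendor, certificate not revoked.
    SignedFile("C:/Windows/System32/vendor.dll", "Some Other Vendor", OTHER_THUMB,
               datetime(2018, 1, 1, tzinfo=timezone.utc)),
]


def verdict(f: SignedFile, revoked: Dict[str, datetime],
            ignore_revocation: bool = False) -> str:
    """Classify one signed file against the revocation list."""
    revoked_at = revoked.get(f.thumbprint)
    if revoked_at is None:
        return "trusted"
    if ignore_revocation:
        # What "ignore the revocation warning" amounts to: every file signed
        # with the stolen key, malware included, is accepted as trusted.
        return "trusted"
    if f.timestamp is None:
        # Without a trusted timestamp there is no proof the signature predates
        # the compromise, so the revocation applies.
        return "untrusted: revoked cert, no trusted timestamp"
    if f.timestamp < revoked_at:
        # Authenticode keeps pre-revocation, timestamped signatures valid; this
        # is what lets the vendor's older, genuine releases keep working.
        return "trusted: timestamped before revocation"
    return "untrusted: signed after revocation"


def scan(files: List[SignedFile], revoked: Dict[str, datetime],
         ignore_revocation: bool = False) -> Dict[str, str]:
    """Verdict for every file in the inventory, keyed by path."""
    return {f.path: verdict(f, revoked, ignore_revocation) for f in files}


def hunt(files: List[SignedFile], revoked: Dict[str, datetime]) -> List[str]:
    """Paths that fail the revocation check, sorted for triage."""
    return sorted(f.path for f in files
                  if not verdict(f, revoked).startswith("trusted"))


if __name__ == "__main__":
    for path, result in scan(SAMPLE_FILES, REVOKED).items():
        print(f"{result:45} {path}")
    print("needs triage:", hunt(SAMPLE_FILES, REVOKED))
    print("with warnings ignored:",
          set(scan(SAMPLE_FILES, REVOKED, ignore_revocation=True).values()))
```

The point of the two trusted outcomes is that revocation with an effective date is what lets a vendor keep its genuine, timestamped releases working while cutting off everything the thieves sign afterwards; the moment a user follows advice to wave the revocation warning through, the `ignore_revocation=True` branch shows that both categories become indistinguishable. The untimestamped case is why practitioners should treat "valid signer, revoked cert, no countersignature" as a hunting signal rather than noise.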