Digital Certificates

Information

• Name: Digital Certificates

• ID: T1588.004

• Tactics: TA0042

• Technique: T1588

Introduction

Digital Certificates (T1588.004) is a sub-technique under the broader MITRE ATT&CK technique "Obtain Capabilities" (T1588). This technique involves adversaries acquiring digital certificates—cryptographic credentials issued by trusted certificate authorities (CAs)—to facilitate malicious activities. These certificates can be leveraged by attackers to sign malware, establish trust in malicious infrastructure, bypass security controls, and evade detection by disguising malicious software or services as legitimate and trusted.

Deep Dive Into Technique

Digital certificates are cryptographic documents issued by trusted third-party Certificate Authorities (CAs) and are commonly used to validate the authenticity and integrity of software, services, and network communications. Adversaries exploit the inherent trust placed in these certificates to enhance the effectiveness of their attacks. Technical execution methods and mechanisms include:

• Certificate Acquisition Methods:

  • Purchasing Legitimate Certificates: Attackers purchase valid certificates from trusted CAs using fraudulent or stolen identities and credentials.

  • Stealing Existing Certificates: Attackers compromise legitimate organizations or their infrastructure to steal private keys and certificates.

  • Misuse of Certificate Authorities: Attackers exploit vulnerabilities within CAs or their verification processes to issue fraudulent certificates.

• Use of Certificates in Malicious Activities:

  • Code Signing Malware: Attackers sign malware binaries with valid, stolen, or fraudulently obtained certificates, bypassing security mechanisms such as antivirus and endpoint detection software.

  • Secure Communication Channels: Attackers use certificates to establish encrypted channels (TLS/SSL) for command-and-control (C2) communication, reducing visibility into malicious network traffic.

  • Spoofing Legitimate Services: Attackers deploy certificates to impersonate legitimate websites, software, or services, deceiving users and security systems into trusting malicious content.

• Real-World Procedures:

  • Attackers frequently target organizations with weak certificate management practices or those with access to high-value certificates.

  • Malicious actors have been known to compromise third-party vendors and service providers to gain access to legitimate certificates.

  • Sophisticated threat actors leverage stolen certificates to sign advanced persistent threat (APT) malware, significantly increasing the difficulty of attribution and detection.

When this Technique is Usually Used

Adversaries utilize digital certificates across various stages and scenarios of cyber-attacks, including:

• Initial Access and Delivery:

  • Signed malware binaries delivered via phishing emails or drive-by downloads to bypass endpoint protection solutions.

• Execution and Persistence:

  • Signed malicious drivers or kernel-mode components installed to achieve persistence and evade detection.

• Command and Control (C2) Communications:

  • Using TLS certificates to encrypt and disguise malicious communication channels, making it difficult for defenders to inspect traffic.

• Privilege Escalation and Defense Evasion:

  • Leveraging digitally signed binaries to bypass application allow-listing and other security policy restrictions.

• Supply Chain Attacks:

  • Compromising software vendors or third-party certificate holders to distribute malicious software updates or patches.

How this Technique is Usually Detected

Detection of misuse or fraudulent use of digital certificates requires proactive monitoring, robust logging, and advanced analysis techniques. Common detection methods and tools include:

• Certificate Transparency Logs:

  • Monitoring public certificate transparency logs for unauthorized or suspicious certificate issuance tied to organizational domains.

• Endpoint Detection and Response (EDR) Solutions:

  • Detecting anomalous binaries or software signed by unusual or previously unseen certificates.

• Network Traffic Analysis:

  • Inspecting TLS/SSL encrypted traffic for unusual certificate issuers or self-signed certificates.

  • Identifying unusual certificate characteristics, such as uncommon expiration dates, issuer anomalies, or mismatches between certificates and associated domains.

• Certificate Management and Auditing Tools:

  • Regular audits of internal certificate repositories and CA infrastructure to detect unauthorized issuance or use of certificates.

• Indicators of Compromise (IoCs):

  • Suspicious certificate thumbprints or serial numbers identified in threat intelligence feeds or incident reports.

  • Unusual or unexpected certificate issuers or subjects.

  • Certificates issued shortly before observed malicious activity.

Why it is Important to Detect This Technique

Early detection of malicious use or misuse of digital certificates is critical due to the following impacts and risks:

• Evasion of Security Controls:

  • Signed malware and communications bypass traditional security controls, dramatically increasing the difficulty of detection and remediation.

• Trust Exploitation:

  • Malicious use of legitimate certificates undermines trust in digital infrastructure, potentially causing widespread operational disruption and reputational damage.

• Increased Attack Persistence:

  • Attackers leveraging legitimate certificates can maintain persistence within an environment for extended periods without detection, leading to prolonged data exfiltration or espionage activities.

• Supply Chain Compromise:

  • Compromise of certificates from software vendors or trusted third parties can lead to significant cascading impacts across numerous downstream organizations.

• Regulatory and Compliance Risks:

  • Failure to detect and remediate certificate misuse can lead to regulatory penalties, loss of compliance certifications, and significant legal and financial consequences.

Examples

Real-world examples illustrating the misuse of digital certificates include:

• Stuxnet Attack (2010):

  • Attackers used stolen digital certificates from legitimate companies (Realtek Semiconductor Corp. and JMicron Technology Corp.) to digitally sign malware binaries, enabling the malware to evade detection and infect Iranian nuclear facilities.

• Operation ShadowHammer (2019):

  • Attackers compromised ASUS's update servers, using legitimate ASUS digital certificates to sign malicious software updates. This supply chain attack infected thousands of users worldwide, bypassing security controls due to the trust in ASUS-issued certificates.

• Flame Malware (2012):

  • Attackers leveraged a fraudulent Microsoft certificate obtained via cryptographic collision attacks to impersonate Windows Update servers. This allowed attackers to distribute malicious payloads to targeted systems while appearing legitimate.

• Winnti Group Attacks:

  • The Winnti threat group regularly steals and abuses legitimate digital certificates from gaming companies and software developers to sign malware, evade detection, and infiltrate targeted organizations.

• APT41 and Code Signing Abuse:

  • APT41, a Chinese state-sponsored threat actor, has repeatedly used stolen or fraudulently obtained digital certificates to sign malware and malicious tools, significantly complicating detection and attribution efforts.