Digital Certificates
Digital Certificates [T1587.003]
Last updated
Digital Certificates [T1587.003]
Last updated
Name: Digital Certificates
ID: T1587.003
Tactics:
Technique:
Digital Certificates (T1587.003) is a sub-technique under the "Develop Capabilities" tactic in the MITRE ATT&CK framework. It involves adversaries creating, acquiring, or compromising digital certificates to facilitate their malicious activities. Digital certificates are electronic documents used to verify the authenticity of software, websites, and communications. By leveraging trusted certificates, attackers can bypass security controls, evade detection, and gain unauthorized access to sensitive systems and data.
Digital certificates are essential components in establishing trust within digital communications and software distribution. Adversaries exploit digital certificates through several methods:
Certificate Theft or Compromise: Attackers may compromise legitimate certificate authorities (CAs) or organizations' internal certificate stores to obtain valid certificates for malicious purposes.
Fraudulent Certificate Issuance: Attackers may pose as legitimate entities to trick certificate authorities into issuing valid certificates for malicious domains or software.
Self-signed Certificates: Attackers may generate and use self-signed certificates to encrypt traffic or spoof identities. While self-signed certificates typically raise warnings, attackers rely on users ignoring these warnings or having inadequate security controls.
Code Signing Certificates: Attackers may use stolen or fraudulently obtained code signing certificates to sign malicious executables, bypassing operating system security mechanisms and anti-malware software.
TLS/SSL Certificates: Attackers may use compromised or fraudulent TLS/SSL certificates to facilitate man-in-the-middle (MitM) attacks, intercept encrypted communications, and exfiltrate sensitive data.
Real-world procedures typically involve:
Reconnaissance to identify vulnerable certificate authorities or organizations with weak certificate management practices.
Exploiting vulnerabilities or conducting social engineering attacks to gain access to certificate issuance systems.
Issuing or stealing legitimate certificates to disguise malicious activities.
Deploying malware or malicious services signed with compromised certificates to evade detection and security controls.
Attackers employ Digital Certificates (T1587.003) in various stages of cyber-attacks, including:
Initial Access and Delivery: Malicious software signed with legitimate certificates bypasses endpoint protection and allows initial compromise.
Command and Control (C2): Attackers use valid certificates to secure command-and-control communications, reducing suspicion from network monitoring tools.
Persistence and Privilege Escalation: Signed malware can persistently execute with fewer alerts and elevate privileges by exploiting trust relationships established through valid certificates.
Defense Evasion: Legitimate certificates help attackers evade detection by security products, which often trust software signed by recognized authorities.
Credential Harvesting and Man-in-the-Middle Attacks: Attackers use fraudulent TLS/SSL certificates to intercept and decrypt sensitive communications, stealing credentials and confidential data.
This sub-technique appears frequently in advanced persistent threats (APTs), state-sponsored espionage campaigns, sophisticated cybercriminal operations, and targeted attacks against high-value organizations.
Detection of malicious use of digital certificates involves multiple layers, including technical monitoring, behavioral analysis, and threat intelligence:
Certificate Transparency Logs: Monitoring publicly available certificate transparency logs helps identify fraudulent or unauthorized certificate issuance.
Endpoint Detection and Response (EDR): EDR solutions can detect unusual binaries signed with uncommon or suspicious certificates.
Certificate Reputation Databases: Leveraging reputation databases and threat intelligence feeds to identify known malicious or compromised certificates.
Security Information and Event Management (SIEM): SIEM solutions aggregate logs from certificate authorities, endpoint security tools, and network devices to detect anomalies related to certificate usage.
Network Traffic Analysis: Inspecting encrypted network traffic for abnormal certificate usage patterns, unusual issuers, or expired/self-signed certificates.
Indicators of Compromise (IoCs):
Unexpected digital certificates installed on endpoints or servers.
Suspicious certificate issuers or rapidly issued certificates.
Code signing certificates associated with known malware families or threat actors.
TLS certificates with mismatched domain names or unusual validity periods.
Certificates signed by compromised or untrusted certificate authorities.
Detecting malicious use of digital certificates is critical for maintaining the integrity, confidentiality, and availability of organizational resources. The impacts of undetected malicious certificates include:
Security Control Bypass: Trusted certificates allow attackers to bypass endpoint protection, antivirus, and application whitelisting measures.
Data Exfiltration: Attackers can securely exfiltrate sensitive data using encrypted channels established with trusted certificates, making detection difficult.
Credential Theft: Fraudulent certificates facilitate MitM attacks, enabling attackers to intercept and decrypt sensitive communications and steal credentials.
Reduced Trust in Infrastructure: Compromised certificates undermine organizational trust infrastructure, potentially impacting business operations and customer confidence.
Persistent and Stealthy Attacks: Attackers employing valid certificates can maintain persistent access within environments for extended periods without detection.
Early detection and prompt response mitigate these risks by:
Preventing unauthorized access and data breaches.
Maintaining organizational trust and compliance with regulatory standards.
Reducing the dwell time of attackers within networks.
Facilitating quicker incident response and remediation efforts.
Real-world examples of attackers leveraging digital certificates include:
Stuxnet (2010):
Attack Scenario: Nation-state attackers targeted Iranian nuclear facilities using malware signed with stolen legitimate code signing certificates from Realtek and JMicron.
Tools Used: Stolen code signing certificates, custom malware.
Impact: Successfully sabotaged centrifuges, caused significant operational disruption, and remained undetected for extended periods.
Flame Malware (2012):
Attack Scenario: Advanced persistent threat (APT) malware targeting Middle Eastern organizations, using fraudulent Microsoft certificates to masquerade as legitimate Windows Update packages.
Tools Used: Fraudulent Microsoft certificates, sophisticated espionage malware.
Impact: Enabled espionage activities, data exfiltration, and prolonged stealthy operations.
Winnti Group Attacks (Various Incidents):
Attack Scenario: Cyber espionage group known for stealing legitimate code signing certificates from gaming and software companies to sign malware.
Tools Used: Stolen legitimate code signing certificates, customized backdoors, and malware toolkits.
Impact: Persistent espionage, intellectual property theft, and significant financial and reputational damage to targeted organizations.
Operation ShadowHammer (2019):
Attack Scenario: Supply chain attack against ASUS, attackers compromised ASUS Live Update utility by signing malicious updates with legitimate ASUS digital certificates.
Tools Used: Compromised ASUS code signing certificates, malicious software updates.
Impact: Over a million users potentially affected; attackers specifically targeted a smaller subset of users for further exploitation.
These examples illustrate the severity and potential impacts of adversaries exploiting digital certificates, emphasizing the critical need for robust detection and mitigation strategies.