A recent Symantec research report revealed that a China-based Advanced Threat group, dubbed Suckfly, has been targeting the private keys associated with code signing certificates to propagate malware over a period of two years. This discovery added yet another validation point to a rising trend among cyber attackers to distribute malware disguised as legitimate files and applications.
Why are cyber attackers targeting the private keys of code signing certificates? The problem lies in the dichotomy of the objective, and the governance in traditional code signing practices.
Key objectives of code signing are to a) verify the integrity of the content and ensure it has not been tampered, and b) providing attribution and non-repudiation of the creator of the file or application. Code signing elevates the trust level for files and applications in providing assurances that content has not been altered, along with associating the content with an identity has been verified by a third party. Many software companies and industry groups mandate the use of code signing for these reasons.
From a practical application perspective, some browsers will protect their users by displaying warnings if the user attempts to download any unsigned applications. In other areas, some security applications mitigate risks by preventing users from downloading and/or executing files and applications that are unsigned, minimizing the executing of code from unknown or unauthorized publishers. As such, we’ve observed that organizations with an elevated security stance and a high volume of in-house software or application development typically have embraced code signing from both a publishing perspective as well as risk reduction.
With traditional code signing, the accountability and responsibility of safekeeping the private keys used in the signing is left with the publishing organization. Within these organizations, the security and management of the private keys are typically entrusted to the Development group as files and applications are mostly published by Applications or Software Developers. If the group is not trained on security best practices nor held accountable on the consequences of lost, stolen or misused keys, the larger organization face the risks of having malware signed with their private keys.
There are some industry best practices that can help organizations prevent stolen or misused keys. These include:
- Securing the private keys
- HSMs or in a purpose-built secure environment
- Tracking of private keys and signing events
- Provide visibility on who signed what, and when
- Managing the assignment and revocation of publishers
- Ensure only authorized users have access to the private keys
- Capability to audit
- Drive accountability and forensic insights on code signing activities
In addition to best practices, some organizations may value the increased security that derives from not having private keys dispersed on-site, but rather in a centralized, secure location with robust key management governance. As a provider of 65% of code signing certificates worldwide*, Symantec provides a next generation alternative to help address the gap on the lack of governance and other challenges in traditional code signing practices and addresses the risk of stolen private keys. Symantec Secure App Service, a comprehensive cloud-based code signing management solution, centralizes key management and tracking of code signing events, as well as user management.
Cybercriminals will continue to find ways to breach the security of organizations and steal important data. Strict adherence to industry best practices or leveraging solutions such as Symantec Secure App Service will help deter these efforts and allow code signing to deliver the trust that it was created for.
*Source: International survey by rsEdge, 2014