Recently, cybercriminals have begun targeting public Certificate Authorities (CA) to obtain legitimate certificates and then sell them on the black market. Because these are verified and signed certificates obtained by unjust means, it can be exceedingly difficult to identify them.
How to Manipulate Public Certificates
The process of obtaining an authentic certificate requires much less technical hacking than one may expect. Instead, cybercriminals rely heavily on psychological manipulation and publicly available information to trick the parties involved.
So how does one obtain a certificate? A bad actor will work to impersonate an employee of the company they are targeting, often a company executive. Compared to a regular employee, an executive likely has a wider range of network permissions and database access.
The goal is to obtain a code-signing certificate. This type of certificate fully identifies the owner as a member of the entity they are impersonating. It displays that it is an approved certificate from the organization’s CA and lends further legitimacy to the threat actor.
To begin, they will identify a target and study publicly available information about them. The more verifiable information they are able to obtain, the more credible they will seem to the certificate vendor.
Once they’ve identified the target, the next step is to set up entity-impersonating infrastructure to deceive the public CA. The threat actor will need to register an email domain to redirect emails. When communicating with the public CA vendor, the domain and correspondence must appear valid. The goal of the interaction is to eventually purchase a digital certificate.
Once the certificate has been purchased, it’s important that they have it verified. By using a publicly available antivirus scanning service, the actor is able to record a “clean bill of health” for the certificate. This process shows that the certificate was reasonably obtained from the organization and is not a disguised virus. It lends credibility to the certificates and is key for bypassing detection. And since it is a bona fide certificate, this is easily accomplished.
At the end of this process, the cybercriminal now has a verified certificate that is ready to be sold. There are many underground markets for a verifiable certificate because it can be used to sign a number of malicious files that could then bypass the security of the organization.
How are Stolen Certificates Used?
Once the certificate is in the hands of the cybercriminal customer, what are their options for using it? Most commonly, it’s used to send malicious files. Since the certificate is signed and recognized by the public CA, the files avoid suspicion and detection.
Malware and adware are the most frequent sent with the stolen certificate. With the verifiable certificate, the malware will bypass most cybersecurity measures. Considering it does not produce error messages, there is a greater chance that it will be opened by a user.
A recent study found that 80% of exploited certificates remain a threat 6 years after they were originally signed. These certificates are signed by legitimate organizations for what was intended to be regular use, so most will bypass system protection measures and operate for years. As detailed above, the process to obtain these certificates is not easy, but the risks of a bad actor accessing your organization through these means should prompt a deep dive into your CA security.
How Public and Private Certificates Differ
When deploying a CA and implementing certificate-based authentication, a deal of research should go into the decision of how to design the network infrastructure. A public and private CA have different features and functions to consider.
Software Trust & Website Security
Most well-known public CAs are inherently trusted by browsers, operating systems, and other client software. This makes them particularly useful for securing publicly accessible websites. Public root certificates are by default trusted, simplifying the secure transmission of data between the website and user.
In contrast, private CAs must be manually trusted by the involved parties. The private root certificate has to be trusted separately, making the use of private certificates for website security an inefficient process.
Public CAs have to abide by industry regulations. A public CA must perform strict checks and validation against qualified databases before issuing a certificate. Since public certificates are used on such a wide array of websites and browsers to secure traffic, they must adhere to more stringent standards of operation.
On the other hand, private CAs don’t have to abide by industry standards. This allows for much greater freedom for the possible uses of private certificates. The actual certificates are far more customizable and more appropriate for use in network authentication rather than website security.
Given that certificates operate outside rigorous industry regulations, it’s important to thoroughly vet your private CA vendor. If your vendor does not follow up on security patches and industry trends, the network may be at a significant risk. Overall, it’s vital to ensure the vendor practices regular self-regulation and maintains a sound and secure operation.
Public or Private Certificates for Network Authentication
When considering a CA for network authentication, the clear choice is a private CA. The limited trust that is afforded to private CAs makes them a poor target for cybercriminals that want to sell stolen certificates. Additionally, the amount of customization that private certificates can undergo makes them nearly unusable for cybercriminals.
This customization is exactly what makes private CAs perfect for certificate authentication. Each organization can customize certificate profile mapping to fit their particular uses and security concerns. They can be used to secure internal domains and systems Public CAs cannot be used for this purpose. A private CA is able to control identity and verification procedures by connecting to SSO systems and LDAP/Active Directory.
Public CAs simply are not appropriate for network authentication. The main barrier is the incompatibility between public certificates and 802.1x authentication. When an HTTPS is verified, the domain name and the Common Name or Subject Alternative Name on the certificate is checked. 802.1x authentication does not include the domain name, creating a conflict for network authentication.
CA security affords numerous benefits that can improve any organization’s cybersecurity. But as with any security technology, there are nuances and tricks that can be exploited if a cybercriminal searches long enough. Doing the necessary research and vetting your CA vendor can be the difference between a crack in the armor and airtight network security. Check out SecureW2’s pricing page to see if our affordable and effective CA solutions can work for your organization.