By Gorazd Božič, head of SI-CERT
One of the measures that protects us against malicious code is digital code signing. If the operating system cannot find the code author’s digital signature verified by a trusted certificate authority, it rejects the installation of the application. The user must then perform a more or less arduous task of manually approving the exception. By doing so, the user inadvertently accepts the responsibility for installing unknown software. Computer virus creators have adapted quickly and started obtaining code-signing certificates, also in the guise of Slovenian companies.
At SI-CERT, we handled the first incident of this sort in April 2020. The analysis of a Maze ransomware sample showed that the malware was code-signed by a recently established micro-company from Slovenia offering consultancy services. At first glance, there were no signs of the company being involved in any kind of software development that would require them to own a code-signing certificate. Moreover, the company had neither a domain nor a website.
We considered three possibilities:
- The company suffered a cyber attack in which the attackers stole the certificate.
- Someone had managed to convince the company to obtain the certificate and share it with a third party (the virus creators).
- Someone had stolen the company’s identity and used it to obtain the certificate.
The first possibility did not seem very probable as the company with only one employee had neither a domain nor a website, so there was nothing to hack into (aside from the owner’s personal computer). In addition, the attackers would have to have hacked someone who had already had a valid certificate. The second assumption bore the question of whether the perpetrators would have found it worthwhile to go through the process of searching and convincing an owner to invest their time and money into obtaining a certificate. After all, many would find such a request suspicious. In this scenario, it would be reasonable of the company owner to expect a solid “commission” for the certificate, thus making the operation more expensive for the perpetrators.
A few months later, we were informed of three other Slovenian companies that were listed as having signed malware – in this case Ryuk ransomware. The companies had similar characteristics: two micro and one small company offering construction, transportation and wood trade services. Similarly, these companies were in no way involved in software development, nor did they have any visible online presence.
In November 2020, Malware Bazaar started monitoring digital certificates used for code-signing malware. At the moment, there are 229 entries on the list with the number expected to increase in the future. On it we can find 22 certificates issued to companies with names ending in “d.o.o.”. Considering the fact that the same acronym is used to label limited liability companies in the entire territory of former Yugoslavia, we expected a number of certificates to be issued to companies outside Slovenia. However, it turned out that all the companies were micro companies based in Slovenia. Two companies were missing the information about their size, and one of the companies was not in the company register. However, the name in the code-signing certificate said “in bankruptcy” (in Slovenian), which confirmed that this company was also Slovenian. The percentage of Slovenian companies was definitely high, and what was even more interesting was the fact that no “d.o.o.” company was from Croatia or Serbia.
Another interesting detail that caught our eye was the fact that 87 % of all certificates on the list were issued by certificate authority Sectigo from the USA.
Actions of SI-CERT
We notified Sectigo of the issue as we concluded that the perpetrators had found a loophole in their identity verification process. Sectigo has already confirmed that they cancel certificates if they are used to code-sign malware. However, a better solution would be for them to determine why the perpetrators are so successful at identitying theft and would not issue the certificates in the first place. Is it possible to improve the process or will the certificate authority fall silent and continue with their practice? Another question in the matter is how can a certificate authority from the USA validate whether a certificate request was even submitted by the representative of a Slovenian company. This is one of the shortcomings of the remote certification commercial model that has positioned itself as the dominant model from the start.
Another interesting aspect is a relatively high share of Slovenian companies on the list. We can only guess the reason for this situation, but we hope to find more answers in further investigations.
About the author
Gorazd Božič is the head of the Slovenian National Computer Emergency Response Team (SI-CERT) which was established in 1995. Between 2000 and 2008, Gorazd was the chair of the European CERT group TF-CSIRT, which brings together all known CERTs in the wider European region and provides the accreditation and certification programme for CSIRTs – the Trusted Introducer. Gorazd is involved in national awareness-raising programmes for cybersecurity and has been the Slovenian representative to the the Management Board of ENISA, the European Network and Information Security Agency, since its formation in 2004 until 2018. He also offers support and mentorship to newly-formed CSIRTs in South East Europe. Currently, Gorazd is the chair of the EU CSIRTs Network, defined in Article 12 of the NIS Directive.
Also this year GÉANT joins the European Cyber Security Month, with the 'Cyber Hero @ Home' campaign. Read articles from cyber security experts within our community and download resources from our awareness package on https://dev.connect.geant.org/csm2021