A recent report by Intrinsec highlights the growing market for extended validation (EV) code-signing certificates in cybercrime. The report details how attackers acquire and abuse these certificates, and the security threats that follow.
Code signing, originally intended to let users and operating systems verify the authenticity and integrity of software, is now being abused by cybercriminals to evade security controls, to persuade users to grant administrative privileges to a signed installer (the elevation prompt shows a named publisher instead of an "unknown publisher" warning), and to lend malware the appearance of legitimacy. EV certificates are particularly sought after on the black market and sell for anywhere from $2,000 to $6,000.
Attackers obtain these certificates in several ways: registering new shell companies, impersonating existing firms during the validation process, or stealing certificates from legitimate holders. The report cites recent campaigns such as those distributing QakBot and Grandoreiro, which used stolen or fraudulently obtained EV certificates, and the NVIDIA incident, in which certificates stolen by the Lapsus$ group were used to sign malicious code.
The Intrinsec report underscores that attackers use code signatures not only to bypass protective mechanisms such as Microsoft SmartScreen, which grants EV-signed binaries reputation immediately rather than after a download history has accumulated, but also to build user trust and to reduce detections by antivirus products.
The report also describes the services available on the black market, including delivery of the physical hardware tokens on which EV signing keys must be stored, and remote access to such tokens so that buyers can sign binaries without ever possessing them. These services are offered not only on specialized forums but also through messaging platforms such as Telegram.
Intrinsec recommends that organizations strengthen verification of certificate authenticity, looking not only at whether a signature validates but at who the signer is, when the certificate was issued and whether it has since been revoked, and that they adopt stricter application control policies. The report also advocates training employees to recognize such threats and using reputation systems to identify malicious certificates.
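The kind of check that recommendation implies can be scripted on Windows with the built-in Authenticode cmdlets. The following PowerShell function is an added example written for this page, not code from the Intrinsec report: it reads the signature of a PE file, records the signer, flags whether the certificate carries the CA/Browser Forum EV code-signing policy OID (2.23.140.1.3), and compares the signer thumbprint against a local denylist. The denylist contents and the 90-day "newly issued certificate" threshold are placeholders and assumptions for illustration; populate and tune them from your own threat intelligence.

```powershell
# Added example, not from the Intrinsec report.
# Triage PE files by Authenticode status, signer identity, EV policy and certificate age,
# and check the signer thumbprint against a reputation denylist.

# Constructed placeholder denylist; replace with thumbprints from your own intel feed.
$KnownAbusedThumbprints = @(
    '0000000000000000000000000000000000000000'   # placeholder, not a real certificate
)

# CA/Browser Forum policy OID asserted by EV code-signing certificates
$EvCodeSigningOid = '2.23.140.1.3'

function Get-SignerTriage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$NewCertDays = 90       # heuristic threshold (assumption): young certs get a second look
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $isEv    = $false
    $ageDays = $null
    if ($cert) {
        # Certificate Policies extension (OID 2.5.29.32) lists the policy OIDs the CA asserted
        $policyExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
        if ($policyExt) {
            $isEv = ($policyExt.Format($false) -match [regex]::Escape($EvCodeSigningOid))
        }
        $ageDays = [int]((Get-Date) - $cert.NotBefore).TotalDays
    }

    $reasons = @()
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status: $($sig.Status)"
    }
    if ($cert -and ($KnownAbusedThumbprints -contains $cert.Thumbprint)) {
        $reasons += 'signer thumbprint on denylist'
    }
    if ($cert -and ($ageDays -lt $NewCertDays)) {
        $reasons += "certificate issued only $ageDays days ago"
    }

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Subject     = if ($cert) { $cert.Subject } else { $null }
        Issuer      = if ($cert) { $cert.Issuer } else { $null }
        Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
        IsEV        = $isEv
        CertAgeDays = $ageDays
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = ($reasons -join '; ')
    }
}

# Usage: triage recently downloaded executables and show only the flagged ones
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Include *.exe, *.dll, *.msi -Recurse |
    ForEach-Object { Get-SignerTriage -Path $_.FullName } |
    Where-Object { $_.Suspicious } |
    Format-Table Path, Status, Subject, IsEV, CertAgeDays, Reasons -AutoSize
```

A valid signature from a certificate issued days ago to a company nobody has heard of is exactly the pattern the report describes for freshly registered shell companies, so the age check is deliberately reported alongside the EV flag rather than treated as a pass. Revoked certificates surface through the Status field once the CA has published the revocation, which is why the check should be run again when a certificate later appears in a denylist or revocation feed.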
Overall, the report stresses that security tooling must be continually monitored and tuned to keep pace with the increasingly sophisticated tactics employed in cybercrime.