Industry Certificate Blocking List?
Perhaps all is not quite so well in the code-signing ecosystem. Microsoft’s Privacy Security and Trust Engineering team might well suggest that the pervasive use of digital signatures would make the ecosystem more secure, but this premise needs to be tested with real-world evidence.
Code-signed malware and potentially unwanted applications (PUAs) have been prevalent and on the increase because threat actors know that code signing can still be effective in bypassing behavioural (EDR/XDR/HIPS) and static security protection mechanisms.
Digital signatures are meant to certify that a file has not been tampered with and to identify its source with 100% confidence. Hence, we in the security industry have traditionally conferred an element of trust on digitally signed application executables, which has indeed been useful in mitigating false positives (FPs). However, it is important to acknowledge the flaws in this assumption of trust and to formulate alternative handling scenarios.
A Certificate Authority (CA) is expected to have done its due diligence in vetting and verification before issuing code signing certificates, which entail a significant cost. Since there is a cost attached, one makes a not unreasonable assumption that code certificates are non-trivial to obtain. Ironically, it is this cost per certificate which renders digital signatures less trustworthy given the conflict of interest vis-a-vis the CA’s core business, i.e. CAs have a financial incentive to issue as many certificates as possible.
The remote theft of code-signing certificates is not common these days, and the use of cloud-signing infrastructure makes it even less likely. However, supply chain attacks seem to abound, so certificate compromise within one’s own environment is a real and growing danger.
In addition, there has been a recent trend of adding arbitrary certificates to the Windows Cert Trust Center used by Microsoft’s crypto APIs during verification. The adversary can now use some cheap social engineering to become its own trusted CA!
We have also noticed a large number of samples in which malicious PE files have been injected within the scope of the digital signature of cryptographically-sound reputable PE files. This phenomenon deserves attention and explanation.
In this presentation we shall deep dive into the categorical, evidence-based nature of the use of digital signatures in recent malware and PUAs. We shall investigate the relative efficacy of CA Certificate Revocation Lists versus industry sharing of specific certificate metadata within the framework of a Certificate Blocking List. We must forge effective verification and trust solutions in the security industry to avoid treating all signed application files as essentially unsigned, which could lead to an increase in FPs. This is part of the Battle for Cyber Supremacy for sure.
Please note that the essence of this topic is likely to be covered at another conference prior to AVAR 2024, but we feel its message is important for the different audience at AVAR.