The IT Nerd

Emsisoft Says Hackers Are Spoofing Its Certificates


Hackers are using fake code-signing certificates impersonating cybersecurity firm Emsisoft to target customers using its security products, hoping to bypass their defenses:

We recently observed an incident in which a fake code-signing certificate supposedly belonging to Emsisoft was used in an attempt to obfuscate a targeted attack against one of our customers. The organization in question used our products and the attacker’s aim was to get that organization to allow an application the threat actor installed and intended to use by making its detection appear to be a false-positive.

The attack failed – our product detected and blocked it – but we are issuing this alert so that both our customers and users of other companies’ products are aware of the tactics that were used in this case.

Kevin Bocek, VP Ecosystem and Community at Venafi, had this to say:

“Spoofing has been an issue for companies for a long time, but more commonly associated with website spoofing linked to phishing – so it’s interesting that the same ‘change one letter’ approach is being applied to code signing machine identities. The fact that we’re seeing threat actors impersonating companies with fake code-signing certificates is a sign of the times, as we are increasingly seeing threat actors targeting machine identities, due to the level of trust they have within the network. Threat actors understand that being granted trusted access to a company’s system via fake machine identities is akin to being ushered through the digital front door. In this instance the spoofed identity was detected and flagged, but it could easily have been overlooked.

“The continued adoption of cloud native technologies is creating huge levels of complexity around machine identity management; it’s harder than ever for teams to make decisions on what can and can’t be trusted to run – especially given the speed of development environments. With the number of machine identities across an organization growing exponentially, organizations need a control plane to automate the management of machine identities. This provides teams with the observability, consistency and reliability needed to effectively manage their machine identities and spot any bad actors from trying to spoof their way in.”

This is yet another thing to keep an eye out for, as the attack surface that threat actors use is clearly evolving.
