A security vendor has warned network security teams to be on high alert when reviewing code-signing certificates, after spotting an attempt to spoof one of its certs in order to disguise a cyber-attack.
Emsisoft claimed in a new blog post that after gaining initial access into a customer’s network, the attackers installed a dual-purpose remote access product known as MeshCentral.
It was signed with a certificate named “Emsisoft Server Trusted Network CA” in a bid to trick the security team into believing it was there legitimately, the AV vendor said.
“We believe this was done to make any detection of the application appear to be a false positive,” it said. “One of our products was installed and running on the compromised endpoint, after all, so an application that had supposedly been signed by an Emsisoft certificate may be believed to be safe and allow-listed.”
Emsisoft said the incident showed that organizations should be extra vigilant when deciding whether to allow new applications that are flagged by their security tools.
“If an organization authorizes an application that should not be allowed, an attacker may be able to disable antivirus protection, move laterally within the network, exfiltrate data and, ultimately, deploy ransomware,” it argued.
If the origin of a certificate is unknown, the application should be quarantined and inspected, and only allowed if it can be conclusively proved that it is safe and was installed legitimately by the organization, Emsisoft advised.
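The point of the advice is that a signer's name proves nothing: the certificate in this incident carried an Emsisoft-sounding subject but was never issued by anyone the organization trusts. The program below is an added example, not Emsisoft's or MeshCentral's code, that models the two decisions side by side: a name-only allow-list rule versus verifying that the signing certificate actually chains, for code signing, to a root the organization holds, or matches a thumbprint pinned when the organization installed its own software. All certificates, names and the "Example Org" root are constructed in memory for the demo; the spoofed subject string is the one reported in the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issue builds a certificate with the given CN. With parent == nil it is
// self-signed; otherwise it is signed by parent. Constructed for this demo.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	serial.Add(serial, big.NewInt(1)) // keep the serial strictly positive
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// scenario holds the organization's trust store, a signer it really issued,
// and a self-signed certificate that merely claims a vendor name.
type scenario struct {
	roots   *x509.CertPool
	genuine *x509.Certificate
	spoof   *x509.Certificate
}

func buildScenario() (*scenario, error) {
	root, rootKey, err := issue("Example Org Code Signing Root (constructed)", true, nil, nil)
	if err != nil {
		return nil, err
	}
	genuine, _, err := issue("Example Org Release Signing (constructed)", false, root, rootKey)
	if err != nil {
		return nil, err
	}
	// Self-signed: nobody the organization trusts vouched for this name.
	spoof, _, err := issue("Emsisoft Server Trusted Network CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &scenario{roots: pool, genuine: genuine, spoof: spoof}, nil
}

// weakNameCheck is the flawed rule the post warns about: the signer is trusted
// because its subject mentions a vendor already present on the endpoint.
func weakNameCheck(cert *x509.Certificate, vendor string) bool {
	return strings.Contains(cert.Subject.CommonName, vendor)
}

// chainCheck accepts a signer only if it chains to a trusted root and every
// certificate in the chain permits code signing.
func chainCheck(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err == nil
}

// fingerprint returns the SHA-256 thumbprint of the DER certificate, the value
// an organization records when it installs software itself.
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// pinnedCheck accepts a signer only if its thumbprint was recorded at install time.
func pinnedCheck(cert *x509.Certificate, allowed map[string]bool) bool {
	return allowed[fingerprint(cert)]
}

func main() {
	s, err := buildScenario()
	if err != nil {
		panic(err)
	}
	pinned := map[string]bool{fingerprint(s.genuine): true}
	for _, c := range []struct {
		label string
		cert  *x509.Certificate
	}{{"genuine", s.genuine}, {"spoof", s.spoof}} {
		fmt.Printf("%-8s name-match=%-5v chain=%-5v pinned=%-5v CN=%q\n", c.label,
			weakNameCheck(c.cert, "Emsisoft"), chainCheck(c.cert, s.roots),
			pinnedCheck(c.cert, pinned), c.cert.Subject.CommonName)
	}
}
```

Run it and the spoofed certificate is the only one that passes the name-only rule, while it fails both the chain check and the pin check; the organization's own signer passes the latter two. In a real review the same two questions apply to the binary's Authenticode or package signature: which root does the chain end at, and is that thumbprint one the organization recorded itself.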
Kevin Bocek, VP ecosystem and community at Venafi, explained that threat actors are increasingly targeting machine identities due to the level of trust they typically have inside a network.
“Threat actors understand that being granted trusted access to a company’s system via fake machine identities is akin to being ushered through the digital front door. In this instance the spoofed identity was detected and flagged, but it could easily have been overlooked,” he added.
“The continued adoption of cloud native technologies is creating huge levels of complexity around machine identity management; it’s harder than ever for teams to make decisions on what can and can’t be trusted to run – especially given the speed of development environments.”