Sony Hackers Nabbed Digital Cert to Evade Malware Filters

Security researchers have claimed that the destructive, information-stealing malware attack on Sony Pictures last month allowed hackers to grab a digital certificate from the company which could enable future attacks to evade malware filters.

Kaspersky Lab’s Global Research and Analysis Team (GReAT) reported last week that the Destover malware – which is related to the DarkSeoul and Shamoon wipers – was used to sabotage Sony systems and steal valuable information.

It was also reported that phone numbers and travel aliases of movie stars including Daniel Craig, Brad Pitt and Natalie Portman were leaked, as well as sensitive info on Sony staff and even forthcoming films.

Now Kaspersky Lab is claiming to have discovered a new variant of Destover in the wild which was signed with a legitimate Sony digital certificate on 5 December.

It added in a blog post:

“So what does this mean? The stolen Sony certificates (which were also leaked by the attackers) can be used to sign other malicious samples. In turn, these can be further used in other attacks. Because the Sony digital certificates are trusted by security solutions, this makes attacks more effective. We've seen attackers leverage trusted certificates in the past, as a means of bypassing whitelisting software and default-deny policies.”

The security vendor said it has reported the certificate to COMODO and Digicert, and the latter has confirmed that it has blacklisted the certificate, closing off that attack vector.

Kevin Bocek, vice president of security strategy and threat research at security firm Venafi, argued that stolen certificates have become popular as a fast, easy and effective way for attackers to inject malware undetected onto corporate networks.

“Global companies typically have tens of thousands of keys and certificates and the majority do not take an accurate inventory of them, do not know where they are deployed, who is using them and do not have the right systems in place to secure them,” he added.

“Enterprises must start to get a better handle on all of their certificates and keys deployed, determine anomalies in the environment based on established policies, and then quickly revoke and replace anything suspect or out of policy.”
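As an added illustration of the kind of check the advice above implies (this script is not from the article, Kaspersky Lab or Venafi), the following PowerShell inventories local code-signing certificates and scans a directory tree for binaries whose Authenticode signer matches a thumbprint the organisation has decided to distrust. The thumbprint and the scan path are placeholders, not values from the article.

```powershell
# Added example, not the article's code. Thumbprints and paths below are placeholders.
$BlocklistedThumbprints = @(
    '0000000000000000000000000000000000000000'   # placeholder: the reported/revoked cert's SHA-1 thumbprint
)

function Get-LocalCodeSigningCerts {
    # Inventory step: code-signing certificates with private keys in the machine store.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.FriendlyName -contains 'Code Signing') } |
        Select-Object Subject, Thumbprint, NotAfter
}

function Find-BlocklistedSignatures {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Thumbprints
    )
    $wanted = $Thumbprints | ForEach-Object { $_.ToUpperInvariant() }
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if ($null -eq $cert) { return }   # unsigned or unparsable: out of scope for this check
            # Status may still read "Valid" while a fresh revocation has not propagated,
            # or when a countersignature timestamp predates the revocation date,
            # so match on the signer thumbprint instead of trusting Status alone.
            if ($wanted -contains $cert.Thumbprint.ToUpperInvariant()) {
                [pscustomobject]@{
                    File       = $_.FullName
                    Signer     = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    Status     = $sig.Status
                    Timestamp  = $sig.TimeStamperCertificate.Subject
                }
            }
        }
}

Get-LocalCodeSigningCerts | Format-Table -AutoSize
Find-BlocklistedSignatures -Path 'C:\ProgramData' -Thumbprints $BlocklistedThumbprints |
    Format-Table -AutoSize
```

Any hit is worth treating as suspect even when Status reports Valid, since a signature from a stolen certificate is exactly what application whitelisting would otherwise wave through.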

What’s hot on Infosecurity Magazine?