Cyber-criminals have been discovered abusing free certificate generation tool Let’s Encrypt to hide malware from security scanners and legitimize malicious sites.
Trend Micro fraud researcher, John Chen, explained in a blog post that his team saw the tool used in a malvertising attack leading Japanese victims to sites hosting the Angler exploit kit, in order to infect them with a banking trojan.
To carry out the attack, cyber-criminals created a subdomain under a legitimate domain they compromised, using a process known as “domain shadowing.”
This newly created subdomain leads to a server under their control hosting the malicious ad in question—which in turn redirects to sites hosting Angler EK.
By registering the subdomain with Let’s Encrypt, traffic from users to the malicious ad was hidden from network security tools via HTTPS, while the compromised server was protected by the Let’s Encrypt certificate.
Run by the Internet Security Research Group (ISRG), which is backed by the likes of Cisco, Akamai, Facebook and Mozilla, Let’s Encrypt issues domain-validated (DV) certificates rather than extended validation (EV) certificates, which require more vetting of the requesting organization.
Chen argued that as a certificate authority (CA), the body needs to do more than merely check domains that it issues against Google’s Safe Browsing API.
“Cases like this one where an attacker is able to create subdomains under a legitimate domain name demonstrate a problem,” he claimed.
“A certificate authority that automatically issues certificates specific to these subdomains may inadvertently help cyber-criminals, all with the domain owner being unaware of the problem and unable to prevent it. These DV certificates can help the hacker gain legitimacy with the public.”
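The point above, that the owner of the parent domain is unaware of certificates issued for shadowed subdomains, is one a domain owner can act on: Let’s Encrypt, like other public CAs, logs issuance to Certificate Transparency (CT), so an owner can watch those logs for names under their domain that are not in their own inventory. The following is an added example, not code from the article or from Trend Micro or ISRG; it shows the comparison logic a CT monitor would run, over constructed sample records rather than a live log feed, with `example.com` and the host inventory as assumed values.

```python
"""
Added example (not from the article): flag certificate names under a domain
you own that are absent from your own host inventory, the check a domain
owner would run over Certificate Transparency log entries to notice
"domain shadowing". All records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class CertRecord:
    """One certificate as a CT monitor would present it (assumed shape)."""
    issuer: str
    not_before: datetime
    names: List[str]          # subject CN plus subjectAltName DNS entries


# Hypothetical inventory: domains this organization controls and the
# hostnames it actually deploys certificates for.
OWNED_DOMAINS = {"example.com"}
KNOWN_HOSTS = {"example.com", "www.example.com", "mail.example.com"}


def normalize(name: str) -> str:
    """Lower-case, strip whitespace and any trailing root dot."""
    return name.strip().lower().rstrip(".")


def owned_parent(name: str) -> Optional[str]:
    """Return the owned domain that `name` sits under, or None if it is
    somebody else's domain. A wildcard label is stripped first so that
    '*.example.com' is recognised as ours."""
    host = normalize(name)
    if host.startswith("*."):
        host = host[2:]
    for owned in OWNED_DOMAINS:
        if host == owned or host.endswith("." + owned):
            return owned
    return None


def unexpected_names(rec: CertRecord) -> List[str]:
    """Names in the certificate that are under an owned domain but not in
    the inventory. Wildcards are always reported: a '*.example.com' cert
    would cover any shadow subdomain, so it needs human review."""
    findings = set()
    for raw in rec.names:
        name = normalize(raw)
        if owned_parent(name) is None:
            continue                      # not our domain, nothing to check
        if name.startswith("*.") or name not in KNOWN_HOSTS:
            findings.add(name)
    return sorted(findings)


def find_shadow_candidates(records: List[CertRecord]) -> List[Tuple[str, str, str]]:
    """Walk a batch of log entries and return (name, issuer, not_before)
    for every unexpected name, in log order, for an analyst to review."""
    hits = []
    for rec in records:
        for name in unexpected_names(rec):
            hits.append((name, rec.issuer, rec.not_before.isoformat()))
    return hits


# Constructed sample log entries. "ad-7f3.example.com" is an invented
# hostname standing in for a shadow subdomain; no real certificate is cited.
SAMPLE_RECORDS = [
    CertRecord("Let's Encrypt Authority X3", datetime(2016, 1, 4, 9, 0),
               ["www.example.com", "example.com"]),
    CertRecord("Let's Encrypt Authority X3", datetime(2016, 1, 5, 2, 30),
               ["ad-7f3.example.com"]),
    CertRecord("Let's Encrypt Authority X3", datetime(2016, 1, 5, 3, 0),
               ["shop.other-site.org"]),
    CertRecord("Example Commercial CA", datetime(2016, 1, 6, 11, 15),
               ["*.example.com"]),
]

if __name__ == "__main__":
    for name, issuer, when in find_shadow_candidates(SAMPLE_RECORDS):
        print(f"REVIEW {name}  issued by {issuer}  not_before={when}")
```

In practice the `SAMPLE_RECORDS` list would be replaced by entries pulled from a CT log monitor, and the inventory by whatever system of record the organization keeps for its DNS and TLS deployments; the comparison itself is the same. This does not stop a certificate from being issued, it only makes the issuance visible to the owner, which is the gap the quote above describes.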
He argued that all stakeholders, CAs, browsers, and AV companies alike, have a responsibility in “weeding out bad actors.”
But Let’s Encrypt’s stance, as articulated in a blog post back in October, is that “CAs make poor content watchdogs” and that the online checks and balances run by the major browser vendors are a more effective alternative.
“CAs are not well positioned to operate anti-phishing and anti-malware operations—or to police content more generally. They simply do not have sufficient ongoing visibility into sites’ content. The best CAs can do is check with organizations that have much greater content awareness, such as Microsoft and Google,” wrote ISRG executive director, Josh Aas.
“Google and Microsoft consume vast quantities of data about the Web from massive crawling and reporting infrastructures. This data allows them to use complex machine learning algorithms (developed and operated by dozens of staff) to identify malicious sites and content.”