DigiCert Support Breach Leads to Unauthorized Code Signing Certificates: A Lapse in EDR Coverage
DigiCert, a leading provider of digital certificates, has reported a security incident involving the unauthorized issuance of 60 code signing certificates. The breach was discovered after customers flagged suspicious certificates issued in the names of various organizations without their consent.
The Attack Vector: A Social Engineering Gambit
The investigation revealed that the attackers targeted DigiCert’s support staff. Using a classic social engineering tactic, the threat actors contacted support agents claiming to need help with a technical issue. They attempted to send a "screenshot" for review, which was actually a malicious .scr (Windows Screen Saver) file.
While initial attempts were thwarted by security software on the first agent's machine, the attackers persisted. They eventually found a second support agent whose workstation lacked CrowdStrike EDR (Endpoint Detection and Response) protection. Without the active defense, the malware executed successfully, giving the attackers a foothold in the support environment.
Exploiting the System and Multi-Factor Flaws
Although the support system cannot generate new certificates from scratch, it does have the authority to release pending ones. The attackers exploited this function to approve and issue 60 unauthorized certificates.
DigiCert identified three critical failures that led to the breach:
Lack of File Restrictions: The system allowed the transmission of dangerous .scr file types.
Inconsistent EDR Deployment: Not all workstations were equipped with necessary security software.
Flawed Authentication: The use of device-bound authentication meant that once the malware compromised the device, the attackers could bypass multi-factor authentication (MFA) seamlessly, as the "trusted device" was already compromised.
Technically, .scr files have the same structure as .exe files, but this is often overlooked because users mistakenly associate them with "screen savers." Attackers therefore prefer to use these file types to evade user visibility and outdated security settings. This incident underscores the importance of organizations having a "Block-by-Default" policy for all executable files in chat support channels.
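As an added example (not code from the article or from DigiCert), the following Python attachment gate implements a block-by-default policy for a support chat: it recognises a Windows PE image by its MZ/PE headers rather than by extension, so a renamed .scr is still refused, and only attachments carrying a known image signature are admitted. The attachment bytes are constructed stand-ins, not real files.

```python
import struct

# Only these signatures count as a "screenshot"; anything else is refused.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Belt and braces: well-known Windows executable extensions are refused by name too.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".dll", ".com", ".pif", ".cpl"}


def is_pe_executable(data: bytes) -> bool:
    """True if the bytes carry a Windows PE header (.exe, .dll and .scr all share it)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew in the DOS header
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'allow' for a genuine image, 'block' for everything else."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return "block"
    if is_pe_executable(data):
        return "block"  # a PE renamed to .png is still a PE
    for sig in IMAGE_SIGNATURES.values():
        if data.startswith(sig):
            return "allow"
    return "block"  # block-by-default: unknown or unrecognised content is refused


def build_fake_pe() -> bytes:
    """Constructed stand-in for an .scr: a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)  # 0x40 bytes of DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)  # PE signature lives right after it
    return bytes(header) + b"PE\0\0" + b"\0" * 16


FAKE_PNG = IMAGE_SIGNATURES["png"] + b"\0" * 16  # constructed minimal PNG prefix

if __name__ == "__main__":
    for name, blob in [("screenshot.png", build_fake_pe()), ("screenshot.png", FAKE_PNG)]:
        print(name, classify_attachment(name, blob))
```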
This incident is also a crucial case study regarding MFA. While device-bound logins help prevent remote password phishing, if the machine is infected with infostealer malware or controlled via a Remote Access Trojan (RAT), the malware can immediately impersonate an "authorized" user. Modern organizations are therefore shifting to phishing-resistant MFAs like FIDO2/WebAuthn instead.
The fact that one support machine had CrowdStrike while another did not points to a visibility gap in IT asset management. In a large organization, even a single machine that slips through the security baseline becomes a threat: it is the "worst weakness" that attackers will exploit to gain entry into the company's critical systems.
Source: Bugzilla