A private key stolen from VPN provider Ivacy for software signing has been used by attackers to sign malware, as reported by security company SentinelOne. The certificate has since been revoked by the certificate authority DigiCert. In late May, researchers on platform X reported that malware had been signed using an Ivacy certificate.
Software developers can sign their software to make it trusted by the operating system or security software. In the case of unsigned software, the operating system might display a warning or require additional steps for installation.
A code signing certificate is a digital certificate that is used to sign software or executable files in order to establish the authenticity and integrity of the code. In the context of Windows operating systems, code signing certificates play a crucial role in ensuring the security of software distribution and installation. Therefore it is a big bounty for those who want to stole it. With it, the attacker gains exactly what he needs the most. Namely:
Authentication and Trust: When a software developer signs their code using a code signing certificate, they are essentially attaching a digital signature to the software. This signature is generated using a private key that is associated with the code signing certificate. This private key is held securely by the developer. When users download or install software, the digital signature is checked against the public key associated with the certificate, which is stored in the operating system’s trusted certificate store.
User Confidence: When a user attempts to run or install software that is signed with a valid code signing certificate, the operating system displays information about the certificate. This information includes details about the certificate issuer, the organization that created the software, and whether the certificate is trusted. This helps users make informed decisions about the safety and legitimacy of the software.
Integrity Check: Code signing doesn’t alter the software itself; instead, it creates a unique digital signature that represents the software’s current state. If the software is altered in any way after it is signed, the digital signature will no longer match, and the operating system will detect the tampering. This prevents attackers from injecting malicious code into the software without detection.
Developer Identity: Code signing certificates also help users identify the developer or publisher of the software. This is particularly important in cases where users need to ensure that the software comes from a reputable source.
Code signing certificates provide a layer of security and trust for software distribution on Windows platforms. They help users verify the authenticity of the software they are installing and protect against tampering or unauthorized modifications. This is especially important in the age of increasing cyber threats and malware distribution.
A code signing certificate consists of a private and public key. According to researcher Aleksandar Milenkoski, it’s likely that Ivacy’s private key, necessary for signing their own software, was stolen at some point. Attackers stealing signing keys is not uncommon. In Ivacy’s case, the key fell into the hands of a group of attackers known as ‘Bronze Starlight.’ This group primarily focuses on espionage, using ransomware attacks as diversion tactics, Milenkoski stated.
According to the researcher, malware signed with the Ivacy certificate was deployed against gambling companies in Southeast Asia. How the key and certificate were stolen from Ivacy remains unknown.
“VPN providers are a prime target, as they can grant attackers access to sensitive user data and communications,” said Milenkoski.