Report: Chinese Actors Steal Code-Signing CertificatesProtectWise Says Group's Mistakes Proved Helpful During Investigation
Obtaining a code-signing certificate from a software company is extremely valuable for hackers. The certificate can then be used to then digitally sign malware that appears legitimate to the computer on which it's installed.
Security vendor ProtectWise says a series of operational security mistakes has allowed it to gain insight into a group believed to be affiliated with Chinese intelligence that specializes in stealing such certificates.
ProtectWise says its research further shows that several disparate Chinese hacking groups observed by other security companies for at least nine years are actually connected and share resources.
"We've been able to map their infrastructure on those mistakes that they've made," says Tom Hegel, a senior threat researcher with ProtectWise, who authored the report.
ProtectWise dubbed the group Winnti Umbrella to reflect other groups that it believes are technically linked. Those aliases include Winnti, PassCV, APT17, Axiom, LEAD, BARIUM, Wicked Panda, and GREF.
The company privately circulated its report for about four months to victims and other security companies before releasing it publicly on Thursday. It is expected the group will subsequently take steps to mask its infrastructure and attack methodologies, Hegel says.
An Advance Team
The group appears to initially target gaming studios and high-tech businesses with the intent of extracting the code-signing certificates.
But that's just the beginning. The broader goal of Winnti and its associated groups appears politically motivated, targeting Uyghur and Tibetan activists, Thailand's government and technology companies. Winnti appears to be an initial advance front, working to scout out footholds that could be used by other actors within the broader group.
"Kinda cool," writes the security analyst known as The Gruqq in a tweet. "An APT group operating in a support and logistics role. They're basically a cyber engineers unit. Enabling the teams operating in front line roles to accomplish their mission. I wonder do other countries have such division of labor?"
Kinda cool. An APT group operating in a support and logistics role. They're basically a cyber engineers unit. Enabling the teams operating in front line roles to accomplish their mission.— the grugq (@thegrugq) May 6, 2018
I wonder, do other countries have such division of labor? https://t.co/IaHdqedIxg
Hegel says the research is based on attacks that ProtectWise investigated that occurred this year and last year when the group became very active.
Last year, victims were hit with emails that inquired about open positions with the companies, according to ProtectWise's report. The attachments contained resumes that, if opened, tried to download malware to the host. The attackers also used the Browser Exploitation Framework in an attempt to download Cobalt Strike, a penetration testing tool.
"We've been able to map their infrastructure on those mistakes that they've made."
—Tom Hegel, ProtectWise
This year, the group has focused on phishing attacks that seek to extract credentials for Office 365 and Gmail. Once inside an account, Winnti looks for storage drives where code-signing certificates may be stored.
"In other cases, the attackers attempt to use other files and documentation in the cloud storage to help them traverse or gain privileges on the network," the report says. "The targets in 2018 include IT staff, and commonly sought out files include internal network documentation and tooling such as corporate remote access software."
Winnti has used URL shortening services, which helped ProtectWise gain insight into the campaigns using public analytics.
Hegel says the group has also made other mistakes. In one example, the group either failed or forgot to connect to its own command-and-control infrastructure, revealing connections it made that originated from the Xicheng District of Beijing. The group also made mistakes when registering new domain names, he says.
"They tend to reuse the same infrastructure again," Hegel says.
Even if an attacker succeeds in getting inside a network, in theory, it should be difficult to access a software signing key. That kind of data is among a company's most sensitive information.
Signing software with a valid key tells users of the software that it hasn't been modified or tampered with. It's catastrophic if that chain of trust is broken, because security software is unlikely to flag a tampered program that has been signed with a valid one.
Hegel says the group tends to focus on smaller organizations and use the stolen code-signing certificates against higher-value targets. It has been easy pickings: ProtectWise has seen examples of organizations keeping certificates on a local machine or a network share where the keys are easy to find.
"My sense is they are clearly going after the easier targets that are likely to not be following the best practices around managing code-signing certificates," Hegel says.
In 2011, the security vendor F-Secure spotted one of the first uses of a stolen coding-signing certificate. It was stolen from Malaysia's Agricultural Research and Development Institute, which later found out had one of its server compromised.
The stolen certificate was used to sign a backdoor that was wrapped inside a PDF file. The PDF file contained attack code designed to exploit a vulnerability in Adobe Reader 8.
Stolen code-signing certificates appeared to become more widely available among cybercriminals by 2015, according to Recorded Future. But in a twist, it appears the certificates weren't stolen but rather bought directly from issuing authorities, writes Andrei Barysevich, the company's director of advanced collection, in February.
Cybercriminals were providing the details of real corporations in attempts to purchase signing certificates in those companies' names, he writes. Illegitimate certificates have been issued to bad actors by Comodo, Symantec and Thawte.
The certificates "have proved to be extremely effective in malware obfuscation," Barysevich writes. "We believe that legitimate business owners are unaware that their data was used in the illicit activities."