BlackTech Threat Group Steals D-Link Certificates To Spread Backdoor Malware (bleepingcomputer.com)
Security researchers have discovered a new malicious campaign that utilizes stolen D-Link certificates to sign malware. From a report: A lesser-known cyber-espionage group known as BlackTech was caught earlier this month using a stolen D-Link certificate to sign malware deployed in a recent campaign. "The exact same certificate had been used to sign [official] D-Link software; therefore, the certificate was likely stolen," says Anton Cherepanov, a security researcher for Slovak antivirus company ESET, and the one who discovered the stolen cert. Cherepanov says BlackTech operators used the stolen cert to sign two malware payloads -- the first is the PLEAD backdoor, while the second is a nondescript password stealer. According to a 2017 Trend Micro report, the BlackTech group has used the PLEAD malware in the past. Just like in previous attacks, the group's targets for these most recent attacks were again located in East Asia, particularly in Taiwan. The password stealer isn't anything special, being capable of extracting passwords from only four apps -- Internet Explorer, Google Chrome, Mozilla Firefox, and Microsoft Outlook.
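The summary describes the core problem for defenders: binaries signed with a stolen but otherwise legitimate code-signing certificate look, to a naive check, exactly like the vendor's own software. The following is an added PowerShell example, not code from the article, ESET or D-Link. It assumes the analyst already has the published thumbprints of the certificates known to be stolen (the value below is a placeholder, not a real thumbprint) and relies only on the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets to hunt a directory tree for binaries signed by a blocklisted signer or carrying a signature that no longer validates.

```powershell
# Added example: hunt for PE files signed with a blocklisted (e.g. stolen) certificate.
# The thumbprint below is a constructed placeholder; replace it with the SHA-1
# thumbprint(s) published for the stolen certificate(s) you are hunting for.
$KnownStolenThumbprints = @(
    'REPLACE-WITH-PUBLISHED-THUMBPRINT'   # placeholder, not a real certificate thumbprint
)

function Get-SuspiciousSignedBinaries {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $BlockedThumbprints = $KnownStolenThumbprints
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($null -eq $sig.SignerCertificate) { return }   # unsigned: nothing to compare against

            $thumb   = $sig.SignerCertificate.Thumbprint
            $blocked = $BlockedThumbprints -contains $thumb

            # Status alone is not enough: a host that has not yet fetched the revocation, or a
            # timestamped signature made before the revocation's effective date, can still
            # report 'Valid'. The thumbprint match is what catches the stolen certificate.
            if ($blocked -or $sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path        = $_.FullName
                    Status      = $sig.Status
                    Signer      = $sig.SignerCertificate.Subject
                    Thumbprint  = $thumb
                    OnBlocklist = $blocked
                    TimeStamper = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { $null }
                    SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Usage (hypothetical path):
# Get-SuspiciousSignedBinaries -Path 'C:\Users\Public\Downloads' | Format-Table -AutoSize
```

Emitting objects rather than text lets the results be piped into Export-Csv or a SIEM forwarder; the SHA256 column is there so any hit can be correlated with published indicators once a vendor names the affected samples.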
Re: (Score:2)
But it really isn't special in the technical sense. Every password stealer targets those applications.
A boring, common threat isn't special. It may be a serious threat to users of infected systems, but it isn't novel.
We've known for years that storing credentials in those applications is a bad idea, so both the threat vector and the implementation aren't really new. So yes, I agree that it "isn't anything special".
"passwords from only four apps" (Score:2)
Yeah, a significant 4 apps - 3 web browsers and MS Outlook.
"Only"
Who doesn't use a HSM these days? (Score:2)
Why do places that use certificates, and know the damage they can do if stolen, not use HSMs? $60 gets you a NitroKey. $600 gets you a YubiKey HSM, so they are not expensive. A YubiKey HSM can even be configured to require a manual tap on the unit to confirm there is an actual live body there actually wanting to do a signing transaction.
Re: (Score:3)
Most cybersecurity professionals are half-witted hacks, so changing a "secure" process is often a difficult fight.
If the company already has a "secure" process for generating, storing, and using its signing keys then I would expect that process to endure for quite some time.
I'd agree that HSMs should be part of the process, but key ceremonies often involve several layers of management and oversight. As a result, changes need universal buy-in throughout the organization. Upper management won't understand the
Re: (Score:2)
The last HSM I purchased cost $16,000 dollars (for a single PCI card with card reader).
In what org does the person with the knowledge of the software signing process have the autonomy to sign off $16,000?
Of course, to do it right you need three. So $48,000.
HSMs need not be expensive, but they are, partly because of the FIPS certification process and partly because people can get away with it.
Re: (Score:2)
Yep. I found the APIs and driver support to be convoluted and messy.