Submitted via IRC for Fnord666
Criminals recently stole code-signing certificates from router and camera maker D-Link and another Taiwanese company and used them to pass off malware that steals passwords and backdoors PCs, a researcher said Monday.
The certificates were used to cryptographically verify that legitimate software was issued by D-Link and Changing Information Technology. Microsoft Windows, Apple's macOS, and most other operating systems rely on the cryptographic signatures produced by such certificates to help users ensure that executable files attached to emails or downloaded on websites were developed by trusted companies rather than malicious actors masquerading as those trusted companies.
Bleeping Computer adds:
"The exact same certificate had been used to sign [official] D-Link software; therefore, the certificate was likely stolen," says Anton Cherepanov, a security researcher for Slovak antivirus company ESET, and the one who discovered the stolen cert.
Cherepanov says BlackTech operators used the stolen cert to sign two malware payloads: the first is the PLEAD backdoor, while the second is a nondescript password stealer.
According to a 2017 Trend Micro report, the BlackTech group has used the PLEAD malware in the past. Just like in previous attacks, the group's targets for these most recent attacks were again located in East Asia, particularly in Taiwan.
The password stealer isn't anything special, being capable of extracting passwords from only four apps: Internet Explorer, Google Chrome, Mozilla Firefox, and Microsoft Outlook.
Following Cherepanov's report about BlackTech using one of its certificates, D-Link revoked it last Tuesday, July 3. Before the revocation, the certificate was being used to secure the web panel of mydlink IP cameras.
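The mechanism the article relies on, a cryptographic signature check followed by an issuer revocation check, as an added Go example that is not code from the original post, ESET or D-Link: a constructed vendor CA issues a code-signing certificate, a payload is signed with that certificate's key, and the verdict is taken before and after the CA publishes a CRL listing the certificate's serial. Certificate names, serial numbers and the payload are made up; everything is built with the standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Artifact models a signed binary: payload, signer certificate, ECDSA signature over SHA-256(payload).
type Artifact struct{ Payload []byte; Cert *x509.Certificate; Sig []byte }

// Verdict authenticates the CRL, verifies the signature, then looks the signer's serial up in the CRL.
// A binary signed with a stolen key passes the signature check; only the revocation check catches it.
func Verdict(a Artifact, issuer *x509.Certificate, crl *x509.RevocationList) string {
	if crl.CheckSignatureFrom(issuer) != nil { // a CRL the issuer did not sign proves nothing
		return "untrusted-crl"
	}
	if d := sha256.Sum256(a.Payload); !ecdsa.VerifyASN1(a.Cert.PublicKey.(*ecdsa.PublicKey), d[:], a.Sig) {
		return "bad-signature"
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(a.Cert.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "trusted"
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// Scenario (all values constructed): same artifact, same signature, verdict before and after the CA's CRL lists the serial.
func Scenario() (string, string) {
	caKey, leafKey, now := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Vendor CA"}, NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, SubjectKeyId: []byte{1}}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Example Vendor Code Signing"}, NotBefore: now, NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	payload := []byte("constructed sample binary") // stands in for whatever the holder of the key chose to sign
	digest := sha256.Sum256(payload)
	art := Artifact{payload, leaf, must(ecdsa.SignASN1(rand.Reader, leafKey, digest[:]))}
	crl := func(revoked []pkix.RevokedCertificate) *x509.RevocationList { // CA-signed CRL, parsed back as a client would
		tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour), RevokedCertificates: revoked}
		return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
	}
	return Verdict(art, ca, crl(nil)), Verdict(art, ca, crl([]pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}))
}
```

A production verifier would additionally check the chain and validity dates and compare any signing timestamp against the CRL's revocation time; this example isolates the serial lookup that turns "trusted" into "revoked".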
(Score: 0) by Anonymous Coward on Wednesday July 11 2018, @12:34PM
Information wants to be Free!
Death to America!
(Score: 2) by JoeMerchant on Wednesday July 11 2018, @01:12PM (3 children)
Isn't this the whole point of central authorities, so compromised keys can be revoked?
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://www.pravda.com.ua/eng/news/2023/06/24/7408365/
(Score: 2) by DannyB on Wednesday July 11 2018, @01:26PM (1 child)
As far as a Brand-X router goes, the Brand-X mother ship would seem to qualify as the central authority. The Brand-X servers could revoke certificates.
The real problem here seems to be that Brand-X doesn't realize the significant trust placed in their private keys and certificates and take appropriate measures to protect them. It would be too expensive to implement actual security measures.
Those Brand-X and Brand-Y and Brand-Z private keys and certificates have a huge hacker target on them. Don't they realize that? Or maybe they just don't care. After all if Management is good, then Remote Management (by a hacker) must be even gooder.
If you eat an entire cake without cutting it, you technically only had one piece.
(Score: 2) by JoeMerchant on Wednesday July 11 2018, @03:16PM
D-Link isn't Cisco, but it's hardly small-time either. US$650M in annual sales, that's a lot of routers. https://www.dlink-jp.com/wp-content/uploads/2013/08/D-Link_Annual_-Report_2016.pdf
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://www.pravda.com.ua/eng/news/2023/06/24/7408365/
(Score: 4, Interesting) by fyngyrz on Wednesday July 11 2018, @03:31PM
The point of a certificate "authority" is to shut the barn door well after the horse has bolted, while charging you a recurring fee for something you could just as well have done yourself.
Certificate authorities are a scam. Certificates are fine; encryption, even if not all that reliable, as any security breach shows, is valuable. Presuming _identity_ is known because a cert is present... that is just being gullible.
(Score: 0) by Anonymous Coward on Wednesday July 11 2018, @07:41PM
Stupid windows-using Taiwanese companies. America's disgraceful slaveware legacy.
(Score: 3, Insightful) by bitstream on Wednesday July 11 2018, @08:48PM
Was the certificate stolen from the client firmware etc or from the systems at the manufacturer?
It's a critical point.
Still it's obvious one should not trust manufacturers at all. Just ask Cisco physical delivery re-routing and Belkin http-ad-insertion. Besides that.. suit dweebs in the loop so no confidence.
This also makes the point that the phone-home function that D-Link and others implement in their devices is a really BAD idea. Bad code, bad management, bad setup, bad dependency. Just.. don't.. do.. it. So a tip is to deny by default outgoing traffic to thwart any such crap function.