New report from Venafi shows Chinese threat actors targeting code signing certificates for use in software supply chain attacks
Venafi®, the inventor and leading provider of machine identity management, today published a new report analyzing attack patterns of the state-backed Chinese hacking group, APT41 (also known as the Winnti Group). The research, APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks, shows that:
- APT41 is unique among China-based threat groups as they leverage specially crafted, non-public malware typically reserved for espionage activities for financial gain, likely outside the scope of state-sponsored missions.
- Critical to the success of this attack method, APT41 has made code signing keys and certificates — which serve as machine identities that authenticate code — a primary target.
- Compromised code signing certificates are used as a shared resource for large teams of attackers because they act as an attack force multiplier and dramatically increase the odds of success.
- This strategic, long-term focus is a primary factor in APT41’s ability to successfully compromise a wide range of high value targets across multiple industries including healthcare, foreign governments, pharmaceuticals, airlines, telecommunications, and software providers.
Venafi warns that APT41’s success means their unique use of compromised code signing machine identities and supply chain attacks will become the preferred method of other threat groups—and businesses need to be prepared for more nation-state attack groups that use compromised code signing machine identities.
“APT41 has repeatedly used code signing machine identities to orchestrate a string of high-profile attacks that support China’s long-term economic and political goals and military objectives,” commented Yana Blachman, threat intelligence specialist at Venafi. “Code signing machine identities allow malicious code to appear authentic and evade security controls. The success of attacks using this model over the last decade has created a blueprint for sophisticated attacks that have been highly successful because they are very difficult to detect. Since targeting the Windows software utility CCleaner in 2018 and the ASUS LiveUpdate in 2019, APT41’s methods continue to improve. Every software provider should be aware of this threat and take steps to protect their software development environments.”
One of APT41’s preferred methods of entry is to compromise the supply chain of a commercial software vendor. This lets them efficiently target a pool of companies that use the commercial software to gain access to carefully chosen victims. APT41 then uses secondary malware to infect only those targets that are of interest for cyberespionage purposes. Once compromised, APT41 spreads laterally across victim networks using stolen credentials and a variety of reconnaissance tools. APT41 uses unique pieces of malware to steal valuable intellectual property and customer-related data only from these very specific targets.
Code signing machine identities are so crucial to APT41’s attack methods that the group is actively managing a library of code signing certificates and keys stolen or purchased from underground dark web marketplaces and other Chinese attack groups to bolster their supplies. Previous Venafi research has shown that code signing certificates are readily available for purchase on the dark web, selling for up to $1,200 each.
“Today, attackers are disciplined, highly skilled software developers, using the same tools and techniques as the good guys,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “They recognize that vulnerabilities in the software build environment are easy to exploit, and they’ve spent years developing, testing and refining the tools needed to steal code signing machine identities. This research should set off alarms with every executive and board because every business today is a software developer. We need to get a lot more serious about protecting code signing machine identities.”
Venafi is the cybersecurity market leader in machine identity management, securing machine-to-machine connections and communications. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, SSH, code signing, mobile and IoT. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise—on premises, mobile, virtual, cloud and IoT—at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with machines that are not trusted.
With more than 30 patents, Venafi delivers innovative solutions for the world’s most demanding, security-conscious Global 5000 organizations and government agencies, including the top five U.S. health insurers; the top five U.S. airlines; the top four credit card issuers; three out of the top four accounting and consulting firms; four of the top five U.S. retailers; and the top four banks in each of the following countries: the U.S., the U.K., Australia and South Africa.
For more information, visit: www.venafi.com.