In a recent disclosure, the Digicert certification authority revealed details of a security incident that allowed attackers to obtain code-signing certificates capable of producing digital signatures for drivers and applications on the Windows platform. The attackers got their code executed on the computers of two Digicert employees by abusing the support chat system: posing as customers seeking help with a problem in a ZIP-archive application, they sent an archive whose contents included an executable in .scr (screensaver) format that carried the malicious code.
The first attack occurred on April 2; four attempts to deliver the malicious code were blocked by internal security systems, but a fifth succeeded. The issue was detected and resolved on April 3. After third-party security researchers complained about malicious applications signed with Digicert-issued certificates, a re-evaluation was conducted on April 14. This analysis uncovered that an analyst workstation had been compromised on April 4; that system had not been equipped with the CrowdStrike software Digicert uses for attack detection and prevention.
Once inside the internal network, the attacker gained access to a helpdesk portal where client orders could be viewed. Using this access, the attacker obtained the initialization codes for “EV Code Signing” certificates whose orders had been confirmed but which had not yet been issued to the clients. With these codes, the attacker obtained the certificates in the clients' names.
Following the incident analysis, 60 certificates were revoked: 27 were directly linked to the attacker, and 33 were revoked as a precaution because it could not be confirmed that the clients had received them. Some of the compromised certificates were used by the attackers to digitally sign malware from the Zhong Stealer family.