HP finds hackers using fake firms to obtain trusted code-signing certificates
HP Wolf Security has published research suggesting that threat actors are setting up fake companies in order to obtain legitimately issued code-signing certificates for the installers served from their fraudulent PDF-reader websites. According to HP, the finding comes from a significant ChromeLoader campaign whose installers carry valid code-signing certificates, which lets them bypass Windows security controls and user warnings and so raises the likelihood of a successful infection.
The research highlights that the attackers sign their installation files with legitimate code-signing certificates. As a result, the installers are neither blocked by AppLocker policies that allow signed code nor flagged to the user with a Windows warning. The certificates were therefore either stolen from genuine companies or issued to shell companies that the threat actors registered solely to obtain valid code-signing certificates.
The campaigns use malvertising to lure victims to well-crafted websites that purport to offer legitimate tools such as PDF readers and converters. Once the signed installer runs, the attackers take control of the victim's browser and redirect searches to sites under their control. The research notes that, depending on the certificate issuer, revoking an abused certificate can take a long time, sometimes several months, so the signed malware remains effective for an extended period.
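The following PowerShell script is an added example of the checks a defender would apply to a downloaded installer in light of this finding; it is not code from HP's research or from the ChromeLoader samples, and the installer path and the publisher allow-list are hypothetical placeholders. It covers the points raised above in code: inspecting who the signer is rather than just whether the signature is valid, flagging a certificate issued only days ago (the shell-company pattern), forcing an online revocation check so a late revocation is at least caught once it happens, and generating an AppLocker publisher rule pinned to one named publisher instead of trusting any signed file.

```powershell
# Added example, not part of HP Wolf Security's research or the ChromeLoader samples.
# Assumptions (hypothetical): the installer path below and the allow-list of publisher
# subjects; replace both with your own values. Run in an elevated PowerShell on Windows.

$Installer = 'C:\Users\Public\Downloads\pdf-reader-setup.exe'     # hypothetical path
$TrustedPublishers = @(                                             # hypothetical allow-list
    'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
)
$MaxCertAgeDays = 30   # a certificate issued days before first use is a red flag

# --- 1. Signature status and signer identity -------------------------------------------
$sig = Get-AuthenticodeSignature -FilePath $Installer
"Signature status : $($sig.Status)"          # Valid, NotSigned, HashMismatch, NotTrusted, ...

if ($sig.Status -ne 'Valid') {
    Write-Warning "Installer is not validly signed; stop here."
    return
}

$cert = $sig.SignerCertificate
"Signer subject   : $($cert.Subject)"
"Issuer           : $($cert.Issuer)"
"Thumbprint       : $($cert.Thumbprint)"
"Valid from       : $($cert.NotBefore.ToString('u'))"
if ($sig.TimeStamperCertificate) {
    "Timestamped by   : $($sig.TimeStamperCertificate.Subject)"
}

# 'Valid' only means the chain ends at a trusted root. Whether *this* publisher is one
# you trust is a separate decision, so compare against an explicit allow-list.
if ($TrustedPublishers -notcontains $cert.Subject) {
    Write-Warning "Signer '$($cert.Subject)' is not an allow-listed publisher."
}

# --- 2. Certificate age: shell companies sign malware soon after issuance --------------
$ageDays = [int]((Get-Date) - $cert.NotBefore).TotalDays
if ($ageDays -lt $MaxCertAgeDays) {
    Write-Warning "Signing certificate was issued only $ageDays day(s) ago."
}

# --- 3. Online revocation check over the whole chain ------------------------------------
# Revocation can lag months behind abuse, but once the CA acts this is what catches it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainBuilt = $chain.Build($cert)
"Chain builds     : $chainBuilt"
foreach ($s in $chain.ChainStatus) {
    Write-Warning "Chain status: $($s.Status) - $($s.StatusInformation.Trim())"
}

# --- 4. AppLocker: pin the rule to the publisher, never to PublisherName="*" ------------
# New-AppLockerPolicy derives FilePublisherCondition/@PublisherName from the signer's
# certificate subject. A condition with PublisherName="*" allows anything that carries
# any valid signature, which is exactly the gap a fraudulently obtained certificate
# walks through.
$fileInfo  = Get-AppLockerFileInformation -Path $Installer
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher -User Everyone -Xml
$policyXml
# After review, apply it alongside the existing policy:
#   $policyXml | Set-Content -Path .\pdf-reader-publisher.xml
#   Set-AppLockerPolicy -XmlPolicy .\pdf-reader-publisher.xml -Merge
```

The age threshold and the allow-list are policy choices, not facts from the report; the point of step 4 is that an AppLocker publisher rule is only as narrow as the PublisherName it carries, so rules generated from a known-good binary and reviewed before merging are the mitigation for this campaign, whereas a blanket "allow all signed code" rule is the weakness it exploits.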
Kevin Bocek, Chief Innovation Officer at Venafi, commented on the implications of such findings. "Code signing certificates are incredibly powerful machine identities, and their misuse by attackers is a growing concern. These certificates tell machines that software is friend not foe, allowing it to be installed and run without raising alarms," Bocek stated.
"Normally, if malicious software is detected, the machine would block the installation – but with a valid certificate, even malicious code is treated as safe. This highlights just how powerful and dangerous these machine identities are in the wrong hands. Malicious code powered by code signing eliminates the ability to stop unauthorised code."
Bocek drew parallels with other high-profile cases of code-signing abuse. "If stolen—or fraudulently obtained—attackers can use them to distribute malware under a trusted name, making attacks like the ChromeLoader campaign identified by HP especially hard to stop. We've seen this with high-profile cases like Nvidia's Windows code signing certificates and the SolarWinds breach, where code-signed malware was installed on millions of machines causing havoc globally."
He further underscored the broader implications for cybersecurity, especially in the context of advanced technological developments. "The rise of hackers targeting machine identities because they authenticate and authorise code, containers, and applications to connect and run is important for all security teams. As cloud-native technologies grow and more developers write code, especially with AI-powered coding assistants, the need to secure machine identities like code-signing certificates is only more urgent. Experts are calling for a control plane for machine identity that brings together protection across a business from code signing to TLS certificates. Neglecting this advice leaves companies dangerously exposed."