Venafi®, the inventor and leading provider of machine identity management, today published a new report analyzing attack patterns of the state-backed Chinese hacking group, APT41 (also known as the Winnti Group). The research, APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks, shows that:
- APT41 is unique among China-based threat groups as they leverage specially crafted, non-public malware typically reserved for espionage activities for financial gain, likely outside the scope of state-sponsored missions.
- Critical to the success of this attack method, APT41 has made code signing keys and certificates — which serve as machine identities that authenticate code — a primary target.
Also Read : Can Security Services Keep up With Today’s Dynamic Environments?
- Compromised code signing certificates are used as a shared resource for large teams of attackers because they act as an attack force multiplier and dramatically increase the odds of success.
- This strategic, long-term focus is a primary factor in APT41’s ability to successfully compromise a wide range of high value targets across multiple industries including healthcare, foreign governments, pharmaceuticals, airlines, telecommunications, and software providers.
Venafi warns that APT41’s success means their unique use of compromised code signing machine identities and supply chain attacks will become the preferred method of other threat groups—and businesses need to be prepared for more nation-state attack groups that use compromised code signing machine identities.
“APT41 has repeatedly used code signing machine identities to orchestrate a string of high-profile attacks that support China’s long-term economic and political goals and military objectives,” commented Yana Blachman, threat intelligence specialist at Venafi. “Code signing machine identities allow malicious code to appear authentic and evade security controls. The success of attacks using this model over the last decade has created a blueprint for sophisticated attacks that have been highly successful because they are very difficult to detect. Since targeting the Windows software utility CCleaner in 2018 and the ASUS LiveUpdate in 2019, APT41’s methods continue to improve. Every software provider should be aware of this threat and take steps to protect their software development environments.”
One of APT41’s preferred methods of entry is to compromise the supply chain of a commercial software vendor. This lets them efficiently target a pool of companies that use the commercial software to gain access to carefully chosen victims. APT41 then uses secondary malware to infect only those targets that are of interest for cyberespionage purposes. Once compromised, APT41 spreads laterally across victim networks using stolen credentials and a variety of reconnaissance tools. APT41 uses unique pieces of malware to steal valuable intellectual property and customer-related data only from these very specific targets.
Code signing machine identities are so crucial to APT41’s attack methods that the group is actively managing a library of code signing certificates and keys stolen or purchased from underground dark web marketplaces and other Chinese attack groups to bolster their supplies. Previous Venafi research has shown that code signing certificates are readily available for purchase on the dark web, selling for up to $1,200 each.
“Today, attackers are disciplined, highly skilled software developers, using the same tools and techniques as the good guys,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “They recognize that vulnerabilities in the software build environment are easy to exploit, and they’ve spent years developing, testing and refining the tools needed to steal code signing machine identities. This research should set off alarms with every executive and board because every business today is a software developer. We need to get a lot more serious about protecting code signing machine identities.”
For more such updates follow us on Google News ITsecuritywire News
