TLS Threats Uncovered: How Small Errors Revealed Code-Signing Abuse by Winnti Umbrella Group

On May 3, security vendor ProtectWise released a 49 page report that outlined a series of operational security mistakes made by threat actors believed to be affiliated with Chinese intelligence. Several groups appeared to coordinate malicious efforts, leading ProtectWise to dub the collective the Winnti Umbrella. The implicated aliases that appeared to be technically linked include Winnti, PassCV, APT17, Axiom, LEAD, BARIUM, Wicked Panda, and GREF.

Research by ProtectWise indicates that Winnti Umbrella groups specialized in obtaining code-signing certificates they could use to digitally sign malware, so it would appear to be legitimate. Users implicitly trust software signed by a valid certificate, so they can be easily fooled when legitimate certificates are used by bad actors.

Tom Hegel, a senior threat researcher with ProtectWise notes, “Based on our findings, attacks against smaller organizations operate with the objective of finding and exfiltrating code-signing certificates to sign malware for use in attacks against higher-value targets.”

According to Data Breach Today, “Signing software with a valid key tells users of the software that it hasn’t been modified or tampered with. It’s catastrophic if that chain of trust is broken, because security software is unlikely to flag a tampered program that has been signed with a valid one [certificate].”

But code signing was not the only egregious misuse of encryption by the group. It appears that Winnti Umbrella also used encryption to hide in encrypted tunnels. Ars Technica confirms that the groups affiliated with Winnti Umbrella appear to have used compromised domains to deliver malware and command control over infected machines. “The attackers usually rely on TLS encryption to conceal malware delivery and command-and-control traffic. In recent years, the groups rely on Let’s Encrypt to sign TLS certificates.”

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi notes that the Venafi Platform secures the request and issuance process for code signing from abuse and attack. But the bigger risks come after certificate issuance and during code signing use. Bocek warns that “The factors that organizations should pay particular attention to include which code is signed and how the code signing key and certificate are being used, especially in high throughput.”

To confirm the validity of your code signing certificates, Bocek recommends that, “Organizations should securely generate code signing keys and securely request code signing certificates, so that issuance is completed according to an approved workflow. It also helps to log all code signing certificate requests, and deliver code signing certificates only to authorized users. This reduces the risk of an attacker manipulating the request process, so they receive a valid code signing certificate.” The Venafi Platform helps organizations streamline all of these efforts to control code signing certificates.

Sadly, many organizations are not following that advice. ProtectWise notes examples of organizations that were storing certificates on a local machine or a network share where the keys were relatively easy to find. They state that attackers were “clearly going after the easier targets that are likely to not be following the best practices around managing code-signing certificates.”

Are code signing certificates being misused in your organization?

Related blogs

• Code Signing Certificates: A Dark Web Best Seller
• Crypto Mining, Code Signing Compromise: Are Your Certificates Safe?
• The CCleaner Compromise: Was a Code Signing Certificate the Culprit?

Scott Carter

All too often TLS/SSL attacks remain a hidden threat. After all, they do hide in TLS encrypted traffic to avoid detection. Any infiltration that successfully leverage encryption is extremely difficult to detect and diagnose. But every once in a while, bad actors make critical mistakes that allow threat researchers to gain insight into the full extent of the attacks. Winnti Umbrella is the most recent example of these kinds of mistakes; collectively they reveal a great deal about the anatomy of a TLS code-signing attack.