Just about the entire internet uses certificate authorities to establish trust. Here, a simple old-school social engineering trick (a malicious attachment sent through DigiCert's support chat) broke that trust and let attackers obtain DigiCert-issued code signing certificates, which they then used to sign their malware.

There is a better way to establish certificate trust that doesn't rely on a third party, and it's free too. It's called DANE (RFC 6698). Instead of asking "did some CA vouch for this certificate?", the domain owner publishes a TLSA record under their own DNSSEC-signed zone that pins the expected certificate or public key, and the verifier checks the DNSSEC chain instead of a CA signature. DANE is standardized for TLS endpoints (with S/MIME and OpenPGP variants), and the same binding would suit code signing certificates, but it is overlooked.

This attack is virtually impossible under DANE. A vulnerable support person at a CA is of no use, because no CA is in the trust path at all. To forge the binding, attackers would have to compromise a party in the delegation chain for the target's own domain: the target's DNS infrastructure and zone signing keys, the registrar account that controls the DS record, or the top-level domain registry. Each of those is a hardened, domain-specific target, compared with finding one support agent at any of the hundreds of trusted CAs who will open an attachment.

https://hackread.com/hackers-digicert-issue-certificates-sign-malware/

#DANE #CertificateAuthorities #DigiCert

Hackers Trick DigiCert Into Issuing Certificates Used to Sign Malware

DigiCert revokes 60 code signing certificates after hackers used a malicious support chat attachment to sign the Zhong Stealer malware.

Hackread - Cybersecurity News, Data Breaches, AI and More