The cybersecurity firm Emsisoft has reported that an unknown threat actor is using fake code-signing certificates to impersonate their organization and to target customers using its security products. Code signing certificates are digital signatures that are used to sign an application so that users, software, and the OS can verify that the software has not been tampered with since it was signed by the publisher. Threat actors take advantage of code signing certificates by creating fake certificates that appear to be related to the trustworthy entity. Typically, this is in an attempt to trick an analyst into believing that any security alerts pertaining to the application are a false positive, which sometimes tricks the user into allowing the application.
Emsisoft believes that the threat actor gained initial access to the environment through either brute-forcing RDP or through the use of stolen credentials. Following this, an open-source remote application known as “MeshCentral” was installed on the host – this application was renamed to “smss.exe” and signed by the fake “Emsisoft Server Trusted Network CA.” While Emsisoft’s security product flagged and quarantined the file due to the invalid signature, if an analyst was to treat this as a false positive due to the spoofed certificate, this would give the attackers full access to the compromised device.
This form of attack is not novel by any means and has been successfully leveraged by many groups in the past. Perhaps the best form of prevention is to ensure that all security analysts are aware of this form of attack. Apart from spreading awareness, an organization could also ensure that their security controls are set to block files with invalid signatures from running. Additionally, ensure that RDP ports are only open on devices where it is absolutely necessary, and employ rules that would detect attacks such as network brute force or port scanning/sweeping.