Trend Micro: Internet scum grab Let's Encrypt certs to shield malware
Updated: It was inevitable. Trend Micro says it has spotted crooks abusing the free Let's Encrypt certificate system to smuggle malware onto computers.
The security biz's fraud bod Joseph Chen noticed the caper on December 21. Folks in Japan visited a website that served up malware over HTTPS using a Let's Encrypt-issued cert. The site used the Angler Exploit Kit to infect their machines with the software nasty, which is designed to raid their online bank accounts.
Encrypting the connection hides the malware from network security scanners that inspect traffic in transit (unless they terminate TLS themselves), and a certificate from a browser-trusted CA lends the malicious site an air of legitimacy, even though a domain-validated cert asserts only that the requester controlled the hostname at issuance time.
Before installing a Let's Encrypt certificate, the attackers compromised an unnamed web server, created their own subdomain under that server's legitimate domain (which requires control of the domain's DNS records), and then obtained a free HTTPS certificate for that subdomain. Let's Encrypt's automated domain validation checks only that the requester controls the hostname named in the request, so a subdomain hanging off a legitimate, reputable domain is issued a cert like any other.

[Image: WTsFx2r.jpg]

The crims installed the cert on the compromised server, and then hosted a booby-trapped advert from that subdomain, Chen explained today. The ad also contained anti-antivirus code.
Chen is critical of Let's Encrypt's policy that it is "not a content filter," saying certificate authorities have a role to play in stopping attacks like this, and that Let's Encrypt needs to do more than check requested domain names against Google's Safe Browsing API before issuing. He feels there should be mechanisms in place to prevent unauthorized cert registrations for domains and their subdomains.
Let's Encrypt's Josh Aas, executive director of the Internet Security Research Group, told The Register his organization's policy, articulated in a blog post from October 2015, still stands.
"We think the certificate ecosystem is not the appropriate mechanism to police phishing and malware on the web. Other mechanisms like Safe Browsing, SmartScreen, or in this case the advertising network's internal controls, are both more effective and more appropriate," he told The Register in an email.
"We do check the Google Safe Browsing API for phishing status before issuing certs, but we do not take action after that. It would be impractical and ineffective. We will not be revoking the certificates in question, but it looks like the sites in question have been taken down."
Essentially: secure your own servers (and the DNS records that let attackers add subdomains), rather than relying on Let's Encrypt to mind the shop for you.
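The practical check a domain owner can run for the pattern described above, as an added example that is not part of the original article or of Let's Encrypt's or Trend Micro's code: Let's Encrypt publishes every certificate it issues to public Certificate Transparency logs, so an operator can periodically pull the certificates naming their domain and flag any hostname they never requested. The article itself does not mention Certificate Transparency; the records, issuer strings and hostnames below are constructed placeholders, and `example.com` stands in for the monitored domain.

```python
"""Flag certificates issued for hostnames under a domain you own but never
authorised (the 'domain shadowing' pattern in the article above).

Constructed example: the records below imitate what a Certificate Transparency
log monitor returns (issuer, validity start, subjectAltName dNSName list).
They are made up for this illustration, not data from the incident.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class CertRecord:
    issuer: str
    not_before: str              # ISO 8601 date, as a CT monitor would report it
    sans: Tuple[str, ...]        # subjectAltName dNSName entries


def normalise(hostname: str) -> str:
    """Lower-case and strip a trailing dot so 'WWW.Example.com.' == 'www.example.com'."""
    return hostname.strip().lower().rstrip(".")


def is_under(hostname: str, domain: str) -> bool:
    """True if hostname is `domain` itself or a label-wise subdomain of it.

    A plain suffix test would wrongly match 'notexample.com' against
    'example.com', so the comparison is done on a label boundary.
    """
    h, d = normalise(hostname), normalise(domain)
    return h == d or h.endswith("." + d)


def find_unauthorized(records: Iterable[CertRecord], domain: str,
                      authorized: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (hostname, issuer, not_before) for every SAN under `domain`
    that is not in the operator's allow-list of hostnames they actually run.
    Duplicate (host, issuer, date) triples are reported once."""
    allow = {normalise(a) for a in authorized}
    hits: List[Tuple[str, str, str]] = []
    seen = set()
    for rec in records:
        for san in rec.sans:
            name = normalise(san)
            if not is_under(name, domain):
                continue            # someone else's domain; out of scope here
            if name in allow:
                continue            # cert for a host we knowingly operate
            key = (name, rec.issuer, rec.not_before)
            if key not in seen:
                seen.add(key)
                hits.append(key)
    return hits


# Constructed sample data (hypothetical; not taken from the incident).
SAMPLE_RECORDS = (
    CertRecord("Constructed CA 1", "2015-12-10", ("example.com", "www.example.com")),
    CertRecord("Constructed CA 1", "2015-12-20", ("ad7.example.com",)),     # never requested by the owner
    CertRecord("Constructed CA 2", "2015-12-21", ("notexample.com",)),      # suffix-collision trap
    CertRecord("Constructed CA 1", "2015-12-22", ("WWW.EXAMPLE.COM.",)),    # same host, odd casing
)

AUTHORIZED_HOSTS = {"example.com", "www.example.com", "mail.example.com"}


def main() -> None:
    for host, issuer, when in find_unauthorized(SAMPLE_RECORDS, "example.com", AUTHORIZED_HOSTS):
        print(f"ALERT unexpected certificate: {host} issued by {issuer} on {when}")


if __name__ == "__main__":
    main()
```

Run against the sample data, only `ad7.example.com` is reported: the legitimate hosts are on the allow-list, the differently-cased duplicate normalises to an allowed name, and `notexample.com` is rejected by the label-boundary test rather than matched as a suffix. In a real deployment the `SAMPLE_RECORDS` tuple would be replaced by the output of a CT monitor and the alert fed to whatever paging or ticketing the operator uses.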