
WikiLeaks drama alert: CIA forged digital certs imitating Kaspersky Lab

Vault 8 release says spooks used disguise to siphon off data

By John Leyden


The CIA wrote code to impersonate Kaspersky Lab in order to more easily siphon off sensitive data from hacked targets, according to leaked intel released by Wikileaks on Thursday.

Forged digital certificates were reportedly used to "authenticate" malicious implants developed by the CIA. Wikileaks said:

Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.

Eugene Kaspersky, chief exec of Kaspersky Lab, sought to reassure customers. "We've investigated the Vault 8 report and confirm the certificates in our name are fake. Our customers, private keys and services are safe and unaffected," he said.

Hackers are increasingly abusing digital certs to smuggle malware past security scanners. Malware-slinging miscreants may not even need to control a code-signing certificate. Security researchers from the University of Maryland found that simply copying an Authenticode signature from a legitimate file onto a known malware sample – which results in an invalid signature, since the hash no longer matches – can still cause antivirus products to fail to detect it.


Independent experts reckon the CIA used Kaspersky because it's a widely known vendor.

Martijn Grooten, security researcher and editor of industry journal Virus Bulletin, said: "The CIA needed a client certificate to authenticate its C&C comms, couldn't link it to CIA and used 'Kaspersky', probably just because they needed a widely used name. No CA hacking or crypto breaking involved. Clever stuff, but not shocking. Not targeted against Kaspersky."
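The mechanism Grooten describes, as an added example that is not from the article or from the leaked source: a certificate's Issuer field is only a name, so a client cert can claim to be issued by a CA without that CA ever signing it. The Go program below builds a stand-in root (the names `caName`/`victimName`, and the helpers `cert`, `ChainsToRoot` and `Demo`, are constructed for this illustration) and shows that such a forgery fails chain validation, which is the check an egress monitor should run before attributing traffic to the vendor named in the cert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed stand-ins for the CA and the vendor named in the leaked source.
const caName, victimName = "Thawte Premium Server CA", "Kaspersky Laboratory, Moscow"

// cert makes a certificate for cn with a fresh key, signed by signer (nil parent means
// self-signed). Issuer is just parent's Subject copied in; only the signature binds a key.
func cert(cn string, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// ChainsToRoot is the defender's check: does leaf cryptographically chain to a trusted
// root, rather than merely naming one as its issuer?
func ChainsToRoot(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Demo returns (genuineVerifies, forgedVerifies) for a client cert issued by the
// stand-in CA and one that only names that CA but is signed by an unrelated key.
func Demo() (bool, bool) {
	root, caKey := cert(caName, true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	genuine, _ := cert(victimName, false, root, caKey)
	attacker, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Forgery: the "parent" is a bare template carrying nothing but the CA's name.
	forged, _ := cert(victimName, false, &x509.Certificate{Subject: pkix.Name{CommonName: caName}}, attacker)
	return ChainsToRoot(genuine, roots), ChainsToRoot(forged, roots)
}
```

Both certs print the same Subject and Issuer names; only the signature check separates them, which is why logging the issuer string alone misattributes the traffic.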

Revelations about the abuse of digital certificates by the US spy agency came as Wikileaks released CIA source code and logs for a malware control system called Hive, as previously reported.

Security expert Professor Alan Woodward criticised the release with a reference to the Equation Group (NSA hacking unit)/Shadow Brokers leak. "Wikileaks is now releasing source for exploits in Vault 7. Do they remember what happened last time such exploit code was leaked? Stand by for another WannaCry." ®
