DigiCert recently took action to address a security breach in its internal support portal by revoking certificates that were fraudulently obtained. The breach was identified following a cyberattack that exploited their support system.
Details of the Cyberattack
The attack, as detailed by DigiCert, occurred on April 2 when an attacker targeted their support team using a deceptive payload. This malware was disguised as a screenshot and delivered through a customer chat channel.
The infection spread to two endpoints, with one being detected swiftly on April 3, while the second was not identified until April 14. DigiCert attributed the delay in detecting the second infection to malfunctioning security solutions on the affected endpoint.
Impact on Certificates
From the compromised system, the attackers reached DigiCert’s internal support portal. There they abused a limited-access function: authenticated support analysts could proxy into customer accounts, and doing so exposed the initialization codes needed to obtain EV Code Signing certificates.
This breach enabled the attackers to acquire EV Code Signing certificates for a specific set of customer accounts. DigiCert reported that by April 17, they had revoked 60 certificates related to the breach, including 27 directly linked to the attackers. Eleven of these were reportedly used to sign malware.
Security Enhancements and Future Precautions
DigiCert assured that all certificates potentially impacted by this incident were revoked, and pending orders were canceled to thwart any further unauthorized access. To bolster security, they have implemented several measures, including enforcing multi-factor authentication on administrative actions and restricting access to initialization codes by proxied support users.
Further preventive steps include limiting the file types that can be transmitted through support chat and Salesforce case attachments, along with enhancing logging capabilities for better monitoring.
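The file-type restriction above only helps if it is enforced on the file's content rather than on the name the sender gave it, since the payload in this incident was delivered disguised as a screenshot. The following is an added example (not DigiCert's code) of such a content-based allow-list for a support-chat attachment handler; the sample files are constructed.

```python
"""Allow-list chat attachments by their leading bytes, not by file name."""
from dataclasses import dataclass
from typing import Optional

# Magic-byte signatures of the only formats a support chat should accept.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Headers of executable/archive containers that are rejected whatever the name.
EXECUTABLE_SIGNATURES = {"pe": b"MZ", "elf": b"\x7fELF", "zip": b"PK\x03\x04"}
# Permitted extensions mapped to the content type they must actually contain.
ALLOWED_EXTENSIONS = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}

@dataclass
class Verdict:
    accepted: bool
    reason: str

def detect_type(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    for name, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return name
    for name, sig in EXECUTABLE_SIGNATURES.items():
        if data.startswith(sig):
            return name
    return None

def screen_attachment(filename: str, data: bytes) -> Verdict:
    """Accept only when extension, header and allow-list all agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return Verdict(False, f"extension .{ext or '<none>'} not on allow-list")
    kind = detect_type(data)
    if kind in EXECUTABLE_SIGNATURES:
        return Verdict(False, f"{kind} header inside a file named {filename}")
    if kind is None:
        return Verdict(False, "unrecognised content")
    if kind != ALLOWED_EXTENSIONS[ext]:
        return Verdict(False, f"content is {kind} but name claims {ext}")
    return Verdict(True, kind)

# Constructed samples: a bare PNG header, and a PE stub renamed to look like one.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PE_AS_PNG = b"MZ\x90\x00" + b"\x00" * 16
```

Header checks defeat simple renaming but not polyglot files or exploits against the image parser itself, so a production handler should also re-encode accepted images and open attachments only in an isolated viewer.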
These upgrades are part of DigiCert’s commitment to strengthening its defenses against future threats and ensuring the integrity of its systems and customer data.
