Author: Akashdeep

Reading Time : 8 minutes

In recent years, the software industry has witnessed a surge in code signing attacks. Hackers have been exploiting vulnerabilities in code signing certificates to launch sophisticated attacks on software supply chains, leaving organizations with significant financial and reputational damages. Recent cyberattacks, such as the SolarWinds and Codecov breaches, have highlighted the devastating effects of code signing attacks, causing governments and industry experts to take notice.

The US government, for instance, has issued alerts and advisories warning against the risks of code signing attacks, urging software developers to secure their software supply chains with robust security measures. The need for code signing tools has never been more critical, as they can provide a reliable defence against the potential harm of these attacks.

According to early data from Sonatype’s 8th annual State of the Software Supply Chain Report, released on October 18, 2022, Sonatype has recorded an average 700% jump in repository attacks over the last three years. These figures are massive and what’s more concerning is the threat it poses to customers. 

In this blog, we’ll delve deeper into the rise of code signing attacks, explore recent attacks and their consequences, examine reports from government organizations, and discuss the importance of code signing tools in safeguarding software supply chains. By the end of this blog, you’ll have a better understanding of the current threat landscape and what measures you can take to secure your software supply chain against code signing attacks.

Modern Attacks used by APTs

Through time not only our defenses are fortified with cutting-edge technology, but the attacks used by APTs are also getting smart. Hackers are getting swifter in their movements.   

Some types of code signing attacks that modern APTs use are listed here:-

• Code Signature Spoofing

  Attackers can steal legitimate code-signing certificates and use them to sign their malware, bypassing antivirus and other security measures.

• Compiler Backdoors

  Attackers can plant backdoors in compilers, which are then used to inject malicious code into legitimate software programs during the compilation process.

• Man-in-the-Middle Attacks

  Attackers can intercept and modify software packages as they are being downloaded, injecting malicious code, or manipulating the code’s behaviour to cause harm.

• Dependency Confusion Attacks

  In this type of attack, attackers take advantage of vulnerabilities in the software development process to inject malicious code into the software supply chain by exploiting dependencies that have the same name as legitimate ones.

But who shoulders the security factor?

Any successful cybersecurity program requires a comprehensive strategy that involves both humans and machines. However, in recent years, APT groups have exploited vulnerabilities in the human factor by leveraging social engineering tactics to penetrate the system undetected. Such attackers exploit security teams’ assumptions about adware and other seemingly harmless applications to move laterally within the network and avoid detection by security solutions.

They can even use legitimate tools already present in the system to their advantage. To mitigate these risks, it is crucial to not only invest in cutting-edge technology but also to educate employees on best practices. A comprehensive approach that combines advanced technology with employee training is necessary to ensure that the human factor is not a weak link in the security chain. By doing so, organizations can better protect themselves from APT groups and other sophisticated threats that target the human psyche.

What leads to certificate compromise?

Code-signing certificates are critical to ensuring software security. However, they are also susceptible to compromise by hackers. Attackers can obtain these certificates in various ways, such as by exploiting three key vulnerabilities.

• The first is key theft, where code-signing certificates and their private keys are often stored in unprotected locations, such as signing servers or developer workstations. A breach in these systems can provide easy access for hackers.
• The second vulnerability is internal misuse, where developers inadvertently make it easy for attackers to obtain code-signing certificates. An example of this is when D-Link accidentally published four code-signing keys in open-source firmware back in 2015.
• The third and most concerning is a signing compromise, where attackers target the signing infrastructure itself. By compromising the infrastructure, attackers can sign malware and distribute it as legitimate software, without detection. In 2019, for instance, hackers compromised ASUS’ Live Update Utility, enabling them to distribute malware to thousands of users undetected.

CodeSign secure 

Here we come into the picture, CodeSign secure is our technology that helps reduce the risk of compromise to a large extent. We directly address the issues related to the factors which ultimately lead to compromise. 

Compromise not only cost extravagant money but also user distrust. Breaches are synonymous with chaos for any organization. Patching the vulnerability as soon as possible is the top priority but nobody knows how much time it may take to fix it.  

CodeSign Secure is the shield that safeguards you from this chaos.

CodeSign Secure addresses the problems with:

• Virus scanning

  CodeSign Secure starts with virus scanning before commencing any type of signing process. It searches for any viruses or malware that may have been injected into the file before sending it away for the signing process.

• Client-side Hashing

  CodeSign secure uses client-side hashing, providing you with that extra layer of security for customers. Hashing a file at its origin helps maintain its integrity at its peak and gives the customer a clear view of the file and what comes after signing.

• Key-pair Handling

  CodeSign Secure never exposing the key while signing the file/code. The file is signed inside the HSM, and the keys are never exposed to the outside world.

• Role-based access control

  Our organization provides Role-based access control for code/file signing providing correct access and privileges to the user. Ensuring only those with proper roles can access certificates, and keys within the tool.

• Revoking compromised certificates

  When a certificate expires, it will automatically be renewed, but in the case that a certificate or key is found to have been compromised, the key can be revoked and thus the signing process cannot occur with that key and certificate.

• Timestamp your signed code

  Avoid the risks of software expiring unexpectedly when the code signing certificate expires. When a code signing certificate expires, the validity of the software that was signed will also expire unless the software was timestamped when it was signed.

• Monitor and audit key signing workflows

  Certificates and keys are associated with specific applications, and whoever is signing anything gets recorded in the logs of our tool, so we have the IP and the username of anyone attempting to sign. They will be blocked if they do not have valid credentials, or if the key or certificate has expired.

Conclusion

The Internet is going to be more chaotic in the upcoming time. These cyber-attacks are not halting anywhere soon, on the contrary they are going exponentially increase. Protecting our data must be done by us and proper precautions and measures are required to do so.

Not only do we need to use cutting-edge technology but general awareness among the masses. Regular audit policies and proper role-based authentication and access control system are needed to be in place.

Bearing all the responsibility of protecting your product is very heavy and you can always find a shoulder to rely on. We would be more than happy to be that shoulder and help to protect what truly matters to you.  

Code signing has proven to be a crucial tool for ensuring software security in the modern digital environment. To ensure that software is safe and secure, code signing has become an essential aspect of software development. Code signing is the process of digitally signing software to verify the authenticity and integrity of the code.

Given the prevalence of malware and cyber-attacks, developers need to take precautions to safeguard their code and provide users with the assurance that the software they use is reliable and trustworthy. Strict security protocols, powerful cryptographic algorithms, and authentication mechanisms to confirm code accuracy are all necessary for code signing.

It’s critical to confirm that the major operating systems and browsers trust and recognize the Certificate Authority being used for code signing. Failure to comply with these requirements may compromise software, harm one’s reputation, and erode user confidence.

But the benefits of code signing, and Sign Tool are not limited to software developers alone. CISOs and CTOs can also benefit from these tools by ensuring that the software used within their organizations is secure and trustworthy. By using code signing and the Sign Tool, they can be assured that any software downloaded and used within their organization is genuine and has not been tampered with. This can prevent data breaches, malware infections, and other security threats that could harm the organization.

What’s more interesting is that the global average cost of a data breach increased 2.6% from $4.24 million in 2021 to $4.35 million in 2022 — the highest it’s been in the history of IBM Security’s “The Cost of a Data Breach Report.

Code signing provides several benefits to both software developers and end-users. It assures users that the software they are downloading is genuine and has not been tampered with by a third-party. This increases trust in the software and makes users more likely to download and use it. Code signing also protects software developers from intellectual property theft by verifying their ownership of the code. It also prevents malware and viruses from being spread through unauthorized code.

Therefore, developers should carefully consider the necessity of and prerequisites for code signing.

You might still be indecisive about using code signing. Let’s examine a cyber breach to understand the graveness of code signing.

SolarWinds cyber breach

SolarWinds which is a very prominent company in IT got hacked. It was after this breach that supply-chain attacks got more widely known. Hackers were able to access Orion, the company’s IT monitoring system, which is utilized by over 30,000 businesses, including municipal, state, and federal authorities. Through an Orion software update hackers were able to spread backdoor malware. 

Now that looks too scary for an organization, and it must not happen with any organization as organization compromise is the ultimate compromise of user data and these attacks should be mitigated at any cost.

Want to get a detailed explanation and timeline of the SolarWinds breach, follow this link to get an explanation from an expert.

How can our organization help?

Our organization has come up with the most efficient and user-friendly code-signing solution “CodeSign Secure“. What makes us the best out in the market?

• CodeSign Secure starts with virus scanning before commencing any type of signing process. It searches for any viruses or malware that may have been injected into the file before sending it away for the signing process.
• CodeSign secure uses client-side hashing, providing you with that extra layer of security for customers. Hashing a file at its origin helps maintain its integrity at its peak and gives the customer a clear view of the file and what comes after signing.
• Never exposing the key while signing the file/code. The file is signed inside the HSM, and the keys are never exposed to the outside world.
• Our organization provides Role-based access control for code/file signing providing correct access and privileges to the user. Ensuring only those with proper roles can access certificates, keys within the tool.

• Timestamp your signed code

  Avoid the risks of software expiring unexpectedly when the code signing certificate expires. When a code signing certificate expires, the validity of the software that was signed will also expire unless the software was timestamped when it was signed.

• CodeSign Secure follows the latest NIST (National Institute of Standards and Technology) guidelines of code signing.
• Monitor and audit key signing workflows- Certificates and keys are associated with specific applications, and whoever is signing anything gets recorded in the logs of our tool, so we have the IP and the username of anyone attempting to sign. They will be blocked if they do not have valid credentials, or if the key or certificate have expired.

• Enable automated code signing in SDLC processes

  We have the ability to sign from a client tool, via APIs, or via the command line so it is very straightforward and simple to integrate our tool into SDLC processes, including tools like Jenkins and Bamboo.

• Compare signing from different build servers

  our tool will check that the code being signed is the most up to date version of the code on the build servers in use by the client, ensuring an older or potentially malicious version of the code is not being signed.

• Revoking compromised certificates

  When a certificate expires, it will automatically be renewed, but in the case that a certificate or key is found to have been compromised, the key can be revoked and thus the signing process cannot occur with that key and certificate.

Our organizations CodeSign Secure has some amazing tools inside that have made different types of signing operations simple.

But what files they can sign? Let us get some insight.

Encryption Consulting- CodeSign Secure

Managing and using different tools for different types of file/certificate signing may prove to be a hefty task especially when submerged by a stockpile of different files that need to be signed. Obviously, one option is to buckle up and get started with the work. It may take forever to rotate between software and get the job done, or simply use our organisations top of the line solution, CodeSign Secure- a command line tool and GUI tool for code signing. A seamless solution that empowers you to protect your code and files from getting altered and safeguarding the integrity of code. The command line tool automatically detects the file extension and proceeds with the appropriate signing method. Just by giving a few inputs CodeSign Secure returns the signed file in just a matter of time.

CodeSign Secure starts with virus scanning before commencing any type of signing process. It searches for any viruses or malware that may have been injected into the file before sending it away for the signing process. This reduces the risk of signing an infected file to zero.

Talking about CodeSign Secure command-line utility tool let us give you a comprehensive explanation of how it’s done.

1. The user enters the file name. Our product intelligently segregates the files and finds which signing algorithm will be used
2. Once it finds out among Windows signing, OpenSSL signing and Jar signing which signing is to be performed user need to feed certain inputs for the signing process.
3. Like for the Windows Signing (files like .dll , .exe, .sys etc) user needs to enter the hashing algorithm, the certificate file path, time stamp server and other necessary data and you get your files signed in a matter of time.

CodeSign Secure is also capable of Macro signing. You can digitally sign any Excel workbook or Excel template. The end user’s insecurity about running code from an unidentified source is allayed when you digitally sign your macro because it links your identity to the code and displays your name in the file.

Any modifications made to the macro after the signature has been applied, such as the introduction of a virus, will render the signature invalid, safeguarding your name and reputation.

The other types of signing that we do, if we specifically see the type of file in question are

1. Windows Signing

   The Windows Signing tool can sign all types of windows files including .exe, .dll, .sys, etc. dealing with all the windows stuff. We have our own Key Storage Provider, created specifically for our signing tool, which is used to connect to our server, authenticate the client, and sign the windows files in question.

2. Jar Signer

   If you distribute your application as a JAR, EAR, or WAR file, we recommend using a jar signer to digitally sign the JAR file. Especially if other people are downloading the archive over the public internet

   We provide two options to the user either they can do the jar signing the geeky way, i.e., by Command Prompt or with Eclipse.

   The necessary data that you need to be fed to our command line tools are File path, key name, hashing algorithm, certificate location.

3. Open SSL Signing

   Signs binary files (.txt, .so) with OpenSSL. It uses the open-source tool- OpenSSL to sign the binary files and software file (.so files) with the help of OpenSSL. The necessary data that you need to feed to our command line tools are File path, key name and hashing algorithm.

Conclusion

In conclusion, code signing is an essential tool for ensuring the security and integrity of software.

Code signing ensures users that the software they are using comes from a reliable source and has not been tampered with by digitally signing software code with a special digital certificate.

Our code signing tool offers a simple and efficient way to sign your code and protect your software, making sure that it complies with the standards of today’s security-conscious digital environment.

Our code-signing tool helps you increase user trust, defend against malware and online attacks, and protect your reputation as a developer by utilizing strong encryption algorithms, stringent security protocols, and authentication mechanisms. Lastly you need not worry about the authenticity of your software when you use our code-signing tool.

We are in an age where digital signature represents the mark of authenticity; seeing the world grow at such a rapid pace today, every single thing needs verification on the internet, be it any source code, script, key pair, or any sort of utility item that a third party offers. All the content we see on the internet needs authenticity before using it. It needs to be checked before it is used, and that mark is provided by Code Signing.

The mark which we are talking about is the main point of attraction of code signing, it is the unique hash value which is calculated before the software code is delivered. Software or utility service is stamped with a digital signature and a hash value to compare whether the received service is from the original author or is tampered with by malicious threat actors.

Now coming to Software supply chain security. The whole, SDLC, software development life cycle’s steps or the activities that interact with applications or otherwise contribute to their development is referred to as the software supply chain

Software supply chain security is the process of protecting the elements, processes, and procedures used in the development and distribution of software that covers developer techniques, development tools, interfaces, third-party and proprietary code, deployment strategies, infrastructure, and interfaces.

These security-related tasks fall under an organization’s purview, as does showing consumers evidence of such efforts. 

How can Code Signing help with mitigating Software supply chain attacks?

The main concept of code signing is focused on the integrity of the code, ensuring that the piece of code being delivered to the customer is from the original author. The software’s author signs the code whenever they make changes, ensuring no action is unauthorized.

That means anything being delivered to you comes with a hash released from the author, a key, and a digital certificate to always authenticate first before use. 

Code signing is also helpful when working in a team environment. You can use code signing as you exchange source code throughout the SDLC to ensure double authentication, prevent attacks, and even prevent namespace conflicts.

Code signing follows a three-step process

• Creating a unique public-private key
• Hashing
• Decryption and Verification

Recent Software Supply Chain Attacks

SolarWinds

Software supply chain threats first gained attention after the SolarWinds hack. Hackers were able to access Orion, the company’s IT monitoring system, which is utilized by over 30,000 businesses, including municipal, state, and federal authorities.

Through an Orion software update, the hackers were able to spread backdoor malware.

So, what happened here?

The malware could not only access system data and function alongside normal SolarWinds operations, evading even antivirus software, but also the hackers could access and impersonate the victims’ accounts and users.

From the time the hackers originally broke into the system in September 2019 until the time the incident was first discovered or reported publicly in December 2020, the perpetrators stayed undetected. 

You can see the detailed video explaining the attack on our YouTube channel by following the link below –

Kaseya

IT management software provider Kaseya stated it had been the target of a supply chain assault because of a flaw in its VSA software which hackers took advantage of in July 2021.

The attackers targeted multiple managed service providers (MSPs) and their clients, subsequently identified as REvil, who utilized the vulnerability to launch ransomware operations.

Hackers could access computers via a false update by breaching the VSA server, which is used to distribute a variety of automated IT chores and applications

According to Kaseya, a total of 1,500 firms were impacted by the hack, of which about 60 were its clients.

Later, Kaseya also declared that it hadn’t paid the hacker’s alleged $70 million ($50 million) ransom.

Log4j

Millions of systems were placed in danger by the vulnerability known as Log4Shell that affected Log4j, a Java-based logging application, towards the end of 2021.

Log4j is an open-source program created by the Apache Software Foundation that logs diagnostic data about systems and relays it to users and administrators to keep things operating properly.

However, the Log4Shell vulnerability in December 2021 gave hackers access to networks, allowing them to steal data, discover logins and passwords, and launch other malicious software.

Furthermore, many people and businesses were exposed to attacks due to the widespread use of Log4j. 

Log4j vulnerability was given CVE-2021-44832, an RCE vulnerability affecting instances of Log4j 2 in instances where an attacker has permission to modify the logging configuration file and can, in turn, construct a malicious configuration using a JDBC Appender.

CodeSign Secure: A helping hand

Our organization offers a robust and reliable solution- CodeSign secure. Our solution is different because CodeSign Secure helps customers stay ahead of the curve by providing a secure Code Signing solution with tamper-proof storage for the keys and complete visibility and control of Code Signing activities.

Key feature that marks us ahead area: –

• Support for customized workflows of an “M of N” quorum with multi-tier support of approvers
• The command line signing tool provides a faster method to sign requests in bulk.
• Robust access control systems can be integrated with LDAP and customizable workflows to mitigate risks associated with granting wrong access to unauthorized users, allowing them to sign code with malicious certificates.
• Validation of code against up-to-date antivirus definitions for viruses and malware before digitally signing it will mitigate risks associated with signing malicious code.

Conclusion

Code Signing is very crucial for the current day scenarios as piracy and the level of threat posed by the malicious actors to internet is too gigantic and it costs millions of dollars upon the compromise of organisation.

We’re providing a platform for creating/generating, and importing certificates to an organization, documents (env – Windows, Linux, Jar signing, and doc signing) are signed with private key and verified with the respective certificate. Proper and detailed logging feature with an extensive GUI representation (statistical analysis). Management of tools is one of the key advantages of CodeSign Secure.

Prevention is always better than cure, preventing the malicious actors from taking control over personal and client data is always better than disaster recovery. Our organisation helps people with preventing the disaster before it happens.