Chinese Hacking Group APT41 Attacks 100+ Companies Across The Globe – Expert Source/Comments

On Wednesday, September 16th, the Department of Justice announced that Chinese hackers from a group called APT41 hacked into at least 100 companies in the U.S. and worldwide. The series of attacks involved the theft and abuse of code-signing certificates – yet another textbook example of the need to protect and manage keys and certificates, especially those used to sign code.

Experts Comments

September 18, 2020
Chris Hickman
Chief Security Officer
Keyfactor
All too often, code signing certificates are treated as an inconvenient requirement of building software and not given the necessary care and security controls. Code signing keys are usually kept on build machines or developer computers with no additional security or controls to protect them. If the machine can be accessed by stolen or hijacked credentials, the keys can be removed from that machine. Very few companies audit the use of those code signing certificates and would be challenged to know if a key has been copied or stolen. These attacks should serve as a wake-up call to the entire software development community to finally take the security of code signing certificates seriously. Very few organizations have any idea of the number of code signing certificates that are in use, where they are located and by whom or by what they are being used. In the interest of frictionless development and rapid product releases in many organizations, there are as many code signing certificates as there are developers. This leads to keys being treated in insecure ways, such as keeping them in software or simply protecting them with a password. The software industry needs to take the protection of these keys seriously and treat them with the same diligence as they do other valuable assets. Keys need to be:

1. Centralized into a secure location and protected with appropriate security hardware like an HSM.
2. Keys should only be usable when a signing transaction is approved, thus eliminating the scenario in which malware or a hijacked machine is used.
3. Audit logs of signing key usage should be reviewed and periodically audited.
4. The number of keys should be kept to a minimum number. Ideally less than five for an organization.

Modern code signing solutions are no longer a ‘nice to have’, they are now a ‘need to have’ - and a matter of national security.
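As an added example (not from the article, and not Keyfactor's or any vendor's tooling), the following Python script shows what the audit-log review and per-transaction approval controls in the comment above look like in practice. It parses a constructed signing-service log, checks each signature against a constructed list of approved signing requests, expected signing hosts and a key inventory, and reports the findings a reviewer would want to see: signatures with no approval, approvals reused for a second signature, signing from a machine that is not the build signer, and keys that are not in the inventory. The log format, field names and threshold value are assumptions made for the example.

```python
"""
Review a code-signing audit log against a per-transaction approval policy.

Added example, not from the original article. The log format, the field
names (key, host, req, artifact), the approval records and the MAX_KEYS
threshold are all assumptions constructed for illustration.
"""
from dataclasses import dataclass

# Constructed key inventory: the only signing keys the organization expects to exist.
KNOWN_KEYS = {"release-2020-rsa", "driver-ev-2020"}
# Constructed: the only hosts that should ever drive a signing transaction.
APPROVED_HOSTS = {"build-signer-01"}
# Constructed approved signing requests: request id -> key that the request authorizes.
APPROVED_REQUESTS = {
    "REQ-101": "release-2020-rsa",
    "REQ-102": "driver-ev-2020",
}
# Upper bound on distinct keys in use (the "ideally less than five" target above).
MAX_KEYS = 5

# Constructed audit log: timestamp, event type, then key=value fields.
AUDIT_LOG = """\
2020-09-16T10:01:00Z sign key=release-2020-rsa host=build-signer-01 req=REQ-101 artifact=installer.msi
2020-09-16T10:05:00Z sign key=release-2020-rsa host=dev-laptop-17 req=- artifact=update.exe
2020-09-16T10:09:00Z sign key=driver-ev-2020 host=build-signer-01 req=REQ-102 artifact=driver.sys
2020-09-16T10:12:00Z sign key=release-2020-rsa host=build-signer-01 req=REQ-999 artifact=tool.exe
2020-09-16T10:15:00Z sign key=legacy-2016-rsa host=build-signer-01 req=REQ-101 artifact=setup.exe
"""


@dataclass
class SignEvent:
    ts: str
    key_id: str
    host: str
    request_id: str
    artifact: str


def parse_audit_log(text):
    """Turn the constructed log format into SignEvent records; skip non-sign lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[1] != "sign":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append(SignEvent(parts[0], fields["key"], fields["host"],
                                fields["req"], fields["artifact"]))
    return events


def review_event(ev):
    """Stateless checks for one signature: key inventory, host, and approval match."""
    findings = []
    if ev.key_id not in KNOWN_KEYS:
        findings.append("unknown key")
    if ev.host not in APPROVED_HOSTS:
        findings.append("unapproved host")
    approved_key = APPROVED_REQUESTS.get(ev.request_id)
    if approved_key is None:
        findings.append("no approved request")
    elif approved_key != ev.key_id:
        findings.append("request approved for a different key")
    return findings


def review_log(text):
    """Map artifact -> list of findings; an empty list means the signature was in policy.

    Each approved request may authorize exactly one signature, so a request id
    that shows up a second time is flagged even if everything else looks right.
    """
    used_requests = set()
    report = {}
    for ev in parse_audit_log(text):
        findings = review_event(ev)
        if ev.request_id in APPROVED_REQUESTS:
            if ev.request_id in used_requests:
                findings.append("request reused")
            used_requests.add(ev.request_id)
        report[ev.artifact] = findings
    return report


def key_inventory_ok(text):
    """Return (within_threshold, sorted distinct key ids seen in the log)."""
    keys = sorted({ev.key_id for ev in parse_audit_log(text)})
    return len(keys) <= MAX_KEYS, keys


if __name__ == "__main__":
    for artifact, findings in review_log(AUDIT_LOG).items():
        status = "OK" if not findings else "REVIEW: " + ", ".join(findings)
        print(f"{artifact:15} {status}")
    ok, keys = key_inventory_ok(AUDIT_LOG)
    print(f"distinct keys in use: {len(keys)} (threshold {MAX_KEYS}) -> {'OK' if ok else 'REVIEW'}")
```

Run as a script it prints one line per signed artifact; in a real deployment the same checks would run over the signing service's own log export, and the approval table would come from the change or release system rather than a literal. Note that the last log line trips three findings at once: a key missing from the inventory, an approval that names a different key, and a request id that has already been consumed, which is exactly the pattern a stolen or copied key produces.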
