Hackers use fake code-signing certificates to impersonate Emsisoft

Posted on February 16, 2023 at 1:42 PM


According to a report, threat actors are using fake code-signing certificates to impersonate Emsisoft, a cybersecurity company, in attacks on organizations that rely on its security products and services. The impersonation is meant to get a targeted customer to override the defenses those products provide.

Hackers impersonate Emsisoft

Code-signing certificates play an important role in safeguarding software security. A certificate binds a publisher's identity to a signing key; the publisher uses that key to sign an application, and users, operating systems, and security software can then verify that the file has not been modified since the publisher signed it, provided the certificate chains to a trusted root.

Threat actors try to abuse this trust by creating fake certificates whose names appear to belong to a trusted entity. Such certificates do not chain to any trusted root, so the signature is invalid, but a file that merely looks signed by a known vendor can still mislead whoever decides whether to let it run.

Emsisoft published a security advisory warning that one of its customers was targeted by hackers who used an executable signed by a fake Emsisoft certificate. The company has also said it believes the attack was made to trick the customer into thinking that any detection done was a false positive, which allowed the program to continue running.

The statement given by Emsisoft in the security advisory said, “the organization in question used our products, and the attacker aimed to get that organization to allow an application the threat actor installed and intended to use by making its detection appear to be as false-positive.”

The company explained that the threat actor used this tactic in a targeted attack on one of its customers. A fake code-signing certificate carrying a trusted vendor's name gives the attacker a better chance that a detection will be dismissed and the file allowed to run.

However, Emsisoft said that despite the sophistication of the attack, it failed and did not achieve what the hackers had hoped at the targeted customer. The company said its security software blocked the file because its signature was invalid. Nevertheless, it has urged all its customers to remain vigilant so that they do not fall victim to similar attacks in the future.

Initial access likely gained through RDP brute-forcing or stolen employee credentials

In the security advisory, Emsisoft said the hackers likely gained initial access to the compromised device by brute-forcing RDP credentials. Such access could also have been obtained with stolen credentials belonging to employees of the target organization.

After gaining access to the endpoint, the attacker installed MeshCentral, an open-source remote management tool. Because MeshCentral is widely used for legitimate administration, security products often treat it as benign.

In this case, the hackers tried to build on that benign reputation by signing a MeshCentral executable with a fake Emsisoft certificate. The certificate claimed to have been issued by an "Emsisoft Server Trusted Network CA", a name that does not correspond to a genuine Emsisoft certificate authority.

Emsisoft has not shared details about the executable, but a sample on VirusTotal named "smsse.exe" is believed to be the file used. When the Emsisoft product scanned it, the file was flagged as "Unknown" because of the fake signature.

The risk was that an employee, seeing the Emsisoft name on the signature, would mistake the warning for a false positive and allow the application to run, giving the attacker remote access to the device. With that access the hackers could disable security protections, steal sensitive information, and even deploy ransomware.
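The point of the incident is that a file can carry a signature naming a trusted vendor and still fail verification, and that the name alone proves nothing. As an added example (not code from Emsisoft or from the article), the following PowerShell function reads a file's Authenticode signature, rebuilds the certificate chain so the reason for any failure is visible, and flags files whose signer or issuer name resembles the expected publisher while the chain does not verify, which is exactly the pattern described above. The function name, the directory swept in the usage line, and the verdict labels are assumptions for illustration.

```powershell
# Added example (not Emsisoft's code): check whether a PE file's Authenticode
# signature is valid AND chains to a trusted root, and flag files whose signer
# or issuer name looks like a known vendor while the chain does not verify.
# Assumed inputs: a file path and the publisher name you expect to see.
function Test-SignerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is 'Valid' only when the file hash matches and the chain verifies.
    # A self-issued look-alike certificate typically yields NotTrusted/UnknownError.
    if ($sig.Status -eq 'NotSigned' -or $null -eq $sig.SignerCertificate) {
        return [pscustomobject]@{
            Path = $Path; Verdict = 'UNSIGNED'; Status = $sig.Status
            Signer = $null; Issuer = $null; ChainErrors = $null
        }
    }

    $signer = $sig.SignerCertificate

    # Rebuild the chain explicitly so the failure reason (e.g. UntrustedRoot)
    # is reported instead of a bare status. Use 'NoCheck' on an offline host.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $codeSigningEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
    $chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku) | Out-Null
    $chainOk = $chain.Build($signer)
    $chainErrors = ($chain.ChainStatus |
        ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    $errorText = if ($chainOk) { $null } else { $chainErrors }

    # Subject and issuer names are attacker-controlled in a forged certificate;
    # they identify the publisher only when the chain verifies.
    $nameLooksLikeVendor = ($signer.Subject -like "*$ExpectedPublisher*") -or
                           ($signer.Issuer  -like "*$ExpectedPublisher*")

    $verdict = if ($sig.Status -eq 'Valid' -and $chainOk -and $nameLooksLikeVendor) { 'TRUSTED' }
               elseif ($nameLooksLikeVendor) { 'IMPERSONATION-SUSPECT' }
               elseif ($sig.Status -eq 'Valid' -and $chainOk) { 'VALID-OTHER-PUBLISHER' }
               else { 'UNTRUSTED' }

    [pscustomobject]@{
        Path = $Path; Verdict = $verdict; Status = $sig.Status
        Signer = $signer.Subject; Issuer = $signer.Issuer; ChainErrors = $errorText
    }
}

# Usage (assumed directory): sweep for binaries and surface only the ones
# that are unsigned, untrusted, or carry a vendor-looking name that fails to verify.
Get-ChildItem -Path 'C:\Users\Public' -Recurse -Include *.exe,*.dll -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SignerTrust -Path $_.FullName -ExpectedPublisher 'Emsisoft' } |
    Where-Object { $_.Verdict -notin @('TRUSTED', 'VALID-OTHER-PUBLISHER') } |
    Format-Table Path, Verdict, Status, Signer, Issuer, ChainErrors -AutoSize
```

A file signed with a self-issued certificate whose issuer reads "Emsisoft Server Trusted Network CA" comes back as IMPERSONATION-SUSPECT with an UntrustedRoot chain error, while a genuinely signed Emsisoft binary comes back TRUSTED. The check deliberately treats the name match as a reason for more suspicion, not less, when the chain fails.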

In its advisory, Emsisoft warned customers to allow an executable only after confirming that the file is not malicious, and to contact their security vendor before permitting a file without a valid signature to run.

Emsisoft explained that the incident showed the need for organizations to set up multiple layers of protection to guarantee that if one layer does not offer the needed protection, the other will.

Emsisoft has also suggested that system administrators take extra measures to harden their setup. This includes setting a password on their Emsisoft product so that an attacker who gets onto a machine, as in this fake-certificate incident, cannot tamper with or disable the protection.

