A hacker is going after users of security products made by Emsisoft using fake code-signing certificates, mimicking the cybersecurity company in an effort to get past their protections. Code-signing certificates are digital signatures applied to an application so that users, software, and operating systems can verify that a program has not been tampered with since the publisher signed it.
Threat actors try to profit from this by producing fake certificates whose names appear linked to trusted entities but which do not validate. Hackers used an executable signed with a fake Emsisoft certificate to attack one of Emsisoft’s clients, the company said in a recent security alert. According to the company, this was done to deceive the client into thinking any detections were false positives and convince them to let the program run. Even though Emsisoft’s security software stopped the attack because of the file’s invalid signature, the company is nonetheless cautioning its clients to be on the lookout for similar attempts.
“We recently observed an incident in which a fake code-signing certificate supposedly belonging to Emsisoft was used in an attempt to obfuscate a targeted attack against one of our customers,” said Emsisoft in the security advisory. “The organization in question used our products and the attacker’s aim was to get that organization to allow an application the threat actor installed and intended to use by making its detection appear to be a false-positive.”
According to Emsisoft, the threat actor most likely first gained access to the infected device by brute-forcing RDP or using stolen credentials belonging to an employee of the target company. After gaining access to the endpoint, the attackers tried to install MeshCentral, an open-source remote access program that security products usually trust because it is widely used for legitimate purposes. However, this MeshCentral executable was signed with a fraudulent certificate purporting to be issued by the “Emsisoft Server Trusted Network CA”.
Although Emsisoft withheld information about the executable, some sources found it had the name “smsse.exe” [VirusTotal]. Emsisoft’s security program detected the invalid signature, categorized the file as “Unknown,” and quarantined it. Because of the name on the digital signature, an employee might have taken this alert for a false positive and allowed the program to run, giving the attacker full access to the device.
This remote access could then be used to turn off security measures, move laterally through the network, steal confidential information, and possibly even deploy ransomware. Emsisoft cautions against trusting an executable unless the file has been shown not to be harmful, and advises against running executables with forged signatures. The company also advises system administrators to set a password on their Emsisoft product so that it cannot be tampered with or disabled in the event of an attempted breach like this one.
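The lesson of this incident is that a signer name is not a trust decision: a signature must chain to a trusted root and validate, or the vendor-looking name counts against the file. The following PowerShell check, added here as an illustration and not taken from Emsisoft or the article, flags executables whose signer or issuer name resembles a watched vendor while the Authenticode signature does not validate; the vendor list and the scanned directory are constructed placeholders.

```powershell
# Added example (not Emsisoft's code): flag binaries whose signer name mimics a trusted
# vendor but whose Authenticode signature is invalid, the pattern seen in this incident.
# Assumes Windows PowerShell 5.1 or later; $WatchedVendors and the path are placeholders.
function Test-SignerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Names whose appearance on a certificate should be treated with suspicion
        # unless the signature is fully valid (constructed list for this example)
        [string[]] $WatchedVendors = @('Emsisoft')
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '<none>' }

    # A genuine vendor-signed binary reports Status 'Valid' (chained to a trusted root).
    # A forged certificate yields NotTrusted, UnknownError, HashMismatch or NotSigned,
    # no matter how convincing the subject or issuer string looks.
    $looksLikeVendor = $WatchedVendors |
        Where-Object { $subject -like "*$_*" -or $issuer -like "*$_*" }

    $verdict = if ($sig.Status -eq 'Valid') {
        'Valid'
    } elseif ($looksLikeVendor) {
        'SUSPICIOUS: vendor-like name with invalid signature'
    } else {
        "Invalid ($($sig.Status))"
    }

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Subject = $subject
        Issuer  = $issuer
        Verdict = $verdict
    }
}

# Review every file not marked 'Valid' before allowing it to run; a 'SUSPICIOUS'
# verdict should be escalated rather than dismissed as a false positive.
Get-ChildItem -Path 'C:\Temp\incoming' -Filter *.exe |
    ForEach-Object { Test-SignerTrust -Path $_.FullName } |
    Format-Table -AutoSize
```

A 'Valid' status alone is not proof of the expected publisher, so pair this check with a comparison of the subject against the vendor's real certificate subject, which is not reproduced here because the article does not give it.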