What We’re Seeing with x.509 Certificates and Why You Should Worry

Improving Security for the Work from Home Era

Detecting cyber threats with x.509 certificates

Here at Team Cymru we have a lot of data, and we work hard to extract insight from these various types of data and serve up the key parts to our clients and partners in a useful form. Many security vendors power their offerings in a significant way with our Pure Signal. We provide a cyber reconnaissance solution for our enterprise customers, giving them on-demand access to a supermajority of all activity on the internet. This allows them to extend threat hunting beyond their perimeter. Finally, we provide data at no cost to our community partners worldwide, such as national CSIRT teams.

One of those data sets relates to x.509 certificates, and the first part of this post is a summary of the 5.2 million x.509 certs we saw on day #2 of the new working year. In fact, we review anywhere from 2M to 8M of these certificates every single day. The second part of this post will tell you why you should care about what we are seeing.

On January 5th, the 5+ million certs broke down into about half a million distinct certs by unique hash, and you can see that many of them have been around for years and are not set to expire until they are in their teenage years. In fact, the number of unique certs varies with the volume processed, and has ranged up to 1.3M in recent weeks.

Most common certificate expiry begin and end years:

| Number of certs | Valid from | Valid to |
| --- | --- | --- |
| 518007 | 2020 | 2021 |
| 440775 | 2017 | 2027 |
| 175627 | 2018 | 2019 |
| 148734 | 2019 | 2029 |
| 105957 | 2020 | 2022 |
| 96026 | 2014 | 2024 |
| 86243 | 2018 | 2028 |
| 62291 | 2019 | 2021 |
| 62233 | 2006 | 2031 |
| 57036 | 2020 | 2030 |

Note the third row of the table above: at the time of observation on January 5, these were already expired certificates. (By the way, have you checked your infrastructure to see if your certs are expiring soon?)

Everyone’s perspective of what happens on the Internet is different, but we see the top two cert origins as the USA and China.

Most common certificate countries:

| Number of certs | Country code |
| --- | --- |
| 777560 | US |
| 621140 | CN |
| 154789 | BE |
| 19964 | GB |
| 11700 | AU |
| 8304 | TW |
| 8143 | PL |
| 7867 | DE |
| 8143 | IE |
| 4705 | XX |


Most common certificate issuer organizations:

| Number of certs | Organization |
| --- | --- |
| 1215950 | DigiCert Inc |
| 264686 | GlobalSign nv-sa |
| 131601 | TrustAsia Technologies |
| 60242 | Let’s Encrypt |
| 54271 | Digital Signature Trust Co. |
| 44782 | GlobalSign |
| 31346 | HW |
| 28893 | VeriSign |
| 23396 | The USERTRUST Network |
| 21624 | Huawei |


The majority are signed using SHA-256, but some still use old and insecure hash algorithms such as SHA-1 and MD5.

Most common certificate signature/hash algorithms:

| Number of certs | Algorithm |
| --- | --- |
| 2068349 | sha256WithRSAEncryption |
| 240018 | sha1WithRSAEncryption |
| 36791 | sha384WithRSAEncryption |
| 17755 | md5WithRSAEncryption |
| 4440 | ecdsa-with-SHA1 |
| 2998 | sha512WithRSAEncryption |
| 2089 | ecdsa-with-SHA256 |
| 902 | ecdsa-with-SHA384 |
| 185 | dsaWithSHA1 |
| 64 | sha1WithRSA |


Most common certificate email domains:

| Number of certs | Domain |
| --- | --- |
| 9627 | sangfor.com.cn |
| 9221 | bt.cn |
| 6826 | fortinet.com |
| 4644 | example.com |
| 3304 | huawei.com |
| 2867 | vmware.com |
| 1918 | topocalhostsec.com.cn |


So what is the takeaway here? Why do we care about this?

Forged, free and stolen certificates are constantly used to masquerade as legitimate machines. The most common uses are to get malware to run on machines and to further SSL man-in-the-middle attacks.

Useful certs are available for miscreants to purchase in the underground economy for about a thousand dollars. Most common browsers are designed to check for revoked certificates, provided the browser has been updated to a modern version and is set to proactively fetch the updated list of ‘bad certs’.

If your staff are still working from home, you likely have far less visibility into the tools they are using. In fact, if they were breached using a forged or stolen x.509 certificate, would you even know?

The point is, now that corporations have all lost so much visibility into their networks, bad x.509 certificates are even more of a threat against TLS/SSL, which is the basis of HTTPS…but this is one that is easy to prevent:

  • Update and patch your browsers.
  • Teach your staff to pay attention if a browser flags a bad certificate; ignorance is not bliss!
  • Have a plan to respond if one of your certs is abused.
  • Do your own infrastructure check to see if your certs are expiring soon.
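The last checklist item, together with the expiry and weak-hash observations earlier in the post, can be turned into a script. What follows is an added example, not Team Cymru code and not part of the original post: a stdlib-only Python inventory check that parses DER-encoded x.509 certificates, recovers the fields the tables above count (signature algorithm, issuer country, validity window), and flags certificates that are expired, expiring within 30 days, signed with SHA-1 or MD5, or valid for more than ten years. The sample certificates, the 2021-01-05 "now" and the small OID table are constructed for the example; the parser reads only the fields it needs and does no signature verification or chain building.

```python
import datetime as dt
from collections import Counter

SIG_ALGS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",   # OIDs for names in the post's table
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}
WEAK_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}
OID_COUNTRY, OID_RSA, UTC = "2.5.4.6", "1.2.840.113549.1.1.1", dt.timezone.utc

# --- minimal DER encoder, used only to build the constructed sample certificates ---
def tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(nb)]) + nb + payload

def seq(*items): return tlv(0x30, b"".join(items))
def setof(*items): return tlv(0x31, b"".join(items))
def integer(n): return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))
def utctime(d): return tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                        # base-128, high bit set on all but the last byte
        while (arc := arc >> 7):
            chunk.append(0x80 | (arc & 0x7F))
        out += reversed(chunk)
    return tlv(0x06, bytes(out))

def make_cert(country, sig_oid, not_before, not_after, serial):  # v3 shell with placeholder key/signature
    alg = seq(oid(sig_oid), tlv(0x05, b""))
    name = seq(setof(seq(oid(OID_COUNTRY), tlv(0x13, country.encode()))))  # Name holding only C=
    validity = seq(utctime(not_before), utctime(not_after))
    spki = seq(seq(oid(OID_RSA), tlv(0x05, b"")), tlv(0x03, bytes(9)))      # placeholder public key
    tbs = seq(tlv(0xA0, integer(2)), integer(serial), alg, name, validity, name, spki)
    return seq(tbs, alg, tlv(0x03, bytes(9)))       # placeholder signatureValue

# --- DER parser: just enough x.509 to recover what the post's tables report ---
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def parse_time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:                                 # UTCTime: RFC 5280 two-digit year rule
        s = ("20" if int(s[:2]) < 50 else "19") + s
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def summarize(der):
    _, cert, _ = read_tlv(der)
    fields = children(children(cert)[0][1])         # tbsCertificate fields
    fields = fields[fields[0][0] == 0xA0:]          # skip the explicit [0] version when present
    serial, sig_alg, issuer, validity = fields[:4]
    country = None
    for _, rdn in children(issuer[1]):              # Name = SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            atype, aval = children(atv)
            if decode_oid(atype[1]) == OID_COUNTRY:
                country = aval[1].decode("ascii")
    nb, na = children(validity[1])
    sig_oid = decode_oid(children(sig_alg[1])[0][1])
    return {"serial": int.from_bytes(serial[1], "big", signed=True), "issuer_country": country,
            "algorithm": SIG_ALGS.get(sig_oid, sig_oid), "not_before": parse_time(*nb), "not_after": parse_time(*na)}

def assess(info, now, soon_days=30):               # the conditions the post warns about
    life, left = info["not_after"] - info["not_before"], info["not_after"] - now
    checks = [("weak-signature-algorithm", info["algorithm"] in WEAK_ALGS),
              ("expired", left < dt.timedelta(0)),
              ("expiring-soon", dt.timedelta(0) <= left <= dt.timedelta(days=soon_days)),
              ("very-long-lifetime", life > dt.timedelta(days=10 * 365))]
    return [label for label, hit in checks if hit]

def inventory(certs, now):                          # per-cert findings plus counts like the post's tables
    rows = [dict(i, findings=assess(i, now)) for i in map(summarize, certs)]
    return rows, Counter(r["algorithm"] for r in rows), Counter(r["issuer_country"] for r in rows)

NOW = dt.datetime(2021, 1, 5, tzinfo=UTC)          # the post's observation date, not the wall clock
SAMPLE_CERTS = [                                    # constructed sample inventory
    make_cert("US", "1.2.840.113549.1.1.11", dt.datetime(2020, 3, 1), dt.datetime(2021, 3, 1), 1),
    make_cert("CN", "1.2.840.113549.1.1.5", dt.datetime(2018, 6, 1), dt.datetime(2019, 6, 1), 2),
    make_cert("BE", "1.2.840.113549.1.1.4", dt.datetime(2006, 1, 1), dt.datetime(2031, 1, 1), 3),
    make_cert("US", "1.2.840.10045.4.3.2", dt.datetime(2020, 12, 1), dt.datetime(2021, 1, 20), 4),
]
```

Feeding `inventory()` DER bytes from your own estate (for example the output of `ssl.PEM_cert_to_DER_cert()` on exported PEM files) yields the same per-certificate findings, plus the algorithm and country counts that the post reports at internet scale; the expiring-soon window and the ten-year lifetime threshold are policy knobs to tune for your environment.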

Our commercial tool Pure Signal™ RECON (known to our legacy clients and partners as “Augury”) offers x.509 certificates as a search option, one of its 50+ data types. In fact, it has become our second most popular search type after global network flows, because miscreants often re-use certs across and between campaigns.

If you want insights into millions of certificates every day, with information on when and where those certificates appear, within the context of your investigations and threat prevention, email sales@cymru.com.