What We’re Seeing with x.509 Certificates and Why You Should Worry

Improving Security for the Work from Home Era

Here at Team Cymru we have a lot of data, and we work hard to extract the insight from these various types of data and serve up the key parts to our clients and partners in a useful form. Many security vendors power their offerings in a significant way with our Pure Signal. We provide a cyber reconnaissance solution for our enterprise customers, giving them on demand access to a super majority of all activity on the internet. This allows our them to extend threat hunting beyond their perimeter. Finally, we provide data at no cost to our community partners worldwide, such as national CSIRT teams.

One of those data sets relates to x509 certificates, and the first part of this post is a summary of the 5.2 million x.509 certs and what we saw on day #2 of the new working year. In fact, we review anywhere from 2M to 8M of these certificates every single day. The second part of this post will tell you why you should care about what we are seeing.

On January 5th, the 5+ million certs breaks down as about half a million distinct certs by unique hash, and you can see that many of them have been around for years and not set to expire until they are in their teenage years. In fact, the number of unique certs varies with the volume processed, and ranges up to 1.3M in recent weeks.

Most common certificate expiry begin and end years:

Note the third line down on the chart above – at the time of observation on January 5, these were already expired certificates. (By the way, have you checked your infrastructure to see if your certs are expiring soon?)

Everyone’s perspective of what happens on the Internet is different, but we see the top 2 cert origins as USA and China.

Most common certificate countries:

Most common certificate issuer organizations:

The majority are using SHA256, but there are a few using old and insecure hashing tools.

Most common certificate signatures/hash values:

Most common certificate email domains:

SO WHAT IS THE TAKE AWAY HERE? WHY DO WE CARE ABOUT THIS?

Forged, free and stolen certificates are used constantly to masquerade as machines. The most common uses are to get malware to run on machines and to further SSL man-in-the-middle attacks.

Useful certs are available for miscreants to purchase in the Underground Economy for about a thousand dollars. Most common browsers are designed to check for revoked certificates, if it is updated to a modern version and if it is set to proactively gather the updated list of ‘bad certs’.

If your staff are still working from home, you likely have far less visibility into the tools they are using. In fact, if they were breached using a forged or stolen x.509 certificate, would you even know?

The point is, now that corporations have all lost so much visibility into their networks, bad x.509 certificates are even more of a threat against TLS/SSL, which is the basis of HTTPS…but this is one that is easy to prevent:

• Update and patch your browsers.

• Teach your staff to pay attention if a browser flags a bad certificate, ignorance is not bliss!

• Have a plan to respond if one of your certs is abused.

• Do your own infrastructure check to see if your certs are expiring soon.

Our Commercial tool Pure Signal™ RECON (known by our legacy clients and partners as “Augury”) has, as one of its 50+ data types, x.509 certificates as a search option. In fact, it has become our second most popular search type, after global network flows because miscreants often re-use certs over and between campaigns.

If you want insights into millions of certificates every day, with information on when and where those certificates appear, within the context of your investigations and threat prevention, email sales@cymru.com.