DigiCert Revokes Certificates After Support Portal Hack

DigiCert, a prominent certificate authority, has taken decisive action following a cyberattack that compromised its internal support portal. The incident, which occurred on April 2, involved hackers delivering malware through a customer chat channel, leading to unauthorized access and the subsequent revocation of multiple certificates.

What Happened

The attack began when a threat actor used a malicious payload disguised as a screenshot to infect an analyst's system via a customer chat interface. This infection led to the compromise of two endpoints, with the first identified on April 3 and the second on April 14. The delay in detecting the second infection was attributed to malfunctioning security solutions on the affected endpoint.

Once inside, the attackers leveraged their access to the internal support portal, exploiting a feature that allowed authenticated support analysts to proxy into customer accounts. This access enabled the hackers to obtain initialization codes for pending EV Code Signing certificate orders. By acquiring both the initialization codes and approved orders, the threat actor successfully obtained several certificates linked to various customer accounts.

By April 17, DigiCert had identified and revoked a total of 60 certificates associated with this breach, including 27 that were directly linked to the attackers. Notably, 11 of these certificates were reported to have been used to sign the Zhong Stealer malware family.

Why It Matters

This incident underscores the vulnerabilities that can exist within support operations, particularly when access controls are not adequately enforced. The ability for support analysts to proxy into customer accounts, while useful for service delivery, can also create significant risks if not managed properly. The successful acquisition of EV Code Signing certificates poses a serious threat, as these can be used to sign malicious software, thereby lending it an air of legitimacy.

Affected Users or Organizations

The breach affected multiple customers of DigiCert, particularly those whose accounts were linked to the compromised certificates. The potential misuse of these certificates could have far-reaching implications, impacting not only the affected organizations but also their clients and partners who rely on the integrity of signed software.

Recommended Actions

  • Enhance Access Controls: Organizations should review and strengthen access controls for support operations, ensuring that sensitive functions are restricted and monitored.
  • Implement Multi-Factor Authentication: Enforcing multi-factor authentication for administrative workflows can significantly reduce the risk of unauthorized access.
  • Limit File Types in Support Channels: Restricting the types of files that can be sent through support chat and case attachments can help mitigate the risk of malware delivery.
  • Improve Logging and Monitoring: Enhanced logging of support activities can aid in the timely detection of suspicious behavior and potential breaches.
  • Conduct Regular Security Audits: Regular audits of security protocols and incident response plans can help organizations stay prepared for potential threats.
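The "Limit File Types in Support Channels" recommendation is only effective if the check looks at the file's content rather than its name, since the initial payload in this incident was disguised as a screenshot. The following is an added example of such a check, written for this article and not code from DigiCert or any vendor; the allowlist, size limit, and signature tables are assumptions chosen for illustration, and the sample attachments at the bottom are constructed. It rejects attachments whose extension is not on an allowlist, whose content carries an executable or archive signature, or whose content does not match the magic bytes of the extension it claims.

```python
"""Added example (not DigiCert's code): content-aware attachment validation
for a support chat or case-attachment channel.

Assumptions (illustrative): the channel only needs images, PDFs and plain
text; anything else is refused. Extension is treated as a claim that the
content must back up with its leading bytes (magic numbers)."""
import os

# Allowlisted extensions mapped to the magic-byte prefixes their content
# must start with. An empty list means "no magic; validate as text".
ALLOWED_SIGNATURES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
    ".txt": [],
}

# Container/executable signatures that are refused regardless of extension.
BLOCKED_SIGNATURES = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP container (may carry executables or macros)",
    b"#!": "script with shebang",
}

MAX_SIZE = 10 * 1024 * 1024  # assumed 10 MiB cap for support attachments


def validate_attachment(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one attachment.

    Order of checks: extension allowlist (a double extension such as
    'shot.png.exe' fails here because only the final suffix counts),
    size limit, blocked content signatures, then extension/content match.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension {ext or '(none)'} not in allowlist"
    if len(data) > MAX_SIZE:
        return False, "attachment exceeds size limit"
    for sig, description in BLOCKED_SIGNATURES.items():
        if data.startswith(sig):
            return False, f"content is a {description}, not a {ext} file"
    expected = ALLOWED_SIGNATURES[ext]
    if expected:
        if not any(data.startswith(sig) for sig in expected):
            return False, f"content does not match {ext} signature"
    else:
        # Plain text: must be NUL-free and valid UTF-8.
        if b"\x00" in data:
            return False, "text attachment contains binary data"
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "text attachment is not valid UTF-8"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed samples: a genuine PNG header, a PE header renamed as a
    # screenshot, a double-extension file, and two text attachments.
    samples = [
        ("screenshot.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("screenshot.png", b"MZ\x90\x00" + b"\x00" * 60),
        ("screenshot.png.exe", b"MZ\x90\x00" + b"\x00" * 60),
        ("notes.txt", b"steps to reproduce the issue"),
        ("notes.txt", b"ab\x00cd"),
    ]
    for name, content in samples:
        ok, why = validate_attachment(name, content)
        print(f"{name:22} {'ACCEPT' if ok else 'REJECT':6} {why}")
```

The check is deliberately placed at the channel boundary, before an analyst can open the file: a PE image renamed to `.png` is refused with the reason "content is a Windows PE executable", which is also a useful signal to log and alert on, since a legitimate customer rarely sends one.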

As organizations continue to navigate the complexities of cybersecurity, incidents like the DigiCert breach serve as critical reminders of the importance of robust security measures and vigilant monitoring.