Announcing the Equimelt Vulnerability
An old and weak Equifax encryption Certificate Authority appears to be compromising many U.S. businesses, allowing for the potential of nation state actors to silently monitor their targets.
As a computer forensics and cyber security expert, I have been pondering the conditions that would be necessary for an Advanced Persistent Threat (APT) to run silently and undetected. Computer and cyber vulnerabilities today often start with the various insecure microchips that have been deployed in all types of devices, ranging from IP-enabled toaster ovens, trains, automobiles and smart phones to, of course, computers. Many integrated processor chips have onboard radios that can transmit and receive across various radio bands, including cellular, infrared, acoustic, Bluetooth, Wi-Fi, 3G, 4G, CDMA and others. For a computing-enabled device to be compromised, in many instances all that has been required is for the device to be within radio reach of another device exploiting numerous known vulnerabilities, many of which were long ago dumped onto the dark web for our enemies to use in devising super malware capable of compromising a target with no need for the target to click or perform any action other than be within connectivity reach of the attacker. Recently disclosed vulnerabilities impacting Intel chipsets, such as Spectre and Meltdown, further contribute to widespread computer security problems.
Once a target victim is compromised by an APT, the malware needs the user to be able to continue running and installing software and using their computing devices for communications, while it silently monitors and exfiltrates the target victim's information. A key requirement of an effective APT is to render anti-virus and other malware detection programs ineffective. Based on this knowledge, I pondered how an APT would need to render antivirus and malware detection programs ineffective. One such requirement would be to add any files used by the malware to the antivirus whitelist of safe and trusted files. For this to happen, the APT would likely need to compromise the router to perform packet injection and alteration of end-user downloaded patch updates. In January of 2018, the NSA’s Information Assurance Division website, https://www.iad.gov, disclosed that exactly this type of activity was observed across U.S. Government networks. [Update – the NSA appears to have removed this document from the IAD.gov website following my post today, but I had a copy of the PDF which had been posted.]
(Note: You will get a security warning when you click this link if you haven’t installed the government’s DOD root certificate)
The government also warns that routers such as Cisco’s Adaptive Security Appliance and Firepower appliances continue to be impacted by critical security flaws that have yet to be resolved, according to this alert issued last month: https://www.iad.gov/iad/library/ia-advisories-alerts/iaa-u-oo-11303-18.cfm
Why Encryption Signing Certificates are Key
Encryption signing certificates serve an important role in this process by vouching for a software update package as authentic. I would expect that an APT would need a rogue untrusted software signing certificate to exist on the target victim’s computer to satisfy the software signing protections built into the Windows 10 operating system, so that it could sign the altered antivirus program definitions and escape detection by the antivirus program.
Computer Forensics Analysis of Root Certificate Trust
Following the thought process outlined above, I decided to export the certificates contained within the trusted root certificate authority store on disparate organizations’ Windows 10 computers. I performed further computer forensic analysis on this exported data, including computing the SHA1 hash value of each certificate. I then compared the sampled certificate hash values against Microsoft’s latest published list of trusted root Certificate Authorities, published on January 30, 2018: https://gallery.technet.microsoft.com/Trusted-Root-Certificate-70150b50/file/188008/1/Trusted%20Root%20Program%20Participants%20As%20of%20January%2030%202018.xlsx
In performing this analysis, I discovered four very old and weak certificates in the root trust of many Windows 10 computers sampled from disparate organizations. The certificates I found to be widely distributed and suspect are the following:
| Issued By | Issued | Expires | Signature Algorithm | SHA1 Hash for Certificate |
|---|---|---|---|---|
| CN = GeoTrust Primary Certification Authority, O = GeoTrust Inc., C = US | 26-Nov-06 | 16-Jul-36 | sha1RSA | 323c118e1bf7b8b65254e2e2100dd6029037f096 |
| E = premium-server@thawte.com, CN = Thawte Premium Server CA, OU = Certification Services Division, O = Thawte Consulting cc, L = Cape Town, S = Western Cape, C = ZA | 31-Jul-96 | 31-Dec-20 | md5RSA | 627f8d7827656399d27d7f9044c9feb3f33efa9a |
| OU = Class 3 Public Primary Certification Authority, O = VeriSign, Inc., C = US | 28-Jan-96 | 01-Aug-28 | md2RSA | 742c3192e607e424eb4549542be1bbc53e6174e2 |
| OU = Equifax Secure Certificate Authority, O = Equifax, C = US | 22-Aug-98 | 22-Aug-18 | sha1RSA | d23209ad23d314232174e40d7f9d62139786633a |
Key Problems with these Certificates
- SHA1, MD5 and MD2 signing algorithms are all deprecated and can easily be forged with today’s consumer-grade computing power
- Key entities listed (Thawte, Symantec/VeriSign and Equifax) have had historical data integrity compromises that have been widely reported
- There is absolutely no reason why these certificates, which are not on Microsoft’s approved list of root certificate trust signing authorities, need to be or should be on any corporate computers
- Usage of these certificates by any organization would allow antivirus and other security software to be rendered ineffective and a compromise to go undetected by end users
Following these discoveries, multiple attempts were made to remove the certificates from the root of trust on many of the subject computers. After disabling or deleting these certificates, within a short period of time, typically less than an hour, the Windows System Protection service would engage and restore the rogue certificates to the root of trust on the subject computers, effectively re-enabling the weak and non-whitelisted certificates to vouch for software authenticity on those computers. My computer forensics analysis of one subject computer’s system event logs revealed that Microsoft System Protection services were restoring these rogue certificates, which is consistent with how an APT would function.
I have reached out to Microsoft and other government cyber contacts and have been encouraged to publish and share my findings to help bring needed attention to this problem impacting U.S. cybersecurity.
Check to see if you are vulnerable to Equimelt
If you use the Chrome browser, you can easily check your computer for the existence of these apparently rogue certificates as follows:
- Click the triple-dot menu in the top right of the Chrome browser and select Settings.
- Scroll down to the bottom and select Advanced.
- Scroll down and select Manage certificates.
- Click on the Trusted Root Certification Authorities and look for each of the four certificates I identified previously.
- If you see the Equifax certificate listed (I figured out how to remove it!), you can click on it to see more details.
- Click the Details tab to view the SHA1 Digital Thumbprint Hash.
If you see the hash value d23209ad23d314232174e40d7f9d62139786633a, your computer may be compromised by an APT.
Repeat this process for each of the other three certificate hash values identified in my analysis:
- 323c118e1bf7b8b65254e2e2100dd6029037f096
- 627f8d7827656399d27d7f9044c9feb3f33efa9a
- 742c3192e607e424eb4549542be1bbc53e6174e2
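The export-and-hash step described earlier and the manual Chrome check above can be done in one pass from PowerShell. This is an added example, not a script from the original post: it enumerates the machine and user root stores, flags any certificate whose SHA1 thumbprint is one of the four listed, and also reports any root carrying an md2/md5/sha1 signature. The store paths, function name and output fields are my own choices.

```powershell
# Added example (not from the original post): audit the Windows root stores
# for the four thumbprints listed in the post and for weak signature algorithms.
$SuspectThumbprints = @(
    'd23209ad23d314232174e40d7f9d62139786633a',  # Equifax Secure Certificate Authority
    '323c118e1bf7b8b65254e2e2100dd6029037f096',  # GeoTrust Primary Certification Authority
    '627f8d7827656399d27d7f9044c9feb3f33efa9a',  # Thawte Premium Server CA
    '742c3192e607e424eb4549542be1bbc53e6174e2'   # VeriSign Class 3 Public Primary CA
)

function Get-SuspectRootCertificates {
    param(
        # Both stores are consulted during chain building; CurrentUser is easy to miss.
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            # .Thumbprint is the SHA1 hash of the DER-encoded certificate, i.e. the same
            # value shown on the Chrome/Windows Details tab and in the table above.
            $thumb  = $cert.Thumbprint.ToLower()
            $listed = $SuspectThumbprints -contains $thumb
            # Caveat: a root is self-signed, so its own signature algorithm is not verified
            # during chain validation; the thumbprint match is the primary indicator here.
            $weak   = $cert.SignatureAlgorithm.FriendlyName -match '^(md2|md5|sha1)'
            if ($listed -or $weak) {
                [pscustomobject]@{
                    Store              = $store
                    Subject            = $cert.Subject
                    Thumbprint         = $thumb
                    SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
                    NotAfter           = $cert.NotAfter
                    OnPostList         = $listed
                }
            }
        }
    }
}

# Run and show the findings; export the table (e.g. Export-Csv) if keeping a forensic record.
Get-SuspectRootCertificates | Sort-Object OnPostList -Descending | Format-Table -AutoSize
```

Re-running the function after any removal attempt gives a quick way to confirm whether a certificate has reappeared, as the post describes.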
A search for the hash value 627F8D7827656399D27D7F9044C9FEB3F33EFA9A led me to identify that this certificate was used to sign Crypto-Lock v2.02 software that has fingerprints suggesting North Korea may be an actor involved in exploiting this attack. See https://www.virustotal.com/en/file/3a084ce8dfa24a1cc635974da7538baa551ea1bb075451094d1620a45e6cf228/analysis/1312010851/ and search the page for 627F8D7827656399D27D7F9044C9FEB3F33EFA9A. That particular crypto malware targets the Intel processor platform. ExifTool file metadata indicates the Korean language code, suggesting North Korea is exploiting these weak certificates to conduct attacks on U.S. businesses.
While these certificates do not show up as malware on virustotal.com, they do appear to lack sufficiently strong cryptographic signature algorithms to prevent impersonation and therefore should not be used. If someone needs to install a very old legacy program, they can choose to override security protections in the exceptional instance, but enabling any weak certificates in the root trust store of a computer is not recommended as a standard practice. Because one of these certificates was used to sign crypto locker malware having fingerprints suggesting North Korean involvement, everyone should be concerned.
Each of the four certificates I have analyzed and believe to be rogue may be working in tandem to help compromise and exploit Windows OS computers. One of these four certificates had been trusted by Intel to sign Management Engine firmware, but was subsequently abandoned in 2010. Around that time, the U.S. government warned the public about weaknesses in deprecated signing algorithms having cryptographic strength less than SHA256. The discovery of the Equifax certificate and its apparent widespread distribution across U.S. businesses suggests the Equifax meltdown continues to unravel and will continue to grow into an even bigger mess.
I am awaiting a response from Microsoft regarding these certificates and why they are appearing across many organizations’ Windows 10 deployed endpoints. These certificates are not on Microsoft’s own whitelist, which leads me to believe the source of the certificates may be a nation state cyber attacker. I am officially designating this vulnerability as Equimelt! Comments from other cyber security professionals are welcome! Lneubecker 1972 at gmail dot com.
Read the follow-on article explaining things in more detail!
It appears that Google Chrome is following my recommendation to revoke trust in Equifax!
https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html
Read the update to this original post at http://glforensics.wpengine.com/equimelt-explained/
Also, Google will begin blocking Equifax certificates next week! https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html