BlackTech Threat Group Steals D-Link Certificates To Spread Backdoor Malware

Security researchers have discovered a new malicious campaign that utilizes stolen D-Link certificates to sign malware. From a report: A lesser-known cyber-espionage group known as BlackTech was caught earlier this month using a stolen D-Link certificate to sign malware deployed in a recent campaign. "The exact same certificate had been used to sign [official] D-Link software; therefore, the certificate was likely stolen," says Anton Cherepanov, a security researcher for Slovak antivirus company ESET, and the one who discovered the stolen cert. Cherepanov says BlackTech operators used the stolen cert to sign two malware payloads -- the first is the PLEAD backdoor, while the second is a nondescript password stealer. According to a 2017 Trend Micro report, the BlackTech group has used the PLEAD malware in the past. Just like in previous attacks, the group's targets for these most recent attacks were again located in East Asia, particularly in Taiwan. The password stealer isn't anything special, being capable of extracting passwords from only four apps -- Internet Explorer, Google Chrome, Mozilla Firefox, and Microsoft Outlook.

Re:Who doesn't use a HSM these days?

[EndlessNameless]

Most cybersecurity professionals are half-witted hacks, so changing a "secure" process is often a difficult fight.

If the company already has a "secure" process for generating, storing, and using its signing keys then I would expect that process to endure for quite some time.

I'd agree that HSMs should be part of the process, but key ceremonies often involve several layers of management and oversight. As a result, changes need universal buy-in throughout the organization. Upper management won't understand the security implications and will look to their flock of subordinates before approving the change, so the organization can be beholden to its most stubborn employee---if his opinion is respected higher up.