What We’re Seeing with x.509 Certificates and Why You Should Worry

Improving Security for the Work from Home Era


Here at Team Cymru we have a lot of data, and we work hard to extract the insight from these various types of data and serve up the key parts to our clients and partners in a useful form. Many security vendors power their offerings in a significant way with our Pure Signal. We provide a cyber reconnaissance solution for our enterprise customers, giving them on-demand access to a supermajority of all activity on the internet. This allows them to extend threat hunting beyond their perimeter. Finally, we provide data at no cost to our community partners worldwide, such as national CSIRT teams.


One of those data sets relates to x.509 certificates, and the first part of this post is a summary of the 5.2 million x.509 certs and what we saw on day #2 of the new working year. In fact, we review anywhere from 2M to 8M of these certificates every single day. The second part of this post will tell you why you should care about what we are seeing.

On January 5th, the 5+ million certs break down into about half a million distinct certs by unique hash, and you can see that many of them have been around for years and are not set to expire until they are in their teenage years. In fact, the number of unique certs varies with the volume processed, and ranges up to 1.3M in recent weeks.

Most common certificate expiry begin and end years:

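| Number of certs | Valid from | Valid to |
|---|---|---|
| 518007 | 2020 | 2021 |
| 440775 | 2017 | 2027 |
| 175627 | 2018 | 2019 |
| 148734 | 2019 | 2029 |
| 105957 | 2020 | 2022 |
| 96026 | 2014 | 2024 |
| 86243 | 2018 | 2028 |
| 62291 | 2019 | 2021 |
| 62233 | 2006 | 2031 |
| 57036 | 2020 | 2030 |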


Note the third line down on the chart above – at the time of observation on January 5, these were already expired certificates. (By the way, have you checked your infrastructure to see if your certs are expiring soon?)

Everyone’s perspective of what happens on the Internet is different, but we see the top 2 cert origins as USA and China.

Most common certificate countries:

| Number of certs | Country code |
|---|---|
| 777560 | US |
| 621140 | CN |
| 154789 | BE |
| 19964 | GB |
| 11700 | AU |
| 8304 | TW |
| 8143 | PL |
| 7867 | DE |
| 8143 | IE |
| 4705 | XX |

Most common certificate issuer organizations:

| Number of certs | Organization |
|---|---|
| 1215950 | DigiCert Inc |
| 264686 | GlobalSign nv-sa |
| 131601 | TrustAsia Technologies |
| 60242 | Let’s Encrypt |
| 54271 | Digital Signature Trust Co. |
| 44782 | GlobalSign |
| 31346 | HW |
| 28893 | VeriSign |
| 23396 | The USERTRUST Network |
| 21624 | Huawei |

The majority are using SHA256, but there are a few using old and insecure hashing algorithms.


Most common certificate signatures/hash values:

| Number of certs | Algorithm |
|---|---|
| 2068349 | sha256WithRSAEncryption |
| 240018 | sha1WithRSAEncryption |
| 36791 | sha384WithRSAEncryption |
| 17755 | md5WithRSAEncryption |
| 4440 | ecdsa-with-SHA1 |
| 2998 | sha512WithRSAEncryption |
| 2089 | ecdsa-with-SHA256 |
| 902 | ecdsa-with-SHA384 |
| 185 | dsaWithSHA1 |
| 64 | sha1WithRSA |

Most common certificate email domains:

| Number of certs | Domain |
|---|---|
| 9627 | |
| 9221 | bt.cn |
| 6826 | |
| 4644 | |
| 3304 | |
| 2867 | |
| 1918 | |


SO WHAT IS THE TAKE AWAY HERE? WHY DO WE CARE ABOUT THIS?


Forged, free and stolen certificates are used constantly to masquerade as machines. The most common uses are to get malware to run on machines and to further SSL man-in-the-middle attacks.

Useful certs are available for miscreants to purchase in the Underground Economy for about a thousand dollars. Most common browsers are designed to check for revoked certificates, provided the browser is updated to a modern version and is set to proactively gather the updated list of ‘bad certs’.

If your staff are still working from home, you likely have far less visibility into the tools they are using. In fact, if they were breached using a forged or stolen x.509 certificate, would you even know?

The point is, now that corporations have all lost so much visibility into their networks, bad x.509 certificates are even more of a threat against TLS/SSL, which is the basis of HTTPS…but this is one that is easy to prevent:

  • Update and patch your browsers.

  • Teach your staff to pay attention if a browser flags a bad certificate; ignorance is not bliss!

  • Have a plan to respond if one of your certs is abused.

  • Do your own infrastructure check to see if your certs are expiring soon.
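
One way to run the infrastructure check from the last bullet, as an added example that is not part of the original post: it triages saved `openssl x509 -noout -text` dumps for expired or soon-to-expire certificates and for the SHA-1 and MD5 signature algorithms listed in the table above. The hostnames, the 30-day warning window and the sample dumps are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Hash names treated as weak; they match the SHA-1 and MD5 rows of the table above.
WEAK_HASHES = ("md5", "sha1")

def audit_cert_text(text, now, warn_days=30):
    """Return findings for one `openssl x509 -noout -text` dump."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    end = re.search(r"Not After\s*:\s*(.+?)\s+GMT", text)
    if not sig or not end:
        return ["unparseable"]
    findings = []
    if any(h in sig.group(1).lower() for h in WEAK_HASHES):
        findings.append("weak-signature:" + sig.group(1))
    not_after = datetime.strptime(end.group(1), "%b %d %H:%M:%S %Y")
    not_after = not_after.replace(tzinfo=timezone.utc)
    if not_after <= now:
        findings.append("expired")
    elif not_after - now <= timedelta(days=warn_days):
        findings.append("expires-soon")
    return findings

def audit_inventory(dumps, now, warn_days=30):
    """Map each label to its findings, keeping only certs that need action."""
    report = {name: audit_cert_text(text, now, warn_days)
              for name, text in dumps.items()}
    return {name: f for name, f in report.items() if f}

def sample_dump(alg, not_after):
    """Build a constructed dump trimmed to the fields the audit reads."""
    return (f"        Signature Algorithm: {alg}\n"
            f"        Validity\n"
            f"            Not Before: Jan  1 00:00:00 2018 GMT\n"
            f"            Not After : {not_after} GMT\n")

# Constructed inventory; hostnames are placeholders, not real systems.
SAMPLE = {
    "vpn.example.test": sample_dump("sha256WithRSAEncryption", "Dec 31 23:59:59 2019"),
    "intranet.example.test": sample_dump("sha1WithRSAEncryption", "Jun 30 12:00:00 2027"),
    "mail.example.test": sample_dump("sha256WithRSAEncryption", "Jan 20 00:00:00 2021"),
    "www.example.test": sample_dump("sha256WithRSAEncryption", "Mar  1 00:00:00 2022"),
}
NOW = datetime(2021, 1, 5, tzinfo=timezone.utc)  # the post's observation date

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE, NOW).items():
        print(host, findings)
```
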

Our commercial tool Pure Signal™ RECON (known by our legacy clients and partners as “Augury”) has, as one of its 50+ data types, x.509 certificates as a search option. In fact, it has become our second most popular search type, after global network flows, because miscreants often re-use certs over and between campaigns.


If you want insights into millions of certificates every day, with information on when and where those certificates appear, within the context of your investigations and threat prevention, email sales@cymru.com.
