The cybersecurity world felt the ramifications of an incident involving the compromise of DigiCert systems. Attackers used an unusual method to bypass security controls: they delivered a weaponized Windows screensaver file. The incident has prompted practitioners to discuss how attackers increasingly rely on overlooked attack vectors such as this one to break into organizations known for strong security.
For years, most cybersecurity defenses have focused on email phishing, ransomware, zero-day vulnerabilities, and credential theft. The DigiCert situation shows that attacker tradecraft keeps evolving, and that attackers will camouflage harmful payloads inside files that look harmless in isolation and that the operating system treats as legitimate components.
Malicious screensavers add a further layer of alarm because neither everyday users nor most security teams think of screensavers as high-threat items. Weaponizing a file format that is routinely trusted and rarely inspected lets attackers sidestep traditional security assumptions and run malicious code inside enterprise networks.
While the investigation into this attack is ongoing, the early lessons already illustrate the evolution of threat actors’ tactics, the weaknesses of endpoint security, the range of social engineering techniques in use, and candidate approaches for defending against such threats in the future.
DigiCert’s Importance and the Incident
DigiCert is one of the world’s largest certificate authorities and digital trust companies. It issues TLS/SSL certificates, secures websites, enables encrypted communications, and supports identity verification for businesses worldwide, which makes it a core part of the Internet’s security infrastructure.
When a compromise occurs with DigiCert, that incident naturally draws significant interest from security researchers and enterprise companies because of the company’s importance as part of the overall cybersecurity ecosystem.
The reports surrounding this incident describe how attackers accessed DigiCert: they used a malicious screensaver file presented as a legitimate program. The file carried malware that established persistence, communicated with command-and-control infrastructure, stole credentials, and deployed further payloads.
Many users do not realize that Windows screensaver files carry the .scr extension and are ordinary executable programs in the Portable Executable (PE) format. Windows runs a .scr through the same loader as an .exe, and double-clicking one starts it as a process. Because most users regard screensavers as harmless visual cosmetics, .scr files are a highly effective weapon for an attacker.
Cybersecurity experts believe that the attackers created the .scr file to convincingly appear to be a real product, and they likely used social engineering methods to persuade users to run the file.
This incident emphasizes an important reality for all of cybersecurity: trusted file extensions such as .scr are powerful weapons wherever organizations fail to inspect what a file actually contains.
Why Screensaver Files Are a Threat
Screensavers appear harmless in two ways. Users assume a screensaver contains no code that can run, and security tooling often treats it as a cosmetic asset rather than a program. That lack of scrutiny makes a user more likely to open the file without suspicion. At the same time, Windows treats a screensaver as executable code, so it runs arbitrary code with the same privileges as the user who launched it.
Attackers have long exploited this: a .scr file that executes malicious code can install persistence mechanisms and establish remote access to the infected computer.
Additionally, many organizations have not included .scr files in their security filtering policies, which leaves a significant gap in their defenses. Most traditional email gateways and endpoint detection systems focus far more on macro-enabled documents, JavaScript payloads, Microsoft Office files, and compressed archives than on screensaver files. Microsoft Outlook does block .scr attachments by default, but the same file inside an archive or disk image, or fetched from a download link, is not covered by that control.
As a result, cybercriminals view screensaver files as a low-risk delivery mechanism for bypassing standard detection systems. The DigiCert attack is a clear example of how attackers keep seeking new delivery methods that exploit gaps in enterprise security.
How a Screensaver Attack Is Executed
At this time, no threat actor has been publicly attributed to the attack, and no technical details of how it was executed have been released. It is believed, however, that the attack was delivered by sending an email containing a malicious .scr file to the targeted recipient.
First Delivery:
- The attack was probably started by means of phishing or social engineering.
- Victims may have received emails with the malicious screensaver attached and disguised as a software update, a presentation, a compliance document, or an internal utility.
- Alternatively, the attacker could have delivered the screensaver through compromised websites, messaging platforms, or cloud file-sharing services.
- The primary objective of the attack during the initial delivery was to convince the victim to run the .scr (screensaver) file.
Payload Execution:
- Once opened, the screensaver executed malicious code in the background while possibly showing normal screensaver-like behavior to avoid detection.
- The malware may have gained persistence by modifying the registry, creating scheduled tasks, adding entries to the startup folder, or installing itself as a service.
- The dual-purpose approach is commonly used by advanced malware campaigns to prevent immediate detection by the victim.
Command-and-Control Communication:
- Upon execution, the malware likely opened an encrypted connection to remote command-and-control (C2) servers operated by the attacker; over that channel the attacker could issue commands, deploy additional malware, and exfiltrate data from the victim’s system.
- Modern malware typically uses encrypted and/or HTTPS communications, cloud services, and/or domain generation algorithms to help avoid detection.
Credential Theft & Lateral Movement:
- Following the establishment of initial access, attackers typically attempt to obtain the credentials of users.
- Attackers may obtain credentials by targeting browser-stored passwords, session cookies, VPN credentials, and/or authentication tokens.
With valid credentials, attackers can reach sensitive systems and move through the network under legitimate user privileges, which makes the activity hard to distinguish from normal use. Researchers believe that the group behind this campaign has advanced technical capabilities and also relies on proven social engineering tactics, a combination commonly associated with APT (advanced persistent threat) groups or highly organized criminal enterprises.
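The execution and persistence steps above leave traces that endpoint telemetry can catch. The following is an added example, not code from the article, from DigiCert, or from any vendor: a small set of detection rules run over constructed Sysmon-style events (EventID 1 = process creation, EventID 13 = registry value set, using Sysmon’s field names). The paths, user name, SID, and parent-process list are invented for illustration; explorer.exe is deliberately left out of the delivery-application list because Windows itself previews screensavers from %SystemRoot%\System32 through Explorer.

```python
"""Detection rules for a weaponised screensaver, run over constructed events.

Added example; not code from the article, DigiCert, or any vendor.  The
records are constructed Sysmon-style events; paths, user and SID are invented.
"""
import json
import ntpath

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
DOCUMENT_LIKE = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")
# Processes that hand users files from outside the network (assumption of this example).
DELIVERY_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                    "teams.exe", "winword.exe", "7zfm.exe"}
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
SEVERITY = {"scr_exec_user_writable": "high", "scr_double_extension": "high",
            "scr_spawned_by_delivery_app": "medium", "scr_run_key_persistence": "high"}


def is_scr(path):
    return path.lower().endswith(".scr")


def evaluate(event):
    """Return the rule names an event triggers (empty list = benign under these rules)."""
    hits = []
    if event.get("EventID") == 1:
        image = event.get("Image", "")
        if not is_scr(image):
            return hits
        lower = image.lower()
        if any(seg in lower for seg in USER_WRITABLE):
            hits.append("scr_exec_user_writable")
        stem = ntpath.basename(lower)[:-4]          # file name without ".scr"
        if ntpath.splitext(stem)[1] in DOCUMENT_LIKE:  # e.g. "report.pdf.scr"
            hits.append("scr_double_extension")
        parent = ntpath.basename(event.get("ParentImage", "")).lower()
        if parent in DELIVERY_PARENTS:
            hits.append("scr_spawned_by_delivery_app")
    elif event.get("EventID") == 13:
        target = event.get("TargetObject", "").lower()
        details = event.get("Details", "").lower()
        if any(k in target for k in RUN_KEYS) and ".scr" in details:
            hits.append("scr_run_key_persistence")
    return hits


# Constructed events: a masquerading .scr from an Outlook attachment, a legitimate
# built-in screensaver preview, a Run-key entry pointing at a .scr, and a benign installer.
EVENTS = [
    json.dumps({"EventID": 1, "Image": "C:\\Users\\jdoe\\Downloads\\Q3_Compliance_Report.pdf.scr",
                "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
                "User": "CORP\\jdoe"}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\Bubbles.scr",
                "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe"}),
    json.dumps({"EventID": 13,
                "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\"
                                "Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdateHelper",
                "Details": "C:\\Users\\jdoe\\AppData\\Roaming\\svc\\update.scr",
                "Image": "C:\\Users\\jdoe\\Downloads\\Q3_Compliance_Report.pdf.scr"}),
    json.dumps({"EventID": 13,
                "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
                "Details": "C:\\Program Files\\Vendor\\agent.exe",
                "Image": "C:\\Windows\\System32\\msiexec.exe"}),
]


def run_detection(lines=EVENTS):
    """Parse JSON lines; return (index, highest severity, hits) for events that trigger a rule."""
    order = {"medium": 1, "high": 2}
    alerts = []
    for i, line in enumerate(lines):
        hits = evaluate(json.loads(line))
        if hits:
            top = max(hits, key=lambda h: order[SEVERITY[h]])
            alerts.append((i, SEVERITY[top], hits))
    return alerts


if __name__ == "__main__":
    for index, severity, hits in run_detection():
        print(f"event {index}: {severity} -> {', '.join(hits)}")
```

The built-in screensaver in the second event triggers nothing because it runs from System32 and its parent is Explorer; the rules key on where the .scr lives, what its name pretends to be, and who launched it, rather than on the extension alone.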
Role of Social Engineering
Social engineering plays a significant role in the success of cyber attacks. Attackers still exploit technical vulnerabilities, but they increasingly design campaigns around human behavior and decision-making. Any employee can be vulnerable when presented with a plausible narrative, or when urgency, trust, curiosity, or authority is used against them.
Using a screensaver to deliver malware is not new in itself; what the attackers exploited is that users are far less suspicious of some file formats than of others.
Cybersecurity experts note that exploiting software vulnerabilities is becoming a less dominant entry method, and that attackers increasingly exploit assumptions and psychological blind spots, using social engineering to bypass even sophisticated security systems by having the user unknowingly approve the malicious activity.
This trend is especially troubling because, once a user is persuaded to launch a file, the execution looks like an authorized action, and the social engineering has effectively bypassed the endpoint protection.
Weaknesses of Signature-Based Detection
Most antivirus software matches known patterns of malware, but advanced attackers avoid detection by recompiling, packing, or encrypting their payloads so that hashes and byte patterns change, or by shifting to file types that signature sets rarely cover.
Trusted Files Are Assumed to Be Low Risk
Security systems assign a low risk score to file types they regard as legitimate or benign, such as photos or text documents, often on the basis of the extension alone. Attackers exploit that trust by giving an executable a benign-looking name or a double extension; a check that reads the file’s actual content rather than its name closes this gap.
The Attack Surface Is Growing
Enterprise environments today span remote workers, cloud services, a myriad of managed and unmanaged devices, and many third-party applications. That complexity creates more gaps in security controls for attackers to exploit.
Malware Encrypts Its Command-and-Control Traffic
More and more malware uses encrypted channels to communicate with command-and-control servers, which makes network traffic far harder to inspect from a security perspective.
User Privilege Issues
Many organizations grant employees excessive permissions, so a malicious executable that is launched inherits those permissions and can act largely without restriction. The DigiCert incident shows that endpoint security has to evolve along with the way attacks are carried out.
Lessons for the Enterprise
The DigiCert incident provides a number of lessons for all industries, including:
Monitor File Types More Broadly
Security teams should monitor the less obvious executable and container file types, such as .scr, .lnk, and .iso, and any other format that can serve as a delivery mechanism, inspecting the content of each file rather than trusting its extension.
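The following is an added example, not the article’s or DigiCert’s code, of the kind of content check this lesson calls for: it classifies attachments by what their bytes actually are (a PE header for executables, the shell-link header for .lnk, the ISO volume descriptor, the ZIP signature shared by OOXML documents) and flags names whose extension hides or masquerades that content. Every sample file is constructed inline (a hand-built PE32+ header, not a real binary), and the file names are invented for illustration.

```python
"""Classify attachments by content rather than by the name they carry.

Added example; not from the article or DigiCert.  Sample files are constructed
inline so the script runs offline.
"""
import struct

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl", ".dll", ".msi"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                       ".txt", ".jpg", ".png"}
SUBSYSTEMS = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}

# Shell link header: HeaderSize 0x4C followed by CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
# ISO 9660 primary volume descriptor identifier sits at byte 0x8001.
ISO_MAGIC_OFFSET, ISO_MAGIC = 0x8001, b"CD001"


def parse_pe(data):
    """Return {'machine', 'subsystem'} if data is a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need PE signature (4) + COFF header (20) + optional header up to Subsystem (+68).
    if e_lfanew + 24 + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    subsystem = struct.unpack_from("<H", data, e_lfanew + 24 + 68)[0]
    return {"machine": machine, "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem))}


def content_type(data):
    """Identify the file from its bytes, ignoring the name entirely."""
    if parse_pe(data) is not None:
        return "pe"
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if len(data) > ISO_MAGIC_OFFSET + 5 and data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == ISO_MAGIC:
        return "iso"
    if data.startswith(b"PK\x03\x04"):
        return "zip"  # also OOXML documents such as .docx
    return "unknown"


def classify(name, data):
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    kind = content_type(data)
    findings = []
    if kind == "pe":
        findings.append("pe_executable")
        if ext not in EXECUTABLE_EXTENSIONS:
            findings.append("extension_hides_executable")   # e.g. a PE named invoice.pdf
    if kind in ("lnk", "iso"):
        findings.append(f"{kind}_container")
    if ext in EXECUTABLE_EXTENSIONS or ext in (".lnk", ".iso"):
        findings.append("watchlisted_extension")
    if inner in DOCUMENT_EXTENSIONS and (ext in EXECUTABLE_EXTENSIONS or ext == ".lnk"):
        findings.append("double_extension_masquerade")     # e.g. report.pdf.scr
    verdict = {"pe": "block", "lnk": "quarantine", "iso": "quarantine"}.get(kind, "allow")
    return {"name": name, "content": kind, "findings": findings, "verdict": verdict}


def build_fake_pe(subsystem=2):
    """Minimal PE32+ header (DOS stub + COFF + optional header); not a runnable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<H", opt, 68, subsystem)   # Subsystem field
    return dos + coff + bytes(opt)


# Constructed attachments (names invented for illustration).
SAMPLES = {
    "Q3_Compliance_Report.pdf.scr": build_fake_pe(2),
    "ocean_waves.scr": build_fake_pe(2),
    "invoice.pdf": build_fake_pe(3),
    "board_minutes.docx": b"PK\x03\x04" + b"\0" * 60,
    "Shared_Folder.lnk": LNK_MAGIC + b"\0" * 60,
    "driver_update.iso": b"\0" * ISO_MAGIC_OFFSET + ISO_MAGIC + b"\0" * 60,
}


def triage(samples=SAMPLES):
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for r in triage().values():
        print(f"{r['verdict']:<10} {r['content']:<8} {r['name']:<30} {', '.join(r['findings'])}")
```

Note that ocean_waves.scr is blocked alongside the masquerading file: under this policy any PE arriving as an attachment is treated as code, whether or not it is a real screensaver, and the findings simply explain why.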
Increase User Awareness
Employees must understand that many of the files that may appear harmless may actually contain executable code; therefore, as the way attackers work continues to evolve, so too must the way that employees are educated through awareness training.
Use Behavioral Detection
Behavioral endpoint detection and response (EDR) technologies can provide more formidable defenses against unidentified threats when compared with traditional virus-protection mechanisms (e.g., signature-based antivirus tools).
Restrict Execution with Application Allowlisting
By using application allowlisting and establishing stringent execution policies, organizations can minimize the likelihood that unauthorized executable files will be allowed to execute on their computers.
Readiness for Incident Response
All organizations should maintain demonstrated readiness plans (i.e., plans that have been tested) to facilitate a quick response to malware incidents, compromised credentials, or lateral movement of malware.
Prioritize Threat Hunting
By proactively hunting for threats, organizations can identify suspicious behaviors well before an intrusion escalates into a widespread compromise.
Broader Implications for Cybersecurity
The DigiCert compromise reflects a more extensive transformation impacting the entire landscape of cybersecurity. Today, attackers emphasize stealth, deception, and persistence over noisy or immediate disruption. These attackers demonstrate much greater levels of patience, strategic thought, and technical sophistication than ever before.
This incident also illustrates that focusing solely on preventing known threats is insufficient for establishing adequate defenses against cybercriminals. Organizations must plan to deal with dynamic adversaries who can exploit unsuspected methods of gaining unauthorized access and who can manipulate human assumptions.
There is little doubt that, as artificial intelligence, automation, and the development of advanced malware continue to evolve, future malicious attacks will become progressively more challenging to identify. Cybersecurity professionals caution that organizations need to adopt a cyber-defense model that prioritizes resiliency over total prevention. Attacks occur daily within modern enterprises. The critical metric in determining the effectiveness of an organization’s defenses will be its ability to detect, contain, and recover from a malicious incident.
