Microsoft Takedown of SignSpaceCloud and Secure Messaging Concerns

Microsoft has taken action against SignSpaceCloud, a Russian cybercrime service operating from the domain signspace[.]cloud. This service was selling code signing certificates which were then used by malware and ransomware gangs to sign their malicious payloads, thus increasing the likelihood of bypassing security controls. The takedown involved legal action and seizure of domains and server infrastructure. This action aims to disrupt the cybercrime ecosystem by removing a key service that facilitates malware distribution.

European governments are increasingly concerned about the security and sovereignty of communications conducted via popular encrypted messaging apps like Signal and WhatsApp. There is a growing concern that politicians are using these apps for sensitive communications, making them a target for state-backed hackers, particularly through sophisticated phishing attacks that exploit the device-linking feature. Germany, France, Belgium, and Poland are developing sovereign solutions based on the Matrix protocol to address these concerns. The previous Fast16 malware targeted LS-DYNA and AUTODYN, two software applications that simulate real-world events.

Attack Chain

1. Malware developers acquire code signing certificates from SignSpaceCloud.
2. Malware and ransomware payloads are signed with the acquired certificates.
3. Signed malware is distributed through various means (e.g., compromised websites, malicious attachments).
4. Victims unknowingly download and execute the signed malware.
5. The malware bypasses initial security checks due to the valid code signature.
6. Malware establishes persistence and begins malicious activities (e.g., data encryption, exfiltration).
7. Ransomware demands are issued to victims for decryption keys.
8. Exfiltrated data may be sold or used for further extortion.

Impact

The availability of code signing certificates from services like SignSpaceCloud significantly increases the success rate of malware and ransomware attacks. Signed malware is more likely to bypass security controls and infect systems, leading to data breaches, financial losses, and reputational damage. The disruption of SignSpaceCloud should reduce the effectiveness of malware campaigns relying on these certificates. The Fast16 malware targeting of Iran’s nuclear program aimed to waste time, resources, and lower the overall morale of the program.

Recommendation

• Block the domain signspace[.]cloud at the network perimeter to prevent access to the SignSpaceCloud service based on IOCs.
• Implement stricter controls on code signing certificate usage and validation to prevent the execution of malware signed with compromised certificates.
• Monitor process execution for binaries signed with untrusted or revoked certificates using endpoint detection and response (EDR) solutions.
• Deploy network monitoring to detect suspicious activity based on the detection rules to identify malware leveraging code signing certificates.