DigiCert Revokes 60 Code-Signing Certificates After Support Portal Breach

Zero Signal Staff

Published May 4, 2026 at 11:01 PM ET · 15 days ago

Mozilla Bugzilla — DigiCert: Misissued code signing certificates

DigiCert revoked 60 code-signing certificates after a threat actor compromised support endpoints through a ZIP file disguised as a customer screenshot, according to a DigiCert incident report filed in Mozilla Bugzilla. DigiCert said the attacker used a customer-support portal function to access initialization codes for approved but undelivered EV code-signing certificate orders, and outside reporting said abused certificates were used to sign Zhong Stealer malware.

The Details

DigiCert said the incident began on April 2, when a threat actor contacted its support team through customer chat and sent a ZIP archive presented as a customer screenshot, according to the Mozilla Bugzilla incident report. The archive contained a malicious .scr payload. Windows treats .scr (screensaver) files as ordinary executables, so opening the "screenshot" ran the payload on a support endpoint after several earlier delivery attempts had failed.

Four delivery attempts were blocked, but a fifth attempt compromised one DigiCert support endpoint on April 2, according to the DigiCert account in the Mozilla Bugzilla filing. DigiCert later found that a second support endpoint had also been compromised on April 4.
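The delivery described above, an archive labelled as a screenshot that actually carries a Windows executable, is the kind of thing an automated intake filter can catch before a human analyst opens it. The following is an added example written for this article, not DigiCert's code or anything from the Bugzilla report. It uses only the Python standard library; the sample archive, its filenames and the PE stub inside it are constructed here for illustration.

```python
"""Intake check for attachments sent to a support channel.

Added example, not DigiCert's code or part of the Bugzilla report. It flags
an archive presented as a customer screenshot whose members are executables
(.scr is a screensaver extension, but the file is an ordinary PE executable).
Standard library only; the sample archive below is constructed inline.
"""
import io
import zipfile
from dataclasses import dataclass

# Extensions Windows will run on open, whatever the sender calls the file.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".hta", ".lnk"}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a", b"BM")
RTLO = "\u202e"  # right-to-left override: makes "gpj.scr" display as "rcs.jpg"


@dataclass(frozen=True)
class Finding:
    member: str
    reason: str


def _suffixes(member: str) -> list[str]:
    """All dotted suffixes of the base name, lowercased: 'a.png.scr' -> ['.png', '.scr']."""
    base = member.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage_zip(data: bytes) -> list[Finding]:
    """Return every reason the archive should not be opened by a human analyst."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [Finding("<archive>", "not a valid ZIP container")]
    findings: list[Finding] = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename
        suffixes = _suffixes(name)
        last = suffixes[-1] if suffixes else ""
        if info.flag_bits & 0x1:
            # Encrypted member: content cannot be inspected, a common scanner-evasion trick.
            findings.append(Finding(name, "encrypted entry; contents cannot be scanned"))
            continue
        head = zf.open(info).read(64)
        if last in EXECUTABLE_EXTS:
            findings.append(Finding(name, f"executable extension {last}"))
        if head[:2] == b"MZ":
            # DOS/PE magic: Windows will run this as a program regardless of extension.
            findings.append(Finding(name, "PE executable header (MZ) regardless of extension"))
        if last in IMAGE_EXTS and not head.startswith(IMAGE_MAGIC):
            findings.append(Finding(name, f"named {last} but content is not an image"))
        if len(suffixes) >= 2 and suffixes[-2] in IMAGE_EXTS and last in EXECUTABLE_EXTS:
            findings.append(Finding(name, "image name with trailing executable extension"))
        if RTLO in name:
            findings.append(Finding(name, "right-to-left override character in filename"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one genuine PNG signature and one PE stub dressed as a screenshot."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32   # PNG signature plus padding; not a full image
    pe_stub = b"MZ" + b"\x90" * 62              # DOS header magic only; not a working program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("screenshot_2026-04-02.png", png)
        zf.writestr("screenshot_2026-04-02.png.scr", pe_stub)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f"{f.member}: {f.reason}")
```

The check looks at content as well as names: an MZ header is flagged even when the extension is harmless, and a member that cannot be read because it is encrypted is flagged rather than silently passed. Run against the constructed sample, the genuine PNG produces no findings and the .scr member produces three.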

The company said the attacker then used a limited customer-support portal function available to authenticated DigiCert support analysts. "The threat actor used a limited function within the customer-support portal which allows authenticated DigiCert support analysts to access customer accounts from the customer's perspective," the DigiCert incident report said.

Through that function, the attacker accessed initialization codes for approved but undelivered EV code-signing certificate orders, according to the Mozilla Bugzilla report. DigiCert said those initialization codes were sufficient to retrieve the certificates, giving the attacker access to certificates that could be abused outside the company’s own systems.

DigiCert revoked 60 code-signing certificates in total, including 27 that were explicitly tied to the attacker, according to the Mozilla Bugzilla incident report. DigiCert and Heise both linked the abused certificates to Zhong Stealer malware, while Heise reported that the certificates helped the malware bypass Windows SmartScreen.

DigiCert said all identified certificates were revoked within 24 hours of discovery, according to the Mozilla Bugzilla filing. The company also canceled pending orders to cut off further abuse of certificate orders affected by the accessed initialization codes.

The incident report also identified endpoint security gaps during the compromise. "The CrowdStrike prevention setting on ENDPOINT1 was below the intended organizational standard at the time of the initial compromise, allowing the malicious payload to execute before blocking engaged," DigiCert said in the report quoted by Help Net Security.

Context

DigiCert is a major certificate authority, and Help Net Security reported that code-signing certificates let software publishers sign binaries so that Windows and other platforms can verify who published a file and that it has not been altered since signing. That makes misuse of those certificates a security issue beyond the support portal compromise itself, because malware signed with a legitimate publisher's certificate carries that publisher's identity and appears more trustworthy to users and to operating-system defenses.

Heise reported that the abused DigiCert certificates helped Zhong Stealer malware bypass Windows SmartScreen. That report ties the practical impact of the incident to the way Windows evaluates trust when software is downloaded or run: SmartScreen weighs publisher reputation attached to a valid signing certificate, so a binary signed with a certificate issued to a legitimate company avoids the "unknown publisher" warning that unsigned or self-signed malware would trigger. Revocation addresses this going forward, but for binaries already signed and timestamped, Windows honors the revocation only if the certificate's revocation date is set to a point before the signature timestamp, which is why the effective revocation date chosen by the CA matters for cleanup.

The Mozilla Bugzilla incident report said the second compromised endpoint went undetected for days because DigiCert found its CrowdStrike sensor was absent, degraded, or non-reporting on that machine. Help Net Security separately quoted DigiCert’s finding that the first endpoint’s CrowdStrike prevention setting was below the company’s intended organizational standard when the malicious payload executed.

What's Next

DigiCert said it revoked the identified certificates within 24 hours of discovery and canceled pending orders connected to the affected process, according to the Mozilla Bugzilla incident report. Those actions were the specific containment steps described in the sourced record.

The sourced reporting does not list scheduled hearings, regulatory deadlines, or additional procedural steps. Based on the sourced record, the next concrete items are DigiCert's completed revocations, canceled pending orders, and the public incident reporting through Mozilla Bugzilla and outside security coverage.
