DigiCert reported that on April 2 a threat actor delivered a malicious payload disguised as a screenshot via its customer chat, infecting support endpoints and using proxied analyst access and initialization codes to obtain EV Code Signing certificates. By April 17 DigiCert revoked 60 certificates — 27 linked to the actor and 11 used to sign the Zhong Stealer family — canceled pending orders and implemented MFA, access restrictions, attachment filtering, and improved logging to close the gap. #DigiCert #ZhongStealer
Key points
- Attackers delivered malware via a customer chat message disguised as a screenshot.
- Two support endpoints were infected, discovered on April 3 and April 14.
- Threat actor used proxied support access and initialization codes to obtain EV Code Signing certificates.
- DigiCert revoked 60 certificates by April 17, with 27 tied to the actor and 11 used to sign Zhong Stealer.
- DigiCert enforced MFA, restricted initialization code access for proxied users, limited attachment types, and improved logging.
Read More: https://www.securityweek.com/digicert-revokes-certificates-after-support-portal-hack/