home.social

#digicert — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #digicert, aggregated by home.social.

  1. Just about the entire internet uses certificate authorities to establish trust. Here, a simple old-school social engineering trick broke this trust and allowed hackers to get signed certificates from DigiCert for their malware.

    There is a better way to establish certificate trust that doesn't rely on a 3rd party, and it's free too. It's called DANE, which binds the trust directly to the Domain Name System by using DNSSEC. DANE is ideal for code signing certificates (and other uses), but is overlooked.

    This attack is virtually impossible under DANE. A vulnerable support person is of no use. Hackers would need to directly compromise the target's DNS infrastructure, the registrar, and the top-level domain authority. All three. Nearly impossible compared to just finding some dupe at the CA in a public chat room.

    hackread.com/hackers-digicert-

    #DANE #CertificateAuthorities #DigiCert

  6. #DigiCert and security. 🙁

    Criminals are creative, as you can see:

    "On 2 April 2026, DigiCert’s support team became the target of a carefully planned attack, which allowed hackers to steal EV Code Signing certificates by simply pretending to be a customer in a help chat."

    And how did it go on:

    "While the company thought the situation was under control by 3 April, a second machine, ENDPOINT2, was also compromised on 4 April. This machine had a malfunctioning CrowdStrike sensor, which created a gap in their Endpoint Detection and Response (EDR), due to which no telemetry data reached the security team to warn them of the breach."

    And what does that mean now:

    "DigiCert revokes 60 code signing certificates after hackers used a malicious support chat attachment to sign the Zhong Stealer malware."

    So it's not quite as secure as one would like. Wishing the admins good luck with the updates. 🙂

    hackread.com/hackers-digicert-

  7. 📢⚠️ Hackers tricked #DigiCert support staff into executing a malicious file, allowing attackers to obtain code-signing certificates later used to sign malware. DigiCert revoked 60 certificates after the breach was reported.

    Read: hackread.com/hackers-digicert-

    #CyberSecurity #Malware #InfoSec #CyberAttack #DataBreach

  12. #LetsEncrypt has suspended issuing certificates after it identified security issues in one of its roots (!)[^1]

    We temporarily disabled certificate issuance, deployed a configuration change to prevent future issuance from the cross-signed Gen Y hierarchy, and then re-enabled issuance. Certificate revocation and CRL generation remains functional for Gen Y certificates.

    A few days ago #DigiCert was hacked with a Windows (!) screensaver (!)[^2]

    I cannot but remind that both organisations are part of the #WebTrust cartel who had last year unrolled a massive “grassroots” smear campaign against EU #QWAC certificates, presenting them as “security and privacy threat”, whereas from both legal and technical point of view QWAC is much more secure:

    https://krvtz.net/en/posts/the-real-story-behind-eu-qwac.html

    [^1]: https://community.letsencrypt.org/t/2026-05-08-gen-y-cross-certified-subordinate-cas-missing-serverauth-eku/247105

    [^2]: https://cybersecuritynews.com/digicert-hacked-screensaver/

  17. It is precisely in the certification of such software that the certificate authority #DigiCert has now let itself be duped. And in the most expensive and therefore supposedly most secure category, «Extended Validation» (EV). At least 27 code-signing certificates were issued in the names of reputable companies, but for cybercriminals. Digicert only looked into it after 7 abusive certificates had been reported by third parties over the course of 8 days.
    mastodon.social/@hrbrmstr/1165

  22. Criminals infected customer service staff at #DigiCert and stole over 20 code-signing certificates in order to sign malware and bypass Windows SmartScreen. DigiCert promptly revoked all affected certificates and investigated the causes, such as inadequate protection on employee machines. heise.de/news/Nach-Malware-Ang

  27. 📢 DigiCert: fraudulent issuance of EV Code Signing certificates via compromise of support endpoints
    📝 🔍 Context

    Incident report published on Mozilla Bugzilla (bug #2033170) by DigiCert, dated 2026-04-02 to 2026-04-17.
    📖 cyberveille: cyberveille.ch/posts/2026-05-0
    🌐 source: bugzilla.mozilla.org/show_bug.
    #DigiCert #IOC #Cyberveille