DigiCert Revokes Certificates Following Support Portal Breach


Key Takeaways

  • A cyberattack on DigiCert’s support team began on April 2 via a malicious payload delivered through a customer chat channel disguised as a screenshot.
  • The malware infected two endpoints; the second infection was not detected until April 14 due to malfunctioning security controls.
  • Threat actors pivoted from the infected system to DigiCert’s internal support portal, exploiting a limited‑access function that allows support analysts to proxy into customer accounts and retrieve initialization codes for pending EV Code Signing certificate orders.
  • Possession of an initialization code combined with an approved order enabled the attackers to fraudulently obtain EV Code Signing certificates for a finite set of customer accounts.
  • By April 17, DigiCert identified and revoked 60 certificates linked to the incident (27 explicitly tied to the threat actor), including 11 used to sign the Zhong Stealer malware family.
  • No evidence was found of misuse of other internal systems beyond the initialization‑code channel.
  • DigiCert revoked all potentially compromised certificates, canceled pending orders, and strengthened security controls, including mandatory MFA for admin workflows, restriction of file types in support chat, and improved logging.
  • The incident underscores the risks inherent in privileged support functions and the importance of layered defenses, timely detection, and strict access segregation.

Overview of the Attack
On April 2, a threat actor launched a targeted attack against DigiCert’s support team. The attacker delivered a malicious payload through a customer‑facing chat channel, presenting it as an innocuous screenshot. This social‑engineering tactic got the malware past the perimeter and onto internal endpoints. The attack stayed confined to the support environment, but its consequences reached DigiCert’s certificate issuance process.

Initial Infection Vector
The malicious file executed on two separate workstations within the support infrastructure. The first endpoint was identified and quarantined on April 3, prompting an immediate investigation. The second, however, remained undetected until April 14, a delay DigiCert attributed to a malfunctioning security solution that failed to raise alerts on that system. Those eleven days gave the attackers time to explore the environment and prepare their next move.

Malware Spread and Detection
After compromising the endpoints, the malware established persistence and began reconnaissance activities. It harvested credentials and gathered information about internal applications, notably the support portal used by analysts to assist customers. The delayed detection of the second infection hindered containment efforts, allowing the threat actor to maintain a low‑profile presence while preparing the next stage of the attack.

Exploitation of the Support Portal
Using the harvested credentials, the attackers pivoted from the infected workstations to DigiCert’s internal support portal. The portal includes a limited‑access feature that lets authenticated support analysts proxy into customer accounts for troubleshooting. That function is legitimate, but it also exposed sensitive operational data, including the initialization codes needed to finalize pending EV Code Signing orders.

Obtaining EV Code Signing Certificates
Support analysts can retrieve the initialization code for an EV Code Signing order once the customer has approved it. The threat actor used exactly this capability: with the proxied view of a customer account showing an approved order, and the corresponding initialization code retrieved through the portal, they could complete issuance of the EV Code Signing certificate. Because the proxied sessions reached only a finite set of accounts and orders, the fraudulently obtained certificates were limited to those specific customers and the issuing CAs associated with their orders.
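The abuse path above (a proxied support session followed by retrieval of an initialization code) leaves an audit trail that can be checked for patterns a legitimate analyst rarely produces. The Go program below is an added example, not DigiCert's code: its log schema (fields ts, analyst, action, account, order, ticket; actions proxy_login and init_code_view), its thresholds and the log lines themselves are all constructed for illustration. It flags initialization-code views with no ticket reference, views not preceded by a recent proxied session into that account, and an analyst pulling codes for several distinct accounts in a short window.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one support-portal audit record. The field names and action values
// are assumptions made for this example; DigiCert's real schema is not public.
type Event struct {
	TS      time.Time `json:"ts"`
	Analyst string    `json:"analyst"`
	Action  string    `json:"action"` // "proxy_login" or "init_code_view"
	Account string    `json:"account"`
	Order   string    `json:"order,omitempty"`
	Ticket  string    `json:"ticket,omitempty"`
}

// Alert is one detection hit.
type Alert struct{ Rule, Analyst, Detail string }

const (
	sessionWindow = time.Hour        // an init-code view must follow a proxy_login this recent
	burstWindow   = 10 * time.Minute // distinct accounts are counted over this span...
	burstAccounts = 3                // ...and this many of them fires "burst"
)

// sampleLog is constructed: a.smith behaves normally; b.jones pulls initialization
// codes for four accounts in three minutes, mostly without a ticket reference.
const sampleLog = `
{"ts":"2024-04-10T09:15:02Z","analyst":"a.smith","action":"proxy_login","account":"cust-1021","ticket":"T-5532"}
{"ts":"2024-04-10T09:16:40Z","analyst":"a.smith","action":"init_code_view","account":"cust-1021","order":"O-9001","ticket":"T-5532"}
{"ts":"2024-04-10T13:02:11Z","analyst":"b.jones","action":"proxy_login","account":"cust-2207","ticket":"T-5601"}
{"ts":"2024-04-10T13:02:19Z","analyst":"b.jones","action":"init_code_view","account":"cust-2207","order":"O-9107"}
{"ts":"2024-04-10T13:03:05Z","analyst":"b.jones","action":"proxy_login","account":"cust-2310"}
{"ts":"2024-04-10T13:03:12Z","analyst":"b.jones","action":"init_code_view","account":"cust-2310","order":"O-9110"}
{"ts":"2024-04-10T13:04:01Z","analyst":"b.jones","action":"init_code_view","account":"cust-2455","order":"O-9122"}
{"ts":"2024-04-10T13:04:44Z","analyst":"b.jones","action":"proxy_login","account":"cust-2470","ticket":"T-5602"}
{"ts":"2024-04-10T13:05:01Z","analyst":"b.jones","action":"init_code_view","account":"cust-2470","order":"O-9131","ticket":"T-5602"}
`

// parseLog reads newline-delimited JSON and returns the events in time order.
func parseLog(raw string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		var e Event
		if err := json.Unmarshal([]byte(strings.TrimSpace(line)), &e); err != nil {
			return nil, fmt.Errorf("bad audit line %q: %w", line, err)
		}
		events = append(events, e)
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].TS.Before(events[j].TS) })
	return events, nil
}

// detect applies three rules to init_code_view events: no-ticket, no-proxy-session
// (no proxy_login by that analyst into that account within sessionWindow), and burst
// (codes for burstAccounts distinct accounts within burstWindow, reported once per window).
func detect(events []Event) []Alert {
	var alerts []Alert
	lastProxy := map[string]time.Time{} // analyst|account -> most recent proxy_login
	views := map[string][]Event{}       // analyst -> init_code_view history
	lastBurst := map[string]time.Time{} // analyst -> last burst alert, to suppress repeats
	for _, e := range events {
		key := e.Analyst + "|" + e.Account
		if e.Action == "proxy_login" {
			lastProxy[key] = e.TS
			continue
		}
		if e.Action != "init_code_view" {
			continue
		}
		if e.Ticket == "" {
			alerts = append(alerts, Alert{"no-ticket", e.Analyst, "init code for " + e.Account + " viewed without a ticket"})
		}
		if t, ok := lastProxy[key]; !ok || e.TS.Sub(t) > sessionWindow {
			alerts = append(alerts, Alert{"no-proxy-session", e.Analyst, "init code for " + e.Account + " viewed with no recent proxy_login"})
		}
		views[e.Analyst] = append(views[e.Analyst], e)
		distinct := map[string]bool{}
		for _, v := range views[e.Analyst] {
			if e.TS.Sub(v.TS) <= burstWindow {
				distinct[v.Account] = true
			}
		}
		if lb, seen := lastBurst[e.Analyst]; len(distinct) >= burstAccounts && (!seen || e.TS.Sub(lb) > burstWindow) {
			alerts = append(alerts, Alert{"burst", e.Analyst, fmt.Sprintf("init codes for %d accounts viewed within %s", len(distinct), burstWindow)})
			lastBurst[e.Analyst] = e.TS
		}
	}
	return alerts
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range detect(events) {
		fmt.Printf("[%s] %s: %s\n", a.Rule, a.Analyst, a.Detail)
	}
}
```

On the constructed log this raises five alerts, all for b.jones, and none for a.smith. The rules are deliberately cheap to compute from whatever the portal already records; the point is that a proxied session and an initialization-code retrieval should each be tied to a ticket and to each other, so that an attacker who has only the analyst's credentials stands out.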

Certificate Revocation and Response
By April 17, DigiCert’s incident response team had identified 60 certificates linked to the breach. Of these, 27 were directly attributed to the threat actor’s actions; the remaining 33 could not be ruled out and were revoked as potentially compromised. Eleven of the revoked certificates had already been reported by the security community and were found on samples of the Zhong Stealer malware family. DigiCert revoked all implicated certificates and canceled the pending orders that had enabled the unauthorized issuance, closing the attackers’ route to further certificates.

Community Findings and Malware Usage
External researchers had observed the compromised certificates in the wild on samples of the Zhong Stealer malware. That reporting helped DigiCert confirm the scope of misuse and prioritize revocation. The use of the certificates to sign malware shows why EV Code Signing abuse is so damaging: a valid signature makes a malicious binary look like a vetted publisher’s release, and EV certificates have historically been granted immediate reputation by Microsoft Defender SmartScreen, so signed malware draws fewer warnings from operating systems and security products. Revocation is also not a clean undo. A signature that carries a trusted timestamp earlier than the CRL’s revocation date continues to validate, which is why a CA has to set the revocation date back to the first moment of misuse rather than the day it noticed.
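To make the revocation mechanics concrete, the added example below (not DigiCert's code) builds a throwaway CA with Go's standard library, issues two code-signing certificates, revokes one in a CRL with a revocation date backdated 72 hours, and checks both against that CRL. It then applies the timestamp rule from the paragraph above: a signature timestamped before the revocation date still validates, one timestamped after it does not. The CA name, subject names and serial numbers are constructed, and the error checks in the scenario builder are written compactly to keep the example short.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkAgainstCRL verifies that the CRL is signed by the expected issuer and is
// not past NextUpdate, then reports whether cert's serial is listed and since when.
func checkAgainstCRL(crlDER []byte, issuer, cert *x509.Certificate, now time.Time) (revoked bool, since time.Time, err error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, since, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, since, fmt.Errorf("CRL not signed by expected CA: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return false, since, fmt.Errorf("CRL stale: NextUpdate %s", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, rc.RevocationTime, nil
		}
	}
	return false, since, nil
}

// signatureStillValid applies the Authenticode timestamp rule: a signature whose trusted
// timestamp predates the revocation date keeps validating, which is why a CA backdates it.
func signatureStillValid(revoked bool, since, timestampedAt time.Time) bool {
	return !revoked || timestampedAt.Before(since)
}

// newCert generates a P-256 key and issues tmpl under parent; signer == nil means self-signed.
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Scenario is a constructed test PKI: an issuing CA, a code-signing leaf revoked with a
// revocation date backdated 72 hours, a clean leaf, and the CRL. Names and serials are made up.
type Scenario struct {
	CA, Revoked, Clean *x509.Certificate
	CRL                []byte
	RevokedAt          time.Time
}

func buildScenario() (*Scenario, error) {
	now := time.Now().Truncate(time.Second) // DER times carry whole seconds
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Code Signing CA"},
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, caKey, err := newCert(caTmpl, caTmpl, nil)
	if err != nil { return nil, err }
	var leaves []*x509.Certificate
	for i, cn := range []string{"Victim Customer Ltd", "Unaffected Customer Inc"} {
		leaf, _, err := newCert(&x509.Certificate{
			SerialNumber: big.NewInt(int64(0x1000 + i)), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-7 * 24 * time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		}, ca, caKey)
		if err != nil { return nil, err }
		leaves = append(leaves, leaf)
	}
	revokedAt := now.Add(-72 * time.Hour) // backdated to the assumed start of misuse
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaves[0].SerialNumber, RevocationTime: revokedAt}},
	}, ca, caKey)
	if err != nil { return nil, err }
	return &Scenario{CA: ca, Revoked: leaves[0], Clean: leaves[1], CRL: crlDER, RevokedAt: revokedAt}, nil
}

func main() {
	sc, err := buildScenario()
	if err != nil { panic(err) }
	revoked, since, err := checkAgainstCRL(sc.CRL, sc.CA, sc.Revoked, time.Now())
	fmt.Println(sc.Revoked.Subject.CommonName, "revoked:", revoked, "since:", since.Format(time.RFC3339), "err:", err)
}
```

Two details matter in practice and are enforced here: the CRL's signature is checked against the CA before its contents are believed, and a CRL past its NextUpdate is treated as an error rather than as "not revoked", since an attacker who can block CRL downloads must not get a free pass.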

Enhanced Security Measures
In response, DigiCert instituted a series of technical and procedural upgrades. Multi‑factor authentication (MFA) is now enforced for all administrative workflows in the support portal. Access to initialization codes from proxied support sessions has been disabled, removing the specific abuse vector. File‑type restrictions were added to the chat and Salesforce attachment mechanisms so that executable payloads can no longer be delivered disguised as screenshots or other files. Logging and monitoring were improved to speed detection of anomalous activity across endpoints and internal applications.
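The file-type restriction is the control most easily done badly: checking the extension alone still admits a Windows executable renamed screenshot.png. The Go function below is an added example, not DigiCert's implementation, of how a chat or ticketing upload handler can decide by content instead: a single-extension file name without bidi-override characters, an allowlisted image extension, leading bytes that sniff as that image type, and finally a full decode. The sample inputs (a generated 2x2 PNG and a fake MZ header) are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"image"
	_ "image/gif"  // register the gif decoder so image.Decode recognises it
	_ "image/jpeg" // likewise for jpeg
	"image/png"    // decoder registration plus png.Encode for the sample input
	"net/http"
	"path/filepath"
	"strings"
)

type imageKind struct{ mime, format string }

// allowed maps a permitted extension to the MIME type its leading bytes must
// sniff as and the format name image.Decode must report for it.
var allowed = map[string]imageKind{
	".png":  {"image/png", "png"},
	".jpg":  {"image/jpeg", "jpeg"},
	".jpeg": {"image/jpeg", "jpeg"},
	".gif":  {"image/gif", "gif"},
}

var (
	ErrBadName   = errors.New("unsafe file name")
	ErrExtension = errors.New("extension not allowed")
	ErrContent   = errors.New("content is not the image the name claims")
)

// ValidateScreenshot returns the verified MIME type, or an error wrapping one of the
// sentinels above. The extension is only consulted to pick the expected image type;
// the bytes decide.
func ValidateScreenshot(name string, data []byte) (string, error) {
	// Exactly one dot blocks "shot.png.exe" and "shot.exe.png"; also reject path
	// separators, NULs and Unicode bidi overrides that visually reverse the extension.
	if strings.Count(name, ".") != 1 || strings.ContainsAny(name, "/\\\x00\u202e\u202d\u2066\u2067\u2068") {
		return "", fmt.Errorf("%w: %q", ErrBadName, name)
	}
	kind, ok := allowed[strings.ToLower(filepath.Ext(name))]
	if !ok {
		return "", fmt.Errorf("%w: %q", ErrExtension, name)
	}
	// Cheap check first: magic bytes from the first 512 bytes.
	if got := http.DetectContentType(data); got != kind.mime {
		return "", fmt.Errorf("%w: %q sniffs as %s", ErrContent, name, got)
	}
	// Then a full decode: a PE or archive with a pasted-on PNG header fails here.
	if _, format, err := image.Decode(bytes.NewReader(data)); err != nil || format != kind.format {
		return "", fmt.Errorf("%w: %q does not decode as %s", ErrContent, name, kind.format)
	}
	return kind.mime, nil
}

// samplePNG builds a real 2x2 PNG in memory (constructed input for the example).
func samplePNG() []byte {
	var buf bytes.Buffer
	if err := png.Encode(&buf, image.NewRGBA(image.Rect(0, 0, 2, 2))); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// fakePE is the start of a Windows executable (MZ header) as an attacker might
// upload under the name "screenshot.png". Constructed; not a real binary.
var fakePE = []byte("MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00")

func main() {
	cases := []struct {
		name string
		data []byte
	}{
		{"screenshot.png", samplePNG()},
		{"screenshot.png", fakePE},
		{"screenshot.png", samplePNG()[:20]},
		{"screenshot.exe.png", fakePE},
		{"report.html", []byte("<html><script>alert(1)</script>")},
		{"screen\u202egnp.exe", fakePE},
	}
	for _, c := range cases {
		mime, err := ValidateScreenshot(c.name, c.data)
		if err != nil {
			fmt.Printf("%-22q rejected: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-22q accepted as %s\n", c.name, mime)
	}
}
```

Only the genuine PNG is accepted; the MZ header, the truncated PNG, the double extension, the HTML file and the right-to-left-override name are all rejected with a reason. Re-encoding the decoded image before storing it would go one step further and strip any appended payload from an otherwise valid image.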

Broader Implications and Related Incidents
The DigiCert breach highlights the risk in privileged support functions that grant indirect access to critical issuance processes, and it is a reminder that even a well‑guarded certificate authority can be compromised through a seemingly low‑risk channel such as customer chat. The incident lands in a busy stretch of security news, including the cPanel exploitation campaign reported to affect over 40,000 servers, Instructure’s data breach disclosure, and FBI warnings about hacker‑enabled cargo theft. Together these events emphasize the need for defense‑in‑depth, regular validation of access controls, and rapid incident response to protect the trust ecosystem that underpins code signing and TLS certificates.


