Attackers have for many years tried to find ways to get malicious code inside a victim's network. New research by Fidelis Security has uncovered another, novel way to achieve this, one that your security systems might not pick up. The original research (PDF) can be found at the following link: http://vixra.org/pdf/1801.0016v1.pdf
The attack exploits the fact that X.509 certificates have a number of fields that can contain arbitrary values. In their research, Fidelis showed that data can be transferred within the SubjectKeyIdentifier field of an X.509 certificate, with no size constraint other than the limits of device memory.
The SubjectKeyIdentifier field is supposed to hold a hash value that identifies the public key being certified. This value enables distinct keys used by the same subject to be differentiated.
In an attack using this approach, this field can be used to pass any form of data, including executable code.
In many cases, the SubjectKeyIdentifier value is not validated by either firewalls or IDS, as they are typically set to look for data being transmitted in a protocol payload such as a TCP, UDP or SMTP packet.
In the case of the X.509 certificate, the code is passed as part of the TLS handshake, so no data payload is being transmitted.
Fidelis produced a proof-of-concept attack that placed a Mimikatz payload in an X.509 certificate and transferred it to an already compromised device during the TLS negotiation phase.
There are ways to check whether a certificate is being used in this way. For example, the hashes commonly used in the SubjectKeyIdentifier field are MD5, SHA-1, SHA-256, SHA-384 or SHA-512, so SHA-512 produces the longest hash value, at 128 characters long (when hex-encoded). Rules can be established (normally with a regex) to look for values in this field that are longer than 128 characters and flag them if they are.
But how many of you reading this have such rules?
How many of you reading this even contemplated someone using X.509 to attack your organisation?
How many of you are about to go check and update your firewall rules?
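As an added example (not from the article or from Fidelis's research), the Go program below implements the length rule described above using only the standard library: it parses a DER certificate and flags a SubjectKeyIdentifier longer than 64 bytes, the 128 hex characters of a SHA-512 digest. To exercise the rule it builds its own constructed self-signed test certificates, one with a hash-sized SKI and one with 4096 bytes of zero filler standing in for smuggled data; the certificate name and sizes are assumptions for illustration only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const maxHashSKI = 64 // SHA-512 is the longest standard digest: 64 bytes = 128 hex characters

// CheckSKI parses a DER certificate and flags a SubjectKeyIdentifier longer than any standard hash output.
func CheckSKI(der []byte) (skiLen int, suspicious bool, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, false, err
	}
	return len(cert.SubjectKeyId), len(cert.SubjectKeyId) > maxHashSKI, nil
}

// BuildCert makes a constructed self-signed ECDSA P-256 certificate whose
// SubjectKeyIdentifier is set verbatim to ski, as a fixture for exercising the rule.
func BuildCert(ski []byte) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ski-check.example"}, // constructed name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		SubjectKeyId: ski, // Go writes these bytes into the extension unchanged
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	for _, ski := range [][]byte{make([]byte, 32), make([]byte, 4096)} { // hash-sized, then filler
		der, err := BuildCert(ski)
		if err != nil {
			panic(err)
		}
		fmt.Println(CheckSKI(der)) // length in bytes, suspicious flag, error
	}
}
```

The certificate must be visible in the clear for this check to run on network traffic: TLS 1.2 sends the Certificate message unencrypted, whereas TLS 1.3 encrypts it, so there the check belongs at the endpoint or at a TLS-terminating proxy.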
Cyber Security training from QA
At QA we offer a wealth of courses covering all aspects of security; in this case we would recommend our Network Security Foundation course, just one of our many Cyber Security courses.
We have uniquely positioned ourselves to help solve the Cyber skills gap, from our CyberFirst and Cyber Apprenticeship programmes and Cyber Academies to Cyber Challenges, Training and Certifications and Consultancy for Cyber Security.
QA offer end-to-end Cyber training and certifications, from Cyber Awareness to deep-dive Cyber Programmes and solutions; from Cyber Investigations, Cyber Crisis Management and Proactive Security to Offensive Defence. QA only employ world-leading Cyber trainers who have the expertise to deliver bespoke Cyber solutions, GCHQ-accredited courses and, proudly, the CyberFirst programme. This is all to support tackling the UK's National Cyber Security skills shortage.
QA also have state-of-the-art CyberLabs, where companies can simulate real-life Cyber-attacks on their infrastructure, helping them to prevent & combat breaches without risking their own network.
Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.

Mark Amory
After leaving a career as a mechanical and electrical engineer in 1998, Mark started out with a fresh career as an IT trainer. Spending the first few years as an applications trainer, Mark excelled in delivering Microsoft Office and Adobe products. In line with his background as an engineer, Mark soon shifted focus to more technical deliveries, including hardware and networking topics, a field he has remained in ever since.
As a natural progression of his career, Mark started to explore the security aspect of his existing competencies and since 2005 has specialised in the cyber security domain. Mark has been the author of a number of QA cyber security courses and was the design authority and author of the 2017 NCSC Cyber First Academy. Mark is a C|EH, a Certified EC-Council Instructor, and a CISSP.