“We saw the updates come down from the Live Update ASUS server. They were trojanized, or malicious updates, and they were signed by ASUS,” said Liam O’Murchu, director of development for the Security Technology and Response group at Symantec.
Assuming ASUS properly implemented their signature validation, it seems likely that hackers may have stolen ASUS’ signing keys in order to accomplish this, which points to a lack of automation around code signing certificate protection.
In the last few years we have seen growing awareness of code signing and an uptick in code signing and validation, which is great. However, if you lose control of the private keys, the whole system falls apart. And today very few organizations properly protect code signing certificates: they sit on developers’ workstations, build servers, and so on. They should be carefully protected, and they usually are not, because it’s hard to do.
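To make concrete why signature validation alone cannot catch an update signed with a stolen key, here is an added example (not code from the original post, and not the ASUS Live Update format or Symantec's analysis). It uses Ed25519 from Go's standard library as a stand-in for whatever signing scheme the real updater uses, builds a constructed update payload, and runs three cases: the genuine update, a payload tampered after signing, and a trojanized payload re-signed with the vendor's own key. It then shows one key-independent check a defender can add, a build-time hash manifest pinned out of band; the manifest, the payload text and all names here are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Update is a minimal stand-in for a signed software update: a payload plus a
// signature over it made with the vendor's code-signing key. (Constructed for
// this example; it is not the ASUS Live Update format.)
type Update struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate is what the vendor's release pipeline does with its private key.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyUpdate is what a client's update agent does: check that the signature
// validates under the vendor's published public key. It proves only that
// whoever produced the signature held the private key, nothing more.
func VerifyUpdate(pub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pub, u.Payload, u.Signature)
}

// payloadHash is the value a build-time release manifest would record.
func payloadHash(p []byte) string {
	h := sha256.Sum256(p)
	return hex.EncodeToString(h[:])
}

// Scenario runs the cases described in the text and returns the outcome of
// each check:
//   genuine       - the real update verifies
//   tampered      - a payload modified after signing fails verification
//   stolenKeySig  - a trojanized payload re-signed with the stolen key verifies
//   stolenKeyPin  - the same payload checked against a pinned hash manifest
func Scenario() (genuine, tampered, stolenKeySig, stolenKeyPin bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample payload and the manifest the build system recorded
	// for it (assumption: the manifest is published out of band, e.g. pinned
	// in the client, so a re-signed build cannot quietly replace it).
	good := []byte("liveupdate-v1.2.3 (constructed sample payload)")
	manifest := map[string]bool{payloadHash(good): true}

	u := SignUpdate(priv, good)
	genuine = VerifyUpdate(pub, u)

	// Case 2: modification without the key. The signature no longer matches.
	trojan := append(append([]byte{}, good...), " + implant"...)
	tampered = VerifyUpdate(pub, Update{Payload: trojan, Signature: u.Signature})

	// Case 3: the private key was taken from a workstation or build server,
	// so the attacker simply re-signs. Signature validation passes.
	s := SignUpdate(priv, trojan)
	stolenKeySig = VerifyUpdate(pub, s)

	// The key-independent check: the trojanized build is not in the manifest.
	stolenKeyPin = stolenKeySig && manifest[payloadHash(s.Payload)]
	return
}

func main() {
	g, t, ks, kp := Scenario()
	fmt.Printf("genuine verifies: %v\n", g)
	fmt.Printf("tampered (no key) verifies: %v\n", t)
	fmt.Printf("re-signed with stolen key verifies: %v\n", ks)
	fmt.Printf("re-signed build passes pinned manifest: %v\n", kp)
}
```

The third case is the whole point of the post: once the key leaves controlled storage, `VerifyUpdate` returns true for the trojanized build just as it does for the real one, so key custody, not the verification code, is what the client is actually trusting.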