Cyber Incident Victim: Valid Certificadora Digital

Date: Apr 2023

Location: Brazil

Summary

The Brazilian digital certificate issuer Valid Certificadora Digital was compromised by the CrossLock ransomware group. The attackers encrypted the victim's network, including virtual machines, and exfiltrated sensitive data such as SSL certificates, server databases, and documents. The company restored its digital certificate services gradually following the attack but did not publicly acknowledge a ransomware infection. CrossLock subsequently leaked a portion of the stolen data and threatened to sell valid certificates that could be used to sign malware.

Description

On or around April 16, 2023, the ransomware group CrossLock added the Brazilian firm Valid Certificadora Digital to its data leak site, claiming responsibility for a cyber attack. Valid Certificadora is a company that issues digital certificates used by both businesses and public entities. CrossLock’s claim stated they had successfully encrypted the entire network of the company, including its virtual machines, and had exfiltrated all of their sensitive data. The threat actor specified that their attack had focused on particular types of files, which they categorized as SSL certificates, servers’ databases, and documents and images.

Following the attack, Valid Certificadora experienced a period of service instability affecting its digital certificate offerings. The company did not post a notice of the incident on its primary website, validcertificadora.com.br. However, an announcement was made on the company’s official Facebook page. This communication, posted after the attack, informed the public that services for the Digital Certificates unit had been restored. The company apologized for the temporary instability of its digital certificates and stated that some services were being recovered gradually. The announcement conveyed that the company was working to normalize the situation as quickly as possible. The Facebook post did not mention any ransomware infection, a data breach, or any ransom demands made by threat actors.

Efforts to contact Valid Certificadora for confirmation or additional details regarding the incident were unsuccessful. Email inquiries sent to the company were returned undelivered. A specific attempt made on April 30, 2023, resulted in a 550 5.4.1 error message stating “Recipient address rejected: Access denied,” indicating a potential problem with the company’s email infrastructure or security settings post-incident.

In contrast, communication was established with the CrossLock group. A spokesperson for the ransomware group confirmed they were not a new entity and disclosed that their operation utilized the ChaCha20 stream cipher and Elliptic-Curve Cryptography (ECC) for their encryption processes. When questioned, the spokesperson stated that Valid Certificadora had attempted to engage in negotiations with them following the attack, but the two parties did not reach an agreement.

Subsequent to the failed negotiations, CrossLock proceeded with its threat to publish stolen data. The group leaked approximately 1.5 gigabytes of files allegedly taken from Valid Certificadora. Accompanying this data leak was a note advertising the sale of the company's digital certificates. The note stated, “For those who are interested in buying legit valid certificates, we are selling valid certificates that can be used to sign your malwares or anything. contact us on tox.” This offer highlighted a significant secondary risk stemming from the theft of digital certificates, as they could be weaponized by other threat actors to sign malicious software, making it appear legitimate and trusted by security systems.

CrossLock’s spokesperson also claimed to have directly informed Valid Certificadora of their intent to sell the certificates. They stated a message was sent to the company indicating that they had already received attractive offers from other criminal groups who wished to purchase the certificates to sign their malware tools. The spokesperson framed this potential sale as a point of leverage, stating the certificates would not be sold only if the company paid the ransom demand. The grammatical errors in the quoted message, such as “I’d like to metion” and “unless Valid company didn’t pay,” were consistent with the original communication.

The confirmed impacts of the incident included a temporary disruption to Valid Certificadora’s core service of issuing and managing digital certificates. The company’s public response was limited to acknowledging service instability and reporting a gradual restoration of operations without providing a root cause. The theft of digital certificates introduced a severe threat to the broader cybersecurity ecosystem, as the legitimate certificates could be misused to undermine trust in digitally signed software and communications. The exfiltration of other data types, including servers’ databases and documents, also created a risk of further data exposure and potential misuse, though the specific contents and sensitivity of these databases were not detailed in the available evidence. The company’s inability to receive external emails, as evidenced by the bounced messages, indicated a potential ongoing impact on its external communications infrastructure as part of the incident response or recovery process.
