Cow-orker @mle shared this ~2-week-old DigiCert incident report today (I blame my Q1 $WORK chaos for me missing it): https://bugzilla.mozilla.org/show_bug.cgi?id=2033170… (1/5)
DigiCert — a certificate authority, the entity you're trusting to anchor your entire chain of trust — got compromised because a support analyst opened a .scr file from a chat session. In 2026. CrowdStrike was misconfigured on one endpoint and completely absent on another. Nobody noticed the second compromise for 10 days. The attacker grabbed EV code signing initialization codes and walked out with 60 certificates. Zhong Stealer, signed and shipped. (2/5)
The root cause chain is damning. No file type restrictions on inbound support chat attachments. No automated EDR coverage reconciliation against the identity provider. Okta FastPass let the compromised device satisfy MFA on its own. The initialization codes — functionally equivalent to the certificates themselves — were visible in every proxied support session because the support portal was never threat-modeled as an attack surface. "Privileged access" stopped at the HSM boundary. (3/5)
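An added example of the EDR coverage reconciliation post 3/5 says was missing (written here, not code from the thread or from DigiCert's report): it diffs the identity provider's managed-device list against what the EDR console reports and flags devices with no sensor, a silent sensor, or a weakened prevention policy, so they can be demoted before they satisfy MFA on their own. Device names, field names and inventory contents are constructed assumptions, not real Okta or CrowdStrike schemas.

```python
# Added example (not from the thread or DigiCert's report): reconcile the
# identity provider's managed-device list against the EDR console, the
# control post 3/5 says was missing. All data is constructed, and the field
# names are assumptions, not Okta's or CrowdStrike's real API schemas.

# Constructed: devices the IdP treats as managed and therefore able to
# satisfy device-bound MFA (the FastPass-style posture) on their own.
IDP_DEVICES = [
    {"id": "support-ws-01", "user": "analyst.a", "managed": True},
    {"id": "support-ws-02", "user": "analyst.b", "managed": True},
    {"id": "support-ws-03", "user": "analyst.c", "managed": True},
    {"id": "eng-laptop-07", "user": "dev.d", "managed": True},
    {"id": "byod-phone-11", "user": "dev.d", "managed": False},
]

# Constructed: per-host state as the EDR console would report it.
# support-ws-03 has no sensor at all; eng-laptop-07 stopped reporting.
EDR_HOSTS = {
    "support-ws-01": {"last_seen_hours": 1, "prevention_policy": "enforce"},
    "support-ws-02": {"last_seen_hours": 2, "prevention_policy": "detect_only"},
    "eng-laptop-07": {"last_seen_hours": 72, "prevention_policy": "enforce"},
}


def reconcile(idp_devices, edr_hosts, max_silent_hours=24):
    """Return (device, user, issue) tuples for every managed device whose EDR
    coverage is absent, silent, or weaker than the enforced-prevention baseline."""
    findings = []
    for dev in idp_devices:
        if not dev["managed"]:
            continue  # unmanaged devices already cannot self-satisfy MFA
        host = edr_hosts.get(dev["id"])
        if host is None:
            findings.append((dev["id"], dev["user"], "no EDR sensor registered"))
            continue
        if host["last_seen_hours"] > max_silent_hours:
            findings.append((dev["id"], dev["user"],
                             f"sensor silent for {host['last_seen_hours']}h"))
        if host["prevention_policy"] != "enforce":
            findings.append((dev["id"], dev["user"],
                             f"prevention policy is {host['prevention_policy']}"))
    return findings


def devices_to_demote(findings):
    """Device ids that should lose managed status in the IdP until fixed,
    so a gap in EDR coverage cannot quietly become an MFA bypass."""
    return sorted({device for device, _, _ in findings})
```

Run on a schedule, the output of devices_to_demote is the list to push back to the IdP as "no longer managed"; a device that was never enrolled or went quiet shows up here instead of being trusted by default.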
Certificate authorities exist for one reason: to be the trust anchor everyone else depends on. They should have the most rigorous endpoint security, the tightest access controls, the most paranoid threat modeling of any organization in the ecosystem. Instead, DigiCert got burned by the same failures you'd find in a mid-market company that just bought its first SIEM. (4/5)
The overpriced EDR stack failed, the attacker just kept trying, and a community researcher caught it before DigiCert did. That's the state of the PKI trust model in 2026. (5/5)
-
got compromised because a support analyst opened a .scr file from a chat session
The fact that CAs hand-wave this aura of "we should be trusted" when they're no more secure than the gas station down the street is laughable.
-
@hrbrmstr Oof, fully agreed.
Of all places, I would have expected to see ubiquitous use of physical security keys at global CAs in 2026. It's not fool-proof, but holy shit is it better than letting a compromised machine satisfy MFA.
Knowing how much effort went into securing our CA at Google, this is just straight-up embarrassing.
-
@hrbrmstr the bugzilla id shows as invalid here, has it been hidden?
-
@busterb I’ll check in a minute