DigiCert: DigiCert Revokes Certificates After Support Portal Hack

DigiCert Revokes Fraudulently Obtained Certificates Following Cyberattack

On April 2, digital certificate authority DigiCert fell victim to a cyberattack after a threat actor targeted its support team with malware disguised as a screenshot in a customer chat channel. The malicious payload infected two endpoints: one was detected on April 3 and the other on April 14, with the delayed discovery of the second infection attributed to malfunctioning security tools.

The attackers exploited a limited-access function in DigiCert’s internal support portal, leveraging the ability of authenticated support analysts to proxy into customer accounts. This allowed them to obtain initialization codes for pending Extended Validation (EV) Code Signing certificate orders. With these codes and approved orders, the threat actor successfully issued fraudulent certificates across multiple customer accounts and certificate authorities (CAs).

By April 17, DigiCert identified and revoked 60 certificates tied to the incident, including 27 directly linked to the attacker. Of these, 11 were reported by the cybersecurity community and had been used to sign the Zhong Stealer malware. The company confirmed that no other internal systems were compromised beyond the unauthorized access to initialization codes.

In response, DigiCert revoked all potentially affected certificates, canceled pending orders to block further exploitation, and implemented stricter security measures. These include enforcing multi-factor authentication (MFA) for administrative workflows, restricting support users from accessing initialization codes, limiting file types in support chats and Salesforce case attachments, and enhancing logging capabilities.

Source: https://www.securityweek.com/digicert-revokes-certificates-after-support-portal-hack/

DigiCert cybersecurity rating report: https://www.rankiteo.com/company/digicert-inc-

"id": "DIG1777919462",
"linkid": "digicert-inc-",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Multiple (customers with '
                                              'pending EV Code Signing '
                                              'certificate orders)',
                        'industry': 'Cybersecurity/IT Services',
                        'name': 'DigiCert',
                        'type': 'Certificate Authority'}],
 'attack_vector': 'Malware (disguised as a screenshot in customer chat)',
 'data_breach': {'sensitivity_of_data': 'High (used to issue fraudulent '
                                        'certificates)',
                 'type_of_data_compromised': 'Initialization codes for EV Code '
                                             'Signing certificates'},
 'date_detected': '2024-04-03',
 'description': 'On April 2, digital certificate authority DigiCert fell '
                'victim to a cyberattack after a threat actor targeted its '
                'support team with malware disguised as a screenshot in a '
                'customer chat channel. The attackers exploited a '
                'limited-access function in DigiCert’s internal support portal '
                'to obtain initialization codes for pending Extended '
                'Validation (EV) Code Signing certificate orders, issuing '
                'fraudulent certificates across multiple customer accounts and '
                'certificate authorities (CAs).',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'fraudulent certificate issuance',
            'data_compromised': 'Initialization codes for EV Code Signing '
                                'certificates',
            'operational_impact': 'Revocation of fraudulent certificates, '
                                  'cancellation of pending orders',
            'systems_affected': 'Support portal, customer accounts'},
 'initial_access_broker': {'entry_point': 'Customer chat channel (malware '
                                          'disguised as screenshot)',
                           'high_value_targets': 'Support team, customer '
                                                 'accounts with pending EV '
                                                 'Code Signing orders'},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'corrective_actions': 'Revoked fraudulent '
                                                  'certificates, enforced MFA, '
                                                  'restricted access to '
                                                  'initialization codes, '
                                                  'limited file types in '
                                                  'support channels, enhanced '
                                                  'logging',
                            'root_causes': 'Malware infection via customer '
                                           'chat, exploitation of support '
                                           'portal access controls, delayed '
                                           'detection of second infection due '
                                           'to malfunctioning security tools'},
 'recommendations': 'Implement stricter access controls, enforce MFA for '
                    'administrative workflows, restrict file types in support '
                    'channels, enhance logging and monitoring',
 'references': [{'source': 'Cybersecurity News Outlets'}],
 'response': {'containment_measures': 'Revoked 60 fraudulent certificates, '
                                      'canceled pending orders',
              'enhanced_monitoring': 'Yes',
              'remediation_measures': 'Enforced MFA for administrative '
                                      'workflows, restricted support user '
                                      'access to initialization codes, limited '
                                      'file types in support chats and '
                                      'Salesforce case attachments, enhanced '
                                      'logging capabilities'},
 'title': 'DigiCert Revokes Fraudulently Obtained Certificates Following '
          'Cyberattack',
 'type': 'Cyberattack',
 'vulnerability_exploited': 'Limited-access function in internal support '
                            'portal (proxy access to customer accounts)'}