Microsoft's Key Catastrophe: Hackers Hijack Digital Signatures
Posted: 2023-08-28
By: dwirch
Viewed: 78
No attachments for this post
July brought unsettling news: malware used to infiltrate Windows devices received Microsoft's own digital endorsement. Now, another revelation: a novel threat actor has exploited Microsoft's certification to wage a strategic supply-chain assault on about 100 targets.
Researchers from Symantec discovered malware bearing a certificate typically reserved for the Microsoft Windows Hardware programs. These programs ensure the credibility and security of device drivers. Without their certification, drivers can't operate on Windows.
The hackers, dubbed "Carderbee" by Symantec, convinced Microsoft to digitally sign a malware type known as a rootkit. With this signature, the malware seamlessly integrates with the operating system. To achieve this, the malware needed Microsoft's approval, which was shockingly granted.
Carderbee's audacity didn't end there. The hackers attacked Esafenet, a Chinese software developer, using their infiltration to push malicious updates to 2,000 organizations. Among these, approximately 100 received the Microsoft-approved rootkit. Esafenet has yet to comment.
Symantec’s team highlighted the attacker’s strategy and precision, emphasizing their calculated deployment of malicious payloads.
While Microsoft initiated its certification program with Windows 10's launch, it's clear the system isn't foolproof. Carderbee isn’t the first to misuse Microsoft’s certificates. In July, 133 malicious drivers were discovered by Sophos; 100 bore Microsoft’s signature.
Both Trend and Microsoft recognized the increasing trend of compromised signatures. Microsoft admitted that developer accounts were abused to attain malicious signatures, but assured they were suspended upon discovery. However, this response echoed a statement made last year when they faced a similar issue.
Security firms SentinelOne, Mandiant, and Sophos have constantly raised concerns about Microsoft's digital endorsements. Mandiant highlighted that malware often exploited compromised or stolen certificates, tricking security controls. The process for gaining these signatures, termed 'attestation', mandates a verifiable identity. Despite this, hackers keep succeeding.
SentinelOne postulated two theories: either a provider offers a malicious signing service to willing buyers, or multiple hackers have compromised legitimate driver developers, using their credentials to sign and submit harmful drivers.
Recent episodes, like the "Netfilter" incident in June 2021, further underline Microsoft’s signature woes. With mounting criticism regarding Microsoft’s security lapses, the company’s attempts at damage control seem insufficient. Their ambiguous notifications seemingly obscure more than they reveal.
Ultimately, Microsoft’s certification program, built on multi-layered security, has proven fallible. Most breaches have been linked to Chinese hackers, typically with espionage motives. Microsoft's ongoing challenges and communication approach are weakening global trust in digital security.
Comments on this post
No comments have been added for this post.
You must be logged in to make a comment.