
Microsoft Digital Certificates Can Be Used to Sign Malware Again

Microsoft has once again been caught allowing its legitimate digital certificates to sign malware in the wild. The lapse allows malicious files to bypass the security checks designed to stop them from running on Windows.


Multiple threat actors were involved in the misuse of Microsoft’s digital imprimatur, which gave Windows and third-party security applications the impression that malicious system drivers had been approved by Microsoft. The breadth of the abuse has led to speculation that malicious organizations are offering driver-signing services to other criminals. Researchers have identified at least nine distinct developer entities that misused the certificates in recent months.


Four third-party security firms independently discovered the abuse and reported it to Microsoft privately. The company confirmed the findings on Tuesday as part of its monthly Patch Tuesday release, saying it had determined that the abuse came from multiple developer accounts and that there had been no network breach.

Microsoft has suspended the developer accounts and put in place blocking detections to stop Windows from trusting the certificates that were used to sign the malicious drivers. Microsoft officials wrote that they recommend all customers install the latest Windows updates, and that endpoint detection and anti-virus products be kept up to date and enabled to protect against attacks.

Code-signing primer

Most drivers have direct access to the kernel, the most sensitive part of Windows, so Microsoft requires that they be digitally signed through an internal company process called attestation. Windows will not load a driver that has no digital signature, and third-party security products also rely on attestation to judge a driver’s authenticity. Microsoft offers a separate validation process for drivers, the Microsoft Windows Hardware Compatibility Program, which subjects drivers to additional tests that verify compatibility.

To sign drivers through Microsoft, a hardware developer must first obtain an extended validation (EV) certificate, which requires the developer’s identity to be verified by a certification authority trusted by Windows, along with additional security assurances. The EV certificate is then attached to the developer’s Windows Hardware Developer Program account, and the developer submits driver packages to Microsoft for testing.

Security firm SentinelOne, one of the three that found the certificate misuse and privately reported it to Microsoft, explained:

This process has a major problem: security solutions, particularly kernel mode drivers, implicitly trust anything signed by Microsoft. Beginning with Windows 10, Microsoft required all kernel mode drivers to be signed via the Windows Hardware Developer Center Portal. This process ensures that all kernel mode drivers are signed and can be loaded in the latest Windows versions. Although the intention of the new requirement was to provide greater control over kernel-level drivers, threat actors realized that they could game the process to their advantage. However, the trick is to create a driver that does not appear malicious to the security checks applied by Microsoft during the review.
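The primer above and SentinelOne's point that defenders implicitly trust anything Microsoft has signed suggest a practical check: inventory the kernel drivers on a host, record who signed each one and its file hash, and treat the Microsoft hardware-program signer as a population to triage rather than as proof of good intent. The script below is an added example written for this article, not code from Microsoft, SentinelOne or the article's author; it assumes Windows PowerShell 5.1 or later on Windows 10 or later, run with administrative rights, and the output path and the column names are my own choices.

```powershell
# Added example: inventory loaded kernel drivers with their Authenticode signer and SHA-256,
# so that "validly signed by Microsoft" can be separated from "known good".
# Assumes Windows PowerShell 5.1+ on Windows 10+, elevated session.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports paths in several NT forms; normalise to a Win32 path.
    $p = $PathName -replace '^\\\?\?\\', ''              # \??\C:\...        -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot  # \SystemRoot\...   -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') {                 # system32\drivers\x.sys -> C:\Windows\system32\drivers\x.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-DriverSignatureInventory {
    param([switch]$RunningOnly)
    $drivers = Get-CimInstance Win32_SystemDriver
    if ($RunningOnly) { $drivers = $drivers | Where-Object { $_.State -eq 'Running' } }
    foreach ($d in $drivers) {
        if (-not $d.PathName) { continue }
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name       = $d.Name
            Path       = $path
            Sha256     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Status     = $sig.Status                      # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer     = $sig.SignerCertificate.Subject
            Thumbprint = $sig.SignerCertificate.Thumbprint
            # Drivers signed through Microsoft's hardware program carry this signer no matter who
            # wrote them; that is exactly the population the article says was abused.
            MicrosoftHardwareSigned = ($sig.SignerCertificate.Subject -like '*Windows Hardware Compatibility Publisher*')
        }
    }
}

$inv = Get-DriverSignatureInventory -RunningOnly

# Anything without a valid signature is an immediate review item.
$inv | Where-Object { $_.Status -ne 'Valid' } | Format-Table Name, Status, Signer -AutoSize

# Export the Microsoft-signed third-party set (hash + thumbprint) for comparison against
# your allowlist and the blocklist shipped with the Windows updates the article mentions.
$inv | Where-Object { $_.MicrosoftHardwareSigned } |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\driver-signatures.csv"   # output path is an assumption
```

After the update Microsoft describes is installed, a driver signed with a now-blocked certificate no longer reports a Status of Valid, so re-running the inventory before and after patching shows exactly which drivers the new detections affect.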

