Microsoft’s digital certificates have once again been misused to sign malware

Microsoft has again been caught allowing its legitimate digital certificates to sign malware in the wild, a loophole that lets malicious files pass the stringent security checks meant to keep untrusted code from running on Windows.

Several threat actors have been implicated in the abuse of Microsoft’s digital imprimatur, which they used to make Windows and endpoint security applications believe that malicious system drivers had been certified safe by Microsoft. This has led to speculation that one or more rogue organizations may be selling malicious driver signing as a service. In total, researchers have identified at least nine separate developer entities that have misused the signing program in recent months.

The abuse was discovered independently by three third-party security firms, which reported it privately to Microsoft. On Tuesday, as part of its monthly Patch Tuesday release, the company confirmed the findings, saying it had determined that the activity originated from several developer program accounts and that no compromise of Microsoft’s own network had been detected.

Microsoft has since suspended the developer accounts involved and rolled out blocking detections so that Windows no longer trusts the certificates used to sign the malicious drivers. “Microsoft recommends that all customers install the latest Windows updates and ensure that their antivirus and endpoint detection products are updated with the latest signatures and are enabled to prevent these attacks,” the company wrote in its advisory.

Introduction to code signing

Because most drivers have direct access to the kernel, the core of Windows where the most sensitive parts of the operating system live, Microsoft requires them to be digitally signed through a Microsoft-run process known as attestation signing. Without that signature, Windows will not load the driver. Attestation has also become a de facto way for third-party security products to decide whether a driver is trustworthy. Microsoft runs a separate, more rigorous validation process, the Windows Hardware Compatibility Program, in which drivers must pass additional tests to ensure compatibility.

To have a driver signed by Microsoft, a hardware developer must first obtain an Extended Validation (EV) code signing certificate, which requires proving their identity to a certificate authority trusted by Windows and offers additional assurance about who holds the key. The developer attaches the EV certificate to their Windows Hardware Developer Program account and then submits the driver package to Microsoft for testing and signing.
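As an added example (not code from the article, from Microsoft or from any of the firms cited), the PowerShell below inventories the kernel drivers currently loaded on a Windows host and flags those whose Authenticode signer is Microsoft Windows Hardware Compatibility Publisher, the certificate Microsoft applies to drivers submitted through the Hardware Developer Center. It assumes that signer subject string, the property names of the Win32_SystemDriver CIM class, and that it is run from an elevated prompt. A WHCP signature only tells you that the driver went through Microsoft’s process, which is exactly what the article says was gamed, so the output is a hunting input rather than a verdict.

```powershell
# Added example: list loaded kernel drivers and flag the ones that carry the
# Microsoft WHCP / attestation signature. Not from the article or from Microsoft.

# Assumption: Microsoft signs Hardware Developer Center submissions with a
# certificate whose subject starts with this CN. Adjust if your estate differs.
$WhcpSubjectPrefix = 'CN=Microsoft Windows Hardware Compatibility Publisher'

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName shows up in several spellings:
    #   C:\Windows\system32\drivers\x.sys, \SystemRoot\System32\drivers\x.sys,
    #   \??\C:\Windows\system32\drivers\x.sys, System32\drivers\x.sys
    param([Parameter(Mandatory)][string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-LoadedDriverSignatures {
    # State -eq 'Running' narrows the SCM driver list to drivers actually loaded.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath -PathName $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }

            # Get-AuthenticodeSignature returns the primary embedded signature;
            # Status is Valid / NotSigned / HashMismatch / UnknownError, etc.
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $subj = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            [pscustomobject]@{
                Name          = $_.Name
                Path          = $path
                Status        = $sig.Status
                Signer        = $subj
                Thumbprint    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
                LastWriteTime = (Get-Item -LiteralPath $path).LastWriteTime
                WhcpSigned    = $subj.StartsWith($WhcpSubjectPrefix)
            }
        }
}

# Usage: show WHCP-signed loaded drivers, newest file first, so that a driver
# that recently appeared on the box stands out for follow-up (hash lookup,
# vendor check, catalogue/submission name, blocklisting if warranted).
$drivers = Get-LoadedDriverSignatures
$drivers | Where-Object WhcpSigned |
    Sort-Object LastWriteTime -Descending |
    Format-Table Name, LastWriteTime, Status, Thumbprint, Path -AutoSize

# Unsigned or tampered drivers are a separate, louder signal; print them too.
$drivers | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Name, Status, Path -AutoSize
```

The point of splitting the two reports is the one the article makes: an invalid signature is something Windows and endpoint products already refuse, whereas a valid Microsoft signature is what they implicitly trust, so the WHCP list has to be reviewed on other evidence such as file age, vendor plausibility and behaviour.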

Researchers from SentinelOne, one of the three security firms that discovered the certificate abuse and privately reported it to Microsoft, explained:

The main problem with this process is that most security solutions implicitly trust anything signed only by Microsoft, especially kernel mode drivers. Starting with Windows 10, Microsoft began requiring all kernel-mode drivers to be signed using the Windows Hardware Developer Center dashboard portal. Anything not signed through this process cannot be loaded in modern versions of Windows. While the intent of this new requirement was to have tighter control and visibility over drivers operating at the kernel level, threat actors realized that if they could game the process, they would have free rein to do whatever they want. The trick, however, is to develop a driver that doesn’t appear malicious to the security checks Microsoft implemented during the review process.

Mandiant, another of the security firms that disclosed the abuse, said that “several separate malware families, associated with separate threat actors, have been signed through the Windows Hardware Compatibility Program.” Its investigators identified at least nine organization names that were used to abuse the program. Beyond getting Microsoft to sign their drivers through the program, the threat actors also managed to obtain EV certificates from third-party certificate authorities.
