Microsoft has once again been caught allowing its legitimate digital certificates to sign malware in the wild, a lapse that allows the malicious files to pass strict security checks designed to prevent them from running on the Windows operating system.
Multiple threat actors were involved in the misuse of Microsoft’s digital imprimatur, which they used to give Windows and endpoint security applications the impression malicious system drivers had been certified as safe by Microsoft. That has led to speculation that there may be one or more malicious organizations selling malicious driver-signing as a service. In all, researchers have identified at least nine separate developer entities that abused the certificates in recent months.
The abuse was independently discovered by four third-party security companies, which then privately reported it to Microsoft. On Tuesday, during Microsoft’s monthly Patch Tuesday, the company confirmed the findings and said it has determined the abuse came from several developer accounts and that no network breach has been detected.
The software maker has now suspended the developer accounts and implemented blocking detections to prevent Windows from trusting the certificates used to sign the compromised certificates. “Microsoft recommends that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks,” company officials wrote.
Because most drivers have direct access to the kernel—the core of Windows where the most sensitive parts of the OS reside—Microsoft requires them to be digitally signed using a company internal process known as attestation. Without this digital signature, Windows won’t load the driver. Attestation has also become a de facto means for third-party security products to decide if a driver is trustworthy. Microsoft has a separate driver validation process known as the Microsoft Windows Hardware Compatibility Program, in which the drivers run various additional tests to ensure compatibility.
To get drivers signed by Microsoft, a hardware developer first must obtain an extended validation certificate, which requires the developer to prove its identity to a Windows trusted certificate authority and provide additional security assurances. The developer then attaches the EV certificate to their Windows Hardware Developer Program account. Developers then submit their driver package to Microsoft for testing.
Researchers from SentinelOne, one of three security firms that discovered the certificate misuse and privately reported it to Microsoft, explained:
The main issue with this process is that most security solutions implicitly trust anything signed by only Microsoft, especially kernel mode drivers. Starting with Windows 10, Microsoft began requiring all kernel mode drivers to be signed using the Windows Hardware Developer Center Dashboard portal. Anything not signed through this process is not able to load in modern Windows versions. While the intent of this new requirement was to have stricter control and visibility over drivers operating at the kernel level, threat actors have realized if they can game the process they would have free rein to do what they want. The trick however, is to develop a driver that doesn’t appear to be malicious to the security checks implemented by Microsoft during the review process.
Mandiant, another security firm to discover the abuse, said that “several distinct malware families, associated with distinct threat actors, have been signed through the Windows Hardware Compatibility Program.” Company researchers identified at least nine organization names abusing the program. Besides somehow gaining access to Microsoft certificates, the threat actors also managed to obtain EV certificates from third-party certificate authorities.