Microsoft digital certificates have once again been misused to sign malware

Microsoft has been caught again letting its legitimate digital certificates sign malware in the wild, a bug that allows malicious files to pass stringent security checks designed to prevent them from running on Windows.

Several threat actors have been implicated in the abuse of Microsoft’s digital pass, which they have used to give Windows and endpoint security applications the impression that malicious system drivers have been certified safe by Microsoft. This has led to speculation that there may be one or more malicious organizations selling malicious driver signatures as a service. Overall, the researchers identified at least nine separate developer entities that have abused certificates in recent months.

The breach was discovered independently by four third-party security companies, who then privately reported it to Microsoft. On Tuesday, during Microsoft’s Monthly Update Tuesday, the company confirmed the findings and said it had determined that the abuse came from multiple developer accounts and that no network intrusion was detected.

The software maker has now suspended developer accounts and implemented blocking detections to prevent Windows from trusting certificates used to sign compromised certificates. “Microsoft recommends that all customers install the latest Windows updates and ensure that antivirus products and discovery endpoints are updated with the latest signatures and enabled to prevent these attacks,” company officials wrote.

Primer signing code

Because most drivers have direct access to the kernel — the core of Windows where the most sensitive parts of the operating system are located — Microsoft requires that they be digitally signed using an internal company process known as certification. Without this digital signature, Windows will not load the driver. Authentication has also become a de facto way for third-party security products to decide whether a driver is trustworthy. Microsoft has a separate driver validation process known as the Microsoft Windows Hardware Compatibility Program, in which drivers run various additional tests to ensure compatibility.

For drivers to be signed by Microsoft, a hardware developer must first obtain an Extended Validation certificate, which requires the developer to prove their identity to a trusted Certificate Authority in Windows and provides additional security safeguards. The developer then associates the EV Certificate with their Windows Hardware Developer Program account. Developers then submit their driver package to Microsoft for testing.

Researchers from SentinelOne, one of the three security companies that detected certificate abuse and reported it privately to Microsoft, explained:

The main problem with this process is that most security solutions only implicitly trust anything signed by Microsoft, especially kernel-mode drivers. Starting with Windows 10, Microsoft started requiring all kernel-mode drivers to be signed using the Windows Hardware Developer Center dashboard portal. Anything not signed through this process cannot be loaded in recent versions of Windows. While the intent of this new requirement was to gain tighter control and visibility over drivers operating at the kernel level, threat actors realized that if they could manipulate the process, they would be free to do whatever they wanted. However, the trick is to develop a driver that does not appear to be malicious for the security checks that Microsoft performs during the review process.

Mandiant, another abuse detection security firm, said that “several distinct malware families, associated with distinct threat actors, are signed through the Windows Device Compatibility Program.” The company’s researchers have identified at least nine organizations abusing the software. Besides somehow gaining access to Microsoft certificates, the threat actors were also able to obtain EV certificates from third-party certificate authorities.