Facing Failure After Failure, Microsoft’s Driver-signing Program Fails Yet Again
upstart writes:
What's the point of locks when hackers can easily get the keys to unlock them?
In July, security researchers revealed a sobering discovery: hundreds of pieces of malware used by multiple hacker groups to infect Windows devices had been digitally signed and validated as safe by Microsoft itself. On Tuesday, a different set of researchers made a similarly solemn announcement: Microsoft's digital keys had been hijacked to sign yet more malware for use by a previously unknown threat actor in a supply-chain attack that infected roughly 100 carefully selected victims.
The malware, researchers from Symantec's Threat Hunter Team reported, was digitally signed with a certificate for use in what is alternatively known as the Microsoft Windows Hardware Developer Program and the Microsoft Windows Hardware Compatibility Program. The program is used to certify that device drivers-the software that runs deep inside the Windows kernel-come from a known source and that they can be trusted to securely access the deepest and most sensitive recesses of the operating system. Without the certification, drivers are ineligible to run on Windows.
Somehow, members of this hacking team-which Symantec is calling Carderbee-managed to get Microsoft to digitally sign a type of malware known as a rootkit. Once installed, rootkits become what's essentially an extension of the OS itself. To gain that level of access without tipping off end-point security systems and other defenses, the Carderbee hackers first needed its rootkit to receive the Microsoft seal of approval, which it got after Microsoft signed it.
With the rootkit signed, Carderbee went on to pull another audacious feat. Through means that aren't yet clear, the group attacked the infrastructure of Esafenet, a China-based developer of software, known as the Cobra DocGuard Client, for encrypting and decrypting software so it can't be tampered with. Then, Carderbee used its newfound control to push malicious updates to roughly 2,000 organizations that are Cobra DocGuard customers. Hacking group members then pushed the Microsoft-signed rootkit to roughly 100 of those organizations. Representatives with Esafenet and its parent company, NSFOCUS, didn't respond to an email asking for verification.
Read more of this story at SoylentNews.