Date: 2023-08-01
What's the point of locks when hackers can easily get the keys to unlock them?
In July, security researchers revealed a sobering discovery: hundreds of pieces of malware used by multiple hacker groups to infect Windows devices had been digitally signed and validated as safe by Microsoft itself. On Tuesday, a different set of researchers made a similarly solemn announcement: Microsoft's digital keys had been hijacked to sign yet more malware for use by a previously unknown threat actor in a supply-chain attack that infected roughly 100 carefully selected victims.
The malware, researchers from Symantec's Threat Hunter Team reported, was digitally signed with a certificate for use in what is alternatively known as the Microsoft Windows Hardware Developer Program and the Microsoft Windows Hardware Compatibility Program. The program is used to certify that device drivers—the software that runs deep inside the Windows kernel—come from a known source and that they can be trusted to securely access the deepest and most sensitive recesses of the operating system. Without the certification, drivers are ineligible to run on Windows.
Somehow, members of this hacking team—which Symantec is calling Carderbee—managed to get Microsoft to digitally sign a type of malware known as a rootkit. Once installed, a rootkit becomes what is essentially an extension of the OS itself. To gain that level of access without tipping off endpoint security systems and other defenses, the Carderbee hackers first needed their rootkit to receive Microsoft's seal of approval, which it got when Microsoft signed it.
With the rootkit signed, Carderbee went on to pull off another audacious feat. Through means that aren't yet clear, the group attacked the infrastructure of Esafenet, a China-based developer of Cobra DocGuard Client, software for encrypting and decrypting software so it can't be tampered with. Carderbee then used its newfound control to push malicious updates to roughly 2,000 organizations that are Cobra DocGuard customers, and went on to push the Microsoft-signed rootkit to roughly 100 of those organizations. Representatives of Esafenet and its parent company, NSFOCUS, didn't respond to an email asking for verification.
[...] In recent months, Microsoft has come under blistering criticism for security practices that led to the breach of dozens of accounts belonging to customers using the company's Azure and Exchange cloud offerings. What's arguably worse has been the company's opaque notifications of those events and the role Microsoft played in their origins. The CEO and chairman of security firm Tenable, Amit Yoran, recently said the company's security was mired in "grossly irresponsible" practices and a "culture of toxic obfuscation."
Those same dynamics are at play in Microsoft's recent failures in policing the processes it put in place for digitally certifying trustworthy Windows drivers. The near-verbatim advisories mentioned earlier—one from last December and the other from last month—illustrate that whatever the company has been doing to lock down the program isn't working. They also show how the company relies on vague and ambiguous notifications that aim to conceal as much as inform.
Microsoft's driver-signing requirement is founded on a concept known as security in depth (more commonly called defense in depth). The idea is to have multiple layers of security so that if one fails, another will prevent a breach or at least contain the damage. In this case, certificates are a hedge designed to lessen the harm that comes when an adversary gains administrative rights on a compromised device: without a signature from a trusted source, a driver is not supposed to be loadable into the kernel, no matter who is asking.
Virtually all of the key-hijacking incidents reported in recent years have been attributed to Chinese hackers, usually for espionage purposes. Microsoft's string of failures in locking down its certification program, and its reticence when disclosing them, are undermining the entire concept of security, much to the delight of these adversaries.