URL: https://arstechnica.com/security/2023/08/facing-failure-after-failure-microsofts-driver-signing-program-fails-yet-again/

MORE SECURITY THEATER —

MICROSOFT SIGNING KEYS KEEP GETTING HIJACKED, TO THE DELIGHT OF CHINESE THREAT ACTORS

WHAT'S THE POINT OF LOCKS WHEN HACKERS CAN EASILY GET THE KEYS TO UNLOCK THEM?

Dan Goodin - 8/25/2023, 3:17 PM


In July, security researchers revealed a sobering discovery: hundreds of pieces
of malware used by multiple hacker groups to infect Windows devices had been
digitally signed and validated as safe by Microsoft itself. On Tuesday, a
different set of researchers made a similarly solemn announcement: Microsoft’s
digital keys had been hijacked to sign yet more malware for use by a previously
unknown threat actor in a supply-chain attack that infected roughly 100
carefully selected victims.

The malware, researchers from Symantec’s Threat Hunter Team reported, was
digitally signed with a certificate for use in what is alternatively known as
the Microsoft Windows Hardware Developer Program and the Microsoft Windows
Hardware Compatibility Program. The program is used to certify that device
drivers—the software that runs deep inside the Windows kernel—come from a known
source and that they can be trusted to securely access the deepest and most
sensitive recesses of the operating system. Without the certification, drivers
are ineligible to run on Windows.


HIJACKING KEYS TO THE KINGDOM

Somehow, members of this hacking team—which Symantec calls Carderbee—managed to
get Microsoft to digitally sign a type of malware known as a rootkit. Once
installed, a rootkit becomes what is essentially an extension of the OS. To gain
that level of access without tipping off endpoint security systems and other
defenses, the Carderbee hackers first needed their rootkit to carry the
Microsoft seal of approval, which it received once Microsoft signed it.

With the rootkit signed, Carderbee went on to pull off another audacious feat.
Through means that aren't yet clear, the group attacked the infrastructure of
Esafenet, a China-based developer of the Cobra DocGuard Client, software for
encrypting and decrypting software so it can't be tampered with. Carderbee then
used its newfound control to push malicious updates to roughly 2,000
organizations that are Cobra DocGuard customers. Members of the hacking group
then pushed the Microsoft-signed rootkit to roughly 100 of those organizations.
Representatives of Esafenet and its parent company, NSFOCUS, didn't respond to
an email asking for verification.

“It seems clear that the attackers behind this activity are patient and skilled
actors,” Symantec researchers wrote. “They leverage both a supply chain attack
and signed malware to carry out their activity in an attempt to stay under the
radar. The fact that they appear to only deploy their payload on a handful of
the computers they gain access to also points to a certain amount of planning
and reconnaissance on behalf of the attackers behind this activity.”

Microsoft put the mandatory program in place with the launch of Windows 10.
Attackers had long used drivers in post-exploit activities, meaning after
hacking a system and gaining administrative access. While attackers could
already install apps, steal passwords, and take other liberties, running code in
the kernel allowed them to do things that would otherwise be impossible. For
example, they could suppress warnings from endpoint detection and response
systems and other defenses. Effective from then on, drivers that needed kernel
access had to be digitally signed.
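The signing requirement described above means every kernel driver running on a Windows 10 or later host carries a signature chain a defender can inspect. The script below is an added example (it is not part of the Ars article, and it is not Microsoft's or Symantec's code) that inventories the drivers currently loaded, resolves their on-disk paths, and reports each one's Authenticode status and signer. It assumes an elevated PowerShell session on Windows, and the publisher name it compares against is the certificate CN that drivers signed through the Hardware Compatibility Program are assumed to carry; the article itself does not name it. The point of the triage view at the end is the article's point: a valid signature only tells you who vouched for the binary, so third-party drivers vouched for solely by the compatibility program are the ones worth a second look, alongside anything whose signature does not validate.

```powershell
# Added example, not code from the article or from Microsoft/Symantec.
# Assumes: elevated PowerShell on Windows. The CN below is assumed to be the
# publisher name carried by drivers signed via the Hardware Compatibility Program.
$WhcpPublisher = 'Microsoft Windows Hardware Compatibility Publisher'

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports NT-style paths; translate them to Win32 paths.
    $p = $PathName -replace '^\\\?\?\\', ''            # strip \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot  # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') {
        # Bare relative paths such as system32\drivers\foo.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-RunningDriverSignatures {
    Get-CimInstance Win32_SystemDriver -Filter "State='Running'" |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }   # skip unresolvable entries
            # Checks embedded Authenticode signatures and, on Windows 10+, catalog
            # signatures (inbox drivers are usually catalog-signed).
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $cn = if ($subject -match 'CN=([^,]+)') { $Matches[1] } else { '' }
            [pscustomobject]@{
                Name       = $_.Name
                Path       = $path
                Status     = $sig.Status        # Valid, NotSigned, HashMismatch, ...
                SigType    = $sig.SignatureType # Authenticode, Catalog or None
                Signer     = $cn
                # Third-party code whose only voucher is the compatibility program:
                # exactly the trust relationship the article describes.
                WhcpSigned = ($cn -eq $WhcpPublisher)
            }
        }
}

# Triage view: unsigned or tampered drivers, plus third-party drivers that are
# trusted only because the compatibility program signed them.
$drivers = Get-RunningDriverSignatures
$drivers |
    Where-Object { $_.Status -ne 'Valid' -or $_.WhcpSigned } |
    Sort-Object Name |
    Format-Table Name, Status, SigType, Signer, Path -AutoSize
```

Run it from an elevated prompt; catalog lookups make the enumeration take a little while on hosts with many inbox drivers. A signer name matching the compatibility publisher is not evidence of anything malicious on its own, which is exactly why the output is an inventory to reconcile against expected vendors rather than an alert.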

Page: 1 2 3 Next →

Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he
oversees coverage of malware, computer espionage, botnets, hardware hacking,
encryption, and passwords. In his spare time, he enjoys gardening, cooking, and
following the independent music scene.

PROMOTED COMMENTS

jamesb2147
I'm just shocked (genuinely!) that Microsoft is so incompetent that they
haven't:

1) Tracked down the likely common thread (read: bad actor) between all these
events
2) Shut down, at least temporarily, the ability of any known-compromised org to
create newly signed drivers while an investigation and remediation actions are
taken (and at some point, you need the "stick" of yanking it permanently to be
available)
3) Started applying SAST/DAST and/or tweaking the existing code scanners to look
for known IOCs from these breaches - are they even reviewing this code at all
before signing?

What exactly is the point of this signing if Microsoft is just going to
willy-nilly approve everything and stick its head in the sand when anyone
suggests they might have done something wrong?!

ETA: Once again, I am shocked that CISOs generally haven't made a HUGE public
stink about "accepting the risks" of using Microsoft software. This article is
about C-suite level of concerns, but the Azure compromise from June? That shit
was board level of concern.
August 25, 2023 at 1:56 pm
