arstechnica.com
URL:
https://arstechnica.com/security/2023/08/facing-failure-after-failure-microsofts-driver-signing-program-fails-yet-again/
Submission: On September 06 via api from IN — Scanned from DE
MORE SECURITY THEATER — MICROSOFT SIGNING KEYS KEEP GETTING HIJACKED, TO THE DELIGHT OF CHINESE THREAT ACTORS
WHAT'S THE POINT OF LOCKS WHEN HACKERS CAN EASILY GET THE KEYS TO UNLOCK THEM?
Dan Goodin - 8/25/2023, 3:17 PM

In July, security researchers revealed a sobering discovery: hundreds of pieces of malware used by multiple hacker groups to infect Windows devices had been digitally signed and validated as safe by Microsoft itself. On Tuesday, a different set of researchers made a similarly solemn announcement: Microsoft’s digital keys had been hijacked to sign yet more malware for use by a previously unknown threat actor in a supply-chain attack that infected roughly 100 carefully selected victims.

The malware, researchers from Symantec’s Threat Hunter Team reported, was digitally signed with a certificate for use in what is alternatively known as the Microsoft Windows Hardware Developer Program and the Microsoft Windows Hardware Compatibility Program. The program is used to certify that device drivers—the software that runs deep inside the Windows kernel—come from a known source and that they can be trusted to securely access the deepest and most sensitive recesses of the operating system. Without the certification, drivers are ineligible to run on Windows.

HIJACKING KEYS TO THE KINGDOM

Somehow, members of this hacking team—which Symantec calls Carderbee—managed to get Microsoft to digitally sign a type of malware known as a rootkit.
Once installed, rootkits become what’s essentially an extension of the OS. To gain that level of access without tipping off endpoint security systems and other defenses, the Carderbee hackers first needed their rootkit to receive the Microsoft seal of approval, which it received when Microsoft signed it.

With the rootkit signed, Carderbee went on to pull off another audacious feat. Through means that aren’t yet clear, the group attacked the infrastructure of Esafenet, a China-based company that develops Cobra DocGuard Client, software for encrypting and decrypting software so it can’t be tampered with. Then, Carderbee used its newfound control to push malicious updates to roughly 2,000 organizations that are Cobra DocGuard customers. Hacking group members then pushed the Microsoft-signed rootkit to roughly 100 of those organizations. Representatives with Esafenet and its parent company, NSFOCUS, didn't respond to an email asking for verification.

“It seems clear that the attackers behind this activity are patient and skilled actors,” Symantec researchers wrote. “They leverage both a supply chain attack and signed malware to carry out their activity in an attempt to stay under the radar. The fact that they appear to only deploy their payload on a handful of the computers they gain access to also points to a certain amount of planning and reconnaissance on behalf of the attackers behind this activity.”

Microsoft put the mandatory program in place with the launch of Windows 10. Attackers had long used drivers in post-exploit activities, meaning after hacking a system and gaining administrative access. While attackers could already install apps, steal passwords, and take other liberties, running code in the kernel allowed them to do things that would otherwise be impossible. For example, they could suppress warnings from endpoint detection and response systems and other defenses.
Effective from then on, drivers that needed kernel access had to be digitally signed.

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.

PROMOTED COMMENTS

jamesb2147:

I'm just shocked (genuinely!) that Microsoft is so incompetent that they haven't:
1) Tracked down the likely common thread (read: bad actor) between all these events
2) Shut down, at least temporarily, the ability of any known-compromised org to create newly signed drivers while an investigation and remediation actions are taken (and at some point, you need the "stick" of yanking it permanently to be available)
3) Started applying SAST/DAST and/or tweaking the existing code scanners to look for known IOC's from these breaches - are they even reviewing this code at all before signing?

What exactly is the point of this signing if Microsoft is just going to willy-nilly approve everything and stick its head in the sand when anyone suggests they might have done something wrong?!

ETA: Once again, I am shocked that CISO's generally haven't made a HUGE public stink about "accepting the risks" of using Microsoft software. This article is about C-suite level of concerns, but the Azure compromise from June? That shit was board level of concern.

August 25, 2023 at 1:56 pm
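The article's point is that a valid Microsoft hardware-program signature is what lets a driver load in the kernel, and that the Carderbee rootkit carried exactly such a signature. A defender therefore cannot treat "signed" as "safe"; the useful first step is to know which signer stands behind every kernel driver on a host so that third-party drivers signed through the hardware program can be reviewed separately from Microsoft's own. The script below is an added example written for this page, not code from Ars Technica, Symantec, or Microsoft. It assumes Windows PowerShell 5.1 or later with rights to read the driver files under the Windows directory; the function names, the path normalisation rules and the signer-name pattern used for flagging are this example's own choices.

```powershell
# Added example (not from the Ars Technica article or Symantec's report): inventory the
# kernel drivers registered on this host, resolve each driver file, read its Authenticode
# signature, and flag drivers that are unsigned/invalid or that carry the Windows Hardware
# Compatibility Publisher signature so a reviewer can triage them.
# Assumptions: Windows PowerShell 5.1+, read access to %SystemRoot%\System32\drivers.

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    # Win32_SystemDriver reports paths in several NT-style forms; normalise them to Win32 paths.
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p.StartsWith('\SystemRoot\', [System.StringComparison]::OrdinalIgnoreCase)) {
        $p = Join-Path $env:SystemRoot $p.Substring(12)
    } elseif ($p -notmatch '^[A-Za-z]:\\') {
        # Relative entries such as "system32\DRIVERS\foo.sys" are relative to the Windows directory.
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-KernelDriverSignatureReport {
    param(
        # Signer subject fragment to flag for review. Third-party drivers signed through the
        # hardware program carry Microsoft's "Windows Hardware Compatibility Publisher" certificate.
        [string]$FlagSignerPattern = 'Windows Hardware Compatibility Publisher'
    )
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            # A registered driver whose file cannot be found deserves a look in its own right.
            [pscustomobject]@{ Name = $_.Name; State = $_.State; Path = $path
                               Status = 'FileNotFound'; Signer = $null; Flag = $true }
            return
        }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        [pscustomobject]@{
            Name   = $_.Name
            State  = $_.State
            Path   = $path
            Status = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = $signer
            # Flag anything that is not validly signed, plus validly signed hardware-program drivers.
            Flag   = ($sig.Status -ne 'Valid') -or ($signer -like "*$FlagSignerPattern*")
        }
    }
}

# Usage: show only the drivers worth a closer look, running ones first.
Get-KernelDriverSignatureReport |
    Where-Object Flag |
    Sort-Object State, Name |
    Format-Table Name, State, Status, Signer, Path -AutoSize
```

Two caveats on reading the output. A driver that lands in the flagged list because its signer is the hardware-program publisher is not thereby malicious; the article's whole point is that legitimate and hostile drivers can carry the same signature, so the list is a triage aid that tells you which files to cross-check against your hardware inventory and vendor expectations, not a verdict. And Get-AuthenticodeSignature reports the signature as seen by the current machine's certificate stores, so a driver whose certificate has since been revoked or blocked will only show a non-Valid status once the host has received the corresponding updates.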