Microsoft Admits to Mistakenly Signing a Malicious Malware Rootkit (gdatasoftware.com)
Bleeping Computer reports:
Microsoft has now confirmed signing a malicious driver being distributed within gaming environments. This driver, called "Netfilter," is in fact a rootkit that was observed communicating with Chinese command-and-control IPs.
G Data malware analyst Karsten Hahn first took notice of this event last week and was joined by the wider infosec community in tracing and analyzing the malicious drivers bearing the seal of Microsoft... This incident has once again exposed threats to software supply-chain security, except this time it stemmed from a weakness in Microsoft's code-signing process.
G Data writes: We forwarded our findings to Microsoft who promptly added malware signatures to Windows Defender and are now conducting an internal investigation. At the time of writing it is still unknown how the driver could pass the signing process.
In a Friday blog post, Microsoft said it was contacting other antivirus software vendors "so they can proactively deploy detections," but also emphasized the attack's limited scope: The actor's activity is limited to the gaming sector specifically in China and does not appear to target enterprise environments. We are not attributing this to a nation-state actor at this time. The actor's goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers.
It's important to understand that the techniques used in this attack occur post exploitation, meaning an attacker must either have already gained administrative privileges in order to be able to run the installer to update the registry and install the malicious driver the next time the system boots or convince the user to do it on their behalf.
We will be sharing an update on how we are refining our partner access policies, validation and the signing process to further enhance our protections. There are no actions customers should take other than follow security best practices and deploy Antivirus software such as Windows Defender for Endpoint.
"Netfilter" (Score:3, Funny)
They misspelled "Windows". :-)
Re: (Score:2)
esports teams cheating in this way? (Score:2)
esports teams cheating in this way?
Re: (Score:2)
No. Other sites are saying it clearly has military links. M$ just isn't prepared to say so yet.
The presumption is the targets of the state have been using gaming cafes to avoid scrutiny.
Re: (Score:3)
It gets worse. Dell has opened the door to bios infecting malware through its bios updating utility,
https://arstechnica.com/inform... [arstechnica.com]
Re: (Score:2)
Thankfully I don't have to worry about this. @BIOS for my Gigabyte motherboard just gets a 500 error when contacting the server :D
Might as well uninstall it, there's not going to be any more BIOS updates anyway... *clickclickclick*
Re: (Score:2)
You'll likely have to flip some switches in the BIOS (you seem like the kind of genius that turns off Secure Boot and TPM)
Otherwise, you tick all the boxes.
There are new minimum hardware requirements for Windows 11. In order to run Windows 11, devices must meet the following specifications. Devices that do not meet the hard floor cannot be upgraded to Windows 11, and devices that meet the soft floor will receive a notification that upgrade is not advised.
You are well, well above the hard floor.
Really smooths the whole anti-virus (Score:2)
Was wondering after reading this (Score:2)
Re: (Score:2)
Re: (Score:2)
"activity is limited to the gaming sector specifically in China" Does Microsoft sign all the "authorized" Windows programs in China for the CCP? If so, it seems Microsoft and the CCP are joined at the hip.
Microsoft signs anything they normally deem not to be malware (though clearly that isn't perfect). Having China as a customer does not mean they are "joined at the hip", especially since that "joined at the hip" customer is one that is actively trying to replace Microsoft.
I'd prefer MS deal with the CCP than have some private entity act as a morality police.
Well, it is Microsoft (Score:1, Troll)
You know, those responsible for most of the current security mess...
Re: (Score:2)
What current security mess? You do realise that the overwhelming majority of attacks on systems do not target OS level vulnerabilities and instead target users, right? Wait... it's gweihir. Of course you don't. Keep believing security is all about picking a vendor, just do us a favour and don't ever work on anything important.
Re: Well, it is Microsoft (Score:1)
Re: (Score:2)
Wait, you're wrong. There are epic numbers of holes in OS code, orders of magnitude greater in Microsoft wares than other OS.
Unfortunately, yes. Also, MS is setting a bad example, lowering standards overall.
Re: (Score:2)
Just to name a few problems MS caused: Outlook, bad browser security, OS patches so unreliable they get installed with a long delay causing security problems, AD insecurities for lateral movement, laughable protection against local privilege escalation, the more than occasional remote exploit, etc.
Incidentally, I am an IT security auditor, IT security consultant and IT security lecturer. If I really screw up, it may well make the international press. (Not with my name attached, of course, so I may well be l
Re: (Score:2)
Just to name a few problems MS caused
Thanks for your competent use of past tense. But there's one that I need to mock you over:
OS patches so unreliable they get installed with a long delay causing security problems
Bahahahahahahahaha. Yeah MS, the company known for forcefully pushing critical updates with no recourse and little warning, for pushing updates at such a high cadence that the entire industry asked them to slow down, the company often mocked and complained about because Slashdot users themselves don't want to reboot to apply updates, that MS is pushing patches with long delay. hahahah. Man your comedy routine is golden
Re: (Score:2)
OS patches so unreliable they get installed with a long delay causing security problems
Bahahahahahahahaha. Yeah MS, the company known for forcefully pushing critical updates with no recourse and little warning, for pushing updates at such a high cadence that the entire industry asked them to slow down, the company often mocked and complained about because Slashdot users themselves don't want to reboot to apply updates, that MS is pushing patches with long delay.
Your argument completely fails to support the idea that the patches are not delayed before they are forced on users.
Microsoft has done all of the following: Releasing patches early and having to re-patch; releasing patches in a timely fashion; releasing patches after very, very long delays.
That they force patches on users once released is completely and totally irrelevant to the argument at hand.
Re: (Score:2)
Actually I was mostly thinking about the enterprise version, where MS cannot force anything. Well, they could force themselves out of the enterprise market...
I have seen delays of security critical patches in enterprises for several weeks just because in-house certification took so long. If MS had reliable patches that do not change functionality beyond the absolute necessary, critical patches would get installed a lot faster, making things a lot more reliable. Contrast that with, for example, Debian Linux.
Re: (Score:2)
Bahahahahahahahaha. Yeah MS, the company known for forcefully pushing critical updates with no recourse and little warning, for pushing updates at such a high cadence that the entire industry asked them to slow down, the company often mocked and complained about because Slashdot users themselves don't want to reboot to apply updates, that MS is pushing patches with long delay. hahahah. Man your comedy routine is golden. 10/10 Everyone should see your stand up show.
I see you are functionally illiterate and clueless. Obviously I am talking about users delaying patch installation, most notably in the enterprise version. Incidentally, if you had 2 brain cells to rub together, it would have been obvious even to you that it is not MS delaying patch installation because of unreliable patches, but users and enterprises that have gotten bitten by that unreliability before.
Not only the most hacked (Score:1, Troll)
WHQL isn't a security certificate (Score:2)
They test for compatibility for a range of configurations. They can't reasonably check all third party drivers for explicit backdoors, let alone for obfuscated ones.
Re: (Score:3)
Indeed WHQL is not. I'm just curious why you bring up this completely irrelevant concept which has nothing to do with Microsoft's code-signing process which exists for a completely different purpose.
Hint: All drivers need to be code-signed. Not all drivers are WHQL.
Re: (Score:2)
There seem to be a lot of people in this discussion who really have no idea what the fuck they're talking about.
It perplexes me. If you don't know shit about a topic, why opine as if you do?
Re: Malicious Malware? (Score:1)
So, where do YOU set the dial? (Score:5, Insightful)
Re: (Score:1)
Yeah, it'll be so great when I upgrade to a new computer with a TPM module and current-gen CPU. Then I can run Windows 11 and still get malware, because Microsoft accidentally signed it. Oops.
Re: (Score:2)
Re: (Score:2)
Yeah, it'll be so great when I upgrade to a new computer with a TPM module and current-gen CPU.
If you have a machine that doesn't have a TPM1.2 at least, you should probably not install Windows 11. Or 10.
I own 3 pre-skylake machines. All have TPM1.2s.
I think what's more likely is you're just making noise to make noise.
Re: (Score:1)
This is just a public example of their fuckups. Microsoft was compromised a long time ago. Why do you think Navy still uses Windows 95?
Re: (Score:2)
Why do you think Navy still uses Windows 95?
Because of closed source software and drivers. Also, it's not Windows 95, it's Windows XP.
Re: (Score:1)
No because they've fully audited it and can easily remove risky services.
Re: (Score:2)
Do you want a six week approval process involving face to face visits, scanning of passports and other identity documents, blood samples and three-factor authentication?
Yes. If it's that much trouble then they might actually put some effort into eliminating all the bugs the first time around.
Re: (Score:3)
Why sign code that you aren't going to check? Might as well drop the theater altogether.
Re:So, where do YOU set the dial? (Score:5, Insightful)