Τον Ιούλιο, ερευνητές ασφαλείας αποκάλυψαν κάτι απογοητευτικό: εκατοντάδες malware που χρησιμοποιήθηκαν από πολλές hacking ομάδες για να μολύνουν συσκευές με Windows είχαν υπογραφεί ψηφιακά και επικυρώθηκαν σαν ασφαλή από την ίδια τη Microsoft.
On Tuesday, different researchers did one similar official announcement: Microsoft digital keys were stolen to sign even more malware for use by an unknown attacker in a supply chain attack that infected around 100 carefully selected victims.
Το κακόβουλο λογισμικό, ανέφεραν ερευνητές από την ομάδα Threat Hunter της Symantec, υπογράφηκε ψηφιακά με πιστοποιητικό που εfiberi known as Microsoft Windows Hardware Developer Program and the Microsoft Windows Hardware Compatibility Program. This program is used to certify that device drivers – the software that runs deep within the core of Windows – usually come from a known and trusted source to safely access the most sensitive areas of the operating system. Without the certification, the drivers are not suitable to run on Windows.
Somehow, members of this hacking group – which Symantec calls Carderbee – managed to get Microsoft to digitally sign a type of malware known as a rootkit. Once installed, rootkits become an extension of the operating system itself.
To gain this level of access without being blocked by end-point security systems and other defenses, the Carderbee hackers first needed to obtain rootkit certification and Microsoft's seal of approval, which they did.
With the rootkit signed, Carderbee went “a little” further. By means that are not yet clear, the group attacked the infrastructure of Esafenet, a China-based software developer. The company develops the Cobra DocGuard Client, for encrypting and decrypting software so it can't be hacked.
The Carderbee team then pushed malicious updates to around 2.000 organizations that were the company's customers. After that the members of the hacking group started distributing the Microsoft-signed rootkit to about 100 of these organizations.
"It seems clear that the attackers behind this activity were patient and very skilled," Symantec researchers said.
"The fact that they only distribute the rootkit to a few computers suggests planning and target recognition by the attackers behind this activity."