Microsoft Admits to Mistakenly Signing a Malicious Malware Rootkit

Saturday June 26, 2021. 11:34 PM , from Slashdot

Bleeping Computer reports:

Microsoft has now confirmed signing a malicious driver being distributed within gaming environments. This driver, called 'Netfilter,' is in fact a rootkit that was observed communicating with Chinese command-and-control IPs.

G Data malware analyst Karsten Hahn first took notice of this event last week and was joined by the wider infosec community in tracing and analyzing the malicious drivers bearing the seal of Microsoft... This incident has once again exposed threats to software supply-chain security, except this time it stemmed from a weakness in Microsoft's code-signing process.

G Data writes:
We forwarded our findings to Microsoft who promptly added malware signatures to Windows Defender and are now conducting an internal investigation. At the time of writing it is still unknown how the driver could pass the signing process.

In a Friday blog post, Microsoft said it was contacting other antivirus software vendors 'so they can proactively deploy detections,' but also emphasized the attack's limited scope:

The actor's activity is limited to the gaming sector specifically in China and does not appear to target enterprise environments. We are not attributing this to a nation-state actor at this time. The actor's goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers.

It's important to understand that the techniques used in this attack occur post exploitation, meaning an attacker must either have already gained administrative privileges in order to be able to run the installer to update the registry and install the malicious driver the next time the system boots or convince the user to do it on their behalf.

We will be sharing an update on how we are refining our partner access policies, validation and the signing process to further enhance our protections. There are no actions customers should take other than follow security best practices and deploy Antivirus software such as Windows Defender for Endpoint.

Read more of this story at Slashdot.