Chinese in origin, or so it appears. Microsoft admits to signing rootkit malware in supply-chain fiasco
Last week, G Data's cybersecurity alert systems flagged what appeared to be a false positive, but was not: a Microsoft-signed driver called "Netfilter."
The driver in question was seen communicating with China-based C&C IPs while providing no legitimate functionality, which raised suspicions.
The details are esoteric, but it would seem that Microsoft's procedures for signing drivers need a little work.
The mishap seems to have resulted from the threat actor following Microsoft's process to submit the malicious Netfilter drivers, and managing to acquire the Microsoft-signed binary in a legitimate manner:
"Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments."
"The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party."
"We have suspended the account and reviewed their submissions for additional signs of malware," said Microsoft yesterday.
Someone needs to review the whole procedure.
And while it happened once, people are now on the lookout for similar badly-behaving drivers.
A day may come when companies take security seriously, but today is not that day.