Whoa. Sophos researchers just announced that they’ve uncovered 133 malicious drivers signed with legitimate digital certificates, and found 100 of those 133 drivers were signed by Microsoft.

https://news.sophos.com/en-us/2023/07/11/microsoft-revokes-malicious-drivers-in-patch-tuesday-culling/

From the post:

"Today, Microsoft issued Security Advisory ADV230001 as part of their July Windows Update that addresses Sophos’ discovery of more than 100 malicious drivers that had been digitally signed by Microsoft and others, dating as far back as April 2021."

"They also released Knowledge Base article 5029033, which includes new, more detailed information on the technical measures Microsoft has taken to protect against these malicious signed drivers."

https://msrc.microsoft.com/update-guide/vulnerability/ADV230001

https://support.microsoft.com/help/5029033

Today's post about patches from Microsoft and Apple to quash zero-day bugs:

https://krebsonsecurity.com/2023/07/apple-microsoft-patch-tuesday-july-2023-edition/

I wrote recently about one of the bigger names in signing malware as a service:

https://krebsonsecurity.com/2023/06/ask-fitis-the-bear-real-crooks-sign-their-malware/

[Link preview] Microsoft Revokes Malicious Drivers in Patch Tuesday Culling (Sophos News): "In December 2022, Microsoft published their monthly Windows Update packages that included an advisory about malicious drivers, signed by Microsoft and other code-signing authorities, that Sophos X-…"
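The advisory above is about drivers that carried valid-looking signatures until Microsoft revoked them. An added example of the kind of triage a defender can run on a Windows host (this is example code written for this thread, not code from Sophos, Microsoft or the post): it inventories every driver the system knows about and reports the Authenticode status and signer of each driver file, so that drivers whose signature no longer validates (or that are unsigned) are listed first for review. The function name `Get-DriverSignatureReport` is an assumption for this example; `Get-CimInstance`, `Win32_SystemDriver` and `Get-AuthenticodeSignature` are standard Windows PowerShell facilities.

```powershell
# Added example: inventory registered kernel drivers and check each file's
# Authenticode signature. Not from the original post or from Sophos/Microsoft.

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param()

    # Win32_SystemDriver lists every registered driver, not only those loaded now.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName }

    foreach ($d in $drivers) {
        # PathName may be prefixed with \??\ or wrapped in quotes; normalise it.
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^"|"$', ''
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # Status is one of: Valid, NotSigned, NotTrusted, HashMismatch,
        # UnknownError, NotSupportedFileFormat, Incompatible.
        $sig = Get-AuthenticodeSignature -LiteralPath $path

        [PSCustomObject]@{
            Driver = $d.Name
            State  = $d.State
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '' }
            Path   = $path
        }
    }
}

# Usage: drivers whose signature is not Valid sort to the top of the table.
Get-DriverSignatureReport |
    Sort-Object @{ Expression = { $_.Status -eq 'Valid' } }, Driver |
    Format-Table -AutoSize
```

This is a user-mode chain-validation check and a triage aid only; whether a given driver is actually blocked from loading is decided by the kernel's own enforcement, which the Sophos and Microsoft articles linked above describe. A `NotTrusted` or `NotSigned` entry is a prompt to look at the file and its signer, not by itself proof of malice.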

@briankrebs IIRC, Peter Gutmann states in his 'Engineering Security' book draft from April 2014 that we can expect malicious actors to buy and use (code-signing) certificates.

They have the money (often stolen from other people), and most certificate issuers don't really check the buyer's identity for a certificate (=providing an infrastructure of certificate vending machines).