Were you wondering what Microsoft has been up to these days, except preparing Windows 11 for the big release, later this year?
- G Data security analysts stumbled upon this major issue and brought it to public attention.Microsoft has admitted to having signed the Netfilter driver, which contains rootkit malware.The malicious Netfilter driver connects to, belonged to Ningbo Zhuo Zhi Innovation Network Technology Co.Microsoft has also refrained from attributing this incident to a specific nation or other third parties yet.
Well, this time the Redmond company really got careless, as they signed a malicious driver, that has been distributed within gaming environments.
These are not rumors anymore, as Microsoft already admitted to this monumental fiasco.
The Netfilter driver is Microsoft’s rootkit
The driver we are talking about, called Netfilter, is actually a rootkit that was monitored while communicating with Chinese command-and-control (C2) IPs.
Analysts from the security firm G Data first noticed this event last week and already started tracing and analyzing the malicious drivers that had Microsoft’s seal on them.
Needless to say that the incident in cause has once again exposed the threats to software supply-chain security, only this time it started from a weakness in Microsoft’s code-signing process.
G Data researchers spent quite some time thoroughly analyzing the driver and have concluded it to be malware. As specified in the blog post, the discoveries they made shook them to their very core.
☢️Network filter rootkit that connects to this IP in China:hxxp://110.42.4.180:2081/u
It does not look like Moriya (signature will be corrected asap)
File is signed by Microsoft.#rootkit #netfilterhttps://t.co/lhvmmgHn6w
— Karsten Hahn (@struppigel) June 17, 2021
Worth knowing is that the C2 IP 110.42.4.180 that the malicious Netfilter driver connects to, belonged to Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd.
Microsoft admitted to being guilty in this sensitive matter
According to the tech giant, the threat has been mainly targeting the gaming sector in China with these malicious drivers, but there are no signs of enterprise environments having been affected so far.
Microsoft has also refrained from attributing this incident to a specific nation just yet.
If you didn’t already know, falsely signed binaries can be continuously abused by sophisticated third parties in order to facilitate large scale software supply chain attacks.
We have suspended the account and reviewed their submissions for additional signs of malware.
The worst thing for Microsoft is that this incident has exposed weaknesses in a legitimate code-signing process, exploited by malicious third parties in order to acquire Microsoft-signed code without compromising any certificates.
We will keep an eye out for any developments in this story and keep you updated.
If the advices above haven’t solved your issue, your PC may experience deeper Windows problems. We recommend downloading this PC Repair tool (rated Great on TrustPilot.com) to easily address them. After installation, simply click the Start Scan button and then press on Repair All.
Still having issues? Fix them with this tool:
SPONSORED
- malwaremicrosoft
Email *
Commenting as . Not you?
Comment
