fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft Admits to Signing Rootkit Malware in Supply-chain Fiasco

Microsoft Admits to Signing Rootkit Malware in Supply-chain Fiasco

Microsoft has now confirmed signing a malicious driver being distributed within gaming environments.

This driver, called “Netfilter,” is in fact a rootkit that was observed communicating with Chinese command-and-control (C2) IPs.

G Data malware analyst Karsten Hahn first took notice of this event last week and was joined by the wider infosec. community in tracing and analyzing the malicious drivers bearing the seal of Microsoft.

This incident has once again exposed threats to software supply-chain security, except this time it stemmed from a weakness in Microsoft’s code-signing process.

“Netfilter” driver is rootkit signed by Microsoft

Last week, G Data’s cybersecurity alert systems flagged what appeared to be a false positive, but was not—a Microsoft signed driver called “Netfilter.”

The driver in question was seen communicating with China-based C&C IPs providing no legitimate functionality and as such raised suspicions.

This is when G Data’s malware analyst Karsten Hahn shared this publicly and simultaneously contacted Microsoft:

microsoft signs malicious netfilter driver
The malicious binary has been signed by Microsoft (VirusTotal)

“Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system.”

“Drivers without a Microsoft certificate cannot be installed by default,” states Hahn.

At the time, BleepingComputer began observing the behavior of C2 URLs and also contacted Microsoft for a statement.

The first C2 URL returns a set of more routes (URLs) separated by the pipe (“|”) symbol:

first c2 response
Navigating to the C2 URL presents more routes for different purposes
Source: BleepingComputer

Also Read: The DNC Singapore: Looking at 2 Sides Better

Each of these serves a purpose, according to Hahn:

  • The URL ending in “/p” is associated with proxy settings,
  • “/s” provides encoded redirection IPs,
  • “/h?” is for receiving CPU-ID,
  • “/c” provided a root certificate, and
  • “/v?” is related to the malware’s self-update functionality.

As seen by BleepingComputer, for example, the “/v?” path provided URL to the malicious Netfilter driver in question itself (living at “/d3”):

path to malware binary
Path to malicious Netfilter driver
Source: BleepingComputer

The G Data researcher spent some time sufficiently analyzing the driver and concluded it to be malware.

The researcher has analyzed the driver, its self-update functionality, and Indicators of Compromise (IOCs) in a detailed blog post.

“The sample has a self-update routine that sends its own MD5 hash to the server via hxxp://110.42.4.180:2081/v?v=6&m=,” says Hahn.

An example request would look like this:hxxp://110.42.4.180:2081/v?v=6&m=921fa8a5442e9bf3fe727e770cded4ab

“The server then responds with the URL for the latest sample, e.g. hxxp://110.42.4.180:2081/d6 or with ‘OK’ if the sample is up-to-date. The malware replaces its own file accordingly,” further explained the researcher.

self-update functionality
Malware’s self-update functionality analyzed by G Data

During the course of his analysis, Hahn was joined by other malware researchers including Johann AydinbasTakahiro Haruyama, and Florian Roth.

Roth was able to gather the list of samples in a spreadsheet and has provided YARA rules for detecting these in your network environments.

Notably, the C2 IP 110.42.4.180 that the malicious Netfilter driver connects to belonged to Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd, according to WHOIS records:

whois record for 110.42.4.180
WHOIS search for the IP address (BleepingComputer)

Another researcher @cowonaut alleged that the aforementioned company has previously been marked by the U.S. Department of Defense (DoD) as a “Communist Chinese military” company.

However, BleepingComputer did not see Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd. present on any of the DoD lists available, and has reached out to the G Data researcher for clarification.

Also Read: 4 Best Practices on How to Use SkillsFuture Credit

Microsoft admits to signing the malicious driver

Microsoft is actively investigating this incident, although thus far, there is no evidence that stolen code-signing certificates were used.

The mishap seems to have resulted from the threat actor following Microsoft’s process to submit the malicious Netfilter drivers, and managing to acquire the Microsoft-signed binary in a legitimate manner:

“Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments.”

“The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party.”

“We have suspended the account and reviewed their submissions for additional signs of malware,” said Microsoft yesterday.

According to Microsoft, the threat actor has mainly targeted the gaming sector specifically in China with these malicious drivers, and there is no indication of enterprise environments having been affected so far.

Microsoft has refrained from attributing this incident to nation-state actors just yet.

Falsely signed binaries can be abused by sophisticated threat actors to facilitate large-scale software supply-chain attacks.

The multifaceted Stuxnet attack that targeted Iran’s nuclear program marks a well-known incident in which code-signing certificates were stolen from Realtek and JMicron to facilitate the attack.

This particular incident, however, has exposed weaknesses in a legitimate code-signing process, exploited by threat actors to acquire Microsoft-signed code without compromising any certificates.

Update 12:26 PM ET: Clarified that BleepingComputer did not see the DoD list explicitly mentioning the alleged Chinese company, contrary to the details in the researcher’s report. Also reached out to Hahn for clarification.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us