A low-angle view on a blue digital key made to resemble a circuit and placed on a surface with encrypted text.

Microsoft has once again been caught allowing its legitimate digital certificates to sign in the wild, a lapse that allows the malicious files to passStrict security checks designed to prevent them from running on the Windows operating system.

Threat actors were involved in the misuse of Microsoft's digital imprimatur, which they used to give Windows and endpoint security applications the impression malicious system drivers had been certified as safe by Microsoft There are rumors that there may be one or more malicious organizations that are selling driver-signing as a service. There are at least nine developer entities that have abused the certificates.

Four third party security companies discovered the abuse and reported it to Microsoft. On Tuesday, during Microsoft's monthly Patch Tuesday, the company confirmed the findings and said that no network breach has been detected.

The developer accounts have been suspended and blocking detections have been put in place to prevent Windows from trusting the certificates used to sign them. Microsoft recommends that all customers install the latest Windows updates and that their anti-viruses and endpoint detection products are up to date with the latest signatures.

Code-signing primer

The most sensitive parts of the OS reside in the core of Windows, which is why Microsoft requires drivers to be digitallysigned. Windows won't load the driver unless this digital signature is present. Attestation is used to determine if a driver is trustworthy. In order to ensure compatibility, Microsoft has a separate driver validation process called the Microsoft Windows Hardware Compatibility Program.


To get drivers signed by Microsoft, a hardware developer needs an extended validation certificate, which requires the developer to prove its identity to a Windows trusted certificate authority and provide additional security assurances. The EV certificate is attached to the developer's account. The driver package is submitted to Microsoft.

One of the security firms that discovered the misuse of the certificate reported it to Microsoft.

The main issue with this process is that most security solutions implicitly trust anything signed by only Microsoft, especially kernel mode drivers. Starting with Windows 10, Microsoft began requiring all kernel mode drivers to be signed using the Windows Hardware Developer Center Dashboard portal. Anything not signed through this process is not able to load in modern Windows versions. While the intent of this new requirement was to have stricter control and visibility over drivers operating at the kernel level, threat actors have realized if they can game the process they would have free rein to do what they want. The trick however, is to develop a driver that doesn’t appear to be malicious to the security checks implemented by Microsoft during the review process.

Several distinct malware families, associated with distinct threat actors, have been signed through the Windows Hardware Compatibility Program. There are at least nine organization names that are abusing the program. The threat actors were able to obtain EV certificates from third party certificate authorities.