Microsoft is revoking fraudulent certificates that the authors of the Flame malware toolkit used to make their software appear to come from the software giant. It has issued an update for all supported versions of Windows.
The attackers behind the Flame malware toolkit, which is believed to have been used in a nation-state-sponsored cyberespionage campaign, could use the fraudulent certificates, which chained up to a Microsoft certificate authority, to spoof content and to carry out phishing and man-in-the-middle attacks.
The fraudulent certificates were discovered during an investigation into the vulnerabilities that Flame exploits to spread, said Mike Reavey, senior director of the Microsoft Security Response Center. Flame infected fewer than 200 Windows systems in Iran and even fewer machines in other countries in the Middle East and North Africa.
“Our investigation has discovered some techniques used by this malware that could also be leveraged by less-sophisticated attackers to launch more widespread attacks,” Reavey wrote in a blog post about the Microsoft Flame malware advisory. “We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft.”
Microsoft: A third CA issued certificates with weak ciphers
Microsoft addressed the fraudulent digital certificates issued by its certificate authority (CA) in an advisory issued Sunday. The fraudulent certificates are being used in active attacks, according to the advisory. Microsoft engineers also determined that “a third certificate authority has been found to have issued certificates with weak ciphers,” Microsoft said in its advisory.
The Microsoft update applies to all supported versions of Windows. It revokes trust in the following certificates: two Microsoft Enforced Licensing Intermediate PCA certificates and one Microsoft Enforced Licensing Registration Authority CA certificate. The fraudulent certificates also put users of Windows mobile devices at risk, but the update issued Sunday does not include a fix for smartphones.
The issue stemmed from Microsoft’s Terminal Server Licensing Service, which customers use to authorize Remote Desktop services in their enterprises. Reavey said the service relied on an older cryptographic algorithm and issued certificates that could be used to sign code.
In an update posted Monday, Reavey said the attackers appeared to have used a cryptographic collision attack against the weak hash algorithm. Because a signature covers only the hash of a certificate, two certificates with the same hash carry the same valid signature, so a collision lets an attacker obtain a CA’s signature on a certificate the CA never saw. A practical collision attack against the MD5 hash function was demonstrated by researchers in 2005. Both MD5 and SHA-1 are considered vulnerable to this technique, and most applications are replacing them with the SHA-2 family of hash functions.
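The check a practitioner would want after reading the above is whether any certificate in a chain is still signed with one of those hashes. The script below is an added example written for this page, not Microsoft's tooling and not anything from the advisory: it reads the outer signatureAlgorithm of an X.509 certificate with only the Python standard library and flags MD5- and SHA-1-based signatures. The two demo certificates it runs on by default are constructed inside the script (minimal DER with a placeholder body and a dummy signature), not real certificates, and all names in it (`signature_oid`, `classify_signature`, `build_demo_cert`, `load_der`, `to_pem`) are this example's own.

```python
"""Flag X.509 certificates whose signature rests on a broken hash (MD5, SHA-1).
Standard library only; it reads just the outer signatureAlgorithm of the DER Certificate
SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }. Example code for this article."""
import base64
import re
import sys

SIG_OIDS = {                             # verdict: collision-prone hash vs SHA-2
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "weak"),
    "1.2.840.10040.4.3": ("dsa-with-sha1", "weak"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "weak"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "ok"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "ok"),
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _expect(der, pos, tag, what):
    """Read the TLV at pos and insist on its tag; return (value_start, value_end)."""
    t, start, end = _read_tlv(der, pos)
    if t != tag:
        raise ValueError(f"{what} missing (got tag 0x{t:02x})")
    return start, end

def _decode_oid(raw):
    """OID content octets -> dotted decimal; the first octet packs the first two arcs."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                    # base-128, high bit set on continuation octets
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def load_der(data):
    """Accept PEM or DER bytes and return raw DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def signature_oid(der):
    """Dotted OID of the outer signatureAlgorithm, i.e. what the issuing CA signed with."""
    pos, _ = _expect(der, 0, 0x30, "Certificate SEQUENCE")
    _, pos = _expect(der, pos, 0x30, "tbsCertificate")       # skip the whole TBS body
    pos, _ = _expect(der, pos, 0x30, "signatureAlgorithm")
    start, end = _expect(der, pos, 0x06, "algorithm OID")
    return _decode_oid(der[start:end])

def classify_signature(der):
    """Return (oid, algorithm name, verdict); verdict is 'weak', 'ok' or 'review' for an unknown OID."""
    oid = signature_oid(der)
    name, verdict = SIG_OIDS.get(oid, ("unrecognised", "review"))  # unknown: a human should look
    return oid, name, verdict

# Constructed sample data: a minimal DER encoder and placeholder certificates (not real ones).
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append((arc & 0x7F) | 0x80)
        out.extend(reversed(chunk))
    return bytes(out)

def build_demo_cert(sig_oid):
    """Structurally valid Certificate with a dummy body and a 2048-bit-sized dummy signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                                  # just a serial number
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))   # OID + NULL params
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + b"\xAA" * 256))    # BIT STRING, 0 unused bits

def to_pem(der):
    """Wrap DER in PEM armour (only used here to exercise load_der's PEM path)."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:                # a real certificate file, PEM or DER
        with open(sys.argv[1], "rb") as f:
            certs = {sys.argv[1]: load_der(f.read())}
    else:                                # the constructed demos
        certs = {"demo-md5": build_demo_cert("1.2.840.113549.1.1.4"),
                 "demo-sha256": build_demo_cert("1.2.840.113549.1.1.11")}
    for name, der in certs.items():
        oid, alg, verdict = classify_signature(der)
        print(f"{name}: {alg} ({oid}) -> {verdict}")
```

Run it with a PEM or DER file as the first argument to check a real certificate, or with no arguments to see the constructed MD5 and SHA-256 demos. Check every intermediate in a chain, not just the leaf: the signature that matters is the one the issuing CA placed on the next certificate down, which is the signature a collision lets an attacker reuse, while a root's self-signature is irrelevant because roots are trusted by their fingerprint rather than by signature.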
Once applied, the update blocks software signed with the unauthorized certificates. In addition, Reavey said the Terminal Server Licensing Service no longer issues certificates that can be used to sign code.
The Flame malware toolkit surfaced last month when Kaspersky Lab went public with its analysis of the threat. The Russia-based antivirus vendor said Flame “might be the most sophisticated cyberweapon yet unleashed.” Other security experts have disagreed with that claim, saying the malware, which is large at about 20 megabytes, is a collection of attack tools commonly used by other Trojans.