Microsoft disrupts service selling fake certificates to ransomware gangs

Illustration: Aïda Amer/Axios
Microsoft's digital crime investigators took down online infrastructure supporting a cybercriminal service that sold fraudulent code-signing certificates to ransomware gangs, the company said today.
Why it matters: The operation highlights how quickly cybercriminals are scaling the business of selling trusted-looking digital certificates, which make it easier for hackers to distribute malware that can evade security defenses.
- "They've made this operational and scalable by providing a mass service to cybercriminals and ransomware operators to essentially go out, get their code signed quickly... then deploy whatever operations they want," Maurice Mason, principal cybercrime investigator at Microsoft's Digital Crimes Unit, told reporters.
Driving the news: Microsoft obtained a court order earlier this month allowing the company to seize websites, domain names and other infrastructure tied to the group, which Microsoft tracks as Fox Tempest.
- The group abused Microsoft's Artifact Signing service, a platform designed to help legitimate developers sign software, to generate certificates that made malware appear trustworthy to security systems, according to Microsoft.
- Microsoft said malware signed through Fox Tempest's service was used by ransomware groups and cybercriminal operations including Rhysida, Akira, INC and Vanilla Tempest.
- The certificates allowed attackers to disguise malicious software as legitimate applications, helping malware get past security controls that treat a valid signature as a sign of legitimacy and increasing the likelihood victims would run infected files.
- The group targeted organizations in the U.S., France, India, China, Brazil, Germany, Japan, the U.K., Italy and Spain, according to Microsoft.
- Microsoft coordinated the takedown with the FBI, Europol and industry partners whose brands and services were being impersonated.
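The practical lesson for defenders is that a code signature which verifies cleanly only proves the file was not altered after signing; it says nothing about whether the signer deserves trust. The triage script below is an added example written for this page, not code from the Axios article or from Microsoft. It walks a directory, reads each binary's Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet, and reports files whose signature is cryptographically valid but whose signer is not on an allowlist. The $TrustedSignerThumbprints parameter is a hypothetical allowlist the reader populates with the SHA-1 thumbprints of publishers they actually expect to see.

```powershell
# Added example (not from the article or Microsoft): separate "signature verifies"
# from "signer is trusted" when triaging binaries on a Windows host.
param(
    [string]$Path = 'C:\Program Files',
    # Hypothetical allowlist: SHA-1 thumbprints of signer certificates you expect.
    [string[]]$TrustedSignerThumbprints = @()
)

$files = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi, *.ps1 -ErrorAction SilentlyContinue

$report = foreach ($f in $files) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $cert = $sig.SignerCertificate

    # Validity window of the signing certificate; useful for clustering samples
    # signed through the same issuing platform.
    $lifetimeDays = if ($cert) { [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays, 1) } else { $null }

    # "Valid" means the chain and hash check out. It is NOT a trust decision by itself.
    $verdict = switch ($sig.Status) {
        'NotSigned' { 'UNSIGNED' }
        'Valid' {
            if ($cert.Thumbprint -in $TrustedSignerThumbprints) { 'TRUSTED_SIGNER' }
            else { 'VALID_UNKNOWN_SIGNER' }   # the case this article is about: investigate the publisher
        }
        default { "INVALID($($sig.Status))" }  # HashMismatch, NotTrusted, UnknownError, ...
    }

    [pscustomobject]@{
        File         = $f.FullName
        Verdict      = $verdict
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint
        CertLifetime = $lifetimeDays
        Timestamped  = [bool]$sig.TimeStamperCertificate
    }
}

# Everything that is not positively trusted goes to the analyst, unknown-but-valid signers first.
$report | Where-Object Verdict -ne 'TRUSTED_SIGNER' | Sort-Object Verdict, Issuer | Format-Table -AutoSize
```

Run it as `.\Triage-Signatures.ps1 -Path C:\Users\Public -TrustedSignerThumbprints $myAllowlist`. The Subject, Issuer and Thumbprint columns are what a responder pivots on: the same signer thumbprint or issuing CA turning up across unrelated ransomware samples is exactly the pattern that points at a shared signing service rather than a compromised individual developer.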
By the numbers: Microsoft estimates that Fox Tempest has generated more than 1,000 certificates and operated hundreds of Azure tenants and subscriptions supporting the service.
Zoom in: Microsoft investigators engaged directly with a longtime seller of Fox Tempest's code-signing certificates over Telegram during the investigation, Mason said.
- During those conversations, the seller offered code-signing services for between $5,000 and $7,500 and directed prospective buyers to complete a Google Form detailing what service tier they wanted and how frequently they planned to use certificates.
- Microsoft investigators attempted to purchase another certificate after the court order was issued, but the seller responded that the service was no longer working properly and suggested they were shifting operations elsewhere.
Yes, but: Microsoft cautioned that disrupting one operation is unlikely to permanently stop cybercriminals from abusing code-signing services or adapting their tactics.
- "When you take that capability away, you're making it harder and more expensive for these criminals to operate," Steven Masada, global head of Microsoft's Digital Crimes Unit, told reporters. "But this isn't one and done. These actors will adapt."
