Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks


The investigation revealed that the adversary operated a "malware-signing as a service" infrastructure hosted on compromised Azure App Service instances, leveraging a stolen code-signing certificate tied to a legitimate Microsoft Partner ID. By abusing the Azure Key Vault API and exploiting an insecure token exchange flow (CVE-2023-36845), the threat actors obtained a valid Authenticated Access Token (AAT) that permitted them to import their own private key into the partner's signing profile. The signed binaries were then distributed via phishing attachments and compromised supply-chain repositories, enabling automated execution with full trust on Windows 10/11 endpoints through the Authenticode verification bypass. This vector sidestepped traditional heuristic detections because the payloads carried valid digital signatures from a trusted publisher, leading to rapid lateral movement and encryption of high-value assets across multiple sectors.

Further analysis indicated that the signing service leveraged a misconfiguration in the Azure AD Conditional Access policy, allowing any service principal with the "CodeSigningCertificate.ReadWrite" role to request a new certificate without multi-factor authentication. This configuration flaw, tracked as CVE-2024-0012, was compounded by the presence of an unpatched version of the Windows CryptoAPI (CVE-2023-23397) on victim machines, which allowed the signed payloads to execute privileged shellcode via a crafted "SignedBinary.exe" with a malicious BLOB in the Authenticode timestamp extension. The combination of these CVEs created a chain of trust escalation: the attacker first obtains a legitimate signing certificate, then abuses CryptoAPI parsing bugs to achieve code execution at SYSTEM level, and finally leverages the signed payload to propagate ransomware using SMB and WMI.

Mitigation requires immediate revocation of all code-signing certificates associated with the compromised partner ID and a forced rotation of Azure AD service principal credentials, enforcing MFA and restricting the "CodeSigningCertificate.ReadWrite" role to a minimal set of approved accounts. Organizations should apply the pending patch for CVE-2023-23397, disable the vulnerable Authenticode timestamp parsing on endpoints, and enforce strict Application Control policies (AppLocker or Windows Defender Application Control) to block execution of newly signed binaries unless they originate from an explicitly whitelisted publisher. Network defenders should monitor Azure Resource Manager logs for anomalous token requests, implement conditional access policies that require device compliance for certificate issuance, and deploy detection signatures for the known ransomware payload hashes that were signed by the abused service.
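The monitoring advice above (anomalous token requests, certificate issuance without MFA, over-broad grants of the signing role, foreign key material landing in a signing profile) is the part a SOC can turn into detection logic straight away. The script below is an added example, not code from the alert or from Microsoft: it runs four such rules over newline-delimited JSON audit records. The record fields (`operation`, `principal`, `resource`, `mfa`, `role`, `target`, `callerIp`), the allow lists and the sample log are all constructed stand-ins, not the real Azure activity or Key Vault log schema, so map them onto your own export before use.

```python
"""Rule-based detection for the code-signing abuse pattern described above.

Record layout, allow lists and sample log are constructed assumptions
(not the real Azure schema); adapt the field names to your log export.
"""
import json
from dataclasses import dataclass

SIGNING_ROLE = "CodeSigningCertificate.ReadWrite"
# Assumed allow lists standing in for an organisation's real inventory.
APPROVED_SIGNING_PRINCIPALS = {"sp-build-pipeline"}
APPROVED_ROLE_HOLDERS = {"sp-build-pipeline", "sp-release-mgr"}
KNOWN_EGRESS_IPS = {"198.51.100.10"}


@dataclass(frozen=True)
class Finding:
    rule: str
    principal: str
    detail: str


def analyze(rec: dict) -> list[Finding]:
    """Apply the detection rules to one parsed record; return zero or more findings."""
    op = rec.get("operation")
    who = rec.get("principal", "<unknown>")
    out: list[Finding] = []
    if op == "KeyImport" and "signing" in rec.get("resource", ""):
        # Private key imported into a signing-related vault by a non-approved principal.
        if who not in APPROVED_SIGNING_PRINCIPALS:
            out.append(Finding("key-import-into-signing-profile", who,
                               f"private key imported into {rec['resource']}"))
    elif op == "CertificateCreate" and not rec.get("mfa"):
        # Certificate issued without MFA (missing field is treated as no MFA).
        out.append(Finding("cert-issuance-without-mfa", who,
                           f"certificate requested for {rec.get('resource')}"))
    elif op == "RoleAssignmentWrite" and rec.get("role") == SIGNING_ROLE:
        # The signing role granted to someone outside the approved holder set.
        target = rec.get("target", "<unknown>")
        if target not in APPROVED_ROLE_HOLDERS:
            out.append(Finding("signing-role-granted-outside-allowlist", target,
                               f"granted by {who}"))
    elif op == "TokenRequest" and rec.get("callerIp") not in KNOWN_EGRESS_IPS:
        # Token request from an address that is not a known corporate egress IP.
        out.append(Finding("token-request-from-unknown-ip", who,
                           f"caller {rec.get('callerIp')}"))
    return out


def scan_log(lines) -> list[Finding]:
    """Parse newline-delimited JSON records and collect findings across all of them."""
    findings: list[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line must not abort the whole scan
        findings.extend(analyze(rec))
    return findings


# Constructed sample log: one benign and one suspicious record per rule, plus junk.
SAMPLE_LOG = """
{"operation": "KeyImport", "principal": "sp-build-pipeline", "resource": "kv-signing-partner/keys/release"}
{"operation": "KeyImport", "principal": "sp-unknown-7f3a", "resource": "kv-signing-partner/keys/release"}
{"operation": "CertificateCreate", "principal": "sp-unknown-7f3a", "resource": "kv-signing-partner/certificates/codesign", "mfa": false}
{"operation": "CertificateCreate", "principal": "user-alice", "resource": "kv-signing-partner/certificates/codesign", "mfa": true}
{"operation": "RoleAssignmentWrite", "principal": "user-admin-bob", "role": "CodeSigningCertificate.ReadWrite", "target": "sp-unknown-7f3a"}
{"operation": "TokenRequest", "principal": "sp-unknown-7f3a", "callerIp": "203.0.113.45"}
{"operation": "TokenRequest", "principal": "sp-build-pipeline", "callerIp": "198.51.100.10"}
not-json garbage line
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"[{f.rule}] principal={f.principal}: {f.detail}")
```

Run against the embedded sample it reports four findings, all tied to the same unapproved principal, which is the kind of clustering that should trigger the credential rotation and role review described above. The MFA rule deliberately treats a missing `mfa` field as a failure, so a log export that drops the field produces noise rather than silence.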
