Microsoft admits certifying a driver loaded with rootkit malware, says 'small number' of customers compromised by Nobelium hackers

Bogus driver connected to command-and-control servers based in China. Nobelium stole data via support agent's machine

Software giant Microsoft has acknowledged that it mistakenly signed a malicious driver for Windows, which was loaded with rootkit malware.

The driver, named Netfilter, was observed to be communicating with Chinese command-and-control (C2) servers, according to media reports.

"Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments," the firm said in an online post published on Friday.

The company disclosed that the drivers were built by a third party and were submitted for certification through the Windows Hardware Compatibility Program.

The account used by the malicious actor has been suspended, and the company says it is reviewing that account's other submissions for additional signs of malware.

There is no evidence to suggest that the malicious actors stole certificates, and Microsoft did not attribute the incident to state-sponsored actors.

The company said that the threat actor has used the malicious drivers mainly to target the gaming sector, specifically in China, and that no impact on enterprise environments has been observed so far.

"The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers," Microsoft added.

The malicious driver was first spotted last week by G Data security researcher Karsten Hahn.

In a blog post, Hahn said that G Data's cybersecurity alert system notified them of a possible false positive - the "Netfilter" driver that was signed by Microsoft.

The Netfilter driver was observed communicating with C2 servers based in China while providing no genuine functionality.

It raised suspicions among G Data researchers who forwarded the findings to Microsoft.

"Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system," Hahn said.

"Drivers without a Microsoft certificate cannot be installed by default. The sample has a self-update routine that sends its own MD5 hash to the server via hxxp://110.42.4.180:2081/v?v=6&m=".
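
The self-update URL Hahn quotes is the one network indicator the write-up gives, and it has a recognisable shape: a fixed host and port, path /v, a version parameter and an m parameter carrying the driver's own MD5 hash. The following is an added example, not code from the article, G Data or Microsoft: a small Python hunt over proxy log lines for that beacon. The log format, client addresses and timestamps are constructed for the example, and the hash value is the MD5 of an empty string, standing in for whatever hash a real sample would send.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicator taken from the G Data write-up quoted above (the page defangs the
# scheme as hxxp; real log lines carry http).
C2_HOST = "110.42.4.180"
C2_PORT = 2081
C2_PATH = "/v"
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample proxy log (hypothetical format: timestamp, client IP, method,
# URL, status). The 32-hex value is the MD5 of an empty string, used as a placeholder.
SAMPLE_LOG = """\
2021-06-25T10:01:02Z 10.0.0.15 GET http://110.42.4.180:2081/v?v=6&m=d41d8cd98f00b204e9800998ecf8427e 200
2021-06-25T10:01:05Z 10.0.0.16 GET http://example.com/index.html 200
2021-06-25T10:02:07Z 10.0.0.17 GET http://110.42.4.180:2081/v?v=6&m=notahash 200
2021-06-25T10:03:11Z 10.0.0.18 GET http://110.42.4.180:8080/other 404
"""


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def classify(url):
    """Return (verdict, md5) where verdict is 'beacon', 'suspicious-host' or None.

    'beacon' means the full self-update pattern matched (host, port, path, v=6 and a
    well-formed MD5 in m); 'suspicious-host' means traffic to the C2 address that
    does not match the pattern and still deserves a look.
    """
    u = urlsplit(url)
    if u.hostname != C2_HOST:
        return None, None
    if u.port != C2_PORT or u.path != C2_PATH:
        return "suspicious-host", None
    params = parse_qs(u.query)
    m = params.get("m", [""])[0]
    if params.get("v") == ["6"] and MD5_RE.match(m):
        # The beacon leaks the driver's own hash: keep it so the responder can
        # locate the file on the client by MD5 and submit it for analysis.
        return "beacon", m.lower()
    return "suspicious-host", None


def hunt(log_text):
    """Scan log text and return a list of (client, verdict, url, md5) hits."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict, md5 = classify(rec["url"])
        if verdict is not None:
            hits.append((rec["client"], verdict, rec["url"], md5))
    return hits


if __name__ == "__main__":
    for client, verdict, url, md5 in hunt(SAMPLE_LOG):
        print(f"{client:<12} {verdict:<16} {url}" + (f"  md5={md5}" if md5 else ""))
```

The two-tier verdict is deliberate: any contact with the C2 address is worth triage, but only a hit that matches the full beacon shape tells you a copy of the driver is running on that client and hands you its hash. Since the hash is self-reported by the malware, treat it as a lead for locating the file, not as proof of which variant it is.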

The drivers were created by Ningbo Zhuo Zhi Innovation Network Technology, which was working with Microsoft to study known security vulnerabilities in the company's software.

Microsoft said in its online post that the techniques involved occur only 'post exploitation', meaning the Netfilter driver poses no threat on its own: a kernel driver can only be installed by someone who already holds administrative privileges on the machine, so users would have to go out of their way to load it.

In any case, the incident has exposed a weakness in the company's legitimate code-signing process: a threat actor who can pass a malicious driver through the submission pipeline obtains Microsoft-signed code without stealing or compromising any signing certificate, and that signature is what lets the driver load on a default Windows installation.

Microsoft said it would refine its signing process, validation and partner access policies to prevent such incidents from recurring.

In other news, Microsoft says some customers were compromised by Russian hacking group Nobelium, which is accused of being behind the SolarWinds hack.

In a post on its website, Microsoft said on Friday it had detected "information-stealing malware" on a computer belonging to a support agent.

"As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers," says Microsoft.

"The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign. We responded quickly, removed the access and secured the device."

Microsoft says the attempt, targeted at customers in IT, government, non-governmental organisations, think tanks and financial services, was "mostly unsuccessful", although it knows of three instances in which organisations were compromised.

It advises customers to use zero-trust technologies and multi-factor authentication to protect themselves.

In May, researchers at the Microsoft Threat Intelligence Center (MSTIC) reported a wave of cyber attacks by Nobelium, including one involving the United States Agency for International Development (USAID).

Update: a previous headline to this story may have implied that Nobelium used a SolarWinds vulnerability to hack the Microsoft support agent, which was not the case. A SolarWinds spokesperson requested we publish the following clarification: "The latest cyberattack reported by Microsoft does not involve our company or our customers in any way."