Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha

Microsoft Defender has recently been at the center of a significant issue, erroneously flagging legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha. This misidentification has led to a wave of false-positive alerts, causing the removal of these certificates from Windows systems globally.

Cybersecurity expert Florian Roth noted that the problem emerged following a Defender signature update on April 30th. Since then, administrators around the world have reported that certain DigiCert root certificate entries were incorrectly identified as malware, resulting in their removal from the Windows trust store.

Among the certificates affected are:

  • 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
  • DDFB16CD4931C973A2037D3FC83A4D7D775D05E4

On impacted systems, these certificates were removed from the AuthRoot store, specifically under the following Registry key:

HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates

The false positives have understandably raised alarm among Windows users, with some mistakenly believing their devices were compromised and opting to reinstall their operating systems for safety.

Microsoft Defender “Trojan:Win32/Cerdigent.A!dha” False Positive
Source: Reddit

In response to the situation, Microsoft has reportedly addressed the issue in Security Intelligence update version 1.449.430.0, with the latest update now at version 1.449.431.0. Users have noted that this fix also restores the previously removed certificates on affected systems.

Windows users can expect the new Microsoft Defender updates to install automatically. However, they can also manually initiate an update by navigating to Windows Security > Virus and threat protection > Protection updates and selecting Check for Updates.
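To turn the details above (the two affected thumbprints, the AuthRoot registry key, and the fixed signature version) into a check an administrator can run on a host, here is an added PowerShell example. It is not from the article and not Microsoft's own guidance; it assumes the Defender PowerShell module cmdlets Get-MpComputerStatus, Update-MpSignature and Get-MpThreat are available (they ship with Windows 10/11 and Windows Server), and it uses the thumbprints and registry path exactly as the article lists them.

```powershell
# Added example (not from the article): verify the Defender signature version,
# look for a recorded Cerdigent detection, and confirm both DigiCert roots are
# present in the AuthRoot store. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

$MinimumFixedVersion = [version]'1.449.430.0'   # version the article says contains the fix
$AffectedThumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)
$AuthRootKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'

# 1. Signature version: Get-MpComputerStatus reports it as a dotted string, so cast to [version]
#    for a numeric comparison rather than a string one.
$current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if ($current -lt $MinimumFixedVersion) {
    Write-Warning "Signature version $current predates the fix ($MinimumFixedVersion); updating."
    Update-MpSignature   # same action as Windows Security > Protection updates > Check for updates
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
}
"Defender signature version: $current"

# 2. Did this host ever record the false-positive detection?
$hits = Get-MpThreat | Where-Object { $_.ThreatName -like '*Cerdigent*' }
if ($hits) { "Cerdigent detections recorded: $($hits.ThreatName -join ', ')" }
else       { "No Cerdigent detections recorded on this host." }

# 3. Confirm the roots are back, via the Cert: drive and via the registry key the article names
#    (each certificate in AuthRoot is stored as a subkey named by its thumbprint).
foreach ($tp in $AffectedThumbprints) {
    $cert   = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot | Where-Object Thumbprint -eq $tp
    $regKey = Test-Path -Path (Join-Path $AuthRootKey $tp)
    if ($cert) {
        # A root certificate is self-issued (Subject equals Issuer); that is what separates
        # these entries from the revoked DigiCert EV code-signing certificates discussed below.
        "{0}  present  registry={1}  subject={2}  self-signed={3}" -f `
            $tp, $regKey, $cert.Subject, ($cert.Subject -eq $cert.Issuer)
    } else {
        # Caveat: AuthRoot is populated lazily by the automatic root update, so an absent entry
        # alone is not proof that Defender removed it; a recorded detection in step 2 is the
        # stronger signal that this host was affected.
        "{0}  missing  registry={1}" -f $tp, $regKey
    }
}
```

Update-MpSignature and reading the AuthRoot registry key both require elevation, which is why the script declares #Requires -RunAsAdministrator. On a fleet, the same three checks can be collected through your endpoint management tooling; the point of the version cast in step 1 is that a string comparison of "1.449.430.0" against "1.449.99.0" would give the wrong answer.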

Following the publication of this article, Microsoft confirmed that the false positives were linked to detections related to compromised certificates from a recent DigiCert breach. “Following reports of compromised certificates, Microsoft Defender immediately added detections for malware in our Defender Antivirus Software to help keep customers protected. Earlier today, we determined false positive alerts were mistakenly triggered and updated the alert logic,” the company stated to BleepingComputer.

Microsoft further clarified, “Microsoft Defender suppressed and cleaned up the alerts for customer environments. Customers should update to Security Intelligence version 1.449.430.0 or later, but do not need to take additional action for these alerts. We have notified affected organizations and recommend administrators look for more details in the service health dashboard (SHD) within the M365 admin center.”

Linked to recent DigiCert breach

The timing of these false positives coincides with a recently disclosed security incident at DigiCert, where threat actors managed to obtain valid code-signing certificates used for signing malware. According to DigiCert’s incident report, “A malware incident targeted a customer support team member. Upon detection, the threat vector was contained.”

The investigation revealed that the threat actor procured initialization codes for a limited number of code-signing certificates, some of which were subsequently used to sign malware. “The identified certificates were revoked within 24 hours of discovery, and the revocation date was set to their date of issuance. As a precautionary measure, pending orders within the window of interest were cancelled,” DigiCert explained, promising to provide additional details in their full incident report.

According to the report, attackers targeted the company’s support staff in early April by sending support messages that contained a malicious ZIP file disguised as a screenshot. After several blocked attempts, one support analyst’s device was compromised, followed by a second system that remained undetected due to an endpoint protection “sensor gap.”

Using access to the breached support environment, the hacker exploited a feature in DigiCert’s internal support portal that allowed support staff to view customer accounts from the customer’s perspective. Although the breach was limited in scope, it exposed “initialization codes” for previously approved, but undelivered, EV code-signing certificate orders.

DigiCert emphasized that possession of an initialization code, combined with an approved order, is sufficient to obtain the resulting certificate. “Since the threat actor was able to obtain these two pieces of information for a finite set of approved orders, they were able to obtain EV Code Signing certificates across a set of customer accounts and CAs,” the report detailed.

In total, DigiCert revoked 60 code-signing certificates, including 27 linked to a “Zhong Stealer” malware campaign. “11 were identified in certificate problem reports provided to DigiCert by community members linking the certificates to malware, and 16 were identified during our own investigation,” they added.

Zhong Stealer malware campaign

This incident aligns with earlier reports from security researchers who observed newly issued DigiCert EV certificates being utilized in malware campaigns. Researchers such as Squiblydoo, MalwareHunterTeam, and g0njxa reported that certificates issued to notable companies like Lenovo, Kingston, Shuttle Inc, and Palit Microsystems were being used to sign malware.

As noted by Squiblydoo on X, “What do Lenovo, Kingston, Shuttle Inc, and Palit Microsystems have in common? EV Certificates from these companies were issued and used by a Chinese crime group, #GoldenEyeDog (#APT-Q-27)!”

The malware associated with this campaign, dubbed “Zhong Stealer,” appears to function more like a remote access trojan (RAT) than a traditional infostealer. Researchers have detailed the distribution methods of this malware, which include:

  • Phishing emails delivering a fake image or screenshot
  • A first-stage executable that displays a decoy image
  • Retrieval of a second-stage payload from cloud storage such as AWS
  • Utilization of signed binaries and loaders, including components tied to legitimate vendors

Following DigiCert’s disclosure of the incident, researchers reiterated how the certificates used in these malware campaigns were obtained. It is important to note that the certificates flagged by Microsoft Defender are DigiCert root certificates in the Windows AuthRoot trust store; they are not the revoked DigiCert EV code-signing certificates used to sign malware. Removing those roots does nothing to block the signed malware, but it breaks chain validation for every legitimate certificate that chains to them.
