When the sophisticated state-sponsored espionage tool known as Flame was exposed last year, there was probably no one more concerned about the discovery than Microsoft, after realizing that the tool was signed with an unauthorized Microsoft certificate to verify its trustworthiness to victim machines. The attackers also hijacked a part of Windows Update to deliver it to targeted machines.
After examining the nature of the certificate attack and everything the malicious actors needed to know to pull it off, Microsoft engineers estimated that they had about twelve days to fix the weaknesses it exploited before other, less sophisticated actors would be able to repeat the attack on Windows machines.
But then Microsoft ran tests to recreate the steps that copycat attackers would have to follow and discovered that, in fact, it would take just three days to repeat the Windows Update and certificate portion of the attack in order to deliver other signed malware to victim machines.
“So that’s when we switched to Plan B,” says Mike Reavey, senior director of the Microsoft Security Response Center, speaking at the RSA Security Conference on Thursday.
Reavey relayed the actions his team took after Kaspersky Lab discovered Flame last year, and highlighted how little time response teams have these days to fix dangerous threats before copycat attackers can learn and repeat them.
Flame was a massive and highly sophisticated spy kit that was found infecting systems in Iran and elsewhere and was believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.
It was created by the same group that made Stuxnet, believed to be Israel and the U.S., and targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years before being discovered.
One of the most disturbing aspects of Flame, however, was its devious subversion of the Windows Update client on targeted machines to spread the malware within a company or an organization’s network.
After Kaspersky released samples of the malware on May 28, 2012, Microsoft discovered that Flame used a man-in-the-middle attack that subverted the Windows Update client to spread.
The Windows Update attack didn’t involve a breach of Microsoft’s network and never affected the Windows Update service that delivers security patches and other updates to customer machines. Instead it focused on compromising the process for updating the Windows Update client itself that sits on a customer machine.
The Windows Update client regularly checks for a new version of itself to download and install, using a series of files from Microsoft servers that are signed with a Microsoft certificate. In this case, when the Windows Update client on a machine beaconed out to Microsoft for a client update, the request was intercepted in a man-in-the-middle attack by a compromised machine on the victim’s network that the attackers already controlled. That machine redirected the beaconing client to download a malicious file masquerading as a Windows Update client file. The file was signed with a rogue Microsoft certificate that the attackers obtained by conducting an MD5 collision attack on the certificate’s hash.
To generate their fake certificate, the attackers exploited a weakness in the cryptographic algorithm behind the certificates that Microsoft issued to enterprise customers for setting up Remote Desktop service on machines. The Terminal Server Licensing Service provided certificates that carried the ability to sign code, which is what allowed the Flame file to be signed as if it came from Microsoft.
The attackers needed to conduct the collision attack in order to have a certificate that would get Flame onto systems that were using the Windows Vista operating system or later. To recreate these specific steps would take copycat attackers a lot of time and resources.
But Microsoft realized that other attackers wouldn’t need to do all of this work; they could simply use a less-modified version of a rogue certificate that Windows XP machines would still accept. Microsoft found it would take hackers only three days to figure out how the certificates were structured, obtain one, and then subvert the Windows Update client with a man-in-the-middle attack to get a malicious file signed with that certificate onto systems.
On June 3, Microsoft announced that it had discovered the Windows Update attack in Flame and rolled out a series of fixes that included revoking three unauthorized certificates. The company also hardened the certificate channel.
“We didn’t just revoke the malicious certificates used by Flame,” Reavey said. “We revoked the [certificate authority]. So any certificate that might have been ever issued were no longer trusted by any version of Windows…. The main thing we did there was we pin the code-signing check to a specific and unique CA that’s only used by the Windows Update client.”
Microsoft also created an update for the Windows Update client to prevent a man-in-the-middle attack from occurring and added a system for easily revoking unauthorized certificates in the future through a trusted list.
“We didn’t want to have to ship a patch to Windows machines to have Windows not trust certificates anymore,” he said. “We took a feature that was included in Windows 8 and we back-ported it all the way down to Windows Vista. Where now every 24 hours a trust list will be checked on the system and if there is anything we put in the untrusted store, it will be updated relatively immediately.”
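As an added example (not Microsoft’s code or the actual Windows Update client logic), the following PowerShell models on a Windows machine the two defender-side checks described above: that a signed file’s certificate chain includes a pinned, expected CA, and that nothing in that chain appears in the machine’s Disallowed (untrusted) certificate store. The pinned thumbprint is a placeholder, and the rejection of MD5-signed certificates is an assumption about a sensible policy, not a step the article attributes to Microsoft.

```powershell
# Added example, not Microsoft's code. Models the mitigations described above:
# pin the code-signing check to one expected CA and consult the Disallowed store.
$PinnedCaThumbprint = 'PLACEHOLDER-SHA1-THUMBPRINT-OF-EXPECTED-CA'   # placeholder value

function Test-PinnedCodeSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $PinnedThumbprint
    )
    $fail = { param($Reason) [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = $Reason } }

    # 1. Authenticode status: Windows' own chain build, which already consults the Disallowed store.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return & $fail "Signature status is $($sig.Status)" }
    $signer = $sig.SignerCertificate

    # 2. Refuse signer certificates issued under MD5 (the hash Flame's collision targeted). Assumed policy.
    if ($signer.SignatureAlgorithm.FriendlyName -match 'md5') {
        return & $fail 'Signer certificate is signed with MD5'
    }

    # 3. The leaf must carry the code-signing EKU (OID 1.3.6.1.5.5.7.3.3).
    $eku = $signer.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.3') { return & $fail 'No code-signing EKU on signer' }

    # 4. Enumerate the chain and require the pinned CA to be present in it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($signer)
    $thumbs = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })
    if ($thumbs -notcontains $PinnedThumbprint.ToUpper()) {
        return & $fail 'Chain does not include the pinned CA'
    }

    # 5. Explicitly reject any chain element listed in the untrusted store,
    #    the store that the daily trust-list refresh described above updates.
    $disallowed = @(Get-ChildItem Cert:\LocalMachine\Disallowed | ForEach-Object { $_.Thumbprint })
    $hit = @($thumbs | Where-Object { $disallowed -contains $_ })
    if ($hit.Count -gt 0) { return & $fail "Chain element $($hit -join ',') is in the Disallowed store" }

    [pscustomobject]@{ Path = $Path; Trusted = $true; Reason = 'Pinned CA present, nothing disallowed' }
}

# Usage (path is a placeholder):
# Test-PinnedCodeSignature -Path 'C:\path\to\file.exe' -PinnedThumbprint $PinnedCaThumbprint
```

Step 1 alone reflects the trust Windows already computes; steps 4 and 5 are what make the pinning and untrusted-list policy visible and auditable in a script rather than implicit in the platform.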