In an ongoing security disaster, Microsoft signing keys were recently hijacked twice, reportedly to the delight of Chinese threat actors. Signing keys are used to authenticate software, ensuring only trusted developers can create legitimate copies of a program. Without them, malicious actors can masquerade as trusted developers, potentially creating vast new channels for attacking vulnerable users.
This isn’t the first time Microsoft signing keys have been compromised. It’s the fourth instance since 2017, showing how weak some of the world’s most prominent software makers can be to malicious attacks. In an extremely worrying turn, it appears that the hackers specifically targeted Microsoft’s signing keys, which Chinese threat actors are reportedly exploiting. Although this attack was discovered swiftly, it highlights the need for greater security measures when it comes to protecting trusted digital signing keys from malicious actors.
Microsoft is one of the world’s leading software producers, so an attack on its signing keys could have serious repercussions. If hackers gain access to Microsoft’s signing keys, they can sign malicious code as if it were created by a legitimate developer, allowing them to spread malware through Microsoft’s various products and services. This could allow them to gain access to sensitive information, install ransomware, or even control entire networks. It’s a big risk to Microsoft, but also to users of their products.
Microsoft isn’t the only software company whose signing keys are vulnerable. Other popular software creators like Adobe, Google, Apple and Oracle have all experienced attacks on their signing keys in recent years. All of these companies face the same risk – if malicious actors gain access to their signing keys, they can create and distribute malicious programs and take over networks.
Fortunately, the recent attack on Microsoft’s signing keys was discovered and thwarted quickly, and it’s likely that the company has now taken steps to improve its security and prevent any further attacks. However, it’s a sound reminder to all software companies of just how vulnerable their signing keys are, and how important it is to have robust security measures in place in order to protect them. Otherwise, it might just be a matter of time before the next attack is successful – to the delight of Chinese threat actors.
