Microsoft Certificate Was Used to Sign “Flame” Malware

Flame Used Microsoft Certificate

Microsoft: Techniques Used By Flame Could Be Used By Less Sophisticated Attackers to Launch Widespread Attacks


On Sunday, Microsoft reached out to customers and notified the public that it had discovered unauthorized digital certificates that “chain up” to a Microsoft sub-certification authority issued under the Microsoft Root Authority.

Interestingly, there is a direct connection between this discovery and the recently discovered “Flame” malware (also known as Flamer and sKyWIper). While many have said the enterprise threat posed by “Flame” is minimal, Microsoft is now warning that some of the techniques used by components of Flame could be leveraged by less sophisticated attackers to conduct more widespread attacks, namely malware that uses unauthorized certificates to appear to be legitimate software from Microsoft.

[Image: Microsoft certification authority signing certificates added to the Untrusted Certificate Store]

While these security issues are not Flame-specific, and could be used in other forms of unrelated malware, Microsoft was able to identify components of the Flame malware that had been signed with a certificate that ultimately chained up to the Microsoft Root Authority.

“We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,” Microsoft Security Response Center’s Jonathan Ness wrote in a blog post. “We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.”

In response to the discovery, Microsoft released an emergency security advisory on Sunday, detailing steps that organizations should take in order to block software signed by the unauthorized certificates, and also released an update to automatically protect customers.

Related: What Flame Means to the Enterprise

“This code-signing certificate came by way of the Terminal Server Licensing Service that we operate to issue certificates to customers for ancillary PKI-based functions in their enterprise,” Ness explained. “Such a certificate could (without this update being applied) also allow attackers to sign code that validates as having been produced by Microsoft.”

Also as part of its response effort, Microsoft said its Terminal Server Licensing Service no longer issues certificates that allow code to be signed.


The update revokes three intermediate certificate authorities, pushing the following certificates into the “Untrusted Certificates Store”:

Microsoft Enforced Licensing Intermediate PCA (2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70) – Issued by Microsoft Root Authority

Microsoft Enforced Licensing Intermediate PCA (3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08) – Issued by Microsoft Root Authority

Microsoft Enforced Licensing Registration Authority CA (SHA1) (fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97) – Issued by Microsoft Root Certificate Authority
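As an added example (not code from the SecurityWeek article or from Microsoft), the following PowerShell checks two things an administrator would want to confirm after reading the list above: that the three revoked intermediate CAs are actually present in the machine's Untrusted (Disallowed) certificate store, which is what KB2718704 does, and whether a given signed file's Authenticode chain passes through any of them. The thumbprints are the SHA1 values quoted in the advisory text above; the file path passed to the second function is an assumption supplied by the caller. Run in an elevated PowerShell session on Windows.

```powershell
# Added example, not part of the original article or of Microsoft's update.
# SHA1 thumbprints of the three intermediate CAs pushed into the Untrusted
# Certificates store by KB2718704 (values as listed in the advisory text).
$RevokedThumbprints = @(
    '2A83E9020591A55FC6DDAD3FB102794C52B24E70',  # Microsoft Enforced Licensing Intermediate PCA
    '3A850044D8A195CD401A680C012CB0A3B5F8DC08',  # Microsoft Enforced Licensing Intermediate PCA
    'FA6660A94AB45F6A88C0D7874D89A863D74DEE97'   # Microsoft Enforced Licensing Registration Authority CA (SHA1)
)

function Test-KB2718704Applied {
    # The update places the certificates in Cert:\LocalMachine\Disallowed
    # (the "Untrusted Certificates" store). Returns $true only when all
    # three thumbprints are present there.
    $present = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Where-Object { $RevokedThumbprints -contains $_.Thumbprint.ToUpperInvariant() })
    $presentThumbprints = @($present | ForEach-Object { $_.Thumbprint.ToUpperInvariant() })
    $missing = @($RevokedThumbprints | Where-Object { $presentThumbprints -notcontains $_ })
    foreach ($t in $missing) { Write-Warning "Revoked CA not in Disallowed store: $t" }
    return ($missing.Count -eq 0)
}

function Test-SignatureChainsToRevokedCA {
    param([Parameter(Mandatory)][string]$Path)   # assumed: any signed PE on disk
    # Read the Authenticode signature; an unsigned file cannot chain anywhere.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { return $false }

    # Build the chain ourselves so every element can be inspected even after
    # Windows already reports the signature as untrusted because of the update.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.Build($sig.SignerCertificate)

    foreach ($element in $chain.ChainElements) {
        $thumb = $element.Certificate.Thumbprint.ToUpperInvariant()
        if ($RevokedThumbprints -contains $thumb) {
            Write-Warning ("{0} chains through revoked CA: {1}" -f $Path, $element.Certificate.Subject)
            return $true
        }
    }
    return $false
}

# Usage: confirm the update took effect, then sweep a directory of binaries.
Test-KB2718704Applied
Get-ChildItem -Path "$env:SystemRoot\System32" -Filter *.dll |
    Where-Object { Test-SignatureChainsToRevokedCA -Path $_.FullName } |
    Select-Object -ExpandProperty FullName
```

The chain is built with revocation checking disabled and unknown roots allowed on purpose: the point is to see which CA the signer certificate chains through, not to ask Windows whether it trusts the result, since after the update it will simply say "untrusted" without telling you why. The same store can be listed from a command prompt with `certutil -store Disallowed`.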

“These actions will help ensure that any malware components that might have been produced by attackers using this method no longer have the ability to appear as if they were produced by Microsoft,” Ness added.

While most anti-virus software from major vendors will detect and remove Flame, and auto-updates should address these new concerns, Microsoft recommends that administrators and enterprise installations apply the patch, manually if needed. Information on applying the update (KB2718704) can be found here.

Microsoft did not say what algorithm was exploited in order to generate the rogue certificates, though SecurityWeek did reach out to Microsoft for comment and we will update the story if a response is received.


Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
