Microsoft Disrupts Malware-Signing Service Used by Ransomware Gangs
Briefly

Microsoft disrupted a malware-signing service that abused Azure Artifact Signing to generate legitimate-looking certificates. The service supported ransomware operations by other threat actors rather than directly targeting victims. The fraudulent certificates allowed malware and ransomware to be distributed as trusted software, including impersonations of Microsoft Teams and AnyDesk, to evade Windows defenses and mislead users. The operation allegedly used stolen identities and short-lived certificates to bypass verification controls and reduce detection. It expanded into hosted malware-signing infrastructure where customers could upload malware and receive signed binaries. Microsoft warned that trusted digital signatures alone are no longer reliable indicators of software legitimacy. The activity was linked to multiple malware families and ransomware groups worldwide.
"Microsoft says it disrupted a malware-signing service that abused Azure Artifact Signing to create fraudulent certificates used in ransomware and malware attacks. The Fox Tempest operation allegedly helped cybercriminals distribute malware disguised as trusted software to evade Windows defenses and fool users. 'Fox Tempest doesn't directly target victims but instead provides supporting services that enable ransomware operations by other threat actors,' Microsoft said in its advisory."
"Microsoft disrupted the Fox Tempest malware-signing service that abused Azure Artifact Signing to create fraudulent code-signing certificates. The operation allegedly helped ransomware groups distribute malware disguised as trusted software, such as Microsoft Teams and AnyDesk. Microsoft said the group used stolen identities and short-lived certificates to bypass verification controls and evade detection."
"The service expanded into a hosted malware-signing infrastructure, allowing customers to upload malware and receive signed binaries directly. Microsoft warned that trusted digital signatures alone are no longer reliable indicators of software legitimacy. Inside the Fox Tempest malware operation, Microsoft said attackers abused its Azure Artifact Signing service to generate legitimate-looking certificates used to distribute malware through a large-scale malware-signing-as-a-service (MSaaS) operation known as Fox Tempest."
"The campaign was tied to malware families, including Oyster, Lumma Stealer, and Vidar, as well as ransomware groups such as Rhysida, Akira, INC, Qilin, and BlackByte. Threat actors associated with Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249 reportedly used the signed malware in attacks targeting organizations worldwide."
Read at TechRepublic