Microsoft Defender flags false positives: Legitimate DigiCert certificates mistaken for malware

Microsoft Defender has recently produced false positives, identifying legitimate DigiCert root certificates as malware. This error caused widespread alarms and, in some cases, the removal of the certificates from Windows systems. The problem emerged after a Microsoft Defender signature update on April 30, as reported by cybersecurity expert Florian Roth.

Administrators worldwide have started reporting that DigiCert root certificate entries are being flagged as malware and, on affected systems, removed from the Windows trust repository. The certificates involved are identified by the hashes:

  • 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
  • DDFB16CD4931C973A2037D3FC83A4D7D775D05E4

On affected systems, these certificates have been removed from the AuthRoot repository under this registry key: HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\.

The false positives have generated concern among Windows users, with some thinking their devices were infected and reinstalling the operating system as a precaution.

Security updates and solutions

Microsoft has identified the issue and released a fix in the security intelligence update version 1.449.430.0. Users can check for more recent updates, now available in version 1.449.431.0, by accessing Windows Security > Virus and threat protection > Protection updates and clicking on Check for updates.

Other reports on Reddit indicate that the fix also restores the previously removed certificates on affected systems.
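For administrators who want to verify a system rather than rely on reports, the following PowerShell script is an added example (not from the article, Microsoft or DigiCert). It checks whether the two DigiCert root thumbprints listed above are still present in the AuthRoot store, both through the Cert: provider and under the registry key named above, and whether the installed Defender security-intelligence version is at least 1.449.430.0. It assumes a Windows host with the built-in Defender PowerShell module; the function names are the example's own.

```powershell
# Added example: verify AuthRoot state and Defender signature version on one host.
# Thumbprints, registry path and fixed version are taken from the article.
$Thumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)
$FixedVersion = [version]'1.449.430.0'   # first security-intelligence version with the fix
$AuthRootKey  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'

function Test-DigiCertAuthRoot {
    # Report each thumbprint from both views of the same store: Cert: provider and raw registry.
    foreach ($tp in $Thumbprints) {
        [pscustomobject]@{
            Thumbprint  = $tp
            InCertStore = Test-Path -Path "Cert:\LocalMachine\AuthRoot\$tp"
            InRegistry  = Test-Path -Path (Join-Path $AuthRootKey $tp)
        }
    }
}

function Test-DefenderFixApplied {
    # Compare the installed signature version with the first fixed version.
    $status  = Get-MpComputerStatus
    $current = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        SignatureVersion = $current
        FixApplied       = ($current -ge $FixedVersion)
        LastUpdated      = $status.AntivirusSignatureLastUpdated
    }
}

$roots    = Test-DigiCertAuthRoot
$defender = Test-DefenderFixApplied
$roots    | Format-Table -AutoSize
$defender | Format-List

if (-not $defender.FixApplied) {
    Write-Warning "Signature $($defender.SignatureVersion) predates the fix; run Update-MpSignature and re-check."
}
# AuthRoot is filled on demand by the automatic root update, so a missing entry on a host that
# never needed these roots is not by itself proof of removal; correlate with the Defender
# detection history (Get-MpThreatDetection) before concluding the host was affected.
if ($roots | Where-Object { -not $_.InCertStore -or -not $_.InRegistry }) {
    Write-Warning "At least one DigiCert root is absent from AuthRoot; apply the update and re-check."
}
```

Run it elevated so the HKLM key and the LocalMachine store are readable; it only reads state and does not modify the store.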

Link with a recent DigiCert incident

The false positives emerged shortly after the disclosure of a DigiCert security incident that allowed threat actors to obtain valid code-signing certificates used to sign malware. According to DigiCert's incident report, a malware incident targeted a support team member.

"Our subsequent investigation revealed that the threat actor was able to obtain initialization codes for a limited number of code-signing certificates, some of which were then used to sign malware," explains DigiCert's incident report.

The identified certificates were revoked within 24 hours of discovery, and the revocation date was set to their issuance date. As a precautionary measure, pending orders in the period of interest were canceled.

Zhong Stealer malware campaign

This incident aligns with previous reports from security researchers who observed newly issued DigiCert EV certificates used in malware campaigns. Researchers, including Squiblydoo, MalwareHunterTeam, and g0njxa, reported that certificates issued to well-known names such as Lenovo, Kingston, Shuttle Inc, and Palit Microsystems were used to sign malware.

"What do Lenovo, Kingston, Shuttle Inc, and Palit Microsystems have in common?", Squiblydoo posted on X. "EV certificates from these companies were issued and used by a Chinese criminal group, #GoldenEyeDog (#APT-Q-27)!"

The malware in this campaign is called "Zhong Stealer," although analysis indicates it might be more similar to a remote access trojan (RAT) than an infostealer.

The researcher states that the malware was distributed through the following attack chain:

  • Phishing emails delivering a fake image or screenshot
  • A first-stage executable that displays a decoy image
  • Retrieval of a second-stage payload from cloud storage such as AWS
  • Use of signed binaries and loaders, including components related to legitimate providers

After DigiCert disclosed the incident, researchers stated that the incident report explains how the certificates used in these malware campaigns were obtained.

The certificates reported by Microsoft Defender are root certificates in the Windows trust repository and do not match the revoked DigiCert code-signing certificates used to sign malware.

Impact and Resolution of False Positives

The Microsoft Defender error had a significant impact on business and home users. Many organizations had to deal with service disruptions, as the removed certificates were essential for authentication and communication security. Some users reported problems with critical applications, including industrial control software and payment systems, which rely on digital certificates to function correctly.

Microsoft released an official statement to reassure users, stating that the false positives were caused by a detection update that had mistakenly identified legitimate certificates as malware. The company emphasized that users should not take further action beyond updating the security intelligence to version 1.449.430.0 or later.

However, some system administrators reported that, despite the update, some systems continued to experience compatibility issues with specific applications. This has led to requests for further clarification from Microsoft regarding possible exceptions or temporary solutions for critical systems.

Analysis of the DigiCert Breach

The security incident that affected DigiCert highlighted critical vulnerabilities in technical support processes. Hackers exploited a "sensor gap" in endpoint protections, allowing them to bypass security controls for a significant period. This enabled attackers to access sensitive information, including initialization codes for code-signing certificates.

DigiCert revealed that the malware used in the initial attack was a ZIP file disguised as a screenshot. This delivery method is common in advanced phishing campaigns and underscores the importance of continuous staff training in recognizing cyber threats.

A concerning aspect of the incident was the time it took to detect the compromise. Although the first attack attempt was blocked, the second succeeded, allowing hackers to gain access to two internal systems. This delay allowed attackers to exploit vulnerabilities before they could be mitigated.

Implications for Certificate Security

The use of DigiCert-issued code-signing certificates in the Zhong Stealer malware campaign demonstrates that even Extended Validation (EV) certificates can be compromised.

Security experts have emphasized the need for continuous monitoring and improvement of certificate issuance processes. DigiCert has announced that it is implementing additional measures to prevent future incidents, including the adoption of multi-factor authentication for support staff and the integration of behavioral analysis tools to detect suspicious activity.

DigiCert's incident report also highlighted collaboration with the cybersecurity community. External experts played a crucial role in detecting and reporting compromised certificates, demonstrating the importance of joint efforts between companies and independent security experts.

Future Perspectives

Recent incidents have pushed certification companies to re-examine their security protocols. The industry is expected to adopt more rigorous measures, such as using blockchain to track certificate issuance and usage, and integrating artificial intelligence to detect anomalous behaviors.

For end users, it is essential to keep systems updated and carefully monitor the certificates used by critical applications. Organizations should consider implementing layered security solutions that combine digital certificates with other authentication technologies to reduce risks.

While incidents like those involving DigiCert and Microsoft Defender are concerning, they also offer the opportunity to improve cybersecurity through learning and the adoption of new technologies and practices.

Editorial Note and Disclaimer

The guides and content published on GoYou are the result of independent research and analysis activities, for informational, educational, and in-depth purposes.

GoYou does not constitute a journalistic publication or an editorial product pursuant to Law No. 62/2001 and does not engage in real-time information activities.

The GoYou project does not provide professional, technical, legal, or financial advice and disclaims any liability for the improper use of the information published.

In the Crypto sector, every investment involves risks: readers are invited to always inform themselves autonomously before making any decision.