Malware‑Signing‑as‑a‑Service Operated by Fox Tempest Enables Ransomware Distribution for Multiple Criminal Groups
What Happened – Fox Tempest, a financially motivated threat actor, runs a malware‑signing‑as‑a‑service (MSaaS) that provides valid code‑signing certificates to other cybercriminal groups such as Vanilla Tempest and Storm. The service allows these actors to bypass many endpoint and anti‑malware controls, accelerating the spread of ransomware and other malicious payloads.
Why It Matters for TPRM –
- Third‑party code‑signing services can become a hidden supply‑chain risk for any organization that trusts signed binaries.
- Vendors that rely on an external signing provider may unknowingly inherit that provider's bad reputation, so their own signed binaries end up blocked by security tools.
- Awareness of MSaaS ecosystems helps risk managers demand stricter provenance checks on software and updates.
Who Is Affected – Technology & SaaS vendors, software supply‑chain partners, enterprises that accept signed executables from third‑party developers, and any organization using Windows code‑signing certificates.
Recommended Actions –
- Verify that all code‑signing certificates used in your software supply chain are issued by trusted, audited CAs.
- Implement strict verification of binary signatures and enforce reproducible builds where possible.
- Add the Fox Tempest MSaaS indicator set to your threat‑intel feeds and block associated signing certificates.
- Conduct a supply‑chain risk assessment focusing on any third‑party signing services your vendors may use.
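An added PowerShell check (not code from Microsoft or from this digest) that puts the signature-verification and certificate-blocking actions above into practice: it audits the Authenticode signature of each binary in a drop folder, rejects anything unsigned or tampered, compares the signer thumbprint against a blocklist, and rebuilds the chain with online revocation checking. The `C:\VendorDrops` path and the blocklist thumbprints are assumptions and placeholders, since the page lists no indicator values.

```powershell
# Added example (not from the Microsoft post): audit Authenticode signatures on vendor-supplied
# binaries and reject anything unsigned, tampered, blocklisted, or chaining to an untrusted root.
# The thumbprints below are PLACEHOLDERS; replace them with indicators from your threat-intel feed.
$BlockedThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-FROM-THREAT-INTEL-1',
    'PLACEHOLDER-THUMBPRINT-FROM-THREAT-INTEL-2'
)

function Test-BinarySignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path       = $Path
        Status     = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer     = $null
        Thumbprint = $null
        Verdict    = 'REJECT'
        Reason     = $sig.StatusMessage
    }
    # Anything other than Valid (unsigned, hash mismatch, untrusted) is rejected outright.
    if ($sig.Status -ne 'Valid') { return [pscustomobject]$result }
    $cert = $sig.SignerCertificate
    $result.Signer     = $cert.Subject
    $result.Thumbprint = $cert.Thumbprint

    # A cryptographically valid signature is irrelevant if the certificate is known-abused.
    if ($BlockedThumbprints -contains $cert.Thumbprint) {
        $result.Reason = 'Signer certificate is on the blocklist'
        return [pscustomobject]$result
    }

    # Re-validate the chain with online revocation checking for every certificate in it; a
    # certificate revoked after abuse is reported still verifies if revocation is never consulted.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($cert)) {
        $result.Reason = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        return [pscustomobject]$result
    }

    $result.Verdict = 'ACCEPT'
    $result.Reason  = 'Valid signature, trusted and unrevoked chain, signer not blocklisted'
    return [pscustomobject]$result
}

# Usage (assumed path): audit every binary in a vendor drop folder and list what was rejected.
Get-ChildItem -Path 'C:\VendorDrops' -Recurse -Include *.exe, *.dll, *.msi |
    ForEach-Object { Test-BinarySignature -Path $_.FullName } |
    Where-Object { $_.Verdict -eq 'REJECT' } |
    Format-Table Path, Status, Signer, Reason -AutoSize
```

Feed the rejected rows into your ticketing or SIEM pipeline rather than acting on them by hand, and refresh the blocklist from the same threat-intel feed you use for the Fox Tempest indicators.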
Technical Notes – The operation leverages compromised or illicitly obtained code‑signing certificates (often via stolen credentials or CA compromise) to sign ransomware, trojans, and droppers. No specific CVE is cited; the primary vector is the malicious signing service itself, a classic supply‑chain attack. Source: Microsoft Security Blog