Windows users globally were unexpectedly besieged by alarming notifications as the operating system's built-in antivirus began misidentifying pivotal digital certificates—upon which the seamless operation of myriad services relies—as malicious. Under the apprehension of a definitive system compromise, several individuals resorted to the drastic measure of reinstalling their operating systems.
The anomaly originated within Microsoft Defender, which commenced categorizing legitimate DigiCert root certificates as the threat designated Trojan:Win32/Cerdigent.A!dha. This erratic behavior manifested following a security intelligence update on April 30. Within twenty-four hours, administrators observed that certificate entries were being flagged as deleterious and summarily excised from the Windows Trusted Root Certification Authorities store.
The excision occurred directly within the system registry, targeting the specific hive where root certificates reside. Consequently, various applications and services faltered as the operating system revoked its trust in their signed components.
Reports of these false positives proliferated across technical forums, where users shared the fingerprints of the maligned certificates and disseminated visual evidence of the warnings. On a subset of devices, the antivirus not only triggered alerts but unilaterally deleted the certificates without prior notification.
Microsoft subsequently disseminated a remediation via signature database version 1.449.430.0. Following the installation of this update, the erroneous detections ceased, and early reports indicate that previously deleted certificates are being autonomously reinstated.
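The following PowerShell check is an added example, not part of the original report, for administrators who want to confirm a host's state after the incident: it compares the installed signature version against the 1.449.430.0 fix named above, looks for the Trojan:Win32/Cerdigent.A!dha detection in Defender's threat history, and lists which DigiCert roots are currently present in the machine trust store. The Defender cmdlets, the `DigiCert` subject match and the registry path are standard Windows locations assumed here, not details taken from the article.

```powershell
# Added example: verify a host against the Defender/DigiCert root-certificate false positive.
# The fix version and detection name come from the article; everything else is an assumption
# about standard Windows tooling.
$FixedVersion  = [version]'1.449.430.0'
$DetectionName = 'Trojan:Win32/Cerdigent.A!dha'

# 1. Is the installed security intelligence at or past the corrected version?
$status     = Get-MpComputerStatus
$sigVersion = [version]$status.AntivirusSignatureVersion
if ($sigVersion -lt $FixedVersion) {
    Write-Warning "Signature version $sigVersion predates the fix ($FixedVersion); run Update-MpSignature."
} else {
    Write-Host "Signature version $sigVersion includes the fix."
}

# 2. Did Defender ever record the faulty detection on this host?
$hits = Get-MpThreat | Where-Object { $_.ThreatName -eq $DetectionName }
if ($hits) {
    Write-Warning "Defender history contains $DetectionName; the root store may have been modified."
    Get-MpThreatDetection |
        Where-Object { $_.ThreatID -in $hits.ThreatID } |
        Select-Object InitialDetectionTime, ActionSuccess, Resources |
        Format-List
}

# 3. Which DigiCert roots are currently present in the machine trust store?
# The Cert: provider view of LocalMachine\Root is backed primarily by the registry key
# HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates (assumed standard location),
# i.e. the hive the article says the certificates were deleted from.
$roots = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match 'DigiCert' } |
    Select-Object Thumbprint, Subject, NotAfter
if (-not $roots) {
    Write-Warning 'No DigiCert root certificates found in LocalMachine\Root; compare against a known-good host.'
} else {
    $roots | Format-Table -AutoSize
}
```

Run it in an elevated session; a host that shows the detection in step 2 but a full DigiCert root list in step 3 has already received the automatic reinstatement the article describes.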
The corporation elucidated that the security measures were implemented in response to reports of compromised credentials stemming from an incident at DigiCert. However, the detection logic proved overly expansive, inadvertently encompassing secure root certificates. Upon verification, the heuristics were refined, and the erroneous warnings were retracted.
The crisis was precipitated by an incursion at DigiCert itself. In early April, adversaries targeted a support representative by transmitting a malicious ZIP archive masquerading as a diagnostic screenshot. Although several initial attempts were thwarted, a single workstation was eventually compromised. The assailants subsequently gained ingress to a secondary system where security telemetry had been temporarily disabled.
Leveraging their access to the internal support portal, the actors were able to impersonate clients and view account details. In several instances, they procured initialization codes for pre-approved but unissued code-signing certificates, which sufficed to generate valid credentials.
DigiCert revoked sixty such certificates, twenty-seven of which were linked to the Zhong Stealer campaign. Despite its nomenclature, the malware functions primarily as a remote access trojan rather than a conventional infostealer. The infection vector involved phishing emails with image-based lures, which facilitated the retrieval of a primary module from cloud storage and the execution of signed components.
Researchers, including Squiblydoo, MalwareHunterTeam, and g0njxa, revealed that the certificates utilized to authenticate the malware were issued to reputable entities such as Lenovo, Kingston, Shuttle Inc, and Palit Microsystems.
Significantly, the certificates purged by Microsoft Defender did not correspond to the specific credentials utilized by the malware or those officially revoked by DigiCert. The error exclusively impacted the root certificates within the Windows trust hierarchy, an oversight that precipitated widespread systemic disruptions and public consternation.