Microsoft disclosed on Tuesday that it has implemented blocking protections and suspended accounts used to publish malicious Windows Hardware Developer Program-certified drivers.
According to the tech giant’s investigation, the activity was limited to a small number of developer program accounts, and no additional compromises were detected.
Cryptographically signing malware is worrisome not only because it undermines a crucial security mechanism, but also because it enables threat actors to subvert traditional detection methods and infiltrate target networks to perform highly privileged operations.
On October 19, 2022, cybersecurity firms Mandiant, SentinelOne, and Sophos notified Redmond that rogue drivers were being used in post-exploitation efforts, including the deployment of ransomware. This prompted Redmond to launch an investigation.
One notable aspect of these attacks was that the adversary had already obtained administrative privileges on compromised systems before using the drivers.
Microsoft explained that several developer accounts for the Microsoft Partner Center were used to submit malicious drivers to obtain a Microsoft signature. “A new attempt to submit a malicious driver for signing on September 29, 2022, resulted in the sellers’ accounts being suspended in early October.”
According to an analysis by Sophos, threat actors associated with the Cuba ransomware (aka COLDDRAW) planted a malicious signed driver in a failed attempt to disable endpoint detection tools via a novel malware loader dubbed BURNTCIGAR, which Mandiant first disclosed in February 2022.
The company also identified three variants of the driver signed by code signing certificates that belong to two Chinese companies, Zhuhai Liancheng Technology and Beijing JoinHope Image Technology.
Using signed drivers allows threat actors to circumvent critical security measures that require kernel-mode drivers to be signed before Windows will load the package. In addition, the technique takes advantage of the implicit trust that security tools place in Microsoft-certified drivers.
“Threat actors are moving up the trust pyramid, attempting to digitally sign their drivers with increasingly trusted cryptographic keys,” said Sophos researchers Andreas Klopsch and Andrew Brandt. “Signatures from a large, reputable software publisher increase the likelihood that the driver will load without incident in Windows.”
In a coordinated disclosure, Google-owned Mandiant reported observing a financially-motivated threat group known as UNC3944 using a loader called STONESTOP to install a malicious driver called POORTRY that is designed to terminate processes associated with security software and delete files.
Stating that it has “continually observed threat actors use compromised, stolen, and illicitly purchased code-signing certificates to sign malware,” the threat intelligence and incident response firm noted that “several distinct malware families, associated with distinct threat actors, have been signed with this process.”
This raises the possibility that these hacking groups are utilizing a criminal service for code signing (i.e., malicious driver signing as a service), in which the provider gets the malware artifacts signed through Microsoft’s attestation process on the actors’ behalf.
UNC3944 is believed to have used STONESTOP and POORTRY in attacks against the telecommunications, BPO, MSSP, financial services, cryptocurrency, entertainment, and transportation sectors, according to SentinelOne. A different threat actor used a similar signed driver to deploy Hive ransomware.
The intrusion set identified by SentinelOne likely overlaps with a “persistent” campaign orchestrated by a threat actor tracked by CrowdStrike as Scattered Spider since June 2022, with some of the attacks penetrating mobile carrier networks to provide SIM swapping services.
SentinelOne told The Hacker News that “similar targets, TTPs, and malware suggest the possibility of a link with this activity,” but emphasized that it cannot confirm the research and has no “further details” to share.
As part of its December 2022 Patch Tuesday update, Microsoft has since revoked the certificates for the affected files and suspended the partners’ seller accounts in response to the threats.
Digital certificates have been abused to sign malicious software before. A Microsoft-approved Netfilter driver was discovered to be a malicious Windows rootkit that communicated with Chinese command-and-control (C2) servers last year.
Nor is this a Windows-only phenomenon: Google revealed this month that compromised platform certificates managed by Android device manufacturers including Samsung and LG had been used to sign malicious apps distributed through unofficial channels.
In recent months, there has been widespread abuse of signed drivers to compromise security software. Bring Your Own Vulnerable Driver (BYOVD) is an attack that exploits legitimate drivers with known vulnerabilities to escalate privileges and execute post-compromise actions.
Microsoft announced in late October that it is enabling the vulnerable driver blocklist (stored in the “DriverSiPolicy.p7b” file) by default for all devices running the Windows 11 2022 update, and that it is validating that the list is the same across operating system versions, in response to an Ars Technica report highlighting inconsistencies in how the blocklist was updated on Windows 10 devices.
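As an added defender's example (not code from the article, Microsoft, or any of the vendors named), the PowerShell audit below reports whether the vulnerable driver blocklist is enabled, locates the DriverSiPolicy.p7b file, and inventories the signers of running kernel drivers so that Partner Center-signed third-party drivers can be reviewed against the vendors expected on a host. It assumes the Microsoft-documented registry value VulnerableDriverBlocklistEnable under CI\Config and the System32\CodeIntegrity location of the policy file; the CSV output path is an illustrative choice.

```powershell
# Added example, not code from the article. Run from an elevated PowerShell prompt.
# Assumptions: the blocklist toggle lives at the Microsoft-documented registry value
# VulnerableDriverBlocklistEnable under CI\Config and the policy file sits in
# System32\CodeIntegrity; check both against the docs for your Windows build.

$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = Join-Path $env:windir 'System32\CodeIntegrity\driversipolicy.p7b'

# 1. Is the Microsoft Vulnerable Driver Blocklist switched on, and which file backs it?
$toggle = Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
$state  = if ($toggle.VulnerableDriverBlocklistEnable -eq 1) { 'enabled' } else { 'not enabled / value not set' }
"Vulnerable driver blocklist: $state"
if (Test-Path $blocklist) {
    $f = Get-Item $blocklist
    "Blocklist file: {0} ({1} bytes, last modified {2:u})" -f $f.FullName, $f.Length, $f.LastWriteTimeUtc
} else {
    "Blocklist file not found at $blocklist"
}

# 2. Inventory running kernel drivers with signer, vendor (from the version resource) and hash.
#    Drivers signed through the Partner Center carry a Microsoft signer certificate (to my
#    knowledge, "Microsoft Windows Hardware Compatibility Publisher") rather than the vendor's
#    own, so the vendor has to be read from the binary's version information instead.
$report = Get-CimInstance Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
    if (-not $_.PathName) { return }
    $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) { return }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $ver = (Get-Item -LiteralPath $path).VersionInfo
    [pscustomobject]@{
        Driver      = $_.Name
        Path        = $path
        SigStatus   = $sig.Status
        Signer      = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' })
        Company     = $ver.CompanyName
        Description = $ver.FileDescription
        SHA256      = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
    }
}

# 3. Triage view: unsigned or invalid images, plus Microsoft-signed drivers whose version
#    resource names a non-Microsoft vendor. This is an inventory to compare against the
#    vendors you expect on the host, not a verdict; many legitimate drivers will appear here.
$report | Where-Object {
    $_.SigStatus -ne 'Valid' -or
    ($_.Signer -like '*Microsoft Windows Hardware Compatibility Publisher*' -and $_.Company -notlike '*Microsoft*')
} | Sort-Object SigStatus, Company | Format-Table Driver, SigStatus, Company, Description -AutoSize
# Keep the full inventory (with hashes) for correlation against later revocations or blocklist updates.
$report | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'driver-signers.csv')
```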
SentinelOne stated that code-signing mechanisms are an essential component of modern operating systems. “For years, the introduction of driver signing enforcement was essential to stem the tide of rootkits. The diminishing effectiveness of code signing poses a threat to OS-level security and verification mechanisms.”