Ransomware Attackers Gain Access to Systems Using Microsoft-Signed Drivers

Microsoft disclosed on Tuesday that it has implemented blocking protections and suspended accounts used to publish malicious Windows Hardware Developer Program-certified drivers.

According to the tech giant’s investigation, the activity was limited to a small number of developer program accounts, and no additional compromises were detected.

Cryptographically signing malware is worrisome not only because it undermines a crucial security mechanism, but also because it enables threat actors to subvert traditional detection methods and infiltrate target networks to perform highly privileged operations.

On October 19, 2022, the cybersecurity firms Mandiant, SentinelOne, and Sophos notified Microsoft that rogue drivers were being used in post-exploitation activity, including the deployment of ransomware, prompting the company to launch an investigation.

One notable aspect of these attacks was that the adversary had already obtained administrative privileges on compromised systems before using the drivers.

Microsoft explained that several developer accounts for the Microsoft Partner Center had submitted malicious drivers to obtain a Microsoft signature. “A new attempt to submit a malicious driver for signing on September 29, 2022, resulted in the sellers’ accounts being suspended in early October.”

According to an analysis by Sophos, threat actors associated with the Cuba ransomware (aka COLDDRAW) planted a malicious signed driver in a failed attempt to disable endpoint detection tools via a novel malware loader dubbed BURNTCIGAR, which Mandiant first disclosed in February 2022.

The company also identified three variants of the driver signed by code signing certificates that belong to two Chinese companies, Zhuhai Liancheng Technology and Beijing JoinHope Image Technology.

Using signed drivers allows threat actors to circumvent a critical security control: Windows requires kernel-mode drivers to be signed before it will load them. In addition, the technique takes advantage of the implicit trust that security tools place in Microsoft-certified drivers.

“Threat actors are moving up the trust pyramid, attempting to digitally sign their drivers with increasingly trusted cryptographic keys,” said Sophos researchers Andreas Klopsch and Andrew Brandt. “Signatures from a large, reputable software publisher increase the likelihood that the driver will load without incident in Windows.”

In a coordinated disclosure, Google-owned Mandiant reported observing a financially motivated threat group known as UNC3944 using a loader called STONESTOP to install a malicious driver called POORTRY that is designed to terminate processes associated with security software and delete files.

Stating that it has “continually observed threat actors use compromised, stolen, and illicitly purchased code-signing certificates to sign malware,” the threat intelligence and incident response firm noted that “several distinct malware families, associated with distinct threat actors, have been signed with this process.”

This raises the possibility that these hacking groups are utilizing a criminal service for code signing (i.e., malicious driver signing as a service), in which the provider gets the malware artifacts signed through Microsoft’s attestation process on the actors’ behalf.

UNC3944 is believed to have used STONESTOP and POORTRY in attacks against the telecommunications, BPO, MSSP, financial services, cryptocurrency, entertainment, and transportation sectors, according to SentinelOne. A different threat actor used a similar signed driver to deploy Hive ransomware.

The intrusion set identified by SentinelOne likely overlaps with a “persistent” campaign orchestrated by a threat actor tracked by CrowdStrike as Scattered Spider since June 2022, with some of the attacks penetrating mobile carrier networks to provide SIM swapping services.

SentinelOne told The Hacker News that “similar targets, TTPs, and malware suggest the possibility of a link with this activity,” but emphasized that it cannot confirm the research and has no “further details” to share.

As part of its December 2022 Patch Tuesday update, Microsoft has since revoked the certificates for the affected files and suspended the partners’ seller accounts in response to the threats.

Digital certificates have been abused to sign malicious software before. A Microsoft-approved Netfilter driver was discovered to be a malicious Windows rootkit that communicated with Chinese command-and-control (C2) servers last year.

Nor is this a Windows-only phenomenon. Google revealed this month that compromised platform certificates managed by Android device manufacturers, including Samsung and LG, had been used to sign malicious apps distributed through unofficial channels.

In recent months, there has been widespread abuse of signed drivers to compromise security software. Bring Your Own Vulnerable Driver (BYOVD) is an attack in which a legitimately signed driver with a known vulnerability is loaded and exploited to escalate privileges and carry out post-compromise actions.

Microsoft announced in late October that it is enabling the vulnerable driver blocklist (stored in the “DriverSiPolicy.p7b” file) by default on all devices running the Windows 11 2022 Update, and that it is validating that the list is the same across operating system versions. The change came in response to an Ars Technica report highlighting inconsistencies in how the blocklist was being updated on Windows 10 devices.
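The two defensive points above, the trust Windows places in signed kernel drivers and the DriverSiPolicy.p7b blocklist, can be checked on a host with the following PowerShell script. It is an added example, not code from the article or from any vendor named in it; it assumes the Microsoft-documented registry value VulnerableDriverBlocklistEnable under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config and the policy file location under System32\CodeIntegrity.

```powershell
# Added example, not from the article: check the vulnerable driver blocklist state
# and inventory the signers of every running kernel driver. Run in an elevated shell.

# 1. Blocklist switch. Assumes the documented CI\Config value; 1 means enabled.
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
Write-Output "Vulnerable driver blocklist enabled: $($blocklist -eq 1)"

# 2. The blocklist policy file itself; LastWriteTime shows when it was last refreshed.
$policy = Join-Path $env:SystemRoot 'System32\CodeIntegrity\driversipolicy.p7b'
if (Test-Path $policy) { Get-Item $policy | Select-Object Name, Length, LastWriteTime }

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes ("\??\C:\...", "\SystemRoot\...",
    # "system32\drivers\..."); normalise them to an absolute path.
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-RunningDriverSigners {
    # One row per running kernel driver: Authenticode status and signer identity.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Driver     = $_.Name
                Status     = $sig.Status
                Signer     = $sig.SignerCertificate.Subject
                Thumbprint = $sig.SignerCertificate.Thumbprint
                Path       = $path
            }
        }
}

# 3. Surface the interesting rows first: unsigned or invalid drivers, then anything
#    whose signer is not Microsoft. A valid Microsoft signature alone is not proof
#    of safety, which is the point the article makes.
Get-RunningDriverSigners |
    Sort-Object @{ Expression = { $_.Status -eq 'Valid' } },
                @{ Expression = { $_.Signer -like '*Microsoft*' } },
                Signer |
    Format-Table Driver, Status, Signer, Thumbprint -AutoSize
```

Get-AuthenticodeSignature validates the embedded signature and chain, not whether the certificate has since been revoked, so compare the Thumbprint column against the revocation and block data you maintain rather than trusting a Valid status on its own.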

SentinelOne stated that code-signing mechanisms are an essential component of modern operating systems. “For years, the introduction of driver signing enforcement was essential to stem the tide of rootkits. The diminishing effectiveness of code signing poses a threat to OS-level security and verification mechanisms.”
