Microsoft-Signed Drivers

After Microsoft-signed drivers obtained through its hardware developer accounts were utilized in cyberattacks, including ransomware incidents, Microsoft revoked numerous of those accounts. The announcement was made in collaboration between Microsoft and several cybersecurity companies.

Microsoft-Signed Drivers Used By Threat Actors

Threat actors are using malicious kernel-mode hardware drivers whose trust has been validated using Authenticode signatures from Microsoft’s Windows Hardware Developer Program. Microsoft was notified that drivers certified through the Windows Hardware Developer Program were being used maliciously in post-exploitation activities. According to an advisory, the threat operators had already gained administrative privileges on compromised systems before using the drivers in the cyberattacks. On October 19, 2022, three cybersecurity companies notified Microsoft of the activity and investigated it. The investigation found that numerous Microsoft Partner Center developer accounts were involved in uploading malicious drivers to acquire Microsoft signatures. A new attempt to submit a malicious driver for signing on September 29, 2022, resulted in the sellers’ accounts being suspended in early October.

Kernel-mode hardware drivers run at the highest privilege level on the operating system once loaded in Windows. Those privileges can enable a driver to perform malicious operations that user-mode applications are not permitted to carry out: terminating security software, deleting protected data, and using rootkit techniques to hide other processes. Microsoft has required kernel-mode hardware drivers to be signed through its Windows Hardware Developer Program since Windows 10. Numerous security platforms automatically trust code signed by Microsoft through the program, since developers must obtain an extended validation (EV) certificate, go through an identity verification process, and submit drivers for validation by Microsoft. The ability to get a kernel-mode driver signed by Microsoft and use it in malicious campaigns is therefore a valuable commodity. Threat intelligence describes the discovery of a new toolkit, containing two components termed STONESTOP (loader) and POORTRY (kernel-mode driver), being used in “bring your own vulnerable driver” (BYOVD) attacks.
STONESTOP is a user-mode application that attempts to terminate endpoint security software processes on devices, according to two cybersecurity companies. Another variant can overwrite and delete files. Because security software processes are often shielded from tampering by regular applications, STONESTOP launches the Microsoft-signed POORTRY kernel-mode driver to terminate the associated protected processes or Windows services. STONESTOP serves as both a loader/installer for POORTRY and an orchestrator instructing the driver on which actions to take.

According to the three cybersecurity companies, the Microsoft-signed drivers’ toolset has been employed by various threat actors. A rapid response team stopped one attack before the threat operators could deploy the final payload. One cybersecurity company connected that attack to the Cuba ransomware group, which had previously utilized a similar malware variant: threat actors linked to Cuba ransomware used the BURNTCIGAR loader program to install a malicious driver signed with Microsoft’s certificate. The toolkit has also been used in cyberattacks against telecommunication, BPO, MSSP, and financial services companies. The Hive ransomware group utilized it against a medical company. A separate threat actor was using similar Microsoft-signed drivers, resulting in the deployment of Hive ransomware against a company in the healthcare industry, which indicated that the technique was being used by various actors with access to similar tooling. A threat actor known as UNC3944 was using the toolkit in SIM swapping attacks in early August 2022. UNC3944 was spotted using malware that had been signed using the attestation signing method. UNC3944 is a financially motivated threat group that has been operating since May 2022 and often acquires initial network access through SMS phishing operations.
With numerous threat clusters employing the signed drivers, it’s unclear how they all obtained similar Microsoft-signed driver toolkits for use in attacks. The toolkit, or the code signing itself, likely came from a supplier or a service that other threat actors pay to access. Further evidence for the “supplier” theory comes from the Microsoft-signed drivers’ identical functionality and design: even though they were utilized by two separate threat actors, their behavior was remarkably similar. Threat analysts have already observed scenarios in which groups are suspected of using a common criminal service for code signing. It’s not a new phenomenon; in 2017 the University of Maryland documented it in their Certified Malware project. The same is believed to be happening with the suspiciously signed attestation drivers and related EV-signed samples.

Microsoft has already suspended the accounts used to submit the drivers for signing and released security updates revoking the certificates used by the malicious files. Additionally, new Microsoft Defender signatures (1.377.987.0) have been issued to detect legitimately signed drivers used in post-exploitation attacks. Microsoft is collaborating with its Microsoft Active Protections Program (MAPP) partners to build further detections and better protect customers. Microsoft Partner Center is working on long-term solutions to address deceptive behaviors and prevent future customer harm. Microsoft has not revealed how the malicious drivers got past the review process. With ransomware groups developing new methods and tactics, including using Microsoft-signed drivers to gain access to network systems, it’s important for global companies to stay alert to the latest threat landscape and regularly update network security systems to prevent future ransomware attacks.
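A defender-side triage script for the driver abuse described above, added here as an example and not part of the SpearTip article or any vendor tooling. It assumes an elevated PowerShell session on the host being examined; $KnownBadHashes is a placeholder list to fill from your own threat intelligence, and the attestation publisher name is Microsoft’s standard signer subject for attestation-signed (non-WHQL) drivers.

```powershell
# Added example: inventory kernel drivers on a Windows host and surface the ones an analyst
# should review after a signed-driver abuse advisory like the one above.
# Flags: a known-bad SHA256, a signature that no longer validates (for example because the
# certificate was revoked by a Microsoft update), or a running attestation-signed driver.
# Assumptions: elevated session; $KnownBadHashes is a placeholder you populate yourself.
$KnownBadHashes = @(
    '<SHA256-FROM-YOUR-THREAT-INTEL-FEED>'   # placeholder, replace with real indicators
)
# Subject used by Microsoft for attestation-signed drivers (not HLK/WHQL tested)
$AttestationSigner = 'CN=Microsoft Windows Hardware Compatibility Publisher*'

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # PathName may carry a \??\ prefix, quotes, or be relative to %SystemRoot%
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^"|"$', ''
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        [pscustomobject]@{
            Name        = $_.Name
            State       = $_.State
            Path        = $path
            SHA256      = $hash
            Status      = $sig.Status
            Signer      = $sig.SignerCertificate.Subject
            Attestation = ($sig.SignerCertificate.Subject -like $AttestationSigner)
            KnownBad    = ($KnownBadHashes -contains $hash)
        }
    }

# Findings worth analyst review, most severe first
$drivers |
    Where-Object {
        $_.KnownBad -or $_.Status -ne 'Valid' -or ($_.Attestation -and $_.State -eq 'Running')
    } |
    Sort-Object KnownBad, Status -Descending |
    Format-Table Name, State, Status, Attestation, KnownBad, Path -AutoSize
```

A clean host will still list some attestation-signed third-party drivers; the point is to correlate them with the vendor’s expected signer, the file hash, and the Defender detections mentioned above rather than to treat every hit as malicious.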
At SpearTip, our certified engineers are continuously working at our 24/7/365 Security Operations Center monitoring companies’ networks for potential ransomware. With our pre-breach advisory services, our engineers will examine companies’ security postures to improve weak points in their networks. Our team engages with companies’ people, processes, and technology to measure the maturity of the technical environment. Our experts will provide a technical roadmap for any vulnerability we uncover and ensure their companies have the awareness and support to optimize their overall cybersecurity posture. Our ShadowSpear platform, an integrable managed detection and response tool, detects sophisticated unknown and advanced ransomware threats using comprehensive insights through unparalleled data normalization and visualizations. If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
