Microsoft says it has banned several third-party developer accounts that submitted malicious Windows drivers for the IT giant to digitally sign so the code could be used in cyberattacks.
Along with its Patch Tuesday release this week, the tech giant also revoked the certificates used to sign the bad drivers and vowed to take action to prevent organizations from loading the malicious code.
The moves come after eggheads at Google-owned Mandiant, SentinelOne, and Sophos told Microsoft in October that several cybercrime gangs were using malicious, third-party, Microsoft-signed, kernel-mode hardware drivers to help spread ransomware.
Essentially, these teams created developer accounts at Microsoft to submit malicious drivers to the software Goliath’s Windows Hardware Developer Program. Once Microsoft was tricked into digitally signing the drivers, signaling that the code was legitimate, the operating system would trust the software.
At that point, once the rogues had compromised a victim’s Windows PC and gained administrator access, they could load the drivers and use them to do privileged things, such as disabling antivirus and security tools, and completely compromising the device and possibly the entire network.
In its advisory this week about the whole mess, Microsoft said it had been informed by the cybersecurity firms that Redmond-approved drivers were being used by various rogues to hit organizations with ransomware.
“In these attacks, the attacker had already gained administrative privileges on compromised systems prior to using the drivers,” Microsoft wrote, adding that its “investigation found that multiple Microsoft Partner Center developer accounts were involved in submitting malicious drivers to obtain a Microsoft signature.”
The IT giant stressed that there had been no compromise of its own network and systems; this was a case of rogue developers submitting bad drivers, waiting for Microsoft to mistakenly approve them, and then using the code in the wild against victims, we’re told.
Now those developer accounts have been frozen and steps have been taken to prevent the drivers from being deployed to other targets, according to Microsoft.
A rogue Windows kernel-mode hardware driver with Microsoft’s seal of approval can do all sorts of things once running on a system. Since Windows 10, Microsoft has required kernel-mode drivers to be signed via the Windows Hardware Developer Program, and that signature signals trust, according to Sophos researchers Andreas Klopsch and Andrew Brandt, who said use of trusted third-party device drivers to kill security tools increased in 2022.
In what is referred to as the Bring Your Own Vulnerable Driver (BYOVD) approach, a malefactor with sufficient privileges on a system loads a legitimate, non-malicious signed Windows driver that is known to contain vulnerabilities, which can then be exploited to turn off security features and fully compromise the PC.
Alternatively, the rogue can load a signed driver designed specifically for evil. The end results are largely the same.
BlackByte ransomware took the first approach, using a driver from a legitimate publisher, the Sophos team wrote in a report.
“Threat actors are moving up the trust pyramid, trying to use more and more trusted cryptographic keys to digitally sign their drivers,” write Klopsch and Brandt.
They said criminals likely linked to the Cuba ransomware used a loading tool called BURNTCIGAR, first discovered by Mandiant in February, to attempt to run a malicious third-party driver called POORTRY that silently kills endpoint protection on targeted systems before ransomware is deployed. POORTRY was reportedly designed specifically for this use case and signed by Microsoft through its hardware developer program.
Attempts to load the driver failed, Sophos said, leaving behind files for researchers to analyze.
Sophos said it found two malicious Windows driver samples signed on behalf of Zhuhai Liancheng Technology and another for Beijing JoinHope Image Technology, both Chinese companies.
Meanwhile, Mandiant researchers wrote this week about UNC3944, a financially motivated crew that has been active since at least May and has abused Microsoft-signed malware and the company’s hardware driver program.
Researchers said UNC3944 used a malware loader called STONESTOP to run POORTRY and kill unwanted security processes. POORTRY dates from June and has been seen signed with various code-signing certificates. The UNC3944 gang typically gains initial access to a network using stolen credentials and SMS phishing.
SentinelOne’s SentinelLabs unit said it found malware containing STONESTOP used to load and install POORTRY. The analysts discovered three versions of this malicious code stack, with two versions of POORTRY being signed by Microsoft.
The analysts said the toolkit was used against a range of targets in areas including telecoms, business process outsourcing (BPO), managed security service providers (MSSPs) and financial services. It was also used by the Hive ransomware group against a healthcare company.
Researchers from Mandiant and SentinelLabs said several teams have used POORTRY, indicating the malware may be available to criminals and the process of signing the drivers may be offered as a service.
“Other evidence supporting the ‘supplier’ theory comes from the similar functionality and design of the drivers,” the SentinelLabs team wrote. “Although they were used by two different threat actors, they functioned very similarly. This indicates that they may have been developed by the same person and subsequently sold for someone else’s use.”
Additionally, Mandiant analysts have seen cybercriminals and services claiming to offer code-signing certificates or to sign malware for buyers in languages such as English, Russian, and Chinese.
Microsoft said in October that it is countering this trend of using vulnerable drivers in attacks by making the vulnerable driver blocklist a default feature rather than an option for devices running the Windows 11 2022 Update. In addition, the block list is updated regularly and is consistent across Windows 10 and other OS versions.
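For defenders, the two practical checks that fall out of the BYOVD story and the blocklist mitigation above are: which kernel drivers are actually running and who signed them, and whether the vulnerable driver blocklist is switched on. The PowerShell below is an added example, not code from The Register, Microsoft, Sophos, or Mandiant; it assumes an elevated session, takes the two signer names from this article as triage strings, and relies on Microsoft's documented `VulnerableDriverBlocklistEnable` registry value and the `Win32_DeviceGuard` class for HVCI state.

```powershell
# Added example: inventory running kernel drivers, show their Authenticode signer,
# and check whether the Microsoft vulnerable driver blocklist is enforced.
# Run in an elevated PowerShell session. Signer strings below come from the
# article's reporting, not from a vendor feed (assumption: match on subject CN).
$SuspectSigners = @(
    'Zhuhai Liancheng Technology',
    'Beijing JoinHope Image Technology'
)

function Get-RunningKernelDriverSignature {
    # Win32_SystemDriver lists kernel and file-system drivers; keep only running ones
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName can be \??\C:\..., \SystemRoot\..., or relative to %SystemRoot%
            $path = $_.PathName.Trim('"')
            $path = $path -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if ($path -notmatch '^[A-Za-z]:') { $path = Join-Path $env:SystemRoot $path }
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $subject = $sig.SignerCertificate.Subject
            [pscustomobject]@{
                Name    = $_.Name
                Path    = $path
                Status  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer  = $subject
                Suspect = @($SuspectSigners | Where-Object { $subject -like "*$_*" }).Count -gt 0
            }
        }
}

function Test-VulnerableDriverBlocklist {
    # Documented switch for the Microsoft vulnerable driver blocklist
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = (Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' `
            -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    # Memory integrity (HVCI) also enforces the blocklist; 2 in SecurityServicesRunning = HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
            -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BlocklistRegistryEnabled = ($val -eq 1)
        HvciRunning              = (@($dg.SecurityServicesRunning) -contains 2)
    }
}

# Anything not validly signed, or signed by a name from the report, deserves a closer look
Get-RunningKernelDriverSignature |
    Where-Object { $_.Status -ne 'Valid' -or $_.Suspect } | Format-Table -AutoSize
Test-VulnerableDriverBlocklist
```

A signature status of Valid is a triage signal, not a verdict: a driver signed by Microsoft through the developer program, as in this story, validates cleanly until its certificate is revoked and the host has picked up the revocation.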
It would also be nice not to sign the malicious drivers in the first place. ®
https://www.theregister.com/2022/12/14/microsoft_drivers_ransomware_attacks/ Malicious drivers signed by Microsoft used in cyber attacks • The Register