Microsoft announced on Tuesday that it has suspended several developer program accounts that had obtained drivers certified through the Windows Hardware Developer Program. Those signed drivers were used in post-compromise activity, most likely including ransomware deployment, against telecommunications, outsourcing, MSSP and financial services organizations.
In a December 13 security advisory, Microsoft said the attackers had already obtained administrative privileges on the compromised systems before loading the drivers. Several security vendors notified the Redmond, Washington-based software giant of the activity on Oct. 19, and an “investigation revealed that several Microsoft Partner Center developer accounts were in the process of submitting malicious drivers to obtain a Microsoft signature.”
A further attempt to submit a malicious driver for signing led to the suspension of the sellers’ accounts in early October, the advisory continued.
The certificates for the affected files were revoked in Microsoft’s December 13 Patch Tuesday release, and the sellers’ accounts were suspended. Microsoft said it has also implemented blocking detections for legitimately signed drivers that are used maliciously in post-exploitation activity.
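Because the drivers in question carried a legitimate Microsoft signature, a signature check alone will not flag them; what a defender can do is inventory every kernel driver on a host, record who signed it and its hash, and review the drivers signed through the Hardware Developer Program (leaf certificate subject “Microsoft Windows Hardware Compatibility Publisher”) against vendor indicators. The following PowerShell is an added example written for this page, not code from the article, Microsoft, SentinelOne or Mandiant. It assumes an elevated session on Windows; the function name and the `-RunningOnly` switch are this example's own.

```powershell
# Added example (not from the article or from Microsoft): inventory kernel drivers
# with their Authenticode status, signer subject and SHA-256, and flag the ones
# signed through the Hardware Developer Program so they can be reviewed first.
# Run in an elevated PowerShell session.

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        # Report only drivers that are currently running when set.
        [switch]$RunningOnly
    )

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver
    if ($RunningOnly) {
        $drivers = $drivers | Where-Object { $_.State -eq 'Running' }
    }

    foreach ($d in $drivers) {
        # PathName can be empty for some built-in drivers, or carry \??\ and
        # \SystemRoot\ prefixes; normalise it to a path the file cmdlets accept.
        $path = $d.PathName
        if (-not $path) { continue }
        $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        [pscustomobject]@{
            Name         = $d.Name
            State        = $d.State
            Path         = $path
            # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError ...
            Status       = $sig.Status
            Signer       = $subject
            SHA256       = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            # Drivers signed via the Hardware Developer Program (attestation or WHQL)
            # are signed by this Microsoft publisher certificate.
            HwDevProgram = $subject -like '*Microsoft Windows Hardware Compatibility Publisher*'
        }
    }
}

# Usage: invalid or unsigned drivers first, then third-party-signed drivers,
# then Hardware Developer Program-signed ones; compare the SHA256 column with
# the hashes published by Microsoft, SentinelOne and Mandiant.
Get-DriverSignatureReport -RunningOnly |
    Sort-Object @{ Expression = { $_.Status -eq 'Valid' } }, HwDevProgram, Name |
    Format-Table Name, State, Status, HwDevProgram, Signer -AutoSize
```

One caveat on the `Status` column: `Get-AuthenticodeSignature` reports the chain status as the local machine sees it, so whether a certificate revoked on Patch Tuesday shows up as anything other than `Valid` depends on the revocation information available to that host. Treat the signer and hash columns, not the status, as the fields to compare against published indicators.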
SentinelOne, Mandiant, and Sophos have all notified Microsoft of the suspicious activity.
SentinelOne detailed its discovery of POORTRY and STONESTOP malware used to evade antivirus and endpoint detection and response (EDR) tools, as well as the types of companies targeted by the legitimately signed drivers.
SentinelOne also advanced two theories: either a vendor is offering the driver signing process “as-a-service” to paying threat actors, or, less likely, multiple threat actors have compromised legitimate driver developers and are using their Extended Validation (EV) certificates to sign the malicious drivers and submit them through the developers’ own accounts.
“We are confident that the malicious drivers listed above, as well as those dated June 2021, were used by various threat actors,” SentinelLabs wrote in its post. “…Other evidence in support of the ‘vendor’ theory comes from the similar functionality and design of the drivers. Although they were used by two different threat actors, they functioned in much the same way. This indicates that they may have been developed by the same person and then sold for use by someone else.”
Mandiant said on its security blog that the threat group it identifies as “UNC3944” used one of the signed malicious drivers to deploy the STONESTOP and POORTRY malware. It said the group has been operating since May and is financially motivated, usually gaining network access through stolen credentials obtained through SMS phishing.
Like SentinelOne, Mandiant said it believed the threat groups abusing the driver signing process are “using a common criminal code-signing service.”
“Given the different company names identified and the different development environments, Mandiant suspects that there is a service provider that has these malware samples signed on behalf of the actors through the attestation process. Unfortunately, this assessment is made with low confidence at the moment.”
Also on the December 13 Patch Tuesday, Microsoft released fixes for 48 new vulnerabilities in its products, six of which were classified as critical, according to Dark Reading.