Monday, February 6, 2023

Microsoft-signed malicious drivers used in cyberattacks • The Register

Microsoft says it has suspended several third-party developer accounts that submitted malicious Windows drivers for the IT giant to digitally sign so the code could be used in cyberattacks.

Coinciding with the rollout of Patch Tuesday this week, the tech goliath also revoked the certificates used to sign the bad drivers, promising to take steps to prevent organizations from loading the malicious code.

These moves come after eggheads at Google-owned Mandiant, SentinelOne, and Sophos told Microsoft in October that multiple cybercriminal gangs were using malicious, third-party-developed, Microsoft-signed kernel-mode hardware drivers to help spread ransomware.

Essentially, these crews created developer accounts at Microsoft to submit malicious drivers to the software goliath’s Windows Hardware Developer Program. Once Microsoft was tricked into digitally signing the drivers, indicating that the code was legitimate, the software would be trusted by the operating system.

At that point, once the miscreants had compromised a victim’s Windows PC and gained administrative access, they could load the drivers and use them to do privileged things like disabling antivirus and security tools, damaging the device, and possibly jeopardizing the entire network.

According to Microsoft’s advisory this week on the whole mess, the megabiz was informed by the cybersecurity firms that Redmond-approved drivers were being used by several miscreants to hit organizations with ransomware.

“In these attacks, the attacker had already obtained administrative privileges on compromised systems before using the drivers,” Microsoft wrote. Microsoft signature.”

The IT giant stressed that there had been no compromise of its own network and systems; this was a case of rogue developers submitting bad drivers, waiting for Microsoft to falsely approve them, and then using the code against victims in the wild, we’re told.


Now those developer accounts have been frozen and steps have been taken to prevent the drivers from being used against other targets, Microsoft said.

A malicious kernel-mode Windows hardware driver with Microsoft’s stamp of approval is not hindered from doing all sorts of things once running on a system, such as hobbling endpoint protection products and thwarting intrusion detection. Since Windows 10, Microsoft has required kernel-mode drivers to be signed through the Windows Hardware Developer Program.

The signature indicates trust, according to Sophos researchers Andreas Klopsch and Andrew Brandt, who noted an increase during 2022 in the use of trusted third-party device drivers to terminate security tools.

Dubbed the Bring Your Own Vulnerable Driver (BYOVD) approach, a miscreant with sufficient privileges loads onto a system a legitimate, non-malicious signed Windows driver known to contain vulnerabilities, which can then be exploited to switch off defenses and put the PC in complete danger.

Alternatively, the miscreant can load a signed driver specially designed for evil. The end results are largely the same.

The BlackByte ransomware took the first approach and used a driver from a legitimate publisher, the Sophos team wrote in a report.

“Threat actors are climbing up the trust pyramid, increasingly seeking to use trusted cryptographic keys to digitally sign their drivers,” Klopsch and Brandt wrote.

They said that criminals likely associated with the Cuba ransomware used a loader tool called BURNTCIGAR – first detected by Mandiant in February – to attempt to run a malicious third-party driver called POORTRY that silently kills endpoint protections on targeted systems before planting ransomware. POORTRY is said to have been designed specifically for this use case and signed by Microsoft through its hardware developer program.


Attempts to load the driver failed, we’re told, leaving behind files for the researchers to analyze.

Sophos said it found two malicious Windows driver samples signed on behalf of Zhuhai Liancheng Technology and another for Beijing JoinHope Image Technology, both Chinese companies.

Meanwhile, Mandiant researchers this week wrote about UNC3944, a financially motivated team that has been operating since at least May, using malware signed through Microsoft’s hardware driver program.

The researchers said that UNC3944 used a malware loader called STONESTOP to run POORTRY to kill unwanted security processes. POORTRY dates back to June and has appeared with several code-signing certificates. The UNC3944 gang usually gains initial access to a network using stolen credentials and SMS phishing.

SentinelOne’s SentinelLabs unit said it found malware containing STONESTOP, which is used to load and install POORTRY. The analysts discovered three versions of this malicious code stack, with two versions of POORTRY signed by Microsoft.

The analysts said the toolkit has been used against a range of targets in areas such as telecommunications, business process outsourcing (BPO), managed security service providers (MSSPs) and financial services. It has also been used by the Hive ransomware group against a healthcare company.

Researchers from both Mandiant and SentinelLabs said multiple crews have used POORTRY, indicating that the malware may be available for miscreants to purchase and that the driver signing process may be provided as a service.

“Other evidence in support of the ‘vendor’ theory stems from the similar functionality and design of the drivers,” the SentinelLabs team wrote. “Although they were used by two different attackers, they functioned in much the same way. This indicates that they may have been developed by the same person and then sold for use by someone else.”


In addition, the Mandiant analysts have seen cybercriminals and services claim – in languages like English, Russian and Chinese – that they offer code signing certificates or malware signing for buyers.

Microsoft said in October that it is countering this trend of using vulnerable drivers in attacks by making the vulnerable driver block list a standard feature, rather than an option, for devices running the Windows 11 2022 Update. In addition, the block list is regularly updated and kept consistent across Windows 10 and other OS versions.
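For defenders wanting to act on the BYOVD and block-list points above, the following PowerShell script is an added example (it is not from the article, nor from Microsoft, Sophos, Mandiant or SentinelOne). It inventories the kernel drivers currently running, checks each file’s Authenticode signature, records a SHA-256 hash for comparison against whatever indicators your own threat-intel feed supplies, and reports whether hypervisor-protected code integrity (HVCI) is running, since Microsoft’s vulnerable driver block list is enforced through HVCI/WDAC. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows 10 or 11; the function names are this example’s own.

```powershell
# Added example, not code from the article or the vendors it cites.
# Assumes an elevated PowerShell session on Windows 10/11.

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName sometimes carries NT-style prefixes
    # (\SystemRoot\..., \??\C:\...) or a bare System32\... path; normalize
    # them so Get-AuthenticodeSignature can open the file.
    if (-not $RawPath) { return $null }
    $p = $RawPath.Trim('"')
    if ($p -like '\SystemRoot\*') {
        $p = Join-Path $env:SystemRoot $p.Substring('\SystemRoot\'.Length)
    } elseif ($p -like '\??\*') {
        $p = $p.Substring(4)
    } elseif ($p -like 'System32\*') {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-RunningDriverSignatureReport {
    # One object per running kernel driver: signer, signature status, hash.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    Status = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                }
            } else {
                [pscustomobject]@{
                    Name = $_.Name; Path = $_.PathName
                    Status = 'FileNotFound'; Signer = $null; SHA256 = $null
                }
            }
        }
}

function Get-HvciStatus {
    # Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI is active;
    # CodeIntegrityPolicyEnforcementStatus is 0 (off), 1 (audit) or 2 (enforced).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        HvciRunning                    = ($dg.SecurityServicesRunning -contains 2)
        CodeIntegrityPolicyEnforcement = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

# Usage: show anything that is not cleanly signed, then the HVCI state.
$report = Get-RunningDriverSignatureReport
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
Get-HvciStatus
```

The caveat this article makes is exactly the one this check cannot resolve on its own: a driver like POORTRY carries a genuine Microsoft signature, so it reports `Valid` until the certificate is revoked and the machine has picked up the revocation. The signature column therefore catches unsigned or tampered drivers, while the hash column is there to be matched against indicators from your own sources, and the HVCI check tells you whether the block list Microsoft describes is actually being enforced on the host.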

It would also be cool not to find malicious drivers in the first place. ®
