

Security researchers have reported that multiple threat actors are using malicious drivers signed by Microsoft in a range of attacks, including the deployment of Cuba ransomware.
The development matters because security products place heavy trust in anything that carries a Microsoft signature.
In this month's Patch Tuesday release, Microsoft acknowledged reports from SentinelOne, Google-owned Mandiant, and Sophos that attackers were using drivers certified through Microsoft's Windows Hardware Developer Program to deploy various types of malware.
The drivers were malicious but validly signed, and were used in post-exploitation activity to disable endpoint detection and response (EDR) agents and antivirus software on victims' systems. Microsoft said it was notified of the abuse on October 19.
Mandiant tracks the malicious driver as POORTRY and the loader that installs it as STONESTOP. Mandiant has identified several malware families signed through this process and nine unique organization names associated with the signed malware.
SentinelOne reported that the drivers have been used against organizations in the telecommunications, outsourcing, entertainment, transportation, custodial services, financial services, and cryptocurrency sectors. In some cases, the activity was used to support SIM swapping.
"Notably, SentinelLabs identified a separate threat actor also using a malicious Microsoft-signed driver, resulting in the deployment of Hive ransomware against a target in the medical industry, indicating the wider use of this technique by various actors with access to similar tooling," it said.
The attackers went through the legitimate process with Microsoft and the certificate authorities (CAs) to obtain drivers signed by Microsoft.
"The key problem with this process is that most security solutions implicitly trust anything signed by Microsoft, especially kernel mode drivers," SentinelOne said.
"Starting with Windows 10, Microsoft began requiring kernel mode drivers to be signed through the Windows Hardware Developer Center Dashboard portal." Microsoft introduced the requirement to counter kernel mode rootkits, which left attackers with alternatives such as exploiting vulnerabilities in legitimate, already-signed kernel mode drivers.
Mandiant researchers believe that, to obtain a Microsoft-signed driver, the attackers first obtained Extended Validation (EV) code-signing certificates from a CA through fraud or theft and then submitted their malware through Microsoft's signing process, which passed it despite its verification checks. SentinelOne notes that there are several theories about what is going on: one or more service providers may be offering the signing process as a service, and Mandiant favours a supply-chain explanation.
Microsoft said it had investigated and found that the activity was "limited to the abuse of a few developer accounts" and that its services were not compromised.
It has suspended the partners' developer accounts, put additional security checks in place, and revoked the certificate for the affected files.
As Mandiant explains, for Windows 10, Windows 11, and Windows Server 2022, hardware vendors can submit drivers to Microsoft for attestation signing, which validates the submitted driver package and the software publisher's information. The publisher proves its identity by signing the driver package with an EV certificate issued by a small group of CAs.
"Attestation-signed drivers take the trust granted to them by the CA and transfer it to a file carrying an Authenticode signature from Microsoft itself. We assess with high confidence that the attackers have abused this process, using EV code-signing certificates to submit driver packages through the attestation signing process, with the end result that their malware is directly signed by Microsoft," Mandiant said.
Authenticode is Microsoft's code-signing technology for Windows binaries. A driver that passes through the Windows Hardware Compatibility Program's signing service comes out carrying a Microsoft Authenticode signature rather than the vendor's own.
Mandiant tracks one group using the malware as UNC3944.
"UNC3944 is a financially motivated threat group that has been active since at least May 2022 and often gains initial access using stolen credentials obtained from SMS phishing operations. It has enabled SIM swapping attacks, likely in support of secondary criminal activity that occurs outside the victim environment," Mandiant said.
What is under attack in this case is the chain of trust between software vendors and Microsoft.
"Because [endpoint detection and response] vendors are forced to trust Microsoft-signed drivers, it becomes difficult to distinguish legitimate from malicious functionality, and the signature check is diluted as a security control," SentinelOne wrote.
"Threat actors are moving up the trust pyramid, trying to use highly trusted cryptographic keys to sign their drivers," Sophos said. A signature from a trusted publisher lets Windows load the driver without complaint, improving the odds that the Cuba ransomware operators can kill the security processes protecting their targets' machines.
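To make the detection problem described by SentinelOne and Sophos concrete, here is an added example (not code from the article, Microsoft, SentinelOne, Mandiant, or Sophos) that triages Sysmon Event ID 6 driver-load records. It relies on two signer names that appear in real events, "Microsoft Windows" for inbox drivers and "Microsoft Windows Hardware Compatibility Publisher" for drivers signed through the hardware program; the event text, file paths, hashes, and block-list contents are all constructed for the example. The load-path heuristic is an assumption about where vendor driver packages normally install, not a rule taken from any of the cited reports.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for abuse of Microsoft-signed drivers.

Added example; not code from the article or from the vendors it cites. Sysmon
writes Event ID 6 as one 'Key: Value' line per field, and SAMPLE_EVENTS below
are constructed in that layout with made-up paths and hashes.
"""
from dataclasses import dataclass, field

# Constructed block list. In practice this would be filled from the SHA256 hashes
# published in the vendor reports and Microsoft's recommended driver block rules.
BLOCKED_SHA256 = {"11" * 32}

# Signer subjects exactly as they appear in the Sysmon 'Signature' field.
INBOX_SIGNER = "Microsoft Windows"
HWCOMPAT_SIGNER = "Microsoft Windows Hardware Compatibility Publisher"

# Assumption: directories from which Microsoft-signed vendor drivers are normally loaded.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signer: str
    status: str
    findings: list = field(default_factory=list)


def parse_event(text: str) -> DriverLoad:
    """Parse one Sysmon Event ID 6 message body into a DriverLoad record."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", "").lower(),
        signed=fields.get("Signed", "false").lower() == "true",
        signer=fields.get("Signature", ""),
        status=fields.get("SignatureStatus", ""),
    )


def classify_signer(signer: str) -> str:
    """Map the signer subject to the trust path the driver took into the kernel."""
    if signer == INBOX_SIGNER:
        return "inbox"
    if signer == HWCOMPAT_SIGNER:
        # WHQL-tested and attestation-signed drivers share this signer. Sysmon does
        # not expose the EKU that separates them (attestation signing carries
        # 1.3.6.1.4.1.311.10.3.5.1), so that check needs the certificate itself.
        return "hardware-program"
    return "third-party"


def triage(event: DriverLoad) -> DriverLoad:
    """Attach findings to a driver-load record; an empty list means nothing to see."""
    if event.sha256 in BLOCKED_SHA256:
        event.findings.append("hash on block list")
    if not event.signed or event.status != "Valid":
        event.findings.append("signature missing or invalid")
    path = event.image.lower()
    if classify_signer(event.signer) == "hardware-program" and not path.startswith(EXPECTED_DRIVER_DIRS):
        # A Microsoft hardware-program signature on a driver loaded from a temp or
        # user directory is the combination the reports describe: the signature
        # alone says nothing about who submitted the driver.
        event.findings.append("hardware-program signature, unusual load path")
    return event


def triage_log(messages):
    """Run triage over a list of Event ID 6 message bodies, preserving order."""
    return [triage(parse_event(m)) for m in messages]


# Constructed sample events; every path and hash here is made up.
SAMPLE_EVENTS = [
    "Driver loaded:\nRuleName: -\nUtcTime: 2022-12-13 09:00:00.000\n"
    "ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys\n"
    "Hashes: SHA256=" + "aa" * 32 + "\nSigned: true\n"
    "Signature: Microsoft Windows\nSignatureStatus: Valid",
    "Driver loaded:\nRuleName: -\nUtcTime: 2022-12-13 09:01:00.000\n"
    "ImageLoaded: C:\\Windows\\System32\\drivers\\vendorfilter.sys\n"
    "Hashes: SHA256=" + "bb" * 32 + "\nSigned: true\n"
    "Signature: Microsoft Windows Hardware Compatibility Publisher\nSignatureStatus: Valid",
    "Driver loaded:\nRuleName: -\nUtcTime: 2022-12-13 09:02:00.000\n"
    "ImageLoaded: C:\\Windows\\Temp\\kmd.sys\n"
    "Hashes: SHA256=" + "11" * 32 + "\nSigned: true\n"
    "Signature: Microsoft Windows Hardware Compatibility Publisher\nSignatureStatus: Valid",
    "Driver loaded:\nRuleName: -\nUtcTime: 2022-12-13 09:03:00.000\n"
    "ImageLoaded: C:\\Users\\Public\\x.sys\n"
    "Hashes: SHA256=" + "cc" * 32 + "\nSigned: false\n"
    "Signature: -\nSignatureStatus: Unavailable",
]

if __name__ == "__main__":
    for record in triage_log(SAMPLE_EVENTS):
        print(record.image, record.findings or "clean")
```

The third sample is the shape of the incidents in the reports: a driver with a valid Microsoft hardware-program signature, loaded from a location no vendor installer would use. The signature check alone passes it; only the hash and path checks catch it, which is why the revocations Microsoft pushed and the published hashes matter more here than the signing policy itself.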