Threat actors used drivers signed by Microsoft hardware developer profiles for launching ransomware attacks.
On October 19, this year, cyber researchers notified Microsoft that drivers certified by their program were maliciously used by threat actors.
Microsoft opened an investigation on the matter and has already revoked several accounts belonging to the developers involved.
Microsoft claims that „In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers.”
This investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature.
A new attempt at submitting a malicious driver for signing on September 29th, 2022, led to the suspension of the sellers’ accounts in early October.
Cyber researchers said hackers used malicious kernel-mode hardware drivers that were previously verified with Authenticode signatures from Microsoft’s Windows Hardware Developer Program.
Why Are Kernel-Mode Drivers Important
Kernel-mode hardware drivers loaded in Windows get the highest privilege level on the OS.
This means that a driver could be allowed to perform malicious tasks that are not usually permitted for user-mode applications. Acting as rootkits to hide processes, shuting down security software, or deleting protected files are some examples.
This is why, for safety reasons, starting with Windows 10, Microsoft requires that kernel-mode hardware drivers are signed via Microsoft’s Windows Hardware Developer Program. Because the procedure is very thorough, lots of security platforms blindly trust code signed by Microsoft through this program. Regarding all these, for threat actors the ability to sign a kernel-mode driver by Microsoft to use it in malicious activities is gold.
Researchers Found New Toolkit Used in BYOVD Attacks.
Cyber researchers announced finding a new toolkit that is used in ”bring your own vulnerable driver” (BYOVD) attacks. The toolkit has two components: STONESTOP (loader) and POORTRY (kernel-mode driver).
Researchers warn that the user-mode application STONESTOP is supposed to terminate endpoint security software processes and it could even have the ability to overwrite and delete files.
Because most of the time security software processes are protected against tampering by regular applications, STONESTOP loads the POORTRY kernel-mode driver signed by Microsoft to stop the associated protected processes or Windows services.
STONESTOP functions as both a loader/installer for POORTRY, as well as an orchestrator to instruct the driver with what actions to perform
For now, Microsoft released security updates, revoked the certificates used by malicious files and suspended the accounts involved. Their recommendation for the users is, at the moment, that they install the latest Windows updates and make sure their anti-virus and endpoint detection products are updated with the latest signatures.