Microsoft Signed Drivers Used in Ransomware Attacks

Microsoft has had to revoke several of its hardware developer accounts after drivers signed through those accounts were used in ransomware attacks.

Microsoft was informed of this on the 19th of October last year and then began its investigation.

An advisor to Microsoft stated “Microsoft was informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity.

In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers”.

Sophos, a British IT security company, detected a threat that used these drivers and stopped the attack before the attackers could go further.

Sophos has attributed the attack to the Cuba ransomware operation, which had previously used a variant of this malware.

The company then stated,

“In incidents investigated by Sophos, threat actors tied to Cuba ransomware used the BURNTCIGAR loader utility to install a malicious driver signed using Microsoft’s certificate”.

Sophos also identified three different variants of the driver, signed with code-signing certificates belonging to two Chinese companies, Zhuhai Liancheng Technology and Beijing JoinHope Image Technology.

These drivers are being used because they allow threat actors to bypass security measures.

In another case, detected by a different IT security company, SentinelOne, the target was in the medical industry.

Mandiant, a Google-owned software company, observed a threat group named UNC3944 using a loader named STONESTOP to install a malicious driver called POORTRY, which is designed to kill processes associated with security software and delete files.

Mandiant said that it has “continually observed threat actors use compromised, stolen, and illicitly purchased code-signing certificates to sign malware,” and the threat intelligence and incident response firm noted that “several distinct malware families, associated with distinct threat actors, have been signed with this process.”
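As an added defensive check covering the signed-driver abuse described above (this is example code, not from the article or from any of the vendors it names), the PowerShell snippet below inventories the kernel drivers registered on a Windows host and flags any whose Authenticode signer names one of the two companies identified by Sophos, or whose signature no longer validates. The company names come from the article; the substring match and the flagging rule are assumptions.

```powershell
# Added example, not code from the article or from any vendor it names.
# Inventory registered kernel drivers and flag any signed by a watch-listed
# company (names taken from the article) or whose signature no longer
# validates, e.g. because the certificate has since been revoked.
$watchlist = @('Zhuhai Liancheng Technology', 'Beijing JoinHope Image Technology')

# Win32_SystemDriver lists every driver service, running or not, with its image path.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # Image paths may carry \??\ or \SystemRoot\ prefixes; turn them into real paths.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name   = $_.Name
                State  = $_.State
                Path   = $path
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            }
        }
    }

# A driver signed by a watch-listed company, or one whose signature no longer
# checks out, deserves a closer look. Microsoft's own inbox drivers are usually
# catalog-signed rather than embedded-signed, so confirm against the catalog
# before treating a "NotSigned" result on one of those as suspicious.
$flagged = $drivers | Where-Object {
    $subject = $_.Signer
    $onWatchlist = [bool]($watchlist | Where-Object { $subject -like "*$_*" })
    $onWatchlist -or ($_.Status -ne 'Valid')
}

$flagged | Sort-Object Status, Name | Format-Table Name, State, Status, Signer, Path -AutoSize
```

Run it in an elevated PowerShell session so every driver image path is readable; a hit on the watchlist is a lead to investigate, not proof of compromise on its own.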

Microsoft has since released security updates that revoke the certificates used in these attacks, and the accounts used to submit the drivers have been suspended.

The company said it was working with partners in the Microsoft Active Protections Program (MAPP) to detect further threats and better protect their shared customers.

Microsoft also stated, “Microsoft Partner Centre is also working on long-term solutions to address these deceptive practices and prevent future customer impacts.”

However, Microsoft has not yet explained how the drivers made it through the review process in the first place.

Are you in need of IT Support?

Itek provides IT solutions for your entire IT infrastructure. Your business can experience a cost-effective service at a predictable fixed rate, removing the burden from you and your team and freeing you to focus on your goals.
