Ransomware Attackers Use Microsoft-Signed Drivers to Gain Access to Systems
Microsoft on Tuesday disclosed it took steps to suspend accounts that were used to publish malicious drivers that were certified by its Windows Hardware Developer Program were used to sign malware.
The tech giant said its investigation revealed the activity was restricted to a number of developer program accounts and that no further compromise was detected.
Cryptographically signing malware is concerning not least because it not only undermines a key security mechanism but also allows threat actors to subvert traditional detection methods and infiltrate target networks to perform highly privileged operations.
The probe, Redmond stated, was initiated after it was notified of rogue drivers being used in post-exploitation efforts, including deploying ransomware, by cybersecurity firms Mandiant, SentinelOne, and Sophos on October 19, 2022.
One notable aspect of these attacks was that the adversary had already obtained administrative privileges on compromised systems before using the drivers.
“Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature,” Microsoft explained. “A new attempt at submitting a malicious driver for signing on September 29, 2022, led to the suspension of the sellers’ accounts in early October.”
According to an analysis from Sophos threat actors affiliated with the Cuba ransomware (aka COLDDRAW) planted a malicious signed driver in a failed attempt at disabling endpoint detection tools via a novel malware loader dubbed BURNTCIGAR, which was first revealed by Mandiant in February 2022.
The company also identified three variants of the driver signed by code signing certificates that belong to two Chinese companies, Zhuhai Liancheng Technology and Beijing JoinHope Image Technology.
The reasoning behind using signed drivers is that it offers a way for threat actors to get around crucial security measures which require kernel-mode drivers to be signed in order for Windows to load the package. What’s more, the technique misuses the de facto trust security tools place in Microsoft-attested drivers to their advantage.
“Threat actors are moving up the trust pyramid, attempting to use increasingly more well-trusted cryptographic keys to digitally sign their drivers,” Sophos researchers Andreas Klopsch and Andrew Brandt said. “Signatures from a large, trustworthy software publisher make it more likely the driver will load into Windows without hindrance.”
Google-owned Mandiant, in a coordinate disclosure, said it observed a financially motivated threat group known as UNC3944 employing a loader named STONESTOP to install a malicious driver dubbed POORTRY that’s designed to terminate processes associated with security software and delete files.
Stating that it has “continually observed threat actors use compromised, stolen, and illicitly purchased code-signing certificates to sign malware,” the threat intelligence and incident response firm noted that “several distinct malware families, associated with distinct threat actors, have been signed with this process.”
This has given rise to the possibility that these hacking groups could be leveraging a criminal service for code signing (i.e., malicious driver signing as a service), wherein the provider gets the malware artifacts signed through Microsoft’s attestation process on behalf of the actors.
STONESTOP and POORTRY are said to have been used by UNC3944 in attacks aimed at telecommunication, BPO, MSSP, financial services, cryptocurrency, entertainment, and transportation sectors, SentinelOne said, adding a different threat actor utilized a similar signed driver that resulted in the deployment of Hive ransomware.
Microsoft has since revoked the certificates for impacted files and suspended the partners’ seller accounts to counter the threats as part of its December 2022 Patch Tuesday update.
This is not the first time digital certificates have been abused to sign malware. Last year, a Netfilter driver certified by Microsoft turned out to be a malicious Windows rootkit that was observed communicating with command-and-control (C2) servers located in China.
It’s not a Windows-only phenomenon, however, as Google this month published findings that compromised platform certificates managed by Android device makers including Samsung and LG had been used to sign malicious apps distributed through unofficial channels.
The development also comes amid a broader abuse of signed drivers to sabotage security software in recent months. The attack, referred to as Bring Your Own Vulnerable Driver (BYOVD), involves exploiting legitimate drivers that contain known shortcomings to escalate privileges and execute post-compromise actions.
Microsoft, in late October, said it’s enabling the vulnerable driver blocklist (DriverSiPolicy.p7b) by default for all devices with Windows 11 2022 update, alongside validating that it’s the same across different operating system versions, following an Ars Technica report that highlighted inconsistencies in updating the blocklist for Windows 10 machines.
“Code signing mechanisms are an important feature in modern operating systems,” SentinelOne said. “The introduction of driver signing enforcement was key in stemming the tide of rootkits for years. The receding effectiveness of code signing represents a threat to security and verification mechanisms at all OS layers.”