
Microsoft on Tuesday disclosed that it took steps to suspend accounts
that were used to publish malicious drivers[1] certified by its
Windows Hardware Developer Program[2], meaning the malware carried a
legitimate Microsoft signature.

The tech giant said its investigation revealed the activity was
restricted to a number of developer program accounts and that no
further compromise was detected.

Cryptographically signed malware is concerning because it undermines
a key security mechanism and lets threat actors evade traditional
detection methods and infiltrate target networks to perform highly
privileged operations.

The probe, Redmond stated, was initiated after it was notified
of rogue drivers being used in post-exploitation efforts, including
deploying ransomware, by cybersecurity firms Mandiant, SentinelOne,
and Sophos on October 19, 2022.

One notable aspect of these attacks was that the adversary had
already obtained administrative privileges on compromised systems
before using the drivers.

“Several developer accounts for the Microsoft Partner Center
were engaged in submitting malicious drivers to obtain a Microsoft
signature,” Microsoft explained[3]. “A new attempt at
submitting a malicious driver for signing on September 29, 2022,
led to the suspension of the sellers’ accounts in early
October.”


According to an analysis from Sophos, threat actors affiliated
with the Cuba ransomware[4] (aka COLDDRAW) planted a malicious signed
driver in a failed attempt at disabling endpoint detection tools via
a novel malware loader dubbed BURNTCIGAR, which was first revealed[5]
by Mandiant in February 2022.

The company also identified three variants of the driver signed
by code signing certificates that belong to two Chinese companies,
Zhuhai Liancheng Technology and Beijing JoinHope Image
Technology.

The reasoning behind using signed drivers is that they offer a way
for threat actors to get around a crucial security measure[6]:
Windows requires kernel-mode drivers to be signed before it will load
them. What’s more, the technique turns the de facto trust that
security tools place in Microsoft-attested drivers to the attackers’
advantage.

“Threat actors are moving up the trust pyramid, attempting to
use increasingly more well-trusted cryptographic keys to digitally
sign their drivers,” Sophos researchers Andreas Klopsch and Andrew
Brandt said[7]. “Signatures from a
large, trustworthy software publisher make it more likely the
driver will load into Windows without hindrance.”


Google-owned Mandiant, in a coordinated disclosure, said[8]
it observed a financially motivated threat group known as UNC3944
employing a loader named STONESTOP to install a malicious driver
dubbed POORTRY that’s designed to terminate processes associated
with security software and delete files.

Stating that it has “continually observed threat actors use
compromised, stolen, and illicitly purchased code-signing
certificates to sign malware,” the threat intelligence and incident
response firm noted that “several distinct malware families,
associated with distinct threat actors, have been signed with this
process.”

This has given rise to the possibility that these hacking groups
could be leveraging a criminal service for code signing (i.e.,
malicious driver signing as a service), wherein the provider gets
the malware artifacts signed through Microsoft’s attestation
process on behalf of the actors.


STONESTOP and POORTRY are said to have been used by UNC3944 in
attacks aimed at the telecommunications, BPO, MSSP, financial
services, cryptocurrency, entertainment, and transportation sectors,
SentinelOne said[9], adding that a different threat actor used a
similar signed driver that resulted in the deployment of Hive
ransomware[10].

Microsoft has since revoked the certificates for impacted files
and suspended the partners’ seller accounts to counter the threats
as part of its December 2022 Patch Tuesday[11] update.

This is not the first time digital certificates have been abused
to sign malware. Last year, a Netfilter driver[12] certified by Microsoft
turned out to be a malicious Windows rootkit that was observed
communicating with command-and-control (C2) servers located in
China.

It’s not a Windows-only phenomenon, however, as Google this
month published[13] findings that
compromised platform certificates managed by Android device makers
including Samsung and LG had been used to sign malicious apps
distributed through unofficial channels.

The development also comes amid broader[14] abuse[15] of signed
drivers[16] to sabotage security software[17] in recent months. The
technique, referred to as Bring Your Own Vulnerable Driver (BYOVD),
involves exploiting legitimate drivers that contain known flaws to
escalate privileges and execute post-compromise actions.

Microsoft, in late October, said[18] it’s enabling[19] the vulnerable
driver blocklist (DriverSiPolicy.p7b) by default for all devices
running the Windows 11 2022 Update, and validating that the list is
the same across different operating system versions, following an Ars
Technica report[20] that highlighted inconsistencies in updating the
blocklist on Windows 10 machines.
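For defenders, the practical follow-up to the revocations and the blocklist change is to inventory what kernel drivers a host is actually running and how they are signed. The script below is an added example, not code from the article or from Microsoft: it lists loaded drivers with their Authenticode status and signer, flags anything not chaining to a Microsoft publisher or no longer validating, and reads the blocklist switch Microsoft documents for DriverSiPolicy.p7b. The two signer prefixes and the registry path are assumptions based on Microsoft's documented names; confirm them against your build.

```powershell
# Added example (not from the article): inventory loaded kernel drivers, report
# their Authenticode status and signer, and check the vulnerable driver blocklist.
# Run in an elevated PowerShell session on the host being examined.

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName uses NT-style prefixes; normalise to a Win32 path.
    $p = $RawPath -replace '^\\\?\?\\', ''                     # \??\C:\...       -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"     # \SystemRoot\...  -> C:\Windows\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # bare system32\...
    return $p
}

# Subject prefixes of Microsoft's own driver signers (assumed; verify on your build).
$trustedSigners = @(
    'CN=Microsoft Windows',                                  # inbox drivers
    'CN=Microsoft Windows Hardware Compatibility Publisher'  # WHQL / attestation-signed
)

$report = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }
        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $msSigned = $false
        foreach ($t in $trustedSigners) { if ($subject.StartsWith($t)) { $msSigned = $true } }
        [pscustomobject]@{
            Name   = $_.Name
            Path   = $path
            # Valid, NotSigned, HashMismatch, ...; a signature chaining to a revoked
            # certificate should no longer report Valid once revocation data is present.
            Status = $sig.Status
            Signer = $subject
            Flag   = if ($sig.Status -ne 'Valid') { 'REVIEW: signature not valid' }
                     elseif (-not $msSigned)     { 'REVIEW: not Microsoft-signed' }
                     else                        { '' }
        }
    }

$report | Sort-Object Flag -Descending | Format-Table Name, Status, Flag, Signer -AutoSize

# Blocklist state: Microsoft documents this Code Integrity value for the
# vulnerable driver blocklist (DriverSiPolicy.p7b); 1 means enforced.
$ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
"VulnerableDriverBlocklistEnable = $($ci.VulnerableDriverBlocklistEnable)"
```

An attestation-signed malicious driver passes the signer check until its certificate is revoked, so a clean signer column is a starting point for review, not a verdict.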

“Code signing mechanisms are an important feature in modern
operating systems,” SentinelOne said. “The introduction of driver
signing enforcement was key in stemming the tide of rootkits for
years. The receding effectiveness of code signing represents a
threat to security and verification mechanisms at all OS
layers.”


References

  1. drivers (learn.microsoft.com)
  2. Hardware Developer Program (partner.microsoft.com)
  3. explained (msrc.microsoft.com)
  4. Cuba ransomware (thehackernews.com)
  5. first revealed (www.mandiant.com)
  6. crucial security measures (learn.microsoft.com)
  7. said (news.sophos.com)
  8. said (www.mandiant.com)
  9. said (www.sentinelone.com)
  10. Hive ransomware (thehackernews.com)
  11. Patch Tuesday (thehackernews.com)
  12. Netfilter driver (thehackernews.com)
  13. published (thehackernews.com)
  14. broader (thehackernews.com)
  15. abuse (thehackernews.com)
  16. signed drivers (thehackernews.com)
  17. sabotage security software (thehackernews.com)
  18. said (learn.microsoft.com)
  19. enabling (support.microsoft.com)
  20. report (arstechnica.com)
  21. Twitter (twitter.com)
  22. LinkedIn (www.linkedin.com)
