Ransomware Attackers Use Microsoft-Signed Drivers to Gain Access to Systems
Posted by: Interware
On Tuesday, Microsoft announced that it has taken action to put in place blocking safeguards and suspend accounts that were being used to distribute malicious drivers that had been approved by its Windows Hardware Developer Program.
The IT behemoth said its investigation found that the activity was limited to a few developer programme accounts and that no further compromise had been identified.
Cryptographically signed malware raises concerns, not least because it undermines a crucial security feature and gives threat actors a way to carry out highly privileged operations on target networks while evading standard detection techniques.
Redmond claimed that the investigation was started when it was informed on October 19, 2022, by cybersecurity firms Mandiant, SentinelOne, and Sophos, that rogue drivers were being used in post-exploitation attempts, including the distribution of ransomware.
One notable aspect of these attacks was that the adversary had already obtained administrative privileges on compromised systems before using the drivers.
"Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature," Microsoft explained. "A new attempt at submitting a malicious driver for signing on September 29, 2022, led to the suspension of the sellers' accounts in early October."
According to an analysis from Sophos, threat actors affiliated with the Cuba ransomware (aka COLDDRAW) planted a malicious signed driver in a failed attempt at disabling endpoint detection tools via a novel malware loader dubbed BURNTCIGAR, which was first revealed by Mandiant in February 2022.
The company also identified three variants of the driver signed by code signing certificates that belong to two Chinese companies, Zhuhai Liancheng Technology and Beijing JoinHope Image Technology.
The reasoning behind using signed drivers is that it lets threat actors get past a crucial security control: Windows requires kernel-mode drivers to be signed before it will load them. What's more, the technique abuses the de facto trust that security tools place in Microsoft-attested drivers.
"Threat actors are moving up the trust pyramid, attempting to use increasingly more well-trusted cryptographic keys to digitally sign their drivers," Sophos researchers Andreas Klopsch and Andrew Brandt said. "Signatures from a large, trustworthy software publisher make it more likely the driver will load into Windows without hindrance."
In a combined disclosure, Google-owned Mandiant reported that it had seen the financially driven threat organisation UNC3944 use a loader called STONESTOP to instal the malicious driver POORTRY, which is intended to kill processes connected to security products and erase files.
The threat intelligence and incident response company stated that it has "continually observed threat actors use compromised, stolen, and illicitly purchased code-signing certificates to sign malware," adding that "several distinct malware families, associated with distinct threat actors, have been signed with this process."
This raises the likelihood that these hacker groups are relying on a malicious driver signing-as-a-service, in which the provider uses Microsoft's attestation process to sign malware artefacts on the client's behalf.
According to SentinelOne, UNC3944 allegedly used STONESTOP and POORTRY in attacks against the telecommunications, BPO, MSSP, financial services, cryptocurrency, entertainment, and transportation sectors. SentinelOne also noted that a different threat actor used a similar signed driver to spread Hive ransomware.
The intrusion set discovered by SentinelOne also likely coincides with a "persistent" campaign run by a threat actor known as Scattered Spider that has been focusing on the same industries since June 2022. Some of the attacks have been known to breach mobile carrier networks in order to offer SIM swapping services.
Similar targets, TTPs, and malware "indicate the likelihood of a linkage with this activity," SentinelOne told The Hacker News when contacted for comment, but it noted that it cannot corroborate the research.
Microsoft has since revoked the certificates for impacted files and suspended the partners' seller accounts to counter the threats as part of its December 2022 Patch Tuesday update.
This is not the first time digital certificates have been abused to sign malware. Last year, a Netfilter driver certified by Microsoft turned out to be a malicious Windows rootkit that was observed communicating with command-and-control (C2) servers located in China.
It's not a Windows-only phenomenon, however, as Google this month published findings that compromised platform certificates managed by Android device makers including Samsung and LG had been used to sign malicious apps distributed through unofficial channels.
The development also comes amid a broader abuse of signed drivers to sabotage security software in recent months. The attack, referred to as Bring Your Own Vulnerable Driver (BYOVD), involves exploiting legitimate drivers that contain known shortcomings to escalate privileges and execute post-compromise actions.
Microsoft, in late October, said it's enabling the vulnerable driver blocklist (stored in the "DriverSiPolicy.p7b" file) by default for all devices with Windows 11 2022 update, alongside validating that it's the same across different operating system versions, following an Ars Technica report that highlighted inconsistencies in updating the blocklist for Windows 10 machines.
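The two controls the article describes, driver signature enforcement and the vulnerable driver blocklist, can be checked from the defender's side. The following PowerShell script is an added example, not code from the article or from Microsoft: it reports whether the DriverSiPolicy.p7b blocklist is enabled and whether HVCI is running, then verifies the Authenticode signature of every running kernel driver and lists those whose signature no longer validates (for instance because the signing certificate has been revoked) together with the signer name. It assumes an elevated session and the registry value and CIM classes Microsoft documents for these features.

```powershell
# Added example (not from the article): defender-side checks for the controls
# discussed above, run in an elevated PowerShell session on Windows 10/11.
#   1. Is the Microsoft vulnerable driver blocklist (DriverSiPolicy.p7b) enabled?
#   2. Which running kernel drivers carry a signature that no longer validates,
#      and who signed them?
# Assumption: the registry value and CIM classes below exist as documented by
# Microsoft; adjust the paths if your build differs.

$ErrorActionPreference = 'Stop'

# --- 1. Vulnerable driver blocklist status ----------------------------------
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = Join-Path $env:windir 'System32\CodeIntegrity\driversipolicy.p7b'
$enabled   = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

Write-Host "Blocklist file present : $(Test-Path $blocklist)"
Write-Host "Blocklist registry flag: $(if ($enabled -eq 1) {'enabled'} elseif ($null -eq $enabled) {'not set'} else {'disabled'})"

# SecurityServicesRunning contains 2 when hypervisor-enforced code integrity is active
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
Write-Host "HVCI running           : $($dg.SecurityServicesRunning -contains 2)"

# --- 2. Signature check of every running driver ------------------------------
$results = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # PathName may be given as \??\C:\... or \SystemRoot\...; normalise it
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:windir
        if (-not (Test-Path $path)) { return }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Driver = $_.Name
            Path   = $path
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        }
    }

# Anything other than 'Valid' deserves a look: revoked, expired or unknown signers
$suspect = @($results | Where-Object { $_.Status -ne 'Valid' })
$suspect | Sort-Object Driver | Format-Table -AutoSize
Write-Host "$(@($results).Count) running drivers checked, $($suspect.Count) with a non-Valid signature"
```

Windows inbox drivers are usually catalog-signed rather than embedded-signed, so a NotSigned result for a file under System32\drivers should be checked against the signing catalog before being treated as suspect.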
"Code signing mechanisms are an important feature in modern operating systems," SentinelOne said. "The introduction of driver signing enforcement was key in stemming the tide of rootkits for years. The receding effectiveness of code signing represents a threat to security and verification mechanisms at all OS layers."
Source: Ransomware Attackers Use Microsoft-Signed Drivers to Gain Access to Systems (thehackernews.com)