Malicious Microsoft-signed Windows drivers wielded in cyberattacks
Handy tools to kill off security protections get Redmond's stamp of approval
Microsoft says it has suspended several third-party developer accounts that submitted malicious Windows drivers for the IT giant to digitally sign so that the code could be used in cyberattacks.
In tandem with its Patch Tuesday rollout this week, the tech goliath also revoked certificates used to sign the bad drivers, and promised to put in place measures to prevent organizations from loading the malicious code.
These moves come after eggheads at Google-owned Mandiant, SentinelOne, and Sophos told Microsoft in October that multiple cybercrime gangs were using malicious third-party-developed Microsoft-signed kernel-mode hardware drivers to help spread ransomware.
Essentially, these crews created developer accounts with Microsoft to submit malicious drivers to the software goliath's Windows Hardware Developer Program. Once Microsoft was hoodwinked into digitally signing the drivers, signalling the code was legit, the software would be trusted by the operating system.
At that point, once the miscreants had compromised a victim's Windows PC and gained admin access, they could load the drivers and use them to do privileged things, such as disable antivirus and security tools, and fully compromise the device and possibly the whole network.
According to Microsoft's advisory this week about the whole mess, the mega-biz was informed by the cybersecurity firms that Redmond-approved drivers were being used by various miscreants to hit organizations with ransomware.
"In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers," Microsoft wrote, adding that its "investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature."
The IT giant stressed there had been no compromise of its own network and systems; this was a case of rogue developers submitting bad drivers, and waiting for Microsoft to wrongly OK them, and then use the code in the wild against victims, we're told.
Now those developer accounts have been frozen, and steps taken to prevent the drivers from being deployed against any other targets, according to Microsoft.
- Microsoft realizes it hasn't updated list of banned dodgy Windows 10 drivers in years
- So you've decided you want to write a Windows rootkit. Good thing this chap's just demystified it in a talk
- Microsoft blocks Trend Micro code at center of driver 'cheatware' storm from Windows 10, rootkit detector product pulled from site
- Windows kernel vulnerability disclosed by Google's Project Zero after bug exploited in the wild by hackers
A malicious Windows kernel-mode hardware driver with Microsoft's stamp of approval is unhindered from doing all kinds of things once running on a system, such as hobble endpoint protection products and thwart intrusion detection. Microsoft has required kernel-mode drivers to be signed through the Windows Hardware Developer Program since Windows 10.
The signature indicates trust, according to Sophos researchers Andreas Klopsch and Andrew Brandt. There has been a rise in the use of trusted third-party device drivers to terminate security tools in 2022.
Dubbed the Bring Your Own Vulnerable Driver (BYOVD) approach, a miscreant with sufficient privileges on a system loads a legit, non-malicious signed Windows driver known to contain vulnerabilities that can be exploited to switch off features and fully compromise the PC.
Alternatively, the miscreant can load a signed driver specifically designed for evil. The end results are largely the same.
BlackByte ransomware took the first approach, using a driver from a legitimate publisher, the Sophos team wrote in a report.
"Threat actors are moving up the trust pyramid, attempting to use increasingly more well-trusted cryptographic keys to digitally sign their drivers," Klopsch and Brandt wrote.
They said criminals likely associated with the Cuba ransomware used a loader tool called BURNTCIGAR – first detected by Mandiant in February – to try to run a malicious third-party driver dubbed POORTRY that quietly kills endpoint protections on targeted systems ahead of ransomware being planted. It's said POORTRY was designed specifically for this use case, and was signed by Microsoft via its hardware developer program.
Attempts to load the driver failed, we're told, and left behind files that the researchers could analyze.
Sophos said it found two malicious Windows driver samples that were signed on behalf of Zhuhai Liancheng Technology and another for Beijing JoinHope Image Technology, both Chinese companies.
Meanwhile, Mandiant researchers this week wrote about UNC3944, a financially motivated team active since at least May, that is using malware signed via Microsoft and its hardware driver program.
The researchers said UNC3944 used a malware loader called STONESTOP to run POORTRY to kill off any unwanted security processes. POORTRY dates back to June and has appeared with various code certificates. The UNC3944 gang usually gains initial access to a network using stolen credentials and SMS phishing.
SentinelOne's SentinelLabs unit said it found malware that includes STONESTOP, which is used to load and install POORTRY. The analysts detected three versions of this malicious code stack, with two versions of POORTRY signed through Microsoft.
The analysts said the toolkit has been used against a range of targets in such areas as telecommunications, business process outsourcing (BPO), managed security service providers (MSSPs), and financial services. It's also been used by the Hive ransomware group against a healthcare company.
Researchers at both Mandiant and SentinelLabs said multiple crews have used POORTRY, indicating the malware may be available for miscreants to buy and that the process for signing the drivers may be offered as a service.
"Other evidence supporting the 'supplier' theory stems from the similar functionality and design of the drivers," the SentinelLabs team wrote. "While they were used by two different threat actors, they functioned in very much the same way. This indicates they were possibly developed by the same person then subsequently sold for use by someone else."
In addition, the Mandiant analysts have seen cybercrooks and services claiming – in languages like English, Russian, and Chinese – to offer code-signing certificates or to sign malware for the buyers.
Microsoft in October said it is countering this trend toward using vulnerable drivers in attacks by making the vulnerable driver blocklist a default feature rather than an option for devices running the Windows 11 2022 update. In addition, the blocklist will be regularly updated and consistent across Windows 10 and other OS versions.
Not OKing malicious drivers in the first place would be cool, too. ®