Malicious drivers certified by Microsoft's Windows Hardware Developer Program have been used to boost post-exploitation efforts by cybercriminals, Redmond warned this week, including as part of a small toolkit aimed at terminating security software in target networks.
"Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature," Microsoft explained in an advisory issued on Dec. 13. "A new attempt at submitting a malicious driver for signing on September 29, 2022, led to the suspension of the sellers' accounts in early October."
Code signing is used to provide a level of trust between the software and the operating system; as such, legitimately signed drivers can skate past normal software security checks, helping cybercriminals move laterally from device to device across a corporate network.
SIM-Swap, Ransomware Attacks
In this case, the drivers were likely used in a variety of post-exploitation activity, including deploying ransomware, the computing giant acknowledged. And Mandiant and SentinelOne, which along with Sophos jointly alerted Microsoft to the issue in October, have detailed the drivers' use in specific campaigns.
According to their findings, also issued on Dec. 13, the drivers were used by the threat actor known as UNC3944 in "active intrusions into telecommunication, BPO [business process optimization], MSSP [managed security service provider], and financial services firms," leading to a variety of outcomes.
UNC3944 is a financially motivated threat group active since May that usually gains initial access to targets with credentials phished via SMS operations, according to Mandiant researchers.
"In some cases, the group's post-compromise objectives have focused on accessing credentials or systems used to enable SIM-swapping attacks, likely in support of secondary criminal operations occurring outside of victim environments," Mandiant detailed in a separate Dec. 13 blog post on the issue.
In service of those objectives, the group was observed using the Microsoft-signed drivers as part of a toolkit designed to terminate antivirus and EDR processes. That toolkit consists of two pieces: Stonestop, a Windows userland utility that terminates processes by creating and loading a malicious driver, and Poortry, the malicious Windows driver that Stonestop loads to carry out the process termination.
SentinelLabs also observed a separate threat actor using the same driver, "which resulted in the deployment of Hive ransomware against a target in the medical industry, indicating a broader use of this technique by various actors with access to similar tooling."
To combat the threat, Microsoft has released Windows Security Updates that revoke the certificates for affected files and suspended the partners' seller accounts.
"Additionally, Microsoft has implemented blocking detections (Microsoft Defender 1.377.987.0 and newer) to help protect customers from legitimately signed drivers that have been used maliciously in post-exploit activity," the company noted in the advisory.
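Because the mitigation described above works by revoking the abused certificates, defenders can verify on a given host which currently running kernel drivers no longer carry a signature that chains to a trusted, unrevoked publisher. The following PowerShell script is an added example written for this article, not code from Microsoft, Mandiant or SentinelOne; it assumes an elevated session on a Windows host and relies only on the built-in Win32_SystemDriver CIM class and the Get-AuthenticodeSignature cmdlet.

```powershell
# Added example: list running kernel drivers whose Authenticode signature does
# not verify as Valid (unsigned, tampered, untrusted or revoked publisher).
# Run from an elevated PowerShell session on Windows.

function Get-SuspectDriverSignature {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # Win32_SystemDriver reports paths in several forms
        # (\??\C:\..., \SystemRoot\System32\..., or a path relative to the
        # Windows directory); normalise them to something Test-Path accepts.
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Name    = $d.Name
            Path    = $path
            Status  = $sig.Status
            # StatusMessage carries the verification reason, e.g. that the
            # publisher certificate was explicitly revoked by its issuer.
            Message = $sig.StatusMessage
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Anything other than 'Valid' is worth triage: after a revocation is pushed,
# a driver signed with one of the revoked certificates will no longer verify.
Get-SuspectDriverSignature |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status |
    Format-Table Name, Status, Signer, Message -AutoSize
```

The check is a point-in-time inventory rather than a blocking control: the blocking itself comes from the Defender detections named in the advisory, and the script simply gives an administrator a way to confirm that no driver signed with a revoked certificate is still loaded after the update has been applied.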