Microsoft-signed malicious Windows drivers used in ransomware attacks

Gandalf_The_Grey

Level 75
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,454
Microsoft has revoked several Microsoft hardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents.

The news comes in a coordinated disclosure between Microsoft, Mandiant, Sophos, and SentinelOne. The researchers explain that threat actors are utilizing malicious kernel-mode hardware drivers whose trust was verified with Authenticode signatures from Microsoft's Windows Hardware Developer Program.

"Microsoft was informed that drivers certified by Microsoft's Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers," explains the advisory from Microsoft.

"We were notified of this activity by SentinelOne, Mandiant, and Sophos on October 19, 2022, and subsequently performed an investigation into this activity."

"This investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature."

"A new attempt at submitting a malicious driver for signing on September 29th, 2022, led to the suspension of the sellers' accounts in early October."
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,449
the attacker had already gained administrative privileges on compromised systems prior to use of the drivers
f616da0a6af2e385e49d4eaf5dcdc4f8.gif
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top