Skip to Content

Microsoft-Signed Windows Drivers Used Maliciously

Updated on 2022-12-15

Sophos reported that the Cuba ransomware group used malicious hardware devices certified by Microsoft’s Windows Hardware Developer Program in an attempted ransomware attack. Read more: Signed driver malware moves up the software trust chain

Overview: Microsoft-Signed Windows Drivers Used Maliciously

In October, researchers from SentinelOne, Mandiant, and Sophos notified Microsoft “that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity.” Microsoft has revoked several developer certificates and suspended associated developer accounts.


  • Microsoft notes that their investigation “…revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature.” I’d like to hear what Microsoft will do to improve the certification of Microsoft Software “Partners” just as we’ve seen Apple and Google have to improve the processes for developers to get apps through their app store mechanisms.
  • It appears these drivers were used after compromising a system for post-exploitation activities, most likely tied to the Cuba Ransomware campaign (which has no known connection to the republic of Cuba). Applying this month’s updates, and Microsoft revoking the certificates associated with these developers, which should prevent execution of the drivers, are two steps needed to prevent these attacks. You still need to use strong authentication, offline backups, segmentation and keep things updated. Read the CISA bulletin for IOCs, TTPs and added mitigations.
  • There has been a marked increase in reported supply chain attacks in the last couple years. In this case the malicious signed drivers can enable privilege escalation and ability to move across the victim’s network. Although the user is dependent on MSFT to correct deficiencies in its signed driver program, they can still protect themselves by limiting an attacker’s ability to gain initial access to their network. Users should revisit their configuration and patch management processes.
  • Is it necessary to remind people that certificates are public information about key pairs, are not sensitive, and cannot be used to create other certificates and are cryptographically bound to the software for which they vouch? It is the private half of the key-pair that can be used to create certificates, is sensitive, must be kept secret.


Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook

    Ads Blocker Image Powered by Code Help Pro

    Your Support Matters...

    We run an independent site that is committed to delivering valuable content, but it comes with its challenges. Many of our readers use ad blockers, causing our advertising revenue to decline. Unlike some websites, we have not implemented paywalls to restrict access. Your support can make a significant difference. If you find this website useful and choose to support us, it would greatly secure our future. We appreciate your help. If you are currently using an ad blocker, please consider disabling it for our site. Thank you for your understanding and support.