Microsoft-Signed Windows Drivers Used Maliciously

Updated on 2022-12-15

Sophos reported that the Cuba ransomware group used malicious hardware devices certified by Microsoft’s Windows Hardware Developer Program in an attempted ransomware attack. Read more: Signed driver malware moves up the software trust chain

Overview: Microsoft-Signed Windows Drivers Used Maliciously

In October, researchers from SentinelOne, Mandiant, and Sophos notified Microsoft “that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity.” Microsoft has revoked several developer certificates and suspended associated developer accounts.

Note

• Microsoft notes that their investigation “…revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature.” I’d like to hear what Microsoft will do to improve the certification of Microsoft Software “Partners” just as we’ve seen Apple and Google have to improve the processes for developers to get apps through their app store mechanisms.
• It appears these drivers were used after compromising a system for post-exploitation activities, most likely tied to the Cuba Ransomware campaign (which has no known connection to the republic of Cuba). Applying this month’s updates, and Microsoft revoking the certificates associated with these developers, which should prevent execution of the drivers, are two steps needed to prevent these attacks. You still need to use strong authentication, offline backups, segmentation and keep things updated. Read the CISA bulletin for IOCs, TTPs and added mitigations.
• There has been a marked increase in reported supply chain attacks in the last couple years. In this case the malicious signed drivers can enable privilege escalation and ability to move across the victim’s network. Although the user is dependent on MSFT to correct deficiencies in its signed driver program, they can still protect themselves by limiting an attacker’s ability to gain initial access to their network. Users should revisit their configuration and patch management processes.
• Is it necessary to remind people that certificates are public information about key pairs, are not sensitive, and cannot be used to create other certificates and are cryptographically bound to the software for which they vouch? It is the private half of the key-pair that can be used to create certificates, is sensitive, must be kept secret.

Read more in

• Guidance on Microsoft Signed Drivers Being Used Maliciously
• Alert (AA22-335A) #StopRansomware: Cuba Ransomware
• I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware
• Signed driver malware moves up the software trust chain
• Driving Through Defenses | Targeted Attacks Leverage Signed Malicious Microsoft Drivers
• Ransomware Gang Abused Microsoft Certificates to Sign Malware
• Malicious Microsoft-signed Windows drivers wielded in cyberattacks
• Microsoft-Signed Malicious Drivers Usher In EDR-Killers, Ransomware