Malicious drivers licensed by Microsoft’s Home windows {Hardware} Developer Program have been used to juice post-exploitation efforts by cybercriminals, Redmond warned this week — together with getting used as a part of a small toolkit aimed toward terminating safety software program in goal networks.
“A number of developer accounts for the Microsoft Associate Middle had been engaged in submitting malicious drivers to acquire a Microsoft signature,” Microsoft defined in an advisory issued on Dec. 13. “A brand new try at submitting a malicious driver for signing on September 29, 2022, led to the suspension of the sellers’ accounts in early October.”
Code signing is used to offer a degree of belief between the software program and the working system; as such, legitimately signed drivers can skate previous regular software program safety checks, serving to cybercriminals transfer laterally from gadget to gadget by way of a company community.
SIM-Swap, Ransomware Assaults
On this case, the drivers had been probably utilized in a wide range of post-exploitation exercise, together with deploying ransomware, the computing large acknowledged. And Mandiant and SentinelOne, which together with Sophos collectively alerted Microsoft to the difficulty in October, have detailed the drivers’ use in particular campaigns.
In response to their findings, additionally issued on Dec. 13, the drivers have been utilized by the menace actor referred to as UNC3944 in “lively intrusions into telecommunication, BPO [business process optimization], MSSP [managed security service provider], and monetary companies companies,” leading to a wide range of outcomes.
UNC3844 is a financially motivated menace group lively since Could that often positive aspects preliminary entry to targets with phished credentials from SMS operations, in keeping with Mandiant researchers.
“In some instances, the group’s post-compromise goals have targeted on accessing credentials or programs used to allow SIM-swapping assaults, probably in help of secondary felony operations occurring outdoors of sufferer environments,” Mandiant detailed in a separate Dec. 13 weblog submit on the difficulty.
In service of these objectives, the group was noticed utilizing the Microsoft-signed drivers as a part of a toolkit designed to terminate antivirus and EDR processes. That toolkit consists of two items: Stonestop, a Home windows userland utility that terminates processes by creating and loading a malicious driver, and Poortry, a malicious Home windows driver that makes use of Stonestop to provoke course of termination.
SentinelLabs additionally noticed a separate menace actor utilizing the identical driver, “which resulted within the deployment of Hive ransomware towards a goal within the medical trade, indicating a broader use of this method by numerous actors with entry to related tooling.”
To fight the menace, Microsoft has launched Home windows Safety Updates that revoke the certificates for affected information and suspended the companions’ vendor accounts.
“Moreover, Microsoft has applied blocking detections (Microsoft Defender 1.377.987.0 and newer) to assist defend prospects from legitimately signed drivers which have been used maliciously in post-exploit exercise,” the corporate famous within the advisory.
