Microsoft Blocks Deploy Ransomware to Signed Drivers

May 1, 2023

Microsoft recently issued an alert indicating that threat actors are obtaining signed drivers through legitimate Microsoft hardware developer accounts and using them in ransomware incidents. As a result, the company has suspended the partners’ seller accounts and released Windows security updates to revoke the certificates of the affected files.

SentinelOne, Mandiant and Sophos have all identified this driver toolkit in attacks against various sectors, including telecommunications, business process outsourcing (BPO), managed security service providers (MSSPs) and financial services firms. In some cases, it was deployed to disable antivirus and endpoint detection and response (EDR) software.

Detecting Signed Drivers

Signed drivers are a common method threat actors use to hide malware from antivirus and endpoint detection and response (EDR) systems. Before a kernel-mode driver can be loaded into Windows, it needs to be digitally signed by its publisher. Microsoft had been alerting about this risk since last month, when multiple cybersecurity firms reported that attackers were using drivers certified by its Windows Hardware Developer Program in multiple attacks.

Microsoft noted that this technique has been employed by a range of hacking groups to gain access to networks and perform highly privileged operations. Threat actors have used it to terminate processes belonging to endpoint detection agents and antivirus products. At this month’s Patch Tuesday, Microsoft acknowledged reports from Google-owned Mandiant and Sophos that malicious actors had used a driver certified by Microsoft in an effort to terminate their endpoint protection products.

Microsoft ultimately determined that the malicious activity was limited to certain accounts in its Windows Hardware Developer Program and that no compromise of the program itself had been identified. Nonetheless, it took steps to stop the activity and suspended the partners’ seller accounts, as described in a December 2022 advisory released alongside the Patch Tuesday updates.

Investigating further, the firm discovered that threat actors were using drivers certified by Microsoft to distribute various types of malware. The malicious programs were intended to circumvent security tools that trust components signed by Microsoft as well as exploit vulnerabilities within the software itself – including CVE-2017-5752 in the Windows file system.

One of the toolkits in use was POORTRY and its loader STONESTOP, which can stop processes belonging to antivirus and EDR software. UNC3944 used these malicious drivers in intrusions into the telecommunications, business process outsourcing (BPO), managed security service provider (MSSP), financial services, cryptocurrency mining and entertainment sectors. SentinelOne reported a separate malicious actor abusing the driver-signing process to deploy Hive ransomware against a medical organization.

Blocking Signed Drivers

Microsoft has identified that malicious actors have been exploiting drivers signed by the company to distribute ransomware. As a result, the company has suspended several accounts from its developer program that were submitting malicious drivers for Microsoft signatures and revoked the certificates associated with those files.

Drivers provide the interface between an operating system and applications, enabling them to communicate with and control hardware devices. Because drivers require privileged access to Windows, it is essential that they be digitally signed with an approved cryptographic signature. Unfortunately, malicious actors can work around this requirement by creating drivers that appear legitimate, signing them with their own developer certificates and submitting them to the Windows Hardware Developer Program (WHDDP) to obtain Microsoft’s signature.

At one time, hackers could quickly sign their own drivers with valid Microsoft digital certificates. Microsoft has since tightened security around digital signatures and now requires all drivers to be signed through the Windows Hardware Developer Program in order to load.

Microsoft also provides a code-signing program that helps hardware vendors get their drivers signed via the WHDDP. In addition, it offers tooling that lets security applications verify whether a driver has been signed by Microsoft and block those that have not.
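The verification the paragraph above describes can be done by defenders on their own hosts. The following PowerShell script is an added example, not code from the article or from Microsoft: it inventories the kernel drivers currently running, checks each image's Authenticode or catalog signature, builds the signer's certificate chain with online revocation checking (so a certificate revoked by a Windows update shows up as `Revoked`), and separates Microsoft's own OS binaries from third-party code signed through the Windows Hardware Compatibility Publisher, which is the signature that the abused drivers carried. The function names are the author's own; it assumes Windows PowerShell 5.1 or later in an elevated session.

```powershell
# Added example (not from the article): audit running kernel drivers for
# signature status, signer, chain revocation and WHCP-signed third-party code.
# Assumes Windows PowerShell 5.1+ and an elevated session so every driver
# image on disk is readable. Function names are the author's own.

function Resolve-DriverImagePath {
    param([string]$PathName)
    # Win32_SystemDriver reports paths in NT object-manager form (\??\C:\...),
    # SystemRoot-relative form (\SystemRoot\System32\...) or a bare
    # system32\drivers\x.sys form; normalise all three to a Win32 path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-KernelDriverSignatureReport {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        $path = Resolve-DriverImagePath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # Checks embedded Authenticode signatures and, on 5.1+, catalog signatures.
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $leaf = $sig.SignerCertificate

        $chainStatus = 'NoCertificate'
        if ($leaf) {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Online revocation so certificates revoked by Microsoft are reported.
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            # Timestamped driver signatures legitimately outlive the signing
            # certificate, so ignore expiry but keep every other chain error.
            $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreNotTimeValid
            [void]$chain.Build($leaf)
            $chainStatus = if ($chain.ChainStatus.Count -eq 0) { 'OK' }
                           else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }
        }

        $signer = if ($leaf) { $leaf.Subject } else { '<none>' }
        $isWhcp = $signer -like '*Microsoft Windows Hardware Compatibility Publisher*'

        [pscustomobject]@{
            Driver         = $d.Name
            Path           = $path
            Status         = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
            SignatureType  = $sig.SignatureType   # Authenticode (embedded) or Catalog
            IsOSBinary     = $sig.IsOSBinary
            Signer         = $signer
            ChainStatus    = $chainStatus         # contains 'Revoked' after a certificate revocation
            ThirdPartyWHCP = ($isWhcp -and -not $sig.IsOSBinary)
        }
    }
}

# Anything that is not Valid, has a revoked chain, or is non-OS code signed via
# the Hardware Compatibility Publisher is worth comparing against a known baseline.
Get-KernelDriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' -or $_.ChainStatus -match 'Revoked' -or $_.ThirdPartyWHCP } |
    Format-Table Driver, Status, SignatureType, Signer, ChainStatus -AutoSize
```

The `ThirdPartyWHCP` flag is an inventory aid, not a verdict: many legitimate vendor drivers are signed through the same publisher certificate, and the vendor's own name does not appear in that leaf certificate, so the useful check is a diff against a baseline of drivers you expect on the host. The revocation check needs network access to reach Microsoft's CRL and OCSP endpoints; offline hosts will report `RevocationStatusUnknown` or `OfflineRevocation` rather than a clean `OK`.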

Recently, security researchers from SentinelOne, Mandiant and Sophos observed threat actors using signed drivers to circumvent endpoint detection and response (EDR) software. These drivers could terminate processes associated with antivirus (AV) and endpoint protection (EP) products as well as disable antimalware and firewalls.

Researchers from Sophos recently identified two malicious drivers signed by Zhuhai Liancheng Technology and Beijing JoinHope Image Technology – both Chinese companies. This malware, known as POORTRY and STONESTOP, was created by UNC3944, a financially motivated threat actor active since May. According to Sophos, the group typically gains initial network access using stolen credentials or SMS phishing operations.

The UNC3944 crew has also been using the drivers to terminate processes belonging to endpoint security tools, with STONESTOP acting as the userland component. It loads POORTRY into kernel mode, which then terminates antivirus and EDR processes and deletes files, Mandiant explained. The group has used the malware in attacks across sectors such as business process outsourcing (BPO), telecommunications, transportation, MSSPs and financial services.

Mitigating Signed Driver Risk

For a driver to load into Windows, it must carry a digital signature from an approved software publisher. This security measure helps prevent malicious code from running in kernel mode or circumventing privileged-access protections such as hypervisor-protected code integrity (HVCI).

Threat actors have found a way around this defense: they obtain valid Microsoft signatures for their malware and abuse drivers that Microsoft had legitimately signed to carry out their attacks. While this tactic is not new, it has become more frequent as the threat landscape changes.

Security firms recently discovered hacking groups using developer accounts in the Microsoft Partner Center to submit malicious drivers for certification by the Windows Hardware Developer Program. Researchers from SentinelOne, Mandiant and Sophos found that these rogue drivers were then used in post-exploitation operations to deploy ransomware.

Microsoft acknowledged the reports from the three cybersecurity firms and took steps to mitigate the risk posed by the signed drivers. It announced blocking protections, suspended several developer accounts, and said it would further refine its partner access policies and validation.

Cryptographically signing malware is not a new technique, but experts warn that it remains attractive to malicious actors because a valid signature lets malware evade detection methods and operate inside target networks with high privileges.

Recent analysis by Sophos revealed that Cuba ransomware operators were using a driver signed by Microsoft to disable endpoint security tools on affected systems. The malicious driver was loaded onto the victim’s system together with an executable “loader” application, and the same tool had been employed in earlier attacks to execute a variant of the BURNTCIGAR malware, according to Sophos researchers.

SentinelOne also identified this malicious driver, finding it used to undermine antivirus and endpoint detection and response (EDR) tools at telecommunications, business process outsourcing (BPO), managed security service provider (MSSP), financial services and medical organizations. The firm also found it in a Hive ransomware attack against one such medical entity.

Managing Signed Driver Risk

Drivers are an essential element of Windows, and attackers abuse them for everything from executing malware to lateral movement. Microsoft has implemented numerous security measures to guard against threat actors abusing drivers to gain privileged access to systems; one example is its Driver Signature Enforcement policy, which prevents unsigned kernel-mode drivers from loading by default on Windows Vista and later.

This policy requires drivers to be signed through the Windows Hardware Developer Program before they can be loaded onto a Windows device, and Windows raises an error if a driver is not signed. Furthermore, a driver signed by a trusted authority such as Microsoft’s WHQL program becomes implicitly trusted by most security tools, which rely on that certificate to judge its legitimacy.

This de facto trust between users and Microsoft is beneficial, but it also opens the door for malicious actors to circumvent Windows’ own security measures and gain privileged access to the operating system. For instance, attackers can use Bring Your Own Vulnerable Driver (BYOVD) techniques to map unsigned drivers into memory. In some cases, they have even used publicly accessible tools to craft malicious drivers signed with legitimate certificates that ran on a Windows machine.
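Because the signature check alone does not stop a signed-but-malicious or signed-but-vulnerable driver, the practical mitigation is an allow-list enforced by code integrity rather than trust in any signature. The following PowerShell is an added example, not from the article or from Microsoft's documentation: it uses the built-in ConfigCI cmdlets to build a Windows Defender Application Control (WDAC) driver policy from the drivers already on the host, turns on the Required:WHQL and audit-mode options, converts it to binary, and then reads the Code Integrity audit events that show what the policy would have blocked. The output paths are placeholders, and deployment of the binary policy (which depends on the Windows version) is left to Microsoft's WDAC deployment guidance.

```powershell
# Added example (not from the article): audit-mode WDAC driver policy that
# requires WHQL signing, plus a look at what it would have blocked.
# Assumes the ConfigCI module (Windows 10/11, Server 2016+) and an elevated
# Windows PowerShell 5.1 session. Paths below are placeholders.

$policyXml = 'C:\Policies\DriverPolicy.xml'   # placeholder location
$policyBin = 'C:\Policies\DriverPolicy.bin'   # placeholder location
New-Item -ItemType Directory -Force -Path (Split-Path $policyXml) | Out-Null

# Scan the drivers currently on disk and allow them by WHQL file publisher.
# Files the WHQL rule cannot describe fall back to a per-file hash rule.
# Without -UserPEs the policy covers kernel-mode code only.
New-CIPolicy -FilePath $policyXml `
             -Level WHQLFilePublisher `
             -Fallback Hash `
             -ScanPath "$env:SystemRoot\System32\drivers"

# Rule options: 2 = Required:WHQL, 3 = Enabled:Audit Mode,
#               16 = Enabled:Update Policy No Reboot
foreach ($opt in 2, 3, 16) {
    Set-RuleOption -FilePath $policyXml -Option $opt
}

# Produce the binary policy. Remove option 3 with
#   Set-RuleOption -FilePath $policyXml -Option 3 -Delete
# only after the audit events below have been reviewed and are clean.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

function Get-CodeIntegrityBlockEvents {
    param([int]$MaxEvents = 50)
    # Event 3076 = audit mode, would have been blocked; 3077 = enforced block.
    Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
            Id      = 3076, 3077
        } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# After the policy is deployed and the host has run for a while, review hits.
Get-CodeIntegrityBlockEvents | Format-Table -AutoSize
```

Running in audit mode first matters: a WHQL-only policy will log legitimate drivers signed only by a vendor's own EV certificate, and those need explicit allow rules (or a `Merge-CIPolicy` with a vendor policy) before enforcement, otherwise the host may fail to boot. The 3076 events are also a useful detection feed on their own, because a signed driver that the policy did not expect shows up there even when its certificate is still valid.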

Therefore, Microsoft’s signed drivers have a high potential to be exploited by ransomware actors. That was confirmed this week when several security vendors discovered that attackers have been using drivers certified by Microsoft to hack telecommunications companies, business process outsourcing (BPO) providers, managed security service providers (MSSPs) and financial services firms.

Google-owned Mandiant and SentinelOne recently disclosed that they had identified UNC3944, a financially motivated group using malware signed through Microsoft’s driver program to attack various targets. The group uses the STONESTOP loader to install the malicious POORTRY driver, which terminates processes belonging to endpoint detection and response (EDR) software and deletes files on affected systems.

As part of its December 2022 Patch Tuesday update, Microsoft suspended the seller accounts of two Chinese companies suspected of involvement in signing these drivers: Zhuhai Liancheng Technology and Beijing JoinHope Image Technology. Microsoft also revoked the certificates of the affected files and took further steps to protect against abuse of this kind.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.
