Security firms have reported that multiple hacking groups have been using drivers signed by Microsoft in a series of attacks, including the deployment of Cuba ransomware.
That development matters because many security services will implicitly trust anything signed by Microsoft,
During this month’s Patch Tuesday, Microsoft acknowledged reports by SentinelOne, Google-owned Mandiant, and Sophos about threat actors using a driver certified by Microsoft’s Windows Hardware Developer Program to deploy various malware.
The malicious but properly Microsoft-signed driver was used in an attempt to terminate endpoint-detection agents and antivirus on affected systems from multiple vendors. The vendors reported the malicious driver to Microsoft on October 19, according to the tech giant.
Also: Cybersecurity: These are the new things to worry about in 2023
Mandiant tracks the malicious driver as Poortry and its loader as Stonestop. Mandiant found several malware families have been signed with this process and nine unique organization names associated with the signed malware.
SentinelOne reports the drivers were used in intrusions into telecommunication, business process outsourcing, entertainment, transportation, managed security service providers, financial firms, and cryptocurrency sectors. In some cases, it was used to provide SIM-swapping services.
“Notably, SentinelLabs observed a separate threat actor also utilizing a similar Microsoft signed driver, which resulted in the deployment of Hive ransomware against a target in the medical industry, indicating a broader use of this technique by various actors with access to similar tooling,” it said.
The attacker would have gone through an elaborate set of processes with Microsoft and Certificate Authorities (CAs) in order to obtain a Microsoft-signed driver.
“The main issue with this process is that most security solutions implicitly trust anything signed by only Microsoft, especially kernel mode drivers,” SentinelOne notes.
“Starting with Windows 10, Microsoft began requiring all kernel mode drivers to be signed using the Windows Hardware Developer Center Dashboard portal.” Microsoft did this to combat kernel mode driver rootkits, for example by exploiting vulnerabilities in legitimate kernel mode drivers.
Mandiant researchers are highly confident that to get the driver signed by Microsoft, the attackers illicitly acquired Extended Validation (EV) code signing certificates from a CA and then went through Microsoft’s process of having their malware signed by Microsoft though its attestation signing process. SentinelOne notes there are several theories about who is doing it. One is that one or more bad suppliers are offering the driver signing process as a service; Mandiant supports the supplier theory.
Microsoft said it has conducted an investigation and claims it found the activity was “limited to the abuse of several developer program accounts” and that its services were not compromised.
It also suspended the partners’ seller accounts, implemented blocking detections, and revoked the certificate for impacted files.
As Mandiant explains, for Windows 10 and 11 and Windows Server 2022, hardware vendors can submit drivers to Microsoft for attestation signing, which verifies the integrity of the submitted driver packages and the identity of the software publisher. The publisher verifies their identity by signing their driver package with an EV certificate provided by a small group of CAs.
“Attestation signed drivers take the trust granted to them by the CA and transfers it to a file whose Authenticode signature originates from Microsoft itself. We assess with high confidence that threat actors have subverted this process using illicitly obtained EV code signing certificates to submit driver packages via the attestation signing process, and in effect have their malware signed by Microsoft directly,” Mandiant says.
Also: Cybersecurity jobs: Five ways to help you build your caree
Authenticode is Microsoft’s code-signing implementation for Windows binaries. Authenticode assists hardware vendors to get their drivers signed via the Windows Hardware Compatibility Program.
Mandiant tracks the group using malware signed via attestation signing as UNC3944.
“UNC3944 is a financially motivated threat group that has been active since at least May 2022 and commonly gains initial network access using stolen credentials obtained from SMS phishing operations. In some cases, the group’s post-compromise objectives have focused on accessing credentials or systems used to enable SIM swapping attacks, likely in support of secondary criminal operations occurring outside of victim environments,” says Mandiant.
What has come under attack in this case is the system of trust among software vendors.
“Because [endpoint detection] vendors are somewhat forced into trusting signed drivers by Microsoft, it can be difficult to distinguish between legitimate benign examples and malicious ones that slip through the security checks,” SentinelOne notes.
“Threat actors are moving up the trust pyramid, attempting to use increasingly more well-trusted cryptographic keys to digitally sign their drivers,” says Sophos. Signatures from a large, trustworthy software publisher make it more likely the driver will load into Windows without hindrance, improving the chances that Cuba ransomware attackers can terminate the security processes protecting their targets’ computers.