
Hackers Use Microsoft-Signed Malicious Windows Drivers in Post-Exploitation Activity

Threat actors are using malicious kernel-mode drivers that were signed through Microsoft's Windows Hardware Developer Program to get past driver-signature enforcement and other security checks. The drivers are deployed in post-exploitation activity on systems where the attacker has already gained administrative privileges, which are required to install a kernel driver in the first place: the Microsoft signature buys kernel execution on an already-compromised host, not initial access.

Abuses of genuine drivers

Microsoft was notified that several developer accounts in the Microsoft Partner Center had been submitting malicious hardware drivers in order to obtain a Microsoft signature.
  • Mandiant and SentinelOne documented a toolkit with two components: STONESTOP, a user-mode loader, and POORTRY, a kernel-mode driver. STONESTOP loads the Microsoft-signed POORTRY driver and uses it to terminate protected processes and Windows services, typically those belonging to endpoint security products.
  • The toolkit is used by several threat actors in attacks that resemble Bring Your Own Vulnerable Driver (BYOVD); the difference is that here the signed driver is itself the malicious component rather than a legitimate driver with an exploitable bug.

Ransomware attacks using the toolkit

  • Sophos reported that Cuba ransomware operators used the BURNTCIGAR loader utility to install a malicious driver carrying a Microsoft signature.
  • SentinelOne found Microsoft-signed toolkits in attacks against telecommunication, BPO, MSSP, and financial service businesses. Separately, it noted a similar Microsoft-signed driver used by the Hive ransomware against a medical entity.
  • Mandiant attributed use of the toolkit to a threat actor it tracks as UNC3944, observed as early as August 2022; the group is known for gaining initial network access through SIM swapping attacks.

A possible connection

Because several unrelated groups turned up with Microsoft-signed drivers, the researchers assess that either the groups share a common criminal code-signing service, or a single supplier develops the toolkits and drivers and sells access to other groups.

Mitigation strategy

Microsoft is working with Microsoft Active Protections Program (MAPP) partners and the Microsoft Partner Center to address these deceptive practices and prevent further customer impact. It has revoked the hardware developer accounts associated with the drivers used in these attacks, released Microsoft Defender signature version 1.377.987.0 to detect legitimately signed drivers being abused in post-exploitation activity, and, per its advisory ADV220005, shipped Windows security updates that revoke the signatures of the affected driver files. Revoking a developer account does not by itself unload or block a driver that was already signed and installed, so defenders should apply those updates, update Defender signatures promptly, and sweep their environment for kernel drivers that are signed but unfamiliar, recently installed, or loaded from unusual locations.
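The sweep recommended above, written out as an added example that is not from the article or any of the vendors it cites: a PowerShell triage script that lists every installed kernel driver with its signer, signature status and SHA256, flags drivers signed with a Windows Hardware Compatibility Publisher certificate that live outside System32\drivers or whose signature no longer validates, and pulls recent kernel-driver service installs from System event 7045. It assumes Windows PowerShell 5.1 or later, an elevated session, and the default English event-message text; the function names and the output column names are my own.

```powershell
# Added example: triage installed kernel drivers and recent driver installs on a
# Windows host for signs of an abused WHCP-signed driver. Not vendor code; assumes
# an elevated PowerShell 5.1+ session. Run on one host, or wrap in Invoke-Command.

$SystemDriverRoot = Join-Path $env:SystemRoot 'System32\drivers'
# Subject CN used on drivers signed through the Windows Hardware Compatibility Program.
$WhcpSubject = 'Microsoft Windows Hardware Compatibility Publisher'

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName may carry NT-style prefixes such as \??\ or \SystemRoot\.
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-DriverTriage {
    # One row per installed driver service, with signer, hash and location checks.
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }

        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $path
            SigStatus = $sig.Status
            Signer    = $signer
            SHA256    = $hash
            # WHCP-signed but installed outside the normal driver directory: review it.
            WhcpOutsideDriverDir = ($signer -like "*$WhcpSubject*") -and
                                   ($path -notlike "$SystemDriverRoot\*")
            # Signature that no longer validates (e.g. revoked after the host took
            # the security update) on a driver that is still installed.
            BadSignature = ($sig.Status -ne 'Valid')
        }
    }
}

function Get-RecentKernelDriverInstalls {
    param([int]$Days = 30)
    # System event 7045 = "A service was installed in the system". Its properties are
    # ServiceName, ImagePath, ServiceType, StartType; kernel drivers report
    # ServiceType "kernel mode driver" (English message text assumed).
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match 'kernel' } |
        Select-Object TimeCreated,
            @{ n = 'ServiceName'; e = { $_.Properties[0].Value } },
            @{ n = 'ImagePath';   e = { $_.Properties[1].Value } }
}

# Usage: show the rows worth a second look, then recent driver installs.
$triage = Get-DriverTriage
$triage | Where-Object { $_.WhcpOutsideDriverDir -or $_.BadSignature } |
    Format-Table Name, State, SigStatus, Signer, Path -AutoSize
Get-RecentKernelDriverInstalls -Days 30 | Format-Table -AutoSize

# Hashes for comparison against the Mandiant/SentinelOne/Sophos indicator lists.
$triage | Select-Object Name, Path, SHA256 | Export-Csv -NoTypeInformation drivers.csv
```

A WHCP signature outside System32\drivers is a triage signal, not a verdict: plenty of legitimate vendor drivers install under Program Files or a product directory. The useful outputs are the short list of unfamiliar drivers to investigate, recently installed kernel services that nobody can account for, and the SHA256 column to match against published indicators. Note that Get-AuthenticodeSignature only reports a revoked signature as invalid once the host has received the revocation, which is one more reason to apply the Windows security updates before trusting a clean result.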
Publisher: Cyware