Windows hardware developers duped Microsoft into signing malicious drivers

3 years ago 1

ARTICLE AD BOX

Several Microsoft hardware developer accounts have been revoked after drivers certified through their profiles were used for cyber crimes, including ransomware attacks.

Mandiant, Sophos, and SentinelOne notified Microsoft of the malicious activity, and the companies revealed the issue in a coordinated disclosure.

“Microsoft was informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity,” Microsoft said in its security advisory.

“In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers.”

Microsoft said that it was notified of the activity in October. However, the coordinated disclosure occurred on 13 December 2022 after Microsoft completed its investigations.

“This investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature,” it said.

“A new attempt at submitting a malicious driver for signing on September 29th, 2022, led to the suspension of the sellers’ accounts in early October.”

According to Bleeping Computer, kernel-mode hardware drivers are assigned the highest privilege level when loaded in Windows, allowing them to perform various malicious activities, including eliminating security software and deleting protected files.

Microsoft made the signing of kernel-mode hardware drivers through its Windows Hardware Developer Program since Windows 10, released in July 2015.

Mandiant and SentinelOne reported on the discovery of “POORTRY” and “STONESTOP” malware that can terminate antivirus and Endpoint Detection and Response (EDR) processes.

STONESTOP is a user-mode application that tries to terminate endpoint security processes and acts as both a loader and installer for POORTRY.

POORTRY is a Microsoft-signed kernel-mode driver that terminates associated processes and Windows services.

“STONESTOP functions as both a loader/installer for POORTRY, as well as an orchestrator to instruct the driver with what actions to perform,” SentinelOne explained.

Another STONESTOP variant can overwrite and delete files.