Security News > 2022 > December > Microsoft-signed malicious Windows drivers used in ransomware attacks

Microsoft-signed malicious Windows drivers used in ransomware attacks
2022-12-13 23:10

Microsoft has revoked several Microsoft hardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents.

"Microsoft was informed that drivers certified by Microsoft's Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers," explains the advisory from Microsoft.

Since Windows 10, Microsoft has required kernel-mode hardware drivers to be signed via Microsoft's Windows Hardware Developer Program.

"In incidents investigated by Sophos, threat actors tied to Cuba ransomware used the BURNTCIGAR loader utility to install a malicious driver signed using Microsoft's certificate," explains Sophos.

Microsoft has released security updates to revoke the certificates used by malicious files and has already suspended the accounts used to submit the drivers to be signed.

New Microsoft Defender signatures have also been released to detect legitimate signed drivers in post-exploitation attacks.


News URL

https://www.bleepingcomputer.com/news/microsoft/microsoft-signed-malicious-windows-drivers-used-in-ransomware-attacks/

Related news