Microsoft-signed malicious Windows drivers used in ransomware attacks (Security News, December 2022)

Microsoft has revoked several Microsoft hardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents.
"Microsoft was informed that drivers certified by Microsoft's Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers," explains the advisory from Microsoft.
Since Windows 10, Microsoft has required kernel-mode hardware drivers to be signed via Microsoft's Windows Hardware Developer Program.
"In incidents investigated by Sophos, threat actors tied to Cuba ransomware used the BURNTCIGAR loader utility to install a malicious driver signed using Microsoft's certificate," explains Sophos.
Microsoft has released security updates to revoke the certificates used by malicious files and has already suspended the accounts used to submit the drivers to be signed.
New Microsoft Defender signatures have also been released to detect legitimately signed drivers being used in post-exploitation attacks.