Security News > 2022 > December > Microsoft-signed malicious Windows drivers used in ransomware attacks
Microsoft has revoked several Microsoft hardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents.
"Microsoft was informed that drivers certified by Microsoft's Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers," explains the advisory from Microsoft.
Since Windows 10, Microsoft has required kernel-mode hardware drivers to be signed via Microsoft's Windows Hardware Developer Program.
"In incidents investigated by Sophos, threat actors tied to Cuba ransomware used the BURNTCIGAR loader utility to install a malicious driver signed using Microsoft's certificate," explains Sophos.
Microsoft has released security updates to revoke the certificates used by malicious files and has already suspended the accounts used to submit the drivers to be signed.
New Microsoft Defender signatures have also been released to detect legitimate signed drivers in post-exploitation attacks.
News URL
Related news
- Microsoft: Ransomware Attacks Growing More Dangerous, Complex (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)
- What Is Inside Microsoft’s Major Windows 11 Update? (source)
- Microsoft warns of Windows 11 24H2 gaming performance issues (source)
- Microsoft blocks Windows 11 24H2 on some Intel PCs over BSOD issues (source)
- Microsoft Office 2024 now available for Windows and macOS users (source)
- DOJ, Microsoft seize 107 domains used in Russia's Star Blizzard phishing attacks (source)
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure (source)
- Microsoft fixes Remote Desktop issues caused by Windows Server update (source)
- Microsoft: Windows 11 22H2 Home and Pro reached end of servicing (source)