Ransomware Attackers Use Microsoft-Signed Drivers to Gain Access to Systems (Security News, December 2022)
Microsoft on Tuesday disclosed that it has suspended developer accounts that were used to submit malicious drivers to its Windows Hardware Developer Program, where the drivers were certified and received a Microsoft signature that let the malware load as trusted kernel code.
One notable aspect of these attacks is that the signature did not buy the attackers their way in: the adversary had already obtained administrative privileges on the compromised systems before installing and using the drivers.
"Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature," Microsoft explained.
According to an analysis from Sophos, threat actors affiliated with the Cuba ransomware planted a malicious signed driver in a failed attempt to disable endpoint detection tools via a novel malware loader dubbed BURNTCIGAR, which was first revealed by Mandiant in February 2022.
Signed drivers are attractive to threat actors because Windows requires kernel-mode drivers to carry a trusted signature before it will load them. A driver that Microsoft itself has signed passes that check on a fully patched system without any exploit, giving the attacker code execution in the kernel, from where endpoint security agents can be terminated or blinded. The signature only defeats the load-time check, not the need for privileges: installing a driver still requires administrative rights, which is why these drivers appear after a compromise rather than as the entry point.
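As an added example (not code from the article or from any of the vendors it cites), the following Python triages Sysmon Event ID 6 (DriverLoad) records for the pattern described above: a driver carrying a valid Microsoft signature loading from a location where installed drivers do not normally live. It assumes that drivers signed through the Windows Hardware Developer Program carry the publisher name "Microsoft Windows Hardware Compatibility Publisher" in their Authenticode signature, that the SIEM exports the event fields as `|`-separated `key=value` pairs (a constructed export format), and that the operator fills `KNOWN_BAD_SHA256` from vendor-published hashes. The sample log lines, file names and hash values are constructed for illustration and are not real indicators.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for suspicious signed drivers.

Added example for illustration; not the article's or any vendor's code.
"""
from dataclasses import dataclass, field
from typing import Iterable, List

# Assumption: drivers signed via the Windows Hardware Developer Program carry
# this publisher name in their Authenticode signature.
ATTESTATION_PUBLISHER = "Microsoft Windows Hardware Compatibility Publisher"

# Directories from which properly installed drivers normally load (lower-case).
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Operator-supplied SHA256 blocklist (lower-case hex). Left empty here; fill it
# from vendor-published hashes rather than inventing values.
KNOWN_BAD_SHA256 = set()


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature: str
    status: str
    findings: List[str] = field(default_factory=list)


def parse_event(line: str) -> DriverLoad:
    """Parse one '|'-separated key=value export of a Sysmon DriverLoad event."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    # Sysmon renders Hashes as "SHA256=...,MD5=..." inside a single field.
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", "").lower(),
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
        status=fields.get("SignatureStatus", ""),
    )


def triage(ev: DriverLoad) -> DriverLoad:
    """Attach findings to an event; an empty findings list means nothing fired."""
    if ev.sha256 and ev.sha256 in KNOWN_BAD_SHA256:
        ev.findings.append("hash on blocklist")
    # A signature that was valid when signed but is no longer (e.g. the
    # certificate has since been revoked) is worth a look on its own.
    if ev.signed and ev.status.lower() != "valid":
        ev.findings.append(f"signature status {ev.status}")
    # Core heuristic: a Hardware Developer Program signature is a weak trust
    # signal, so treat it as suspicious when the image sits outside the
    # directories that installed drivers normally load from.
    if ev.signature == ATTESTATION_PUBLISHER and not ev.image.lower().startswith(EXPECTED_DRIVER_DIRS):
        ev.findings.append("attestation-signed driver loaded from unexpected path")
    return ev


def suspicious(lines: Iterable[str]) -> List[DriverLoad]:
    """Return only the events that produced at least one finding."""
    return [ev for ev in (triage(parse_event(l)) for l in lines if l.strip()) if ev.findings]


# Constructed sample export: file names and hashes are placeholders, not real IOCs.
SAMPLE_LOG = """
UtcTime=2022-12-13 10:01:02.000|ImageLoaded=C:\\Windows\\System32\\drivers\\disk.sys|Hashes=SHA256=AAAA1111,MD5=BBBB2222|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid
UtcTime=2022-12-13 10:05:44.000|ImageLoaded=C:\\Users\\Public\\driver1.sys|Hashes=SHA256=CCCC3333|Signed=true|Signature=Microsoft Windows Hardware Compatibility Publisher|SignatureStatus=Valid
UtcTime=2022-12-13 10:06:10.000|ImageLoaded=C:\\Windows\\Temp\\driver2.sys|Hashes=SHA256=DDDD4444|Signed=true|Signature=Microsoft Windows Hardware Compatibility Publisher|SignatureStatus=Revoked
UtcTime=2022-12-13 10:07:00.000|ImageLoaded=C:\\Windows\\System32\\drivers\\vendor.sys|Hashes=SHA256=EEEE5555|Signed=true|Signature=Microsoft Windows Hardware Compatibility Publisher|SignatureStatus=Valid
"""

if __name__ == "__main__":
    for ev in suspicious(SAMPLE_LOG.splitlines()):
        print(ev.image, "->", "; ".join(ev.findings))
```

The path rule is a triage signal, not a verdict: plenty of legitimate third-party drivers are signed the same way, which is exactly why the abuse works, but those are installed into the driver store rather than dropped under a user or temp directory. Correlate a hit with the preceding process activity (who wrote the file, which service created it) before acting on it, and keep the hash blocklist current as vendors publish indicators.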
STONESTOP (the user-mode loader) and POORTRY (the signed driver it loads) are said to have been used by UNC3944 in attacks aimed at the telecommunications, BPO, MSSP, financial services, cryptocurrency, entertainment, and transportation sectors, SentinelOne said, adding that a different threat actor utilized a similar signed driver in an intrusion that resulted in the deployment of Hive ransomware.
News URL
https://thehackernews.com/2022/12/ransomware-attackers-use-microsoft.html