Microsoft-Signed Windows Drivers Used Maliciously
In October, researchers from SentinelOne, Mandiant, and Sophos notified Microsoft “that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity.” Microsoft has revoked several developer certificates and suspended associated developer accounts.
Microsoft notes that their investigation “…revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature.” I’d like to hear what Microsoft will do to improve the certification of Microsoft Software “Partners” just as we’ve seen Apple and Google have to improve the processes for developers to get apps through their app store mechanisms.
It appears these drivers were used after compromising a system for post-exploitation activities, most likely tied to the Cuba Ransomware campaign (which has no known connection to the republic of Cuba). Applying this month's updates, and Microsoft revoking the certificates associated with these developers, which should prevent execution of the drivers, are two steps needed to prevent these attacks. You still need to use strong authentication, offline backups, segmentation and keep things updated. Read the CISA bulletin for IOCs, TTPs and added mitigations.
There has been a marked increase in reported supply chain attacks in the last couple years. In this case the malicious signed drivers can enable privilege escalation and ability to move across the victim’s network. Although the user is dependent on MSFT to correct deficiencies in its signed driver program, they can still protect themselves by limiting an attacker’s ability to gain initial access to their network. Users should revisit their configuration and patch management processes.
Is it necessary to remind people that certificates are public information about key pairs, are not sensitive, and cannot be used to create other certificates and are cryptographically bound to the software for which they vouch? It is the private half of the key-pair that can be used to create certificates, is sensitive, must be kept secret.