Microsoft Suspends Dev Accounts That Used Its Certs to Authenticate Malware

Multiple threat actors have leveraged malware signed with fraudulently obtained certificates to deploy Hive and possibly other ransomware.

December 15, 2022

This week, Microsoft said it has suspended several developer accounts that were used to get the company to digitally sign malicious kernel drivers. According to researchers at several security firms, attackers then loaded these Microsoft-signed drivers on compromised systems during their intrusions.

Researchers at SentinelOne, Mandiant, and Sophos coordinated with Microsoft to close a gap in the Windows maker's driver-signing checks. The disclosure comes two months after ArsTechnica's Dan Goodin reported deficiencies in hypervisor-protected code integrity (HVCI), a Windows kernel protection whose blocklist of known-vulnerable drivers had not been kept current, leaving systems open to bring-your-own-vulnerable-driver (BYOVD) attacks even with HVCI enabled.

Kernel-mode drivers run with the same privileges as the operating system kernel, since they mediate between the OS and hardware or software components that may come from many different vendors. To establish their authenticity, Windows requires drivers to carry a digital signature before it will load them.

As such, several threat actors submitted malicious drivers to Microsoft's Windows Hardware Developer Program so that the company's own signature would lend them credibility. Windows trusts a driver bearing a valid Microsoft signature and loads it into the kernel without hindrance.

“This validation was important in combating the scourge of kernel mode rootkits, malware designed to run with the highest privileges and thereby subvert attempts to detect or root them out,” SentinelOne noted. “That battle has been going on for quite some time.”

Specifically, the Microsoft-signed malicious drivers were designed to terminate antivirus and endpoint detection and response (EDR) processes. Microsoft noted that the drivers were used in post-exploitation activity.

Post-exploitation use means the attacker must already have gained administrative privileges on the compromised system before the driver can be loaded. One of the threat actors, UNC3944, deploys STONESTOP, a user-mode loader/installer, to install and drive POORTRY, a kernel-mode driver whose job is to terminate antivirus and EDR processes. Researchers found three versions of POORTRY, two of them signed with Microsoft certificates.
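Because the signed driver is only loaded after the attacker already holds administrative access, the driver load itself is the detection opportunity. The Python triage script below is an added example, not code from the article or from any of the vendors it cites. It parses the rendered message text of Sysmon Event ID 6 (DriverLoad) records and flags drivers that carry a Microsoft attestation signature (signer "Microsoft Windows Hardware Compatibility Publisher") but were loaded from a user-writable location or from outside the driver store, or whose signature is not valid. The sample events, file names and paths are constructed for the example; the signer string and the directory lists are assumptions to tune for your environment.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for kernel drivers that are
Microsoft attestation-signed but loaded from somewhere a vendor driver package
would not normally be installed.  Added example: all sample events below are
constructed; the signer string and directory lists are assumptions to tune."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Subject name Windows puts on drivers signed via the Hardware Developer
# Program's attestation path (assumption: check against your own telemetry).
# Legitimate OEM drivers carry it too, so on its own it is not an indicator;
# it only matters combined with the placement/validity checks below.
ATTESTATION_SIGNER = "Microsoft Windows Hardware Compatibility Publisher"

# Where a properly installed driver package normally lives (lower-case, with
# a trailing separator so prefix matching cannot match a sibling directory).
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# User-writable locations.  A kernel driver loaded from one of these means the
# actor already had admin, dropped the .sys and registered a service for it.
WRITABLE_DIRS = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


@dataclass
class DriverLoad:
    utc_time: str
    image: str        # ImageLoaded
    signed: bool      # Signed
    signer: str       # Signature (signer subject name)
    status: str       # SignatureStatus


def parse_sysmon_driverload(text: str) -> list[DriverLoad]:
    """Parse rendered Sysmon Event ID 6 messages: each record starts with a
    'Driver loaded:' line followed by 'Key: value' lines."""
    events: list[DriverLoad] = []
    for chunk in re.split(r"(?m)^Driver loaded:[ \t]*$", text):
        fields: dict[str, str] = {}
        for line in chunk.strip().splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "ImageLoaded" not in fields:
            continue  # leading text before the first record
        events.append(DriverLoad(
            utc_time=fields.get("UtcTime", ""),
            image=fields["ImageLoaded"],
            signed=fields.get("Signed", "false").lower() == "true",
            signer=fields.get("Signature", ""),
            status=fields.get("SignatureStatus", ""),
        ))
    return events


def triage(ev: DriverLoad) -> list[str]:
    """Return the reasons a driver load deserves attention; empty means clean."""
    path = ev.image.lower().replace("/", "\\")
    reasons: list[str] = []
    if not ev.signed or ev.status.lower() != "valid":
        reasons.append(f"signature not valid ({ev.status or 'unsigned'})")
    if any(path.startswith(d) for d in WRITABLE_DIRS):
        reasons.append("loaded from user-writable directory")
    elif not any(path.startswith(d) for d in EXPECTED_DRIVER_DIRS):
        reasons.append("loaded outside the driver store")
    # A WHCP attestation signature on an otherwise suspicious load is exactly
    # the pattern in this incident: Microsoft's signature let the driver load,
    # but nothing about where it came from looks like a vendor driver package.
    if reasons and ev.signer == ATTESTATION_SIGNER:
        reasons.append("attestation-signed (WHCP) driver")
    return reasons


def find_suspicious(text: str) -> dict[str, list[str]]:
    """Map each flagged ImageLoaded path to its triage reasons."""
    return {ev.image: r for ev in parse_sysmon_driverload(text) if (r := triage(ev))}


# Constructed sample events (not real telemetry): an in-box Microsoft driver,
# a vendor driver properly staged in the DriverStore, and an attestation-signed
# driver dropped into ProgramData.
SAMPLE_EVENTS = r"""
Driver loaded:
RuleName: -
UtcTime: 2022-12-13 09:14:02.117
ImageLoaded: C:\Windows\System32\drivers\acpi.sys
Hashes: SHA256=<omitted in sample>
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid
Driver loaded:
RuleName: -
UtcTime: 2022-12-13 09:14:05.400
ImageLoaded: C:\Windows\System32\DriverStore\FileRepository\oemnic.inf_amd64_1a2b3c4d\oemnic.sys
Hashes: SHA256=<omitted in sample>
Signed: true
Signature: Microsoft Windows Hardware Compatibility Publisher
SignatureStatus: Valid
Driver loaded:
RuleName: -
UtcTime: 2022-12-13 11:52:38.009
ImageLoaded: C:\ProgramData\update\prnmon.sys
Hashes: SHA256=<omitted in sample>
Signed: true
Signature: Microsoft Windows Hardware Compatibility Publisher
SignatureStatus: Valid
"""

if __name__ == "__main__":
    for image, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

The signer check is deliberately secondary: every attestation-signed vendor driver carries the same WHCP publisher name, so it cannot serve as an indicator by itself, whereas a .sys loaded from ProgramData or a user profile was placed there by hand rather than staged by PnP from a signed package. Adjust EXPECTED_DRIVER_DIRS for builds that keep drivers elsewhere.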

As of this week, multiple threat actors have used malware signed with fraudulently obtained certificates in intrusions that deployed Hive and possibly other ransomware. Sophos added that the same technique is being used to deploy Cuba ransomware.

“Signatures from a large, trustworthy software publisher make it more likely the driver will load into Windows without hindrance, improving the chances that Cuba ransomware attackers can terminate the security processes protecting their targets’ computers,” Sophos researchers noted.

See More: Microsoft Windows Vulnerable to BYOVD Attacks for Three Years: Report

The signed-driver toolkit has been used against organizations in business process outsourcing (BPO), telecommunications, managed security service providers (MSSPs), entertainment, transportation, cryptocurrency, and financial services.

Microsoft’s investigation of the report from the three security companies found that several Microsoft Partner Center developer accounts had been submitting malicious drivers to obtain a signature. The company responded by suspending those accounts and, with its December Patch Tuesday security updates, revoking the certificate for the affected files.

While this particular problem has been addressed, Mandiant said it suspects that multiple threat groups are using the same code-signing service, hinting that malicious driver signing is being offered as a service. Attackers have previously abused Microsoft’s code signing to get the Netfilter rootkit signed, in 2021.

“The attestation signing process offloads the responsibility of verifying the identity of the requesting hardware or software vendor to the Certificate Authorities (CAs). In theory this is a valid process as the CAs must follow agreed upon procedures to verify the identity of the requesting entity and the authority of the individual making the request to represent the software vendor,” Mandiant said.

“However, this process is being abused to obtain malware signed by Microsoft.” It remains unclear how the threat actors obtained the extended validation (EV) code-signing certificates that the program requires in order to establish the identity of the submitting organization.

The entire episode highlights weaknesses in the driver code-signing process, which Microsoft had already tightened by requiring kernel-mode drivers to be signed through the Windows Hardware Developer Center Dashboard portal, a requirement that also made life harder for open-source or self-signed drivers.


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
