Microsoft-Signed Malicious Drivers Usher In EDR-Killers, Ransomware

Malicious drivers certified through Microsoft's Windows Hardware Developer Program have been used to boost cybercriminals' post-exploitation efforts, Microsoft warned this week, including as part of a small toolkit aimed at terminating security software in target networks.

"Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature," Microsoft explained in an advisory issued on Dec. 13. "A new attempt at submitting a malicious driver for signing on September 29, 2022, led to the suspension of the sellers' accounts in early October."

Code signing is used to provide a level of trust between software and the operating system; as such, legitimately signed drivers can skate past normal software security checks, helping cybercriminals move laterally from machine to machine across a corporate network.

SIM-Swap, Ransomware Attacks

In this case, the drivers were likely used in a variety of post-exploitation activity, including deploying ransomware, the computing giant stated. Mandiant and SentinelOne, which together with Sophos jointly alerted Microsoft to the issue in October, have detailed the drivers' use in specific campaigns.

According to their findings, also issued on Dec. 13, the drivers were used by the threat actor known as UNC3944 in "active intrusions into telecommunication, BPO [business process optimization], MSSP [managed security service provider], and financial services businesses," resulting in a variety of outcomes.

UNC3944 is a financially motivated threat group, active since May, that usually gains initial access to targets with credentials phished through SMS operations, according to Mandiant researchers.

"In some cases, the group's post-compromise objectives have focused on accessing credentials or systems used to enable SIM-swapping attacks, likely in support of secondary criminal operations occurring outside of victim environments," Mandiant detailed in a separate Dec. 13 blog post on the issue.

In service of those goals, the group was observed using the Microsoft-signed drivers as part of a toolkit designed to terminate antivirus and EDR processes. That toolkit consists of two pieces: Stonestop, a Windows userland utility that terminates processes by creating and loading a malicious driver, and Poortry, a malicious Windows driver that works with Stonestop to initiate process termination.

SentinelLabs also observed a separate threat actor using the same driver, "which resulted in the deployment of Hive ransomware against a target in the medical industry, indicating a broader use of this technique by various actors with access to similar tooling."

To combat the threat, Microsoft has released Windows Security Updates that revoke the certificate for the affected files and has suspended the partners' seller accounts.

"Additionally, Microsoft has implemented blocking detections (Microsoft Defender 1.377.987.0 and newer) to help protect customers from legitimately signed drivers that have been used maliciously in post-exploit activity," the company noted in the advisory.
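As an added illustration of how a defender might hunt for the pattern described above (a validly Microsoft-signed driver loaded from an unusual location, followed shortly by security tooling being terminated), here is a small correlation rule over constructed, Sysmon-style events. It is example code, not from the article or from any of the vendors it cites; the event shapes, field names, the security-product process names and the sample telemetry are all assumptions made for illustration.

```python
# Added example: correlate Microsoft-signed driver loads from outside the
# drivers directory with nearby terminations of security processes.
# Event layout, process names and sample data are assumptions, not real logs.
from datetime import datetime, timedelta

# Assumed names of AV/EDR processes worth watching for termination.
SECURITY_PROCESSES = {"MsMpEng.exe", "SentinelAgent.exe", "SophosHealth.exe"}
# Drivers normally live here; a signed driver loaded from elsewhere is unusual.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)
WINDOW = timedelta(minutes=10)

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def suspicious_driver_loads(events):
    """Validly Microsoft-signed drivers loaded from outside the drivers directory."""
    return [e for e in events
            if e["event"] == "DriverLoaded"
            and e["signature_status"] == "Valid"
            and "Microsoft" in e["signature"]
            and not e["image"].lower().startswith(TRUSTED_DRIVER_DIRS)]

def correlate(events):
    """Return (driver_image, [terminated security processes]) for each suspicious
    driver load that is followed within WINDOW by security-process terminations."""
    findings = []
    for load in suspicious_driver_loads(events):
        t0 = parse(load["time"])
        killed = [e["process"] for e in events
                  if e["event"] == "ProcessTerminated"
                  and e["process"] in SECURITY_PROCESSES
                  and t0 <= parse(e["time"]) <= t0 + WINDOW]
        if killed:
            findings.append((load["image"], killed))
    return findings

# Constructed sample telemetry (not real logs): one benign driver load, one
# signed driver loaded from a temp directory, then two security processes die.
SAMPLE_EVENTS = [
    {"event": "DriverLoaded", "time": "2022-10-03T09:00:00",
     "image": r"C:\Windows\System32\drivers\ndis.sys",
     "signature": "Microsoft Windows", "signature_status": "Valid"},
    {"event": "DriverLoaded", "time": "2022-10-03T09:05:10",
     "image": r"C:\Users\Public\tmp\killer.sys",
     "signature": "Microsoft Windows Hardware Compatibility Publisher",
     "signature_status": "Valid"},
    {"event": "ProcessTerminated", "time": "2022-10-03T09:05:12", "process": "MsMpEng.exe"},
    {"event": "ProcessTerminated", "time": "2022-10-03T09:05:13", "process": "SentinelAgent.exe"},
    {"event": "ProcessTerminated", "time": "2022-10-03T09:40:00", "process": "notepad.exe"},
]

if __name__ == "__main__":
    for image, killed in correlate(SAMPLE_EVENTS):
        print(f"ALERT: {image} loaded, then {', '.join(killed)} terminated")
```

The rule deliberately ignores the benign load from the drivers directory and the unrelated termination outside the time window; in practice the path allow-list and process names would come from your own baseline.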
