Attackers Continue to Leverage Signed Microsoft Drivers
In December of last year, Microsoft worked with SentinelOne, Mandiant, and Sophos to respond to an issue in which drivers certified by Microsoft’s Windows Hardware Developer Program were being used to validate malware.

Unfortunately, the problem hasn’t gone away.

In a recent Mastodon post, security expert Kevin Beaumont observed, “Microsoft are still digitally signing malware kernel drivers, as they can’t identify malware (this comes up over and over again).”

Beaumont provided three examples of remote access trojans that had been verified by Microsoft as legitimate software, adding, “If you have Google’s VirusTotal (Microsoft do) you can run something like this to find them: signature:"Microsoft Windows Hardware Compatibility Publisher" p:5+ tag:signed name:.sys”
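Beaumont’s query searches VirusTotal for detected samples signed through the Windows Hardware Compatibility Publisher. The same signer check can be run on an individual Windows host to build a list of WHCP-signed drivers for hash lookup. The script below is an added example written for this article and is not Beaumont’s or Microsoft’s code; it assumes the standard driver locations under `System32\drivers`, takes the signer name from the query quoted above, and writes its results to a CSV in `%TEMP%` (a path chosen here for illustration). Because many legitimate OEM drivers carry the same signer, the output is a triage list to compare against VirusTotal or Defender detections, not a verdict.

```powershell
# Added example, not from the article: list kernel drivers signed via the
# Windows Hardware Compatibility Publisher so their hashes can be checked
# against VirusTotal / Microsoft Defender. A valid signature alone is not
# evidence that a driver is benign; that is the point of the article.
$publisher = 'Microsoft Windows Hardware Compatibility Publisher'

# Drivers registered with the service control manager (normalise kernel-style paths).
$loaded = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    }

# Everything on disk in the usual driver directory (assumed location).
$store = Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter *.sys -Recurse -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

$results = foreach ($path in (@($loaded) + @($store) | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -like "*CN=$publisher*") {
        [pscustomobject]@{
            Path     = $path
            Status   = $sig.Status            # Valid, NotTrusted, HashMismatch, NotSigned, ...
            Signer   = $sig.SignerCertificate.Subject
            NotAfter = $sig.SignerCertificate.NotAfter
            SHA256   = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
            Loaded   = $loaded -contains $path
        }
    }
}

# Loaded drivers first: a signed driver that is actually in the kernel matters most.
$results | Sort-Object Loaded -Descending | Format-Table -AutoSize

# Export for bulk hash lookup (assumed output path).
$results | Export-Csv -NoTypeInformation -Path "$env:TEMP\whcp-drivers.csv"
```

Run it from an elevated PowerShell session so every driver file is readable. A `Status` other than `Valid` on a WHCP-signed driver is worth a closer look, as are drivers whose hashes VirusTotal already flags despite the Microsoft signature.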

In response to an email inquiry from eSecurity Planet, a Microsoft spokesperson acknowledged the ongoing issue, stating, “We have suspended the partners’ seller accounts. In addition, Microsoft Defender Antivirus provides blocking detection for these files.”

The essential challenge remains: the signing process still cannot tell malware from legitimate code, and Microsoft’s response so far has been to suspend individual offending accounts after the fact.

Microsoft’s Initial Response

In guidance first published on December 13, 2022, the company stated, “Microsoft was informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers.”

Microsoft was notified of the issue by SentinelOne, Mandiant, and Sophos in October 2022, and began an investigation. “This investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature,” the company added. “A new attempt at submitting a malicious driver for signing on September 29th, 2022, led to the suspension of the sellers’ accounts in early October.”

Matching the Microsoft spokesperson’s more recent explanation above, the company stated at the time that Windows Security Updates were released revoking the…
